Numerous Microsoft technologies are now taking advantage of digital certificate-based authentication to enable the support for and management of systems outside trusted networks and domains. Join us to learn how you can use digital certificates with System Center to extend your management capabilities beyond your immediate environment, and enable a single management infrastructure to manage systems and IT services across multiple trusted and untrusted domains.

2. Using Microsoft System Center to Manage beyond the Trusted Domain Pete Zerger, Rory McCaw Principal Consultants Infront Consulting Group Session Code: MGT300 Both

3. Agenda Rory Public Key Infrastructure Defined Anatomy of a Certificate How Does Certificate Authentication Work? Public Key Infrastructure Differences across Operating Systems Using PKI to Extend the Reach of System Center Changes in Provisioning Certificates in Windows 2008 Bulk Certificate Provisioning for System Center Managing Internet-Based Clients with ConfigMgr 2007 Troubleshooting Certificates in OpsMgr 2007 Monitoring CA and Certificate Validity

4. What Is a PKI? The combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions

5. Anatomy of a Certificate A certificate is like a Passport Issued for specific uses Server Authentication (1.3.6.1.5.5.7.3.1) Client Authentication (1.3.6.1.5.5.7.3.2) To work, the issuer must be a ‘trusted’ authority If some piece of information does not check out – authentication fails

7. Each system requires a cert mapped to their FQDN

8. Public keys are distributed with the certificate

9. Private keys are never distributed, they are privateAgent GW

10. Certificate Authority Options Rory Standalone CA can be a quick fix EnterpriseCA - requires more thought, planning and buy-in from across the organization Server OS version is another important consideration. Our recommendation: Use Standard Edition Server for all offline CAs (Root CA, Policy CA). Use Enterprise Edition Server of all online CAs

11. Rory Stand-alone versus Enterprise CA on Win2k3 Standalone Root CA on W2k3 Standard ‘Other’ certificate template allows for certificate creation Enterprise Root CA on Enterprise Edition Need to duplicate Server Authentication certificate template to create an OpsMgr template

12. Rory Stand-alone versus Enterprise CA on W2k8 Standalone Root CA on W2k8 Standard No option to store the certificate in the Local Computers certificate store Must use certreq or export from the Local User store and import into the Local Computer store Enterprise CA on W2k8 Enterprise Cross forest authentication allows clients to request a certificate from a CA that is part of a different AD This will require populating the NTAuth store in the additional forests

13. The Certificate Stores Rory Certificates stores Personal Certificate store Trusted Root Certificate Authorities store Operations Manager store Don’t touch the certificates in this store. This is internally generated.

14. Pete Configuration ValidationCertificate Configuration and Validity 1. Check for Certificate in Store Local Computer/Personal/Certificates 2. Verify Certificate Configuration Check for client and server authentication OIDs 4. Verify Issuing CA is Trusted Check the Certification Path 3. Check for Certificate in Store Local Computer/Personal/Certificates

15. Common Pitfalls Rory Name resolution Confirm that DNS is working or use hosts file IPv6 on Windows Server 2008 R2 Confirm that IPv6 addresses are registered in DNS Windows Firewall Configure properly or disable Certificate configuration Import Trusted Root CA cert Confirm certs are imported in Local Computer store, not Local User store Run momcertimport.exe with Admin credentials on W2k8 CRLs must be accessible

16. Using PKI to Extend the Reach of System Center Extend OpsMgr to Windows based workgroup computers Extend OpsMgr to separate Active Directory Forest through a gateway Extend OpsMgr to xplat servers Extend Config Mgr to internet based clients

17. Certificate Configuration in OpsMgr Rory Rory McCaw Principal Consultant Infront Consulting Group demo

18. Pete Certificate Provisioning Options Auto-enrollment is not an option outside trust boundaries without W2k8* 2008 Web Enrollment no longer gives users the option of storing a Machine Certificate in the Local Computer store Advantages of Command Line Provisioning Avoid Web Enrollment Limitations Many certificate properties can be pre-populated Provisioning can be automated to some degree Certificates can be generated in bulk * Cross Forest Authentication in W2k8

19. Pete Bulk Certificate Provisioning Manual requests can be time consuming Automation possible from the command line Certreq.exe – to make the request Certutil.exe - to process/retrieve the request Can be scripted for batch processing Requires a certificate template TIP: Because they share common OID requirements, OpsMgr 2007 and ConfigMgr 2007 agents can share the same certificate

20. Bulk Provisioning of Certificates demo Pete For System Center

21. Internet-Based Client Management Pete TIP: AD Forest can be separate from site servers and no trust required

22. ConfigMgr Topology Optionsfor Internet-based Client Mgmt

23. Ops Mgr Mutual Authentication Required in Operations Manager 2007 Two methods: Kerberos - Requires Active Directory Certificate Authentication Update Topology Ok Update Topology Request to Join X

25. Serial Appears in Registry (MOMCertImport)

27. Name Resolution Review Events in OpsMgr Event Log Start on Downstream Node

29. 20050 – Enhanced key usage error (wrong OID)

30. 21005 – DNS resolution failed

31. 21006 – TCP Connection failed (at TCP level)

32. 21007 – Not in a trusted domain. (no full trust)Master List of OpsMgr Authentication Errors http://www.systemcentercentral.com/teched

33. TroubleshootingName Resolution and Connectivity Pete Name Resolution Downstream node must resolve name of upstream node by FQDN Gateway must resolve FQDN of Mgmt Server Agent must resolve FQDN of Gateway Agent must resolve FQDN of Mgmt Server (if no GW) Network Connectivity Verify Agent or Gateway Server can telnet to management server on port 5723 Connection is instantiated by downstream component

34. Pete Troubleshooting Namespace Issues If using non-routable namespaces across the Internet Establish site-to-site VPN tunnel OR Use HOSTS file on Gateway to resolve Management Server ms.contoso.local gtw.contoso.local Internet

35. Pete Troubleshooting Certificates (cont) Verify MOMCertImport successfully wrote certificate serial # to the registry HKLMOFTWAREicrosofticrosoft Operations Manager.0achine SettingshannelCertificateSerialNumber Compare to certificate serial number on certificate in Local Computer Certificate Store If wrong serial, delete the key and re-run MOMCertImport Run momcertimport.exe as an Administrator

36. Cross-Platform Monitoring OpsMgr 2007 R2 extends agent-based monitoring to *NIX systems Can be installed remotely from the console Target *NIX systems can be outside Kerberos boundary Rory

37. demo Cross Platform Agent Deployment in OpsMgr Rory McCaw Principal Consultant Infront Consulting Group

38. OpsMgr Cross-Platform Issues Rory Ports TCP 22 (Discovery with SSH) TCP 1270 (Agent Communication via WS-Man) Certificate Errors Prerequisite Issues Hostname mismatch WinRM Errors Basic Authentication Not Enabled winrm set winrm/config/client/auth @{Basic="true"} Run As Execution Unix Action Account and Unix Privileged Account

39. Monitoring CA Health Rory PKI Health Tool Monitors CA Health and Current Activity Included in Windows 2008 OS Provides Visual Indicators of Health To launch: Start  Run  PKIView.msc CRL Distribution Points Enterprise CA Hierarchy Authority Information Access (AIA)

40. Monitoring Certificate Health Rory All Certificates have an Expiration Date Certificate validity can be monitored with Operations Manager No off-the-shelf Microsoft Solution Solution: PKI Certificate Verification MP Alerts on Certificate Health Issues Including: A certificate’s lifetime is about to expire A certificate’s lifetime has ended Certificate has been revoked Root Cert OM Cert CRL X

41. Birds of a feather session on Thursday System Center Questions... Answered!! announcing

42. question & answer

43. Required Slide Speakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. www.microsoft.com/teched Sessions On-Demand & Community www.microsoft.com/learning Microsoft Certification & Training Resources http://microsoft.com/technet Resources for IT Professionals http://microsoft.com/msdn Resources for Developers Resources

44. Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

46. Required Slide © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.