
MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain

Jan 19, 2015


Technology

Louis Göhl

Numerous Microsoft technologies are now taking advantage of digital certificate-based authentication to enable the support for and management of systems outside trusted networks and domains. Join us to learn how you can use digital certificates with System Center to extend your management capabilities beyond your immediate environment, and enable a single management infrastructure to manage systems and IT services across multiple trusted and untrusted domains.
Transcript
Page 1: MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
Page 2: Using Microsoft System Center to Manage beyond the Trusted Domain

Pete Zerger, Rory McCaw
Principal Consultants, Infront Consulting Group
Session Code: MGT300

Presenter: Both

Page 3: Agenda

• Public Key Infrastructure Defined
• Anatomy of a Certificate
• How Does Certificate Authentication Work?
• Public Key Infrastructure Differences across Operating Systems
• Using PKI to Extend the Reach of System Center
• Changes in Provisioning Certificates in Windows 2008
• Bulk Certificate Provisioning for System Center
• Managing Internet-Based Clients with ConfigMgr 2007
• Troubleshooting Certificates in OpsMgr 2007
• Monitoring CA and Certificate Validity

Presenter: Rory

Page 4: What Is a PKI?

Requirement – PKI solutions
• Confidentiality – Data encryption
• Integrity – Digital signatures
• Authenticity – Hash algorithms, message digests, digital signatures
• Nonrepudiation – Digital signatures, audit logs
• Availability – Redundancy

The combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions

Page 5: Anatomy of a Certificate

A certificate is like a passport: issued for specific uses
• Server Authentication (1.3.6.1.5.5.7.3.1)
• Client Authentication (1.3.6.1.5.5.7.3.2)

To work, the issuer must be a ‘trusted’ authority. If some piece of information does not check out, authentication fails.

Page 6: How Does Certificate Authentication Work?

Presenter: Rory

“Keys” to Success
• All systems must trust the CA that issued the certificates
• Each system requires a cert mapped to its FQDN
• Public keys are distributed with the certificate
• Private keys are never distributed; they are private

(Diagram: Gateway (GW) and Agent)

Page 7: Certificate Authority Options

A standalone CA can be a quick fix. An Enterprise CA requires more thought, planning and buy-in from across the organization. Server OS version is another important consideration. Our recommendation:
• Use Standard Edition Server for all offline CAs (Root CA, Policy CA)
• Use Enterprise Edition Server for all online CAs

Presenter: Rory

Page 8: Stand-alone versus Enterprise CA on Win2k3

Standalone Root CA on W2k3 Standard
• ‘Other’ certificate template allows for certificate creation
Enterprise Root CA on Enterprise Edition
• Need to duplicate the Server Authentication certificate template to create an OpsMgr template

Presenter: Rory

Page 9: Stand-alone versus Enterprise CA on W2k8

Standalone Root CA on W2k8 Standard
• No option to store the certificate in the Local Computer certificate store
• Must use certreq or export from the Local User store and import into the Local Computer store
Enterprise CA on W2k8 Enterprise
• Cross-forest authentication allows clients to request a certificate from a CA that is part of a different AD forest
• This will require populating the NTAuth store in the additional forests

Presenter: Rory

Page 10: The Certificate Stores

Certificate stores
• Personal Certificate store
• Trusted Root Certificate Authorities store
• Operations Manager store: don’t touch the certificates in this store; it is internally generated.

Presenter: Rory

Page 11: Configuration Validation – Certificate Configuration and Validity

Presenter: Pete

1. Check for Certificate in Store (Local Computer/Personal/Certificates)
2. Verify Certificate Configuration: check for client and server authentication OIDs
3. Check for Certificate in Store (Local Computer/Personal/Certificates)
4. Verify Issuing CA is Trusted: check the Certification Path

Page 12: Common Pitfalls

Name resolution
• Confirm that DNS is working or use a hosts file
IPv6 on Windows Server 2008 R2
• Confirm that IPv6 addresses are registered in DNS
Windows Firewall
• Configure properly or disable
Certificate configuration
• Import the Trusted Root CA cert
• Confirm certs are imported in the Local Computer store, not the Local User store
• Run momcertimport.exe with Admin credentials on W2k8
• CRLs must be accessible

Presenter: Rory

Page 13: Using PKI to Extend the Reach of System Center

• Extend OpsMgr to Windows-based workgroup computers
• Extend OpsMgr to a separate Active Directory forest through a gateway
• Extend OpsMgr to xplat (cross-platform) servers
• Extend ConfigMgr to Internet-based clients

Page 14: Certificate Configuration in OpsMgr (demo)

Rory McCaw, Principal Consultant, Infront Consulting Group

Presenter: Rory

Page 15: Certificate Provisioning Options

Auto-enrollment is not an option outside trust boundaries without W2k8*
2008 Web Enrollment no longer gives users the option of storing a Machine Certificate in the Local Computer store
Advantages of Command Line Provisioning
• Avoid Web Enrollment limitations
• Many certificate properties can be pre-populated
• Provisioning can be automated to some degree
• Certificates can be generated in bulk

* Cross Forest Authentication in W2k8

Presenter: Pete

Page 16: Bulk Certificate Provisioning

Manual requests can be time consuming. Automation is possible from the command line:
• Certreq.exe – to make the request
• Certutil.exe – to process/retrieve the request
• Can be scripted for batch processing
• Requires a certificate template

Presenter: Pete

TIP: Because they share common OID requirements, OpsMgr 2007 and ConfigMgr 2007 agents can share the same certificate
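The certreq/certutil workflow the slide describes, written out as a PowerShell script. This is an added example for this transcript, not the presenters' demo script or a Microsoft tool. The CA configuration string ("ca01.contoso.com\Contoso Issuing CA"), the template name ("OpsMgrAgentCert") and the host names are placeholders; the request-file keys and the two EKU OIDs are the standard certreq.exe INF format and the OIDs the slides give.

```powershell
# Added example (not from the session): bulk-generate agent/gateway certificate
# requests with certreq.exe, submit them to an Enterprise CA and record any that
# are left pending. Run in an elevated prompt (MachineKeySet keys need admin rights).
param(
    [string[]] $Hosts    = @('gw01.fabrikam.com', 'agent01.fabrikam.com'), # constructed sample FQDNs
    [string]   $CaConfig = 'ca01.contoso.com\Contoso Issuing CA',           # placeholder "CAHost\CAName"
    [string]   $Template = 'OpsMgrAgentCert',                               # placeholder duplicated template
    [string]   $WorkDir  = 'C:\CertRequests'
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

foreach ($fqdn in $Hosts) {
    $base = Join-Path $WorkDir ($fqdn -replace '[^\w\.-]', '_')
    $inf  = "$base.inf"; $req = "$base.req"; $cer = "$base.cer"

    # certreq request file. Subject must be the FQDN the node is reached by, and both
    # Server Authentication and Client Authentication EKUs must be present (slide 5).
    # Exportable = TRUE lets the finished PFX be moved to the target host afterwards.
@"
[NewRequest]
Subject = "CN=$fqdn"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

    # Generate the key pair and the PKCS#10 request.
    & certreq.exe -new $inf $req
    if ($LASTEXITCODE -ne 0) { Write-Warning "certreq -new failed for $fqdn"; continue }

    # Submit to the CA. If the template auto-issues, the .cer is written immediately;
    # if it needs CA manager approval, certreq prints a RequestId and the request pends.
    $out = & certreq.exe -submit -config $CaConfig $req $cer 2>&1 | Out-String
    if (Test-Path $cer) {
        & certreq.exe -accept $cer     # binds the issued cert to the pending private key
    } elseif ($out -match 'RequestId:\s*(\d+)') {
        # Pending: a CA manager issues it (certutil -resubmit <id>), then it is fetched with
        # certreq -retrieve <id> <cer> followed by certreq -accept <cer>.
        "$fqdn pending, RequestId $($Matches[1])" | Add-Content (Join-Path $WorkDir 'pending.txt')
    } else {
        Write-Warning "Submit failed for ${fqdn}: $out"
    }
}
```

Because the private keys are generated on the provisioning host, the issued certificates are then exported as PFX files and imported into each target's Local Computer store (on OpsMgr nodes with momcertimport.exe, as the troubleshooting slides describe). Pending requests on the CA side can also be listed with certutil -view -restrict "Disposition=9".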

Page 17: Bulk Provisioning of Certificates for System Center (demo)

Presenter: Pete

Page 18: Internet-Based Client Management

Presenter: Pete

Management of clients without VPN
• POS devices
• Kiosks

TIP: The AD forest can be separate from the site servers and no trust is required

Page 19: ConfigMgr Topology Options for Internet-based Client Mgmt

Page 20: Ops Mgr Mutual Authentication

Required in Operations Manager 2007. Two methods:
• Kerberos – requires Active Directory
• Certificate authentication

(Diagram: Request to Join / Update Topology exchange, with one path marked X and the other Ok)

Page 21: OpsMgr Authentication Troubleshooting Checklist

Start on the downstream node
Review events in the OpsMgr event log
Certificate configuration
• Correct OIDs (1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2)
• Serial appears in registry (MOMCertImport)
• Issuing CA appears in Trusted Root Certification Authorities
Connectivity issues
• Network connectivity – ping, telnet 5723
• Name resolution

Page 22: Certificate Authentication Events

Look for events in the OpsMgr event log. Relevant events will be in the 20,000 and 21,000 ranges:
• 21016 / 20070 – Generic event with every authentication failure
• 20050 – Enhanced key usage error (wrong OID)
• 21005 – DNS resolution failed
• 21006 – TCP connection failed (at TCP level)
• 21007 – Not in a trusted domain (no full trust)

Presenter: Pete

Master List of OpsMgr Authentication Errors: http://www.systemcentercentral.com/teched

Page 23: Troubleshooting Name Resolution and Connectivity

Name resolution: the downstream node must resolve the name of the upstream node by FQDN
• Gateway must resolve the FQDN of the Mgmt Server
• Agent must resolve the FQDN of the Gateway
• Agent must resolve the FQDN of the Mgmt Server (if no GW)

Network connectivity
• Verify the Agent or Gateway Server can telnet to the management server on port 5723
• The connection is instantiated by the downstream component

Presenter: Pete

Page 24: Troubleshooting Namespace Issues

If using non-routable namespaces across the Internet:
• Establish a site-to-site VPN tunnel, OR
• Use the HOSTS file on the Gateway to resolve the Management Server

(Diagram: gtw.contoso.local reaching ms.contoso.local across the Internet)

Presenter: Pete

Page 25: Troubleshooting Certificates (cont)

Verify MOMCertImport successfully wrote the certificate serial # to the registry:
HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber
• Compare to the serial number on the certificate in the Local Computer certificate store
• If the serial is wrong, delete the key and re-run MOMCertImport
• Run momcertimport.exe as an Administrator

Presenter: Pete
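The validation steps from pages 11, 21, 22, 23 and 25 (event log review, certificate in the Local Computer store, both EKU OIDs, trusted issuing CA, serial number in the registry, name resolution and TCP 5723) can be run as a single script on the downstream node. The following PowerShell is an added example written for this transcript, not a tool from the session or from Microsoft. The script name and the -UpstreamFqdn parameter are assumptions; the OIDs, event IDs, port, log name and registry path are the ones the slides give.

```powershell
# Added example (not from the session): walks the slides' OpsMgr authentication
# checklist on the downstream node (agent or gateway). Run as Administrator.
# Usage (script name is hypothetical):  .\Test-OpsMgrCertConfig.ps1 -UpstreamFqdn ms.contoso.local
param(
    [Parameter(Mandatory = $true)] [string] $UpstreamFqdn,   # gateway or management server FQDN
    [string] $LocalFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$RegPath = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'

# 0. Recent authentication events in the Operations Manager log (IDs and meanings from the slides)
$known = @{ 20050 = 'EKU error (wrong OID)'; 20070 = 'authentication failure'; 21005 = 'DNS resolution failed'
            21006 = 'TCP connection failed';  21007 = 'not in a trusted domain'; 21016 = 'authentication failure' }
Get-WinEvent -FilterHashtable @{ LogName = 'Operations Manager'; Id = [int[]]$known.Keys } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object { '{0:u}  {1}  {2}' -f $_.TimeCreated, $_.Id, $known[$_.Id] }

# 1. Certificate in Local Computer\Personal issued to the local FQDN, with its private key
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$LocalFqdn*" -and $_.HasPrivateKey })
if ($candidates.Count -eq 0) { throw "No certificate for CN=$LocalFqdn with a private key in LocalMachine\My" }

# 2. Both Server Authentication and Client Authentication EKUs present (event 20050 otherwise)
$cert = $candidates | Where-Object {
    $eku  = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage extension
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    ($oids -contains $ServerAuthOid) -and ($oids -contains $ClientAuthOid)
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Certificate present but missing EKU $ServerAuthOid and/or $ClientAuthOid" }
"Using certificate serial $($cert.SerialNumber), valid until $($cert.NotAfter)"

# 3. Issuing CA is trusted and the chain verifies with online revocation checking (CRLs must be reachable)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if ($chain.Build($cert)) {
    "Chain OK, root: $($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}

# 4. MOMCertImport wrote the serial to the registry. The value is REG_BINARY and stores the
#    serial number bytes in reverse order, so reverse them before comparing with the certificate.
$reg = Get-ItemProperty -Path $RegPath -Name ChannelCertificateSerialNumber -ErrorAction SilentlyContinue
if (-not $reg) {
    Write-Warning 'ChannelCertificateSerialNumber is missing: run momcertimport.exe as Administrator'
} else {
    $bytes = [byte[]]$reg.ChannelCertificateSerialNumber
    [array]::Reverse($bytes)
    $regSerial = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($regSerial -ne $cert.SerialNumber) {
        Write-Warning "Registry serial $regSerial does not match certificate serial $($cert.SerialNumber): delete the value and re-run MOMCertImport"
    } else { 'Registry serial matches the certificate' }
}

# 5. Name resolution and TCP 5723 to the upstream node (the downstream side opens the connection)
try   { $null = [System.Net.Dns]::GetHostAddresses($UpstreamFqdn); "Resolved $UpstreamFqdn" }
catch { Write-Warning "Cannot resolve $UpstreamFqdn (event 21005): fix DNS or add a HOSTS entry" }
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($UpstreamFqdn, 5723); "TCP 5723 to $UpstreamFqdn is open" }
catch   { Write-Warning "TCP 5723 to $UpstreamFqdn failed (event 21006): check firewall and routing" }
finally { $tcp.Close() }
```

Each warning names the slide's event ID the symptom would produce, so the output can be read against the event list on page 22. Step 3 uses online revocation checking deliberately: an unreachable CRL is listed on page 12 as a common pitfall and shows up here as a chain problem rather than as a silent pass.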

Page 26: Cross-Platform Monitoring

• OpsMgr 2007 R2 extends agent-based monitoring to *NIX systems
• Can be installed remotely from the console
• Target *NIX systems can be outside the Kerberos boundary

Presenter: Rory

Page 27: Cross Platform Agent Deployment in OpsMgr (demo)

Rory McCaw, Principal Consultant, Infront Consulting Group

Page 28: OpsMgr Cross-Platform Issues

Ports
• TCP 22 (discovery with SSH)
• TCP 1270 (agent communication via WS-Man)
Certificate errors
• Prerequisite issues
• Hostname mismatch
WinRM errors: Basic authentication not enabled
    winrm set winrm/config/client/auth @{Basic="true"}
Run As execution: Unix Action Account and Unix Privileged Account

Presenter: Rory

Page 29: Monitoring CA Health

PKI Health Tool
• Monitors CA health and current activity
• Included in the Windows 2008 OS
• Provides visual indicators of health
• To launch: Start > Run > PKIView.msc

(Screenshot: PKIView showing the Enterprise CA hierarchy, Authority Information Access (AIA) and CRL Distribution Points)

Presenter: Rory

Page 30: Monitoring Certificate Health

• All certificates have an expiration date
• Certificate validity can be monitored with Operations Manager
• No off-the-shelf Microsoft solution

Solution: PKI Certificate Verification MP. Alerts on certificate health issues including:
• A certificate’s lifetime is about to expire
• A certificate’s lifetime has ended
• Certificate has been revoked

(Diagram: OM Cert, Root Cert and CRL, with one path marked X)

Presenter: Rory
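The three conditions the slide lists (about to expire, expired, revoked) can be checked locally with a store sweep, which is the kind of check a monitoring script or scheduled task would wrap. The following PowerShell is an added example for this transcript; it is not the PKI Certificate Verification MP the slide names and not code from the session. The 30-day warning window and the store path are assumed defaults; the function name is hypothetical.

```powershell
# Added example (not the PKI Certificate Verification MP): sweep a certificate store for
# certificates that are expiring, expired, revoked, or whose CRL cannot be reached, and
# return one record per certificate so a monitor can alert on the unhealthy ones.
param([int] $WarnDays = 30, [string] $StorePath = 'Cert:\LocalMachine\My')   # assumed defaults

function Test-CertificateHealth {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [int] $WarnDays
    )
    $now    = Get-Date
    $issues = @()

    # Lifetime checks: the two conditions the slide lists first.
    if ($Cert.NotAfter -lt $now) {
        $issues += 'Expired'
    } elseif ($Cert.NotAfter -lt $now.AddDays($WarnDays)) {
        $issues += "ExpiresIn$([int]($Cert.NotAfter - $now).TotalDays)Days"
    }

    # Revocation: build the chain with online CRL checking across the whole chain.
    # A revoked certificate reports Revoked; an unreachable CRL reports
    # RevocationStatusUnknown / OfflineRevocation, which is worth alerting on too
    # (page 12 lists CRL reachability as a common pitfall).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($Cert)
    foreach ($s in $chain.ChainStatus) {
        switch -Wildcard ($s.Status.ToString()) {
            '*Revoked*'                 { $issues += 'Revoked' }
            '*RevocationStatusUnknown*' { $issues += 'CrlUnreachable' }
            '*OfflineRevocation*'       { $issues += 'CrlUnreachable' }
            '*UntrustedRoot*'           { $issues += 'UntrustedRoot' }
        }
    }

    [pscustomobject]@{
        Subject  = $Cert.Subject
        Serial   = $Cert.SerialNumber
        NotAfter = $Cert.NotAfter
        Issues   = ($issues | Select-Object -Unique) -join ','
        Healthy  = ($issues.Count -eq 0)
    }
}

$report    = Get-ChildItem $StorePath | ForEach-Object { Test-CertificateHealth -Cert $_ -WarnDays $WarnDays }
$unhealthy = @($report | Where-Object { -not $_.Healthy })
$unhealthy | Format-Table Subject, Serial, NotAfter, Issues -AutoSize

# Non-zero exit lets a scheduled task or an OpsMgr script monitor raise an alert.
if ($unhealthy.Count -gt 0) { exit 1 }
```

Run it against the store that holds the OpsMgr certificate (Cert:\LocalMachine\My) on each gateway and agent; the same sweep against Cert:\LocalMachine\Root flags an expiring root or intermediate before the whole chain on page 11 stops verifying.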

Page 31: Announcing – Birds of a Feather session on Thursday: System Center Questions... Answered!!

Page 32: Question & Answer

Page 33: Resources

• www.microsoft.com/teched – Sessions On-Demand & Community
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers
• www.microsoft.com/learning – Microsoft Certification & Training Resources

Page 34: Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

Page 35:
Page 36:

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.