MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
Download as PPTX, PDF1 like552 views
The document outlines the use of Microsoft System Center for managing PKI and certificate provisioning across different operating systems, particularly focusing on Windows Server 2008. It discusses the anatomy of certificates, the importance of trusted authorities for authentication, methodologies for bulk certificate provisioning, and troubleshooting certificate-related issues in operations manager. The session also touches on extending System Center's capabilities to manage various client types, including internet-based clients and cross-platform systems.
MGT300 Using Microsoft System Center to Manage beyond the Trusted Domain
- 2. Using Microsoft System Center to Manage beyond the Trusted Domain Pete Zerger, Rory McCawPrincipal ConsultantsInfront Consulting GroupSession Code: MGT300Both
- 3. Agenda RoryPublic Key Infrastructure DefinedAnatomy of a Certificate How Does Certificate Authentication Work?Public Key Infrastructure Differences across Operating Systems Using PKI to Extend the Reach of System CenterChanges in Provisioning Certificates in Windows 2008Bulk Certificate Provisioning for System CenterManaging Internet-Based Clients with ConfigMgr 2007Troubleshooting Certificates in OpsMgr 2007Monitoring CA and Certificate Validity
- 4. What Is a PKI?The combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions
- 5. Anatomy of a CertificateA certificate is like a PassportIssued for specific usesServer Authentication (1.3.6.1.5.5.7.3.1)Client Authentication (1.3.6.1.5.5.7.3.2)To work, the issuer must be a ‘trusted’ authorityIf some piece of information does not check out – authentication fails
- 6. RoryHow Does Certificate Authentication Work?“Keys” to Success All systems must trust the CA that issued the certificates
- 7. Each system requires a cert mapped to their FQDN
- 8. Public keys are distributed with the certificate
- 9. Private keys are never distributed, they are privateAgentGW
- 10. Certificate Authority OptionsRoryStandalone CA can be a quick fix EnterpriseCA - requires more thought, planning and buy-in from across the organizationServer OS version is another important consideration. Our recommendation:Use Standard Edition Server for all offline CAs (Root CA, Policy CA). Use Enterprise Edition Server of all online CAs
- 11. RoryStand-alone versus Enterprise CA on Win2k3Standalone Root CA on W2k3 Standard‘Other’ certificate template allows for certificate creationEnterprise Root CA on Enterprise EditionNeed to duplicate Server Authentication certificate template to create an OpsMgr template
- 12. RoryStand-alone versus Enterprise CA on W2k8Standalone Root CA on W2k8 StandardNo option to store the certificate in the Local Computers certificate storeMust use certreq or export from the Local User store and import into the Local Computer storeEnterprise CA on W2k8 Enterprise Cross forest authentication allows clients to request a certificate from a CA that is part of a different ADThis will require populating the NTAuth store in the additional forests
- 13. The Certificate Stores RoryCertificates storesPersonal Certificate storeTrusted Root Certificate Authorities storeOperations Manager storeDon’t touch the certificates in this store. This is internally generated.
- 14. Pete Configuration ValidationCertificate Configuration and Validity1. Check for Certificate in StoreLocal Computer/Personal/Certificates2. Verify Certificate ConfigurationCheck for client and server authentication OIDs 4. Verify Issuing CA is Trusted Check the Certification Path3. Check for Certificate in StoreLocal Computer/Personal/Certificates
- 15. Common PitfallsRoryName resolutionConfirm that DNS is working or use hosts fileIPv6 on Windows Server 2008 R2 Confirm that IPv6 addresses are registered in DNSWindows FirewallConfigure properly or disableCertificate configurationImport Trusted Root CA certConfirm certs are imported in Local Computer store, not Local User storeRun momcertimport.exe with Admin credentials on W2k8CRLs must be accessible
- 16. Using PKI to Extend the Reach of System CenterExtend OpsMgr to Windows based workgroup computersExtend OpsMgr to separate Active Directory Forest through a gatewayExtend OpsMgr to xplat serversExtend Config Mgr to internet based clients
- 17. Certificate Configuration in OpsMgrRoryRory McCawPrincipal Consultant Infront Consulting Groupdemo
- 18. PeteCertificate Provisioning Options Auto-enrollment is not an option outside trust boundaries without W2k8*2008 Web Enrollment no longer gives users the option of storing a Machine Certificate in the Local Computer storeAdvantages of Command Line Provisioning Avoid Web Enrollment Limitations Many certificate properties can be pre-populated Provisioning can be automated to some degreeCertificates can be generated in bulk* Cross Forest Authentication in W2k8
- 19. Pete Bulk Certificate Provisioning Manual requests can be time consuming Automation possible from the command lineCertreq.exe – to make the requestCertutil.exe - to process/retrieve the request Can be scripted for batch processingRequires a certificate templateTIP: Because they share common OID requirements, OpsMgr 2007 and ConfigMgr 2007 agents can share the same certificate
- 20. Bulk Provisioning of Certificates demoPeteFor System Center
- 21. Internet-Based Client Management Pete TIP: AD Forest can be separate from site servers and no trust required
- 22. ConfigMgr Topology Optionsfor Internet-based Client Mgmt
- 23. Ops Mgr Mutual AuthenticationRequired in Operations Manager 2007 Two methods: Kerberos - Requires Active Directory Certificate Authentication Update TopologyOkUpdate TopologyRequest toJoinX
- 24. OpsMgr Authentication Troubleshooting ChecklistCertificate ConfigurationCorrect OIDs (1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2)
- 25. Serial Appears in Registry (MOMCertImport)
- 26. Issuing CA Appears in Trusted Root Cert AuthoritiesConnectivity Issues Network Connectivity – Ping, Telnet 5723
- 27. Name Resolution Review Events in OpsMgr Event Log Start on Downstream Node
- 28. Pete Certificate Authentication Events Look for Events in OpsMgr Event Log Relevant events will be in the 20,000 and 21,000 ranges21016 / 20070 – Generic event with every authentication failure.
- 29. 20050 – Enhanced key usage error (wrong OID)
- 30. 21005 – DNS resolution failed
- 31. 21006 – TCP Connection failed (at TCP level)
- 32. 21007 – Not in a trusted domain. (no full trust)Master List of OpsMgr Authentication Errorshttp://www.systemcentercentral.com/teched
- 33. TroubleshootingName Resolution and ConnectivityPete Name ResolutionDownstream node must resolve name of upstream node by FQDNGateway must resolve FQDN of Mgmt ServerAgent must resolve FQDN of GatewayAgent must resolve FQDN of Mgmt Server (if no GW)Network Connectivity Verify Agent or Gateway Server can telnet to management server on port 5723Connection is instantiated by downstream component
- 34. Pete Troubleshooting Namespace IssuesIf using non-routable namespaces across the Internet Establish site-to-site VPN tunnel ORUse HOSTS file on Gateway to resolve Management Serverms.contoso.localgtw.contoso.localInternet
- 35. Pete Troubleshooting Certificates (cont)Verify MOMCertImport successfully wrote certificate serial # to the registryHKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumberCompare to certificate serial number on certificate in Local Computer Certificate StoreIf wrong serial, delete the key and re-run MOMCertImportRun momcertimport.exe as an Administrator
- 36. Cross-Platform Monitoring OpsMgr 2007 R2 extends agent-based monitoring to *NIX systemsCan be installed remotely from the consoleTarget *NIX systems can be outside Kerberos boundaryRory
- 37. demoCross Platform Agent Deployment in OpsMgrRory McCawPrincipal Consultant Infront Consulting Group
- 38. OpsMgr Cross-Platform Issues RoryPortsTCP 22 (Discovery with SSH)TCP 1270 (Agent Communication via WS-Man)Certificate ErrorsPrerequisite IssuesHostname mismatchWinRM Errors Basic Authentication Not Enabled winrm set winrm/config/client/auth @{Basic="true"}Run As Execution Unix Action Account and Unix Privileged Account
- 39. Monitoring CA HealthRoryPKI Health Tool Monitors CA Health and Current Activity Included in Windows 2008 OS Provides Visual Indicators of HealthTo launch: Start Run PKIView.mscCRL Distribution Points Enterprise CA HierarchyAuthority Information Access (AIA)
- 40. Monitoring Certificate HealthRoryAll Certificates have an Expiration DateCertificate validity can be monitored with Operations ManagerNo off-the-shelf Microsoft Solution Solution: PKI Certificate Verification MPAlerts on Certificate Health Issues Including:A certificate’s lifetime is about to expire A certificate’s lifetime has ended Certificate has been revoked Root CertOM CertCRLX
- 41. Birds of a feather session on Thursday System Center Questions... Answered!!announcing
- 43. Required SlideSpeakers, TechEd 2009 is not producing a DVD. Please announce that attendees can access session recordings at TechEd Online. www.microsoft.com/techedSessions On-Demand & Communitywww.microsoft.com/learningMicrosoft Certification & Training Resourceshttp://microsoft.com/technetResources for IT Professionalshttp://microsoft.com/msdnResources for DevelopersResources
- 44. Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!
- 46. Required Slide© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.