MGT300: Using Microsoft System Center to Manage beyond the Trusted Domain
DESCRIPTION
Numerous Microsoft technologies now take advantage of digital certificate-based authentication to support and manage systems outside trusted networks and domains. Join us to learn how you can use digital certificates with System Center to extend your management capabilities beyond your immediate environment, and enable a single management infrastructure to manage systems and IT services across multiple trusted and untrusted domains.

TRANSCRIPT
Using Microsoft System Center to Manage beyond the Trusted Domain
Pete Zerger, Rory McCaw
Principal Consultants, Infront Consulting Group
Session Code: MGT300
Both
Agenda
• Public Key Infrastructure Defined
• Anatomy of a Certificate
• How Does Certificate Authentication Work?
• Public Key Infrastructure Differences across Operating Systems
• Using PKI to Extend the Reach of System Center
• Changes in Provisioning Certificates in Windows 2008
• Bulk Certificate Provisioning for System Center
• Managing Internet-Based Clients with ConfigMgr 2007
• Troubleshooting Certificates in OpsMgr 2007
• Monitoring CA and Certificate Validity
Rory
What Is a PKI?
The combination of software, encryption technologies, processes, and services that enables an organization to secure its communications and business transactions.

Requirement       PKI solution
Confidentiality   Data encryption
Integrity         Hash algorithms, message digests, digital signatures
Authenticity      Digital signatures
Nonrepudiation    Digital signatures, audit logs
Availability      Redundancy
Anatomy of a Certificate
A certificate is like a passport: issued by an authority, for specific uses (the Enhanced Key Usage OIDs):
• Server Authentication (1.3.6.1.5.5.7.3.1)
• Client Authentication (1.3.6.1.5.5.7.3.2)
To work, the issuer must be a ‘trusted’ authority. If any piece of information does not check out, authentication fails.
How Does Certificate Authentication Work?
Rory
“Keys” to Success
• All systems must trust the CA that issued the certificates
• Each system requires a certificate whose subject name is its FQDN
• Public keys are distributed with the certificate
• Private keys are never distributed; they stay on the system they were generated for
[Diagram: gateway (GW) and agent exchanging certificates]
Certificate Authority Options
• A standalone CA can be a quick fix
• An enterprise CA requires more thought, planning and buy-in from across the organization
• Server OS version is another important consideration. Our recommendation: use Standard Edition for all offline CAs (Root CA, Policy CA) and Enterprise Edition for all online CAs (on Windows Server 2003 and 2008, the customizable version 2 templates an issuing CA typically needs require Enterprise Edition; 2008 R2 lifts this restriction)
Rory
Stand-alone versus Enterprise CA on Windows Server 2003
• Standalone Root CA on W2k3 Standard: the ‘Other’ certificate type in Web Enrollment allows the certificate to be created
• Enterprise Root CA on Enterprise Edition: duplicate the Server Authentication certificate template to create an OpsMgr template
Rory
Stand-alone versus Enterprise CA on Windows Server 2008
• Standalone Root CA on W2k8 Standard: Web Enrollment gives no option to store the certificate in the Local Computer certificate store; you must use certreq, or export from the Local User store and import into the Local Computer store
• Enterprise CA on W2k8 Enterprise: cross-forest authentication allows clients to request a certificate from a CA that is part of a different AD forest; this requires populating the NTAuth store in the additional forests
Rory
The Certificate Stores
• Personal certificate store
• Trusted Root Certification Authorities store
• Operations Manager store: don’t touch the certificates in this store; they are generated internally
Rory
Configuration Validation: Certificate Configuration and Validity
Pete
1. Check for certificate in store: Local Computer/Personal/Certificates
2. Verify certificate configuration: check for the Client and Server Authentication OIDs
3. Check for certificate in store: Local Computer/Personal/Certificates
4. Verify the issuing CA is trusted: check the certification path
Common Pitfalls
• Name resolution: confirm that DNS is working, or use a hosts file
• IPv6 on Windows Server 2008 R2: confirm that IPv6 addresses are registered in DNS
• Windows Firewall: configure it properly (allow the OpsMgr channel, TCP 5723, inbound on the upstream node) or disable it
• Certificate configuration: import the Trusted Root CA certificate; confirm certs are imported into the Local Computer store, not the Local User store; run momcertimport.exe with Admin credentials on W2k8; CRLs must be accessible
Rory
Using PKI to Extend the Reach of System Center
• Extend OpsMgr to Windows-based workgroup computers
• Extend OpsMgr to a separate Active Directory forest through a gateway
• Extend OpsMgr to cross-platform (xplat) servers
• Extend ConfigMgr to Internet-based clients
Demo: Certificate Configuration in OpsMgr
Rory McCaw, Principal Consultant, Infront Consulting Group
Rory
Certificate Provisioning Options
• Auto-enrollment is not an option outside trust boundaries without W2k8* (* cross-forest authentication in W2k8)
• 2008 Web Enrollment no longer gives users the option of storing a machine certificate in the Local Computer store
• Advantages of command-line provisioning: avoids the Web Enrollment limitations; many certificate properties can be pre-populated; provisioning can be automated to some degree; certificates can be generated in bulk
Pete
Bulk Certificate Provisioning
• Manual requests can be time consuming; automation is possible from the command line
• Certreq.exe – to make the request
• Certutil.exe – to process/retrieve the request
• Can be scripted for batch processing; requires a certificate template
Pete
TIP: Because they share common OID requirements, OpsMgr 2007 and ConfigMgr 2007 agents can share the same certificate
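The following is an added example written for this page (editor's code, not from the session or from Microsoft) that puts the certreq-based bulk provisioning and the shared-certificate tip into a runnable script. It generates each key under the Local Computer store (MachineKeySet = TRUE), which is the workaround for the 2008 Web Enrollment limitation described earlier. The CA config string, the template name OpsMgrAgent, the output folder and the host list are all assumptions; the template is assumed to be a duplicate of Server Authentication with both EKUs, "supply subject in the request", and automatic issuance.

```powershell
# Added example (editor's code, not from the session). Bulk-requests agent/gateway certificates
# with certreq.exe so that each private key is generated under the Local Computer store.
# Assumptions (all hypothetical): the CA config string in $CaConfig, an enterprise template named
# $Template duplicated from Server Authentication with both EKUs and "supply subject in request",
# auto-issuance (no CA manager approval), and that this runs elevated on the provisioning box.
$CaConfig = 'ca01.contoso.com\Contoso Issuing CA'   # certutil -dump lists the real config string
$Template = 'OpsMgrAgent'
$OutDir   = 'C:\CertProv'
$PfxPass  = Read-Host -AsSecureString -Prompt 'PFX password'
# Constructed list of downstream nodes to provision (workgroup agents and a gateway)
$Hosts    = 'agent01.workgroup.example', 'agent02.workgroup.example', 'gw01.fabrikam.local'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')

foreach ($Fqdn in $Hosts) {
    $base = Join-Path $OutDir $Fqdn
    # Request policy file: subject CN = FQDN, 2048-bit RSA, both EKU OIDs so one certificate serves
    # OpsMgr and ConfigMgr agents, Exportable so the PFX can be handed to the target machine.
    @"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$base.inf" -Encoding ASCII

    & certreq.exe -new -q "$base.inf" "$base.req" | Out-Null
    # If the template needs CA manager approval this returns a pending RequestId instead of a .cer;
    # issue it on the CA and fetch it with: certreq -retrieve -config $CaConfig <RequestId> "$base.cer"
    & certreq.exe -submit -q -config $CaConfig "$base.req" "$base.cer" | Out-Null
    & certreq.exe -accept -q "$base.cer" | Out-Null   # binds the issued cert to its key in LocalMachine\My

    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
            Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { Write-Warning "No issued certificate found for $Fqdn"; continue }

    # Export cert + private key as PFX for delivery, then remove it from this machine's store:
    # the provisioning box must not keep a usable copy of every agent's private key.
    $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $PfxPass)
    [System.IO.File]::WriteAllBytes("$base.pfx", $pfx)
    $store.Remove($cert)   # leaves the key container on disk; clean it with certutil -delkey once delivered
    Write-Host "$Fqdn -> $base.pfx (serial $($cert.SerialNumber))"
}
$store.Close()
```

On each target, import the PFX into the Local Computer store (for example with certutil -p <password> -importPFX <file.pfx>) and run MOMCertImport.exe against it so the serial number is written to the registry; a ConfigMgr client on the same box can use the same certificate because both EKUs are present. Deliver the PFX files over an authenticated channel and delete them after import: each one is a private key.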
Demo: Bulk Provisioning of Certificates for System Center
Pete
Internet-Based Client Management
Pete
• Manage clients without a VPN
• POS devices
• Kiosks
TIP: the AD forest can be separate from the site servers, and no trust is required
ConfigMgr Topology Options for Internet-based Client Mgmt
OpsMgr Mutual Authentication
Required in Operations Manager 2007. Two methods:
• Kerberos – requires Active Directory
• Certificate authentication
[Diagram: a downstream node sends a request to join; the upstream node accepts (OK) or rejects (X) it and updates the topology]
OpsMgr Authentication Troubleshooting Checklist
Start on the downstream node and review events in the Operations Manager event log.
Certificate configuration
• Correct OIDs (1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2)
• Serial appears in the registry (MOMCertImport)
• Issuing CA appears in Trusted Root Certification Authorities
Connectivity issues
• Network connectivity – ping, telnet 5723
• Name resolution
Certificate Authentication Events
Look for events in the Operations Manager event log. Relevant events are in the 20000 and 21000 ranges:
• 21016 / 20070 – generic event logged with every authentication failure
• 20050 – enhanced key usage error (wrong OID)
• 21005 – DNS resolution failed
• 21006 – TCP connection failed (at the TCP level)
• 21007 – not in a trusted domain (no full trust)
Pete
Master List of OpsMgr Authentication Errorshttp://www.systemcentercentral.com/teched
Troubleshooting: Name Resolution and Connectivity
Name resolution: the downstream node must resolve the name of the upstream node by FQDN
• Gateway must resolve the FQDN of the management server
• Agent must resolve the FQDN of the gateway
• Agent must resolve the FQDN of the management server (if no gateway)
Network connectivity: verify the agent or gateway server can telnet to the management server on port 5723; the connection is initiated by the downstream component
Pete
Troubleshooting Namespace Issues
If using non-routable namespaces across the Internet:
• Establish a site-to-site VPN tunnel, OR
• Use a HOSTS file on the gateway to resolve the management server
[Diagram: gtw.contoso.local connects to ms.contoso.local across the Internet]
Pete
Troubleshooting Certificates (cont.)
Verify that MOMCertImport successfully wrote the certificate serial number to the registry:
HKLM\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings\ChannelCertificateSerialNumber
Compare it to the serial number of the certificate in the Local Computer certificate store. If the serial is wrong, delete the value and re-run MOMCertImport. Run momcertimport.exe as an Administrator.
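As an added example (editor's code, not from the session), the following PowerShell function walks the Configuration Validation steps and the authentication troubleshooting checklist on a downstream node in one pass: name resolution and TCP 5723 to the upstream node, the certificate in Local Computer\Personal, its private key, both EKU OIDs, the chain to a trusted root with CRL retrieval, the serial MOMCertImport wrote to the registry, and the most recent 20xxx/21xxx events. The upstream FQDN ms.contoso.local is a placeholder; the function assumes the local certificate's subject CN is this machine's FQDN, and it compares the registry serial against both byte orders because the REG_BINARY value is commonly reported to hold the serial reversed.

```powershell
# Added example (editor's code, not from the session). Run on the downstream node (agent or gateway).
# Assumed: $Upstream is the upstream node's FQDN (management server, or the gateway for an agent
# behind one) and the local certificate's subject CN is this machine's FQDN.
function Test-OpsMgrAuth {
    param(
        [string]$Upstream  = 'ms.contoso.local',   # hypothetical upstream FQDN
        [string]$LocalFqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
    )
    $r = @{}

    # 1. Name resolution: the downstream node must resolve the upstream node by FQDN (event 21005 if not).
    try   { $r.UpstreamIPs = ([System.Net.Dns]::GetHostAddresses($Upstream) | ForEach-Object { $_.IPAddressToString }) -join ',' }
    catch { $r.UpstreamIPs = "FAILED: $($_.Exception.Message)" }

    # 2. TCP 5723 is opened by the downstream component, so test it from here (event 21006 if blocked).
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $r.Tcp5723 = $tcp.BeginConnect($Upstream, 5723, $null, $null).AsyncWaitHandle.WaitOne(5000) -and $tcp.Connected }
    catch   { $r.Tcp5723 = $false }
    finally { $tcp.Close() }

    # 3. Certificate in Local Computer\Personal (not Local User) whose subject CN is this machine's FQDN.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -match ('CN=' + [regex]::Escape($LocalFqdn) + '(,|$)') } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        $r.Certificate = "NONE for CN=$LocalFqdn in LocalMachine\My"
        return New-Object PSObject -Property $r
    }
    $r.Certificate   = $cert.Thumbprint
    $r.HasPrivateKey = $cert.HasPrivateKey
    $r.TimeValid     = ($cert.NotBefore -le (Get-Date)) -and ($cert.NotAfter -ge (Get-Date))

    # 4. Both EKU OIDs must be present (event 20050 = wrong or missing EKU).
    $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $oids = @(); if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $r.ServerAuthEKU = $oids -contains '1.3.6.1.5.5.7.3.1'
    $r.ClientAuthEKU = $oids -contains '1.3.6.1.5.5.7.3.2'

    # 5. Chain must end in a CA present in Local Computer\Trusted Root Certification Authorities, and the
    #    CRL must be reachable from this node (RevocationStatusUnknown/OfflineRevocation when it is not).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $r.ChainValid  = $chain.Build($cert)
    $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $r.RootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint })

    # 6. Serial written by MOMCertImport. The REG_BINARY value is commonly reported to hold the serial in
    #    reverse byte order, so accept either order rather than hinging the check on that detail.
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings'
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ChannelCertificateSerialNumber
    if ($raw) {
        $fwd = ($raw | ForEach-Object { $_.ToString('X2') }) -join ''
        $rev = ($raw[($raw.Length - 1)..0] | ForEach-Object { $_.ToString('X2') }) -join ''
        $r.RegistrySerialMatches = ($cert.SerialNumber -eq $fwd) -or ($cert.SerialNumber -eq $rev)
    } else { $r.RegistrySerialMatches = 'NOT SET: run MOMCertImport as Administrator' }

    # 7. Most recent authentication failures from the Operations Manager event log.
    $ids = 20050, 20070, 21005, 21006, 21007, 21016
    $r.RecentAuthEvents = (Get-EventLog -LogName 'Operations Manager' -Newest 500 -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.EventID } | Select-Object -First 5 |
        ForEach-Object { '{0:s} {1}' -f $_.TimeGenerated, $_.EventID }) -join '; '

    New-Object PSObject -Property $r
}

Test-OpsMgrAuth | Format-List
```

Read the output top down in the order of the checklist: a failed UpstreamIPs or Tcp5723 explains a 21005/21006 before any certificate work is needed; a missing EKU or an untrusted root explains 20050 and 21016/20070; and a RegistrySerialMatches of false means MOMCertImport bound the wrong certificate, which is fixed by deleting the value and re-running it elevated.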
Pete
Cross-Platform Monitoring
• OpsMgr 2007 R2 extends agent-based monitoring to *NIX systems
• Can be installed remotely from the console
• Target *NIX systems can be outside the Kerberos boundary
Rory
Demo: Cross-Platform Agent Deployment in OpsMgr
Rory McCaw, Principal Consultant, Infront Consulting Group
OpsMgr Cross-Platform Issues
Ports
• TCP 22 (discovery with SSH)
• TCP 1270 (agent communication via WS-Man)
Certificate errors
• Prerequisite issues
• Hostname mismatch
WinRM errors
• Basic authentication not enabled; enable it with:
  winrm set winrm/config/client/auth @{Basic="true"}
Run As execution
• Unix Action Account and Unix Privileged Account
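The following added example (editor's code, not from the session) turns the cross-platform issues list into a pre-flight check run from the management server: it probes TCP 22 and 1270, pulls the certificate the agent presents on 1270 and tests it for the hostname mismatch the slide warns about, confirms the local WinRM client allows Basic authentication (the winrm set command above), and, when a credential is supplied, makes the same Basic-over-SSL WS-Man identify call that OpsMgr makes. The target name rhel01.contoso.local is a placeholder; the credential is assumed to be the UNIX action account.

```powershell
# Added example (editor's code, not from the session). Pre-flight checks for a cross-platform agent,
# run from the management server. Assumed: $Target is the *NIX host's FQDN exactly as the management
# server resolves it, and $Credential (optional) is the UNIX action account.
function Test-XplatAgent {
    param(
        [string]$Target = 'rhel01.contoso.local',                # hypothetical *NIX host
        [System.Management.Automation.PSCredential]$Credential  # UNIX action account, optional
    )
    $r = @{}

    # Ports used by the console: 22 for SSH discovery/deployment, 1270 for WS-Man agent traffic.
    foreach ($port in 22, 1270) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try     { $r["Tcp$port"] = $tcp.BeginConnect($Target, $port, $null, $null).AsyncWaitHandle.WaitOne(5000) -and $tcp.Connected }
        catch   { $r["Tcp$port"] = $false }
        finally { $tcp.Close() }
    }

    # Fetch the certificate the agent presents on 1270 and check it the way OpsMgr will: the subject CN
    # must equal the FQDN used to reach the host ("hostname mismatch" otherwise), and the chain must
    # validate on this server once the agent certificate has been signed and imported.
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Target, 1270)
        # The callback accepts anything: we are inspecting the certificate here, not trusting it.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Target)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.AgentCertSubject = $cert.Subject
        $r.AgentCertExpired = $cert.NotAfter -lt (Get-Date)
        $r.HostnameMatches  = $cert.Subject -match ('CN=' + [regex]::Escape($Target) + '(,|$)')
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.AgentCertTrusted = $chain.Build($cert)
        $r.AgentChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    } catch { $r.AgentCert = "TLS to ${Target}:1270 failed: $($_.Exception.Message)" }
    finally { if ($ssl) { $ssl.Close() }; if ($tcp) { $tcp.Close() } }

    # The WinRM client on this server must allow Basic authentication (the slide's winrm set command).
    $basic = Get-Item WSMan:\localhost\Client\Auth\Basic -ErrorAction SilentlyContinue
    $r.WinRmClientBasic = if ($basic) { $basic.Value -eq 'true' } else { 'WSMan: drive unavailable' }

    # With credentials, perform the same WS-Man identify call OpsMgr makes: Basic over SSL to port 1270.
    if ($Credential) {
        try   { $r.WsManIdentify = (Test-WSMan -ComputerName $Target -Port 1270 -UseSSL -Authentication Basic -Credential $Credential -ErrorAction Stop).ProductVersion }
        catch { $r.WsManIdentify = "FAILED: $($_.Exception.Message)" }
    }
    New-Object PSObject -Property $r
}

Test-XplatAgent | Format-List
```

Basic authentication sends the UNIX account password in the HTTP Authorization header, which is why the agent listens only over SSL on 1270; never relax that to plain HTTP to work around a certificate error, fix the hostname or trust problem the script reports instead.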
Rory
Monitoring CA Health
PKI Health Tool: monitors CA health and current activity; included in the Windows Server 2008 OS; provides visual indicators of health. To launch: Start > Run > PKIView.msc
Rory
[PKIView screenshot: Enterprise CA hierarchy showing the status of the Authority Information Access (AIA) and CRL Distribution Points (CDP) locations; OM Cert]
Monitoring Certificate Health
• All certificates have an expiration date
• Certificate validity can be monitored with Operations Manager, but there is no off-the-shelf Microsoft solution
• Solution: the PKI Certificate Verification MP, which alerts on certificate health issues including: a certificate’s lifetime is about to expire; a certificate’s lifetime has ended; the certificate has been revoked
[Diagram: a certificate checked against the CRL and the root certificate, with a failed check marked X]
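The following added example (editor's code; not from the session and not the PKI Certificate Verification MP) shows the checks such a monitor has to perform: it walks a certificate store, builds each chain with online CRL retrieval, and classifies every certificate as Healthy, Expiring, Expired, Revoked, CRL unreachable or Chain error. The 30-day warning window and the store path are assumptions; the ordering of the states is deliberate so that an expired certificate is reported as expired even when its CRL is also unreachable.

```powershell
# Added example (editor's code, not the PKI Certificate Verification MP and not from the session).
# Classifies every certificate in a store by the conditions the MP alerts on, so it can back a
# scheduled job or a script monitor. Assumed: run on the machine whose store is being checked.
function Get-CertificateHealth {
    param([int]$WarnDays = 30, [string]$StorePath = 'Cert:\LocalMachine\My')
    $now = Get-Date
    Get-ChildItem $StorePath | ForEach-Object {
        $c = $_
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'        # fetch CRLs from the CDP URLs on the certs
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'   # check every CA in the path, not just the leaf
        $null = $chain.Build($c)
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        # Order matters: expiry first, then revocation, then an unreachable CRL, then the warning window.
        $state = if ($c.NotAfter -lt $now) { 'Expired' }
                 elseif ($status -contains 'Revoked') { 'Revoked' }
                 elseif ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation') { 'CRL unreachable' }
                 elseif ($c.NotAfter -lt $now.AddDays($WarnDays)) { 'Expiring' }
                 elseif ($status.Count -gt 0) { 'Chain error' }
                 else { 'Healthy' }
        New-Object PSObject -Property @{
            State = $state; DaysLeft = [int]($c.NotAfter - $now).TotalDays
            Subject = $c.Subject; Thumbprint = $c.Thumbprint; NotAfter = $c.NotAfter
            ChainStatus = ($status -join ',')
        }
    }
}

# Summary, soonest-to-expire first; a script monitor would instead return one state per certificate.
Get-CertificateHealth | Sort-Object DaysLeft | Format-Table State, DaysLeft, Subject, ChainStatus -AutoSize
```

Run it against Cert:\LocalMachine\My on agents and gateways and against Cert:\LocalMachine\Root where the CA certificate itself is the concern; a "CRL unreachable" result on a downstream node is the same condition that makes OpsMgr certificate authentication fail, so it is worth alerting on before the channel breaks.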
Rory
Birds of a Feather session on Thursday: System Center Questions... Answered!!
Question & Answer
Resources
• www.microsoft.com/teched – Sessions On-Demand & Community
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers
• www.microsoft.com/learning – Microsoft Certification & Training Resources
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.