

SCCM 2007 Native Mode - fun with certificates

5th July 2012 at 05:11 PM
This is going to be a quick one while it is fresh in my mind because if I don't write this down straight away it will never get written down (see: the rest of the virtualization posts. Or rather, don't see them, because I stopped writing them when I got too busy getting on with it).

Pretty much every guide I see on SCCM2007, including and @TheScarfedOne's excellent missives here, say to install in mixed mode. Pfft, says I, how boring and lacking in ambition; if I wanted a life without challenge and frustration I wouldn't be working in IT. I figure, if I'm setting this up fresh for the first time, I may as well do it right.

Native mode requires certificates left, right and centre, and possibly also above and below, and some of these have been less-than-well-documented. So here are some hints for the daft problems I came up against today. You'll want this page open in another tab, as it's the step-by-step guide you need to the three kinds of certificate, so the following points are just my addendums to this guide:

The certificate required for installation in Native mode is pretty easy if you have your PKI set up already, as you can just request it through the web interface. The web interface of your Enterprise CA may not work very well until you set the Certificate Services site up with SSL, though; once you do that and access it through https, it works much better than through plain http (where it doesn't work at all). When setting up the template as in the linked guide, while you're in the Duplicate Template dialog, go to the Request Handling tab and make sure you tick "Allow private key to be exported". The web interface for the certificate request doesn't let you import straight into the Local Computer store; it installs the certificate into the Personal store of the current user instead, so you have to export it from there with the private key and reimport it into the Local Computer Personal store. Check the validity period as well; you may want to extend it to make your life easier in future.

The certificate required for the web site is more of a pain in the proverbial, as it's requested through MMC - or at least, it was more of a pain for me. I'd continued down the TechNet article linked above, but the request kept failing with "The RPC server is unavailable", which is a very unhelpful error that hides a multitude of problems. There is a lengthy troubleshooting guide on TechNet, and typically it was the very last step that seemed to be my issue - my servers weren't permitted to access the DCOM interface. However, that troubleshooting guide is written around 2003R2, and the CERTSVC_DCOM_ACCESS group doesn't exist in 2008R2 - so you need the top answer here to get it working where your CA is 2008R2 (may only be an issue where your CA is also a DC, as mine is).

The last thing required - at least, as far as I've found so far; I'm testing tomorrow - is automatically issuing certificates to machines. The instructions linked above work quite well, but be aware that your certificate authority has to be using the SHA1 hash algorithm, otherwise client certs won't work. If you've already set your CA up with a different hashing algorithm (*cough*) then you can change it, but you need to reissue your CA certificates and republish your CRL (with certutil -crl) once you've made the registry edit. Once it's done, though, you should start seeing certificates build up in the issued area as soon as workstations refresh policy - they shouldn't need to restart.

And finally, when installing a client manually on a test machine, you need to use the /native flag straight after the path to the .exe - so before the /mp: flag. Make sure you use the FQDN of your management point with that /mp: flag as well, else you'll get WINHTTP_CALLBACK_STATUS_SECURE_FAILURE and WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID errors (the final line in the client log - C:\Windows\ccmsetup\ccmsetup.log - will state "Error at WinHttpSendRequest: 12175"). This is because the web server certificate should, if set up correctly, be using the FQDN of your management point, so it will fail if you only use the NetBIOS name.
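
A small triage helper for the ccmsetup points above, added here as an example and not taken from the post or from Microsoft: it checks the flag order, whether the /mp: value is an FQDN that matches a name in the web server certificate, and whether the log lines carry the error strings quoted above. The function name, host names, certificate names and log lines are constructed for illustration, and the name comparison is a plain case-insensitive equality check rather than full WinHTTP matching.

```powershell
# Added example. Host names, certificate names and log lines are constructed.
function Test-CcmSetupInvocation {
    param(
        [string]   $CommandLine,   # the ccmsetup.exe command as typed
        [string[]] $CertDnsNames,  # names in the MP web server certificate
        [string[]] $LogLines       # contents of ccmsetup.log
    )
    $findings = @()

    # /native has to come straight after the path to the .exe, before /mp:
    if ($CommandLine -notmatch 'ccmsetup\.exe"?\s+/native(\s|$)') {
        $findings += '/native is not the first flag after ccmsetup.exe'
    }

    # Pull out the management point name given to /mp:
    $mp = $null
    if ($CommandLine -match '\s/mp:(\S+)') { $mp = $Matches[1] }
    if (-not $mp) {
        $findings += 'no /mp: flag found'
    } else {
        if ($mp -notmatch '\.') {
            $findings += "/mp:$mp is a NetBIOS (single-label) name, not an FQDN"
        }
        # Simplified check: the name used must equal a name in the certificate
        if (-not ($CertDnsNames | Where-Object { $_ -ieq $mp })) {
            $findings += "/mp:$mp matches none of: $($CertDnsNames -join ', ')"
        }
    }

    # The log signatures quoted in the post for a certificate name mismatch
    $pattern = 'WinHttpSendRequest: 12175|CERT_CN_INVALID|STATUS_SECURE_FAILURE'
    $hits = @($LogLines | Where-Object { $_ -match $pattern })
    if ($hits.Count -gt 0) {
        $findings += "$($hits.Count) log line(s) show the certificate name failure"
    }
    return $findings
}

# Constructed sample data
$certNames = @('sccm01.corp.example')
$log = @(
    'WINHTTP_CALLBACK_STATUS_SECURE_FAILURE'
    'WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID'
    'Error at WinHttpSendRequest: 12175'
)
# Wrong flag order plus NetBIOS name: every check reports a finding
Test-CcmSetupInvocation 'C:\Temp\ccmsetup.exe /mp:SCCM01 /native' $certNames $log
# Correct order and FQDN with a clean log: no findings
Test-CcmSetupInvocation 'C:\Temp\ccmsetup.exe /native /mp:sccm01.corp.example' $certNames @()
```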

Hope that helps any brave souls out there tackling Native mode as well...!

UPDATE: As was pointed out to me, SCCM2012 is proper out now, rather than pretend out, so I've shifted to that instead. The PKI for that is similar to the above, and if anything a little simpler as the Site Server Signing Certificate no longer exists, and an entire (and apparently complete) step-by-step is available on TechNet. Still, it may only have been straightforward for me because of the steps I went through above, so this may still be relevant to someone out there.

Updated 16th July 2012 at 02:39 PM by sonofsanta



