Tuesday, August 30, 2011

Using Internal Certificates with SCOM on Windows Server 2008 Part 1

A while back I wrote a series of blog posts around using Public Certificates with SCOM - 'Using Public Certificates With SCOM Part 1' - and thought that it wouldn't be a complete overview of using SCOM with certificates unless I covered the use of an internal PKI infrastructure too.

The following few posts are based on my experiences of using SCOM with an internal Certificate Authority on Windows Server 2008. I have broken each post down into separate sets of tasks that need to be completed as you move through the process to make things easier to follow.

Overview

 Here's a high-level overview of the process:
  • Download the Trusted Root (CA) certificate
  • Import the Trusted Root (CA) certificate
  • Create a certificate template
  • Request a certificate from the enterprise CA
  • Import the certificate into SCOM

In this first part of the series, I will be focusing on downloading and then importing the Trusted Root Certificate Authority (CA) certificate to the server(s) that you want to use certificate authentication with.

Downloading the Trusted Root (CA) Certificate

Log on to the computer where you want to install a certificate, e.g. the Root Management Server (RMS), a Management Server (MS), a Gateway server, or a server in an untrusted domain or DMZ.
Start Internet Explorer and connect to the Certificate Enrolment URL on the computer hosting Certificate Services, for example http://<servername>/certsrv




On the Welcome page, click Download a CA certificate, certificate chain, or CRL.
On the Download a CA Certificate, Certificate Chain, or CRL page, under Encoding method select Base 64, and then click Download CA certificate. This gives you the CA's own (self-signed) certificate as a .cer file, which is what belongs in the Trusted Root store. If the CA that will issue your SCOM certificates is a subordinate CA rather than the root, click Download CA certificate chain instead: you get a .p7b containing the whole chain, and the root goes into Trusted Root Certification Authorities while any intermediates go into Intermediate Certification Authorities.

If you are using Windows Server 2008 with Internet Explorer 7 or higher, you will more than likely come across an ActiveX error when you get to the next page, similar to the one in the screenshot below.


 
To resolve this issue, open Internet Explorer properties and go to the ‘Security’ tab, then click on ‘Trusted Sites’ and then select the ‘Sites’ button.

 
Add http://<servername>/certsrv to the Websites list and untick 'Require server verification (https:) for all sites in this zone'. This last step can be omitted if your enrolment URL is published over https rather than http. Bear in mind that over plain http nothing protects the download from being tampered with on the wire, so before you place the file in the Trusted Root store, compare its thumbprint with the CA certificate's thumbprint taken from the CA itself (Certification Authority console, CA Properties, General tab, View Certificate).

 
Back on the 'Security' tab with 'Trusted Sites' highlighted, change the security level to 'Low' as the diagram below shows. 'Low' lets ActiveX controls run without prompting for every site in the zone, so once the download is done, put the zone back to its default level and remove the certsrv URL from the list again.


Now you should be able to browse back to the http://<servername>/certsrv homepage and, once more, click the 'Download a CA certificate, certificate chain, or CRL' link.
If you now see an ActiveX error and a Web Access Confirmation window like the ones below, you should be able to click 'Yes' on each of them to continue.


 
Now you should be able to select the Encoding method (Base 64) and click the 'Download CA certificate' option in the window that opens, as shown below.

 
In the File Download dialog box, click Save, and save the certificate with a relevant name and the .cer extension, for example C:\rootcert.cer (this is the file name the import step below refers to).



When the download has finished, close Internet Explorer.

Importing the Trusted Root (CA) Certificate

On the Windows desktop, click Start, and then click Run.

In the Run dialog box, type mmc, and then click OK.

In the Console1 window, click File, and then click Add/Remove Snap-in.

In the Add or Remove Snap-ins dialog box (Windows Server 2008 ships MMC 3.0, so there is a single dialog rather than the separate Standalone Snap-in dialog of earlier versions), select Certificates in the Available snap-ins list, and then click Add.

In the Certificates snap-in dialog box, select Computer account, and then click Next. Do not pick My user account here: the OpsMgr service looks for certificates in the computer's stores, not the logged-on user's.

In the Select Computer dialog box, ensure that Local computer: (the computer this console is running on) is selected, and then click Finish.

In the Add or Remove Snap-ins dialog box, click OK.

In the Console1 window, expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and then click Certificates.

Right-click Certificates, select All Tasks, and then click Import as the screenshot below shows


In the 'Certificate Import Wizard' window, click 'Next'

 
On the File to Import page, click Browse, go to the location where you saved the CA certificate file, for example C:\rootcert.cer, select the file, click Open, and then click Next.

 
On the 'Certificate Store' page, select Place all certificates in the following store, ensure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.


On the 'Completing the Certificate Import Wizard' page, click Finish to complete the process.
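The same download-and-import procedure can be scripted, which is handy when several gateway or DMZ servers need the root certificate. The following PowerShell is an added example, not code from the original post. It targets the PowerShell 2.0 that ships with Windows Server 2008/2008 R2, so it uses the .NET X509 classes rather than the newer PKI module cmdlets, and it adds the check the GUI steps leave out: the thumbprint of the downloaded file is compared with a value obtained out of band before anything is trusted. The CA host name, output path and expected thumbprint are placeholders you must replace.

```powershell
# Added example (not from the original post): download the enterprise CA's
# root certificate from the Certificate Services web enrolment pages, verify
# its thumbprint, and import it into Local Computer > Trusted Root
# Certification Authorities. Runs on PowerShell 2.0 (Windows Server 2008).
# ASSUMPTIONS: $caServer, $outFile and $expectedThumbprint are placeholders.

$caServer           = 'ca01.corp.example'                        # assumed CA host name
$outFile            = 'C:\rootcert.cer'                           # same file name the post uses
$expectedThumbprint = '0000000000000000000000000000000000000000'  # assumed; take it from the CA console

# certnew.cer?ReqID=CACert&Renewal=0&Enc=b64 is the link behind "Download CA certificate"
# on the /certsrv pages (current CA certificate, Base 64 encoding).
$url = "http://$caServer/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Enc=b64"
$web = New-Object System.Net.WebClient
$web.UseDefaultCredentials = $true        # the certsrv directory normally requires Windows authentication
$web.DownloadFile($url, $outFile)

# Load the downloaded file and check it before placing any trust in it.
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($outFile)

if ($caCert.Thumbprint -ne $expectedThumbprint) {
    throw "Thumbprint $($caCert.Thumbprint) does not match the expected value; not importing."
}
if ($caCert.Subject -ne $caCert.Issuer) {
    # Only a self-signed certificate belongs in the Trusted Root store. A subordinate
    # CA's certificate goes into Cert:\LocalMachine\CA (Intermediate Certification
    # Authorities), with its root in Cert:\LocalMachine\Root.
    throw "Certificate is not self-signed (issuer: $($caCert.Issuer)); not a root CA certificate."
}

# Equivalent of the MMC import into Certificates (Local Computer) > Trusted Root Certification Authorities.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($caCert)
$store.Close()

# Read the store back to confirm the import actually landed in the right place.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $caCert.Thumbprint }
if ($installed) {
    "Imported '$($caCert.Subject)' (valid until $($caCert.NotAfter)) into Trusted Root Certification Authorities."
} else {
    throw "Import reported success but the certificate is not present in Cert:\LocalMachine\Root."
}
```

Run it from an elevated PowerShell prompt, since writing to the Local Computer stores needs administrator rights. If you would rather not use the .NET store classes, `certutil -addstore -f Root C:\rootcert.cer` performs the same import once you have checked the thumbprint, and `certutil -store Root` lists what is in the store afterwards.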

At this point you should have the Trusted Root CA certificate downloaded and installed on your server and be ready to move on to the next step. In Part 2 of this blog series, I will explain how to create a certificate template in the Windows Server 2008 Certification Authority so that the servers you want to monitor can request their certificates from the CA quickly and simply.

11 comments:

  1. Kevin,
I have a question. I am getting this error, but it is because someone at this institution had installed SCOM 2007R2 previously. I made sure the agent was uninstalled from the server (SQL Cluster Node 1) and then installed the agent from the OpsMgr discovery wizard. The agent is trying to connect to the old server name, not the new one. I did a search for the old server name in the registry and changed the one entry to the new server name. I am not sure if this is going to resolve the issue or not. Do you have any suggestions? The SQL Clustered server is otherwise monitored and healthy in the SCOM 07R2 console. I found this because I was researching a script failure. Thanks! Stoney

  2. to clarify, the error is "The OpsMgr Connector could not connect to SCOMPROD.old-server-name:5723. The error code is 11004L(The requested name is valid, but no data of the requested type was found.). Please verify there is network connectivity, the server is running and has registered it's listening port, and there are no firewalls blocking traffic to the destination."

    Replies
    1. Hi Stoney,

      Thanks for the comment!

      The SCOM agent can 'multi-home' itself to up to four different SCOM management groups but it sounds like your agent is only 'homed' to the old management group. You can manually install the agent from the new management group and see if that resolves the issue for you - just modifying a registry key probably isn't the best way to do it!

      Check out this link for information on multihoming and manually installing agents:

      http://technet.microsoft.com/en-us/library/cc180900.aspx

      Hope this helps!

      Kevin

Man, thanks. You rock. I appreciate it and will report back on the manual install success. Thanks for the link. You can't imagine how much your blogs and posts have helped me setting up SCOM. I have close to 200 licenses, but we have over 1000 servers here. We will probably be doing a large scale deployment within the year.
    Stoney

    Replies
    1. No problem Stoney! Thanks for reading the blog and glad it's helping you out :)

      Feel free to ask for any advice that you need for your SCOM deployment and if you don't mind a delayed response from time to time, then I'll be happy to answer for you!

      Kevin.

    2. Hi Kevin


      These are the error messages on the GATEWAY server:

      EVENT 20067 - A device at IP 192.168.5.26:5723 attempted to connect but the certificate presented by the device was invalid. The connection from the device has been rejected. The failure code on the certificate was 0x800B0109 (A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.).
      EVENT 21002 - The OpsMgr Connector could not accept a connection from 192.168.5.26:5723 because mutual authentication failed.
      EVENT 20071 - The OpsMgr Connector connected to xxx066X.XXXSOFT.COM, but the connection was closed immediately without authentication taking place. The most likely cause of this error is a failure to authenticate either this agent or the server . Check the event log on the server and on the agent for events which indicate a failure to authenticate.
      EVENT 21016 - OpsMgr was unable to set up a communications channel to xxxP066X.xxxxxSOFT.COM and there are no failover hosts. Communication will resume when xxxPP066X.xxxxSOFT.COM is available and communication from this computer is allowed.

      Please advise where am I going wrong.

      Thanks

    3. Hi there,

It looks like the Root certificate for the CA isn't trusted. I'd recommend that you go through all the steps in these posts again, paying particular attention to the Root CA cert import location, and you should be fine.

      Kevin.

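The 0x800B0109 in the commenter's event 20067 is CERT_E_UNTRUSTEDROOT: the certificate presented by the peer chained up to a root that is not in the Trusted Root store of the machine logging the event. The following PowerShell is an added diagnostic, not code from the original post or from the commenter, that reproduces the trust provider's chain build on whichever server logs the error (agent, gateway or management server) so you can see which root is missing. It looks for the certificates OpsMgr can use (Local Computer Personal store, private key present, Server Authentication and Client Authentication EKUs) and reports the chain status for each. Revocation checking is turned off deliberately so that CRL reachability does not mask the trust question. It runs on PowerShell 2.0 and uses no names from the comment thread.

```powershell
# Added example (not from the original post): find the certificate(s) OpsMgr could
# use for mutual authentication on this computer and build the chain the way the
# trust provider does. An UntrustedRoot status is what surfaces as 0x800B0109
# (CERT_E_UNTRUSTEDROOT) in event 20067. Runs on PowerShell 2.0 (Windows Server 2008).

$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

# Return the EKU OIDs of a certificate (empty list if it has no EKU extension).
function Get-EkuOids($cert) {
    $ext = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
}

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $oids = Get-EkuOids $_
    $_.HasPrivateKey -and ($oids -contains $serverAuth) -and ($oids -contains $clientAuth)
}

if (-not $candidates) {
    "No certificate in Cert:\LocalMachine\My has a private key plus Server and Client Authentication EKUs."
    "OpsMgr cannot authenticate with certificates on this computer until one is requested and imported."
}

foreach ($cert in $candidates) {
    "Candidate: $($cert.Subject)  thumbprint $($cert.Thumbprint)  expires $($cert.NotAfter)"

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Separate "is the root trusted?" from "can I reach the CRL?"; re-enable once the root is sorted.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    if ($chain.Build($cert)) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        "  chain OK, terminates in trusted root: $($root.Subject)"
    } else {
        foreach ($s in $chain.ChainStatus) {
            "  $($s.Status): $($s.StatusInformation.Trim())"
            if ($s.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::UntrustedRoot) {
                $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
                "  -> 0x800B0109 (CERT_E_UNTRUSTEDROOT): import '$($top.Subject)' into Cert:\LocalMachine\Root on THIS computer."
            }
        }
    }
}
```

Run it on the computer that logged event 20067, because that is where the trust decision was made: in the commenter's case the gateway rejected the agent's certificate, so the root CA certificate has to be in the gateway's Local Computer Trusted Root store, not only the agent's. If the chain builds cleanly on both sides and 20067 still appears, the certificate being presented is not the one you checked; confirm which thumbprint MOMCertImport registered on each machine before looking any further.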
  4. Hi Kevin

    Thanks for posting this article. Great job!!! Just one point I wanted to clarify. Do we have to perform the download and import certificates step on both the SCOM and the workgroup systems? I want to monitor one workgroup server using SCOM 2012.
    Thanks again.
    Regards
    Dipan

  5. Hi Kevin,

How do I renew the trusted root certificate if it is going to expire very soon?

Hi Kevin, how do I renew the trusted root certificate if it is going to expire soon?

  7. Hi Kevin,

Can I multihome DMZ servers? If yes, how can I do so? Please provide me the steps. Thanks in advance.

    Regards,
    Rahul P
