Archive for the ‘Certificates’ Category

Windows 2003 Stand alone Certificate Server

July 20, 2010

I found the information that Layne posted here:
http://social.technet.microsoft.com/Forums/en-US/operationsmanagerdeployment/thread/7e8dde55-6e55-4109-8da5-85a93fa64ea0
extremely useful when I was onsite the other day. The customer had a Windows 2003 stand-alone certificate server, and the servers to be monitored had no connectivity to the certificate server.

I found that the standard template documented for use with certreq didn't work, but the following, which Layne gave in his post, did the trick.

[Version]
Signature="$Windows NT$"
[NewRequest]
; Subject: the CN must be the agent's computer name (FQDN for a domain member,
; plain machine name for a workgroup machine)
Subject = "CN=agent.contoso.com,OU=MyOU,O=MyOrg,L=MyCity,S=MyState,C=US"
KeySpec = 1
KeyLength = 1024
; 0xa0 = Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xa0
ProviderName = "Microsoft RSA Schannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
Exportable = TRUE
; MachineKeySet = TRUE puts the private key in the machine store, not the user's
MachineKeySet = TRUE
UseExistingKeySet = FALSE
[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2

What if agent can’t access certificate server?

November 21, 2009

First, it depends on whether you are using a Windows 2003 CA or a Windows 2008 CA:
http://technet.microsoft.com/en-us/library/bb735417.aspx
http://technet.microsoft.com/en-us/library/dd362655.aspx

For Windows 2008, expanding on the URL above:

The high-level process to obtain a certificate from a stand-alone certification authority (CA) is as follows:

1. Download the Trusted Root (CA) certificate. Do this on a machine that has access to the certificate server, then copy it to the workgroup machine.

2. Import the Trusted Root (CA) certificate on the workgroup machine.

3. Create a setup information file to use with the CertReq command-line utility. Do this on the workgroup machine.

4. Create a request file. Do this on the workgroup machine, then copy the file to a server that has access to the certificate server.

5. Submit the request to the CA, using the request file, from a server that has access to the certificate server.

6. Approve the pending certificate request on the certificate server.

7. Retrieve the certificate from the CA, from a machine that has access to the certificate server.

8. Import the certificate into the certificate store. Copy the certificate to the workgroup computer first.

9. Import the certificate into Operations Manager using MOMCertImport, on the workgroup computer.

10. Then install the agent and approve the install from the OpsMgr console.

Troubleshooting Certificate Problems

July 13, 2009

A few quick pointers:

Read the documentation 😉

http://technet.microsoft.com/en-us/library/bb735408.aspx

I have given a step-by-step walkthrough of a Windows 2008 stand-alone CA here. It will take some time to download as the graphics need tuning, but it fits in with the documentation steps above.

1) Look for event ID 20052 on the agent stating that the "Specified certificate could not be loaded because the subject name on the certificate does not match the local computer name". For a domain machine the FQDN is needed in the subject name of the certificate; for a workgroup machine you need just the machine name. When you right-click My Computer and select Properties, the Computer Name tab shows the Full Computer Name for the box; this is what goes in the subject name of the cert. (Thanks to Lincoln Atkinson of MSFT for that information.)

2) Look for event ID 20053 after running MOMCertImport; this indicates the cert was loaded properly.

3) Make sure you can ping the FQDN of the RMS from the agent.

4) Obviously, make sure that in Operations Manager you have enabled Manual Agent Installs and approved the agent. You can do this under Administration, Settings, Server, Security.

If everything looks good yet the server still shows as Unmonitored, check permissions. A quick check with the HSLockdown tool might show that the agent action account doesn't have rights (this is usually the case on Domain Controllers when Local System is specified as the Agent Action Account): http://support.microsoft.com/default.aspx/kb/946428
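As an added check, here is a PowerShell script of my own (not from the posts above or from Microsoft) that tests each certificate in the agent's machine store against the conditions these posts describe: the event 20052 subject-name rule, the two EKU OIDs from the certreq INF, the 0xa0 key usage, and a private key in the machine store. The function and variable names are my own; it assumes PowerShell 2.0 or later run on the agent machine.

```powershell
# Added example, not from the post: test the agent's machine certificate against the
# conditions described above before running MOMCertImport. Function and variable
# names are my own. Requires PowerShell 2.0 or later, run on the agent machine.

$RequiredEkuOids = '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'   # Server Auth, Client Auth (as in the INF)

# "Full computer name" as shown on the Computer Name tab: host name plus primary DNS
# suffix on a domain member, bare host name on a workgroup machine (event 20052 rule).
function Get-ExpectedSubjectName {
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($ip.DomainName) { "$($ip.HostName).$($ip.DomainName)" } else { $ip.HostName }
}

function Test-OpsMgrCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    $expected = Get-ExpectedSubjectName

    # Subject CN must equal the local computer name, otherwise the agent logs 20052
    $cn = ($Cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    if ($cn -ne $expected) { $problems += "subject CN '$cn' does not match computer name '$expected'" }

    # Both Server Authentication and Client Authentication EKUs must be present
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @(); if ($eku) { $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    foreach ($oid in $RequiredEkuOids) { if ($present -notcontains $oid) { $problems += "missing EKU $oid" } }

    # KeyUsage = 0xa0 in the INF means Digital Signature (0x80) + Key Encipherment (0x20)
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        $need = [int]$flags::DigitalSignature -bor [int]$flags::KeyEncipherment
        if (([int]$ku.KeyUsages -band $need) -ne $need) { $problems += "key usage is '$($ku.KeyUsages)'; need DigitalSignature and KeyEncipherment" }
    }

    # MachineKeySet = TRUE: the private key must be present in the machine store
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the LocalMachine store' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($Cert.NotAfter)" }
    return ,$problems
}

# Report every certificate in the machine's personal store; a FAIL line lists the reasons
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $problems = Test-OpsMgrCertificate -Cert $cert
    if ($problems.Count -eq 0) { "OK   $($cert.Thumbprint)  $($cert.Subject)" }
    else { "FAIL $($cert.Thumbprint)  $($cert.Subject)"; $problems | ForEach-Object { "     - $_" } }
}
```

Run it from an elevated prompt so the private-key check can see the machine key container; a certificate that passes every line here is the one to hand to MOMCertImport.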