ShashiDubey-3691 asked ·

Certificate needed for client authentication in CMG

Hi Everyone,

Hope everyone is doing well and being safe!

Need someone's expertise to understand the authentication procedure of clients with cloud management gateway.

As per the current Microsoft documentation, if we have a cert issued by a known third-party cert provider like DigiCert, we don't need the trusted root certificate for the client to trust the issuer.

But since certificate authentication is a two-way process, even though the client would be able to trust the cert and the server identity (so it could borrow the content from these servers), how could the server trust the identity of these clients?

I need someone's help: does the client need to have some kind of cert or identity to make itself trusted, considering it is not Hybrid/Azure AD joined?

Hope someone's experience can help me out to clear this confusion :).

Thanking you in advance!!

Regards,

Shashi Dubey

Tags: mem-cm-general, mem-cm-osd

Jason-MSFT answered ·

It's not clear exactly what you are asking here. PKI certificate trust is based on trusting the PKI that issued the certificate. That's generally the whole point of using a public CA like DigiCert as certs they issue are automatically trusted by all devices as Microsoft configures Windows to do this by default.

Note though that trusting the identity of a client doesn't mean the client itself is trusted to gain access to anything. In this case, it simply means that ConfigMgr will manage the device. This is no different than any credential; specifically, just because you have the credential and can authenticate doesn't mean you can actually access anything as authorization is separate and must still be granted.

Also, keep in mind that every client requires its own, unique client auth certificate. For this reason, it's generally impractical to use a public CA for client auth certificates as it's a recurring expense and recurring logistic nightmare to renew these individual certs on every managed device.

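As an added illustration of the point above (not code from the thread or from Microsoft), this PowerShell check lists the client-authentication certificates a managed device holds and reports whether each one chains to a root the machine trusts, and which root that is, since the server side has to trust that same issuing PKI. It assumes the client cert is in the LocalMachine\My store and carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2).

```powershell
# Added example: inventory client-auth certs on this device and check their chain.
# Assumption: the cert is in Cert:\LocalMachine\My with the Client Authentication EKU.
$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku)
    }

if (-not $candidates) {
    Write-Warning 'No client authentication certificate with a private key was found.'
    return
}

foreach ($cert in $candidates) {
    # Test-Certificate (PKI module) builds the chain and checks validity period,
    # revocation and the requested EKU; it returns $false when any check fails.
    $chainOk = Test-Certificate -Cert $cert -EKU $clientAuthEku -ErrorAction SilentlyContinue

    # Build the chain ourselves too, so we can name the root the server must trust.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Thumbprint   = $cert.Thumbprint
        ChainTrusted = [bool]$chainOk
        ChainRoot    = $root.Subject
        RootInStore  = Test-Path -Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    }
}
```

A device that shows ChainTrusted = False, or whose ChainRoot is an internal CA the gateway has not been given, is one the server side will not be able to authenticate even though the device itself trusts the server.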

Hi Jason,

Thanks a bunch for your precious time and expertise :).

Also, I appreciate you sharing this amazing experience to help clear the query and the best practices for it.

Regards,
Shashi Dubey

SunnyNiu-MSFT answered ·

Agree with what Jason said. Here is also an article we could refer to:
https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/configure-authentication


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



Hi Sunny,

Thanks for this wonderful article!!

Will be sure to refer to it, as it would be an amazing source of knowledge for the basics and fundamentals.

Regards,
Shashi Dubey
