GJ-4375 asked (edited by saldana-msft):

Change IIS binding on MEMCM management point from 3rd-party cert (eHTTP)

Previously, in v2006, I bound a third-party cert to the MP's IIS so that I could test BitLocker. My MP is remote from the site server.

Since I've now upgraded to v2111 I had to enable eHTTP. My third-party cert expires soon, and the documentation says it uses the "SMS Role SSL Certificate" (but obviously it didn't replace the current third-party cert), but I only have the "SMS Token Signing Certificate" available. Do I need to export the "SMS Role SSL Certificate" from the site server and import it into my MP, and if so, into which stores?
(The token signing cert is located in the Trusted People and Personal stores on the MP.)

Also, this article here: https://www.prajwaldesai.com/enable-sccm-enhanced-http-configuration/ states that I want to add it into my trusted root cert store. Is this required? And if so, is this on the site server?
Do I need to distribute any of these certs to clients at all? Apologies, I'm a little confused. I will be starting testing BitLocker again (MBAM migration) soon, so I wanted to check everything was OK and eHTTP is still working (what logs can I check once I change the cert?).

Many Thanks

[two screenshots attached]

Tags: mem-cm-general, mem-cm-site-deployment

Thanks for your posting.

This is a quick note to let you know that I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.
If you have any updates during this process, please feel free to let me know.

Best regards,
Amanda

Amandayou-MSFT answered:

Hi @GJ-4375

Thanks for your update.

Please change the environment to HTTP, and in the certificate binding option select 'Not selected'; wait a moment, then switch back to eHTTP and check whether the certificate is normal on the site server and the MP.

[screenshot: 411.png]

Hi @Amandayou-MSFT,
I finally got this sorted. I had to disable eHTTP, then totally remove the HTTPS binding in IIS. When I re-enable eHTTP, the process creates the HTTPS binding itself with the correct cert. Thanks
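The fix described above (disable eHTTP, remove the stale HTTPS binding, re-enable eHTTP and let the site recreate the binding with its own certificate) can be verified from the MP itself before and after the change. The following PowerShell is an added example for this thread, not code from the original post or from Microsoft. It assumes the MP's site is 'Default Web Site' on port 443, that the eHTTP certificate carries the subject 'SMS Role SSL Certificate' and is issued by the site's 'SMS Issuing' root (the names shown in the thread), and that MPControl.log is in the default remote-MP location C:\Program Files\SMS_CCM\Logs. The function and parameter names are mine.

```powershell
# Added example for this thread, not code from the original post or from Microsoft.
# Run in an elevated Windows PowerShell session on the management point.
# Assumptions (not stated on the page): site 'Default Web Site', port 443, eHTTP cert
# subject 'SMS Role SSL Certificate' issued by 'SMS Issuing', default SMS_CCM\Logs path.
#Requires -RunAsAdministrator
Import-Module WebAdministration

function Get-SmsRoleSslCertificate {
    # The site pushes this certificate into LocalMachine\My on the MP once eHTTP is on;
    # take the newest one in case an older copy is still present.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*SMS Role SSL Certificate*' -and $_.Issuer -like '*SMS Issuing*' } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Get-BoundCertificate {
    param([int]$Port = 443)
    # IIS:\SslBindings maps ip:port (or host:port for SNI) to the bound thumbprint.
    $binding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $Port } | Select-Object -First 1
    if (-not $binding) { return $null }
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.Thumbprint }
}

function Get-ServedCertificate {
    param([string]$HostName = $env:COMPUTERNAME, [int]$Port = 443)
    # Handshake with IIS and return the certificate it actually presents. The callback
    # accepts any chain on purpose: this is a "what is bound" check, not a trust check,
    # and it must work before the SMS Issuing root is trusted on this machine.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    } finally {
        $client.Close()
    }
}

function Test-MpEhttpBinding {
    param([int]$Port = 443,
          [string]$MpControlLog = 'C:\Program Files\SMS_CCM\Logs\MPControl.log')

    $expected = Get-SmsRoleSslCertificate
    $bound    = Get-BoundCertificate -Port $Port
    $served   = Get-ServedCertificate -Port $Port

    [pscustomobject]@{
        SmsRoleSslPresent   = [bool]$expected
        SmsRoleSslExpires   = if ($expected) { $expected.NotAfter } else { $null }
        BoundSubject        = if ($bound) { $bound.Subject } else { '(no HTTPS binding)' }
        BoundThumbprint     = if ($bound) { $bound.Thumbprint } else { $null }
        BoundIsSmsRoleSsl   = [bool]($expected -and $bound -and $bound.Thumbprint -eq $expected.Thumbprint)
        ServedMatchesBound  = [bool]($bound -and $served -and $served.Thumbprint -eq $bound.Thumbprint)
        ExpiresWithin30Days = [bool]($bound -and $bound.NotAfter -lt (Get-Date).AddDays(30))
    }

    # Last few certificate/binding-related lines the MP logged, if the log is where assumed.
    if (Test-Path $MpControlLog) {
        Get-Content $MpControlLog -Tail 300 |
            Select-String -Pattern 'certificate|binding|ssl' |
            Select-Object -Last 10
    }
}

function Remove-StaleHttpsBinding {
    # Mirrors the manual fix from the thread: with eHTTP disabled in the console, drop the
    # old third-party HTTPS binding so that re-enabling eHTTP recreates it with the right cert.
    # Destructive and not called below: HTTPS on the MP is down until eHTTP rebuilds the binding.
    param([string]$SiteName = 'Default Web Site', [int]$Port = 443)
    Get-WebBinding -Name $SiteName -Protocol https -Port $Port | Remove-WebBinding
    Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $Port } | Remove-Item
}

Test-MpEhttpBinding
```

Run the script before the change to record which thumbprint the old third-party binding uses, and again after eHTTP has been re-enabled (allowing the wait the answer below mentions) to confirm that BoundIsSmsRoleSsl and ServedMatchesBound are both True. ServedMatchesBound catches the case where IIS configuration shows one certificate but the HTTP.sys binding still serves another, which is what a stale binding looks like from a client.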
Amandayou-MSFT answered (edited):

Hi,

Based on this article from Microsoft, the certificate is generated automatically and is named the SMS Role SSL Certificate. We can go to the Administration workspace, expand Security, and select the Certificates node. Look for the SMS Issuing root certificate and the site server role certificates issued by the SMS Issuing root, and check whether the name is SMS Role SSL Certificate or SMS Token Signing Certificate.

Then wait up to 30 minutes for the management point to receive and configure the new certificate from the site. So if the certificate is normal, it is not required to import it into the MP.

Do I need to distribute any of these certs to clients at all?

--> Based on my experience, we do not need to distribute these certs.

About the logs, we could check MPControl.log and ADALOperationProvider.log.

Here is the related article we could refer to:
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http#configure-the-site

GJ-4375 answered:

Hi Amanda,

Thanks. There are two SMS Issuing certificates in the admin console, but neither of the other certs (SSL Role or Token Signing) appears there.
[screenshot: admin console Certificates node]

The SMS Role SSL cert only appears on the site server:
[screenshot: site server]

The SMS Token Signing cert only appears on the remote MP:
[screenshot: MP]

I updated the site a few weeks ago to v2111 and I think the issue might be that I already had a cert bound to IIS on the MP.
So I'm still confused which cert to use. Do I import the SSL Role cert into the MP for binding in IIS, or use the SMS Token Signing cert?

Thanks


GJ-4375 answered (edited):

Hi Amanda,

Thanks. Initially, when I enabled eHTTP, there was no "SMS Token Signing Certificate" there; that appeared later (FYI).

What impact does this have on clients etc.?
I will need to put in a change request for this and am actually on holiday for a week, so I will get back to you with the result. Thanks


Hi,

To avoid the influence of a third-party cert, we change the environment from HTTP to eHTTP, so that we hope the SMS Role SSL certificate will then appear on the MP.

Have a good holiday!

Best regards,
Amanda

Hi,

May we know the current status of the question? Have you had a chance to try the above suggestion? If there is any other assistance we can provide, please feel free to let us know; we will do our best to help you.

Thanks and regards,
Amanda

GJ-4375 replied to Amandayou-MSFT:

Hi Amanda, thanks. I currently have a change request in to do this tonight, so hopefully I will be able to update you then. Thanks

GJ-4375 replied to Amandayou-MSFT:

Hi Amanda,

Unfortunately, IIS wouldn't let me pick "Not selected" for HTTPS once I had changed the communication to HTTP. I had to select something (I selected the SMS Token Signing certificate, but after waiting over 30 minutes, no SSL Role cert appeared in the Personal store for me to be able to select it in IIS).

I have currently changed it back to the original third-party cert.
Thanks


Hi @Amandayou-MSFT, do you have any other suggestions for me to try, please? Thanks
