SCCM 2012 : Configure your Clients for internet and workgroup clients
Submitted by Justin on Tue, 02/18/2014 - 22:08
- SCCM 2012 : Server Authentication Certificate Templates
- SCCM 2012 : Client Authentication Certificate Templates
- SCCM 2012 : Deploying Server Authentication Certificate
- SCCM 2012 : Configure your Clients for internet and workgroup clients
Adding Client Certificate through AD Group Policy
Once you have completed Tasks 1-3 (the three preceding pages in this series), you are ready to configure your environment for internet/workgroup clients. Each computer needs its own client certificate created and installed. If the computers are domain joined, you can do this with auto-enrollment through an AD Group Policy.
1. On a computer with RSAT (Remote Server Administration Tools) installed, or on a Domain Controller, open the Group Policy Management Console.
2. Now you can either use an existing GPO or create a new one and link it to an OU that contains your internet clients. For our purposes we will create a GPO and link it to our Workstations OU: right click on the Workstations OU and select "Create a GPO in this domain and Link it here...".
3. Give it a name.
4. Now expand the Workstations OU (or whatever yours is named), right click on your newly created GPO and select Edit.
5. Under Computer Configuration, go to "Policies→Windows Settings→Security Settings→Public Key Policies", right click on "Certificate Services Client - Auto Enrollment" and select Properties.
6. Under Properties set the Configuration Model to Enabled, check "Renew expired certificates, update pending certificates, and remove revoked certificates" and check "Update certificates that use certificate templates".
7. Close all GPO MMC windows.
8. Install the client using the auto-enrolled certificate:
Now we need to install the client with that certificate. Copy the client install files from "\\<PrimarySiteServer>\SMS_ITH\Client" to the local computer, create a text file named "internetsetup.bat" in that folder, paste the following script into it and modify the placeholder values to match your environment. The Rem lines give directions for each value:
Rem Use your internet SCCM server for all of the SCCMSERVER.DOMAIN.COM placeholders below
Rem Replace ABC in SMSSITECODE with your environment's 3-character site code
Rem If the computer will be Internet/Workgroup only, set CCMALWAYSINF=1
Rem If the computer is a domain computer that will sometimes be connected to the internal network and sometimes be on the internet, set CCMALWAYSINF=0
"%~dp0Setup\ccmsetup.exe" /usePKICert /NOCRLCheck mp=https://sccmServer.domain.com FSP=sccmServer.domain.com DNSSUFFIX=domain.com SMSSITECODE=ABC CCMALWAYSINF=1 CCMFIRSTCERT=1 CCMHOSTNAME=sccmServer.Domain.com
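As an added example that is not part of the original post, the following PowerShell script does the checking that the batch file above skips: ccmsetup with /usePKICert fails quietly when no suitable certificate is present, so the script first confirms the auto-enrollment policy from steps 1-7 has applied, then finds a machine certificate issued from the template with the Client Authentication EKU, a private key, a valid chain and this host's FQDN in its SAN, confirms the management point answers on 443, and only then runs the same ccmsetup command line. The template display name, site server and site code are placeholders carried over from the batch file; the AEPolicy flag meaning and CryptoAPI's rendering of the template extension as "Template=<display name>(...)" are assumptions.

```powershell
# Added example, not the page's own script: pre-flight check before ccmsetup /usePKICert.
# Placeholders to change: $TemplateDisplayName, $SiteServer, $SiteCode (values mirror the page).
param(
    [string]$TemplateDisplayName = 'ConfigurationManagerClientTemplate',  # as shown by certutil -dump (assumption: CryptoAPI renders the display name)
    [string]$SiteServer          = 'sccmServer.domain.com',               # placeholder: internet-facing management point
    [string]$SiteCode            = 'ABC',                                  # placeholder: 3-character site code
    [int]   $AlwaysInternet      = 1                                       # CCMALWAYSINF, as in the batch file
)
$ErrorActionPreference = 'Stop'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU
$templateOid   = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information extension

# 1. Has the GPO from steps 1-7 applied? Bit 0 of AEPolicy means auto-enrollment is enabled
#    (assumption: a value of 7 corresponds to Enabled plus both check boxes from step 6).
$ae = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
if (-not $ae -or (($ae.AEPolicy -band 1) -eq 0)) {
    throw 'Auto-enrollment policy not applied here; run gpupdate /force and check the GPO link and OU.'
}

# 2. Pick the newest machine certificate that was issued from the template, carries the
#    Client Authentication EKU, has its private key, chains to a trusted root and names this host.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $tpl -and ($tpl.Format($false) -match [regex]::Escape("Template=$TemplateDisplayName")) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) -and
    $_.HasPrivateKey -and ($_.NotAfter -gt (Get-Date)) -and $_.Verify() -and
    ($_.DnsNameList.Unicode -contains $fqdn)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    certutil -pulse | Out-Null    # nudge auto-enrollment, then let the admin re-run the script
    throw "No usable certificate from template '$TemplateDisplayName' for $fqdn in LocalMachine\My."
}
Write-Host "Using client certificate $($cert.Thumbprint) ($($cert.Subject)), valid until $($cert.NotAfter)"

# 3. The HTTPS management point must answer on 443 before ccmsetup is worth attempting.
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($SiteServer, 443) }
catch   { throw "Cannot reach $SiteServer on TCP 443: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 4. Same command line as the page's internetsetup.bat, built from the parameters above.
$setupArgs = @(
    '/usePKICert', '/NOCRLCheck',
    "mp=https://$SiteServer", "FSP=$SiteServer",
    "DNSSUFFIX=$($fqdn.Substring($fqdn.IndexOf('.') + 1))",
    "SMSSITECODE=$SiteCode", "CCMALWAYSINF=$AlwaysInternet",
    'CCMFIRSTCERT=1', "CCMHOSTNAME=$SiteServer"
)
& (Join-Path $PSScriptRoot 'Setup\ccmsetup.exe') @setupArgs
```

Run it from the same folder layout as the batch file (ccmsetup.exe under Setup\) in an elevated PowerShell session; every check throws with a specific reason instead of letting ccmsetup fail later in ccmsetup.log.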
Make Certificate from a Script
I have written the following script to create a certificate from a batch file. Run it on a domain-joined computer while logged in as a domain admin, by right-clicking the batch file and choosing "Run as administrator".
1. In the "\\<PrimarySiteServer>\SMS_ITH\Client" folder, carry out steps 2-5.
2. Create a text file and name it "CreateCert.bat".
3. Edit the "CreateCert.bat" file with Notepad.
4. Copy the following text into it and change the placeholder values to match your environment. The Rem line above each placeholder explains what to put there:
@echo off
setlocal enabledelayedexpansion
echo type NetbiosName of computer
set /p input1=:
Rem Trim leading and trailing spaces from the typed name (the !var! syntax below needs the setlocal above)
for /f "tokens=* delims= " %%c in ("%input1%") do set input1=%%c
for /l %%a in (1,1,100) do if "!input1:~-1!"==" " set input1=!input1:~0,-1!
echo %input1%
Rem Change "domain.com" in the following line to your internal AD DNS domain name
set input=%input1%.domain.com
echo %input%
rem Create an INF request file with the specified subject name, next to this batch file
echo Generating *.inf file for certificate request for server %input%
REM Change ConfigurationManagerClientTemplate below to the name of the Certificate Template you created. Remember to use the template Name, NOT the Display Name.
echo ;-----ConfigurationManagerClientTemplate.inf----- > "%~dp0%input%.inf"
echo [NewRequest] >> "%~dp0%input%.inf"
echo Subject="cn=%input%" >> "%~dp0%input%.inf"
echo Exportable=TRUE >> "%~dp0%input%.inf"
echo KeyLength=2048 >> "%~dp0%input%.inf"
echo KeySpec=1 ;key exchange >> "%~dp0%input%.inf"
echo KeyUsage=0xA0 >> "%~dp0%input%.inf"
echo MachineKeySet=TRUE >> "%~dp0%input%.inf"
echo [RequestAttributes] >> "%~dp0%input%.inf"
REM Change ConfigurationManagerClientTemplate below to the name of the Certificate Template you created. Remember to use the template Name, NOT the Display Name.
echo CertificateTemplate="ConfigurationManagerClientTemplate" ; this is for Client Authentication >> "%~dp0%input%.inf"
echo SAN="DNS=%input%" >> "%~dp0%input%.inf"
rem Create a binary request file from the INF
echo Generating certificate request for server %input%
CertReq -new -f "%~dp0%input%.inf" "%~dp0%input%.req"
echo Retrieving certificate for server %input%...
REM In the next line change CAServerFQN to the CA server's FQDN (server.domain.com) and CAName to the name of the CA (the default is Domain-Servername-CA; you can get this from your CA console)
CertReq -Submit -q -f -config "CAServerFQN\CAName" "%~dp0%input%.req" "%~dp0%input1%.cer"
Echo Importing certificate into Local Computer Store...
certreq -accept "%~dp0%input1%.cer"
Echo Exporting certificate with private key...
Rem SCCMPassword protects the PFX; internetsetup.bat must import it with the same password
certutil -f -p SCCMPassword -exportpfx %input% "%~dp0%input1%.pfx"
Echo Cleaning up....
certutil -delstore "MY" %input%
del "%~dp0%input%.req" /q
del "%~dp0%input%.inf" /q
echo Certificate generation for server %input% complete
endlocal
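As an added example that is not part of the original post, here is the same CreateCert procedure in PowerShell. It writes an INF with the same request settings, runs the same three certreq steps (-new, -submit, -accept) but stops on a non-zero exit code, locates the issued certificate by thumbprint rather than by subject string, and exports the PFX with a password typed at a prompt instead of a literal kept in the script. The domain, template name and CA configuration string are placeholders carried over from the batch file, and Export-PfxCertificate requires Windows 8 / Server 2012 or later.

```powershell
# Added example, not the page's own script: CreateCert.bat rewritten in PowerShell.
# Placeholders to change: $Domain, $Template, $CaConfig (values mirror the batch file).
param(
    [Parameter(Mandatory)][string]$ComputerName,                   # NetBIOS name, as in the batch prompt
    [string]$Domain   = 'domain.com',                              # placeholder: internal AD DNS domain
    [string]$Template = 'ConfigurationManagerClientTemplate',      # template Name, NOT the Display Name
    [string]$CaConfig = 'CAServerFQN\CAName'                       # placeholder: "CA server FQDN\CA name"
)
$ErrorActionPreference = 'Stop'
$ComputerName = $ComputerName.Trim()     # replaces the two for-loops that strip spaces
$Fqdn = "$ComputerName.$Domain"
$Inf  = Join-Path $PSScriptRoot "$Fqdn.inf"
$Req  = Join-Path $PSScriptRoot "$Fqdn.req"
$Cer  = Join-Path $PSScriptRoot "$ComputerName.cer"      # named after the NetBIOS name, like the batch file,
$Pfx  = Join-Path $PSScriptRoot "$ComputerName.pfx"      # so internetsetup.bat can use %computername%

# Same request parameters as the batch file's INF
@"
[NewRequest]
Subject="CN=$Fqdn"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xA0
MachineKeySet=TRUE
[RequestAttributes]
CertificateTemplate="$Template"
SAN="DNS=$Fqdn"
"@ | Set-Content -Path $Inf -Encoding ASCII

# certreq.exe does not throw on failure, so check its exit code after every call
function Invoke-CertReq {
    param([string[]]$Arguments)
    & certreq.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certreq $($Arguments[0]) failed with exit code $LASTEXITCODE"
    }
}

Invoke-CertReq @('-new', '-f', $Inf, $Req)                               # INF -> request
Invoke-CertReq @('-submit', '-q', '-f', '-config', $CaConfig, $Req, $Cer) # request -> CA -> .cer
Invoke-CertReq @('-accept', $Cer)                                         # bind .cer to the machine key

# Find the issued certificate in the machine store by thumbprint, then confirm the key is attached
$thumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cer).Thumbprint
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb"
if (-not $cert.HasPrivateKey) { throw "Private key not found for $Fqdn" }

# Prompt for the PFX password rather than hard-coding it; reuse the same password on the client
$pfxPassword = Read-Host -Prompt "PFX password for $ComputerName" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $Pfx -Password $pfxPassword | Out-Null

# Same clean-up as the batch file: the certificate and key leave this machine, the request files go
Remove-Item -Path $cert.PSPath -DeleteKey
Remove-Item -Path $Req, $Inf -Force
Write-Host "Certificate for $Fqdn written to $Cer and $Pfx"
```

Run it elevated on the domain-joined machine where the batch file would be run, e.g. .\CreateCert.ps1 -ComputerName PC01, and copy the resulting .cer and .pfx to the client alongside internetsetup.bat.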
Now we need to install the client with that certificate. Copy the client install files from "\\<PrimarySiteServer>\SMS_ITH\Client" to the local computer, create a text file named "internetsetup.bat" in that folder, paste the following script into it and modify the placeholder values to match your environment. The Rem lines give directions for each value:
certutil -f -addstore "ROOT" "%~dp0%computername%.cer"
Rem SCCMPassword must be the same password used by the -exportpfx line in CreateCert.bat
certutil -p SCCMPassword -importPFX "%~dp0%computername%.pfx" NoExport
Rem Use your internet SCCM server for all of the SCCMSERVER.DOMAIN.COM placeholders below
Rem Replace ABC in SMSSITECODE with your environment's 3-character site code
Rem If the computer will be Internet/Workgroup only, set CCMALWAYSINF=1
Rem If the computer is a domain computer that will sometimes be connected to the internal network and sometimes be on the internet, set CCMALWAYSINF=0
"%~dp0ccmsetup.exe" /usePKICert /NOCRLCheck SMSSIGNCERT="%~dp0%Computername%.cer" mp=https://sccmServer.domain.com FSP=sccmServer.domain.com DNSSUFFIX=domain.com SMSSITECODE=ABC CCMALWAYSINF=1 CCMFIRSTCERT=1 CCMHOSTNAME=sccmServer.Domain.com
del "%~dp0%Computername%.pfx" /q
5. Run CreateCert.bat as administrator. It did not run properly on the client computer, so I ran it on the server and it worked properly.
6. Copy the install files from "\\<PrimarySiteServer>\SMS_ITH\Client" to the local computer and run the created internetsetup.bat as administrator. Once it has finished, your computer should work as an internet/workgroup client.