WildCard Certificate for IBCM - SCCM 2012

Hi,
I have a Primary Site at the DataCenter. There are 2 MP's installed there.
One MP I would like to publish using ISA/TMG for Internet Based Client Management. Can I use a wild card certificate on ISA Server for the same? The MP would have Local Cert in IIS.
Does SCCM 2012 support wild card certificate?

My assumption was that you had purchased a wildcard cert and thus were purchasing your certs as you made no mention of an internal PKI.
What happens at your ISA box is between the client OS and ISA and really has nothing to do with ConfigMgr. So, although I haven't tried it, it should work. If you have an internal PKI though, why aren't you just issuing a non-wildcard cert to the ISA?
Jason | http://blog.configmgrftw.com

Similar Messages

  • IBCM SCCM 2012 r2 DO WE HAVE TO OPEN PORT 8531 IN EXTERNAL firewall

    Hi All
    IBCM SCCM 2012 r2 DO WE HAVE TO OPEN PORT 8531 IN EXTERNAL firewall for our site system in DMZ with role MP, SUP & DP

    I agree, for IBCM you need SSL.
    But as far as I know your Update Point isn't forced to run on SSL (8531) unless you tick your Update point with "Require SSL" within your update point configuration - which of course is the ideal configuration.
    And if that's the case it's running 8530.
    That's true, but for IBCM, as Peter pointed out HTTPS is required. Thus, if you don't configure your WSUS instance to run using SSL, I doubt that it will work simply because the client agent will be "smart" enough to see that you don't have an SSL capable WSUS instance and thus won't configure the WUA to use the non-SSL WSUS instance. I can't say I've tested this though, so it's possible that it works, but I doubt it.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Import certificate in to Firefox certificate store using SCCM 2012 R2

    Hello,
    I'm trying to figure out how to import a certificate in to the Firefox certificate store using SCCM 2012 R2 to push out to 8,000 computers. The only answer I have found was to import the certificate manually on my computer and copy the "cert8.db" file out of my "appdata\Roaming\Mozilla\Firefox\Profiles\******.default\" folder and use this file to copy to all profiles on each computer. I have not tried this since I believe this is not a standard practice. Is there a Firefox certificate scripting tool that I can use to accomplish this or a recommended way?
    Thanks,
    Matt

    Hi,
    It is listed here: http://technet.microsoft.com/en-us/library/gg712298.aspx
    There are a number of limitations to supporting workgroup computers:
    Workgroup clients cannot locate management points from Active Directory Domain Services, and instead must use DNS, WINS, or another management point.
    Global roaming is not supported, because clients cannot query Active Directory Domain Services for site information.
    Active Directory discovery methods cannot discover computers in workgroups.
    You cannot deploy software to users of workgroup computers.
    You cannot use the client push installation method to install the client on workgroup computers.
    Workgroup clients cannot use Kerberos for authentication and so might require manual approval.
    A workgroup client cannot be configured as a distribution point. System Center 2012 Configuration Manager requires that distribution point computers be members of a domain.
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter @ccmexec

  • Can we assign 2 IPs for a SCCM 2012 primary site server and use 1 IP for communicating with its 2 DPs and 2nd one for communicating with its upper hierarchy CAS which is in a different .Domain

    Hi,
    Can we assign 2 IPs for a SCCM 2012 primary site server and use 1 Ip for communicating with its 2 DPs and 2nd one for communicating with its upper hierarchy CAS . ?
    Scenario: We are building 1 SCCM 2012 primary site and 2 DPs in one domain. In future this will attach to a CAS server which is in a different domain. Can we assign 2 IPs in the primary site server, one IP will be used to communicate with its 2 DPs and the second IP for communicating with the CAS server which is in a different domain?
    Details:
    1) Server: Windows 2012 R2 Std, VM environment. 2) SCCM: SCCM 2012 R2. 3) SQL: SQL 2012 Std
    Thanks
    Rajesh Vasudevan

    First, it's not possible. You cannot attach a primary site to an existing CAS.
    Primary sites in 2012 are *not* the same as primary sites in 2007 and a CAS in 2012 is completely different from a central primary site in 2007.
    CASes cannot manage clients. Also, primary sites are *not* used for delegation in 2012. As Torsten points out, multiple primary sites are used for scale-out (in terms of client count) only. Placing primary sites for different organizational units provides no functional differences but does add complexity, latency, and additional failure points.
    Thus, as the others have pointed out, your premise for doing this is completely incorrect. What are your actual business goals?
    As for the IP Addressing, that depends upon your networking infrastructure. There is no way to configure ConfigMgr to use different interfaces for different types of traffic. You could potentially manipulate the routing tables in Windows but that's asking for trouble IMO.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Unable to install WildCard Certificate for ASA 5512-x

    Have a customer who we manage an ASA 5512-X for.  I am configuring a Wildcard Certificate for AnyConnect. They have a wildcard certificate purchased through Godaddy.com.  I am utilizing ASDM 7.3 for the installation of the certificate.  I added the Identity Certificate ASDM_TrustPoint0.  Checked the radio button "Add a new identity certificate:"  Named the Key Pair WildCard, and set the size to 2048.  I also changed the "Certificate Subject DN: to CN=cityvpn.wirapids.org.  There were no other attributes to add.  I also changed the FQDN under the advanced tab to the same cityvpn.wirapids.org.  Then clicked Add Certificate.  Successful
    Under CA Certificates I added the certificate from file.  Which I added the bundle.crt from Godaddy.  Certificate was added successfully.
    Going back to Identity Certificates.  I click on install.  Install from a file.  Which I tried the other crt file and the bundle file from Godaddy.  I get an Error: Failed to parse or verify imported certificate.  With the other .crt file from Godaddy I get the same error, but "Certificate does not contain device's General Purpose Public Key."
    Not sure what to think.  Any suggestions or help would be great.  Thanks
    Paul

    You should never ever get a wildcard certificate. Because if that certificate's private key gets stolen, the thief can impersonate all SSL-protected services. The clients view them as valid resources, because the certificate is correct. The only thing to do then is to revoke the certificate, which will cause you to get a new certificate installed on ALL services that you had protected with the wildcard one.
    Even worse, most browsers (besides IE) ignore certificate revocation lists in various cases!

  • Gift Certificate for NI Week 2012 worth $500

    Hi I Have a Gift Certificate for NI Week 2012 worth $500, unfortunately i'm not able to attend NIWeek and any body can offer to have the GiftCode.
    Thanks!
    Ashok

    Matt got the certificate. Thanks for a great community. Tom
    Tom Lohre artist/scientist
    Has a operating painting robot using RoboLab/RCX
    Developing a LabView/ NXT robot that analyzes an image for aesthetic quality.

  • Wildcard certificate for Exchange 2010

    Hi
    I have a single Exchange 2010 installed. I have installed a single domain name on the Exchange certificate; it expires next month, March 2014. I have a plan to buy a new wildcard certificate for the Exchange. I access OWA by ns1.xyz.com/owa without any problem but in my local network my Outlook is giving a certificate error because of the single domain name on the certificate.
    My question is what name should be on the wildcard CSR? Just put " *.xyz.com " or something else? Will that work in my local area as well as OWA and Outlook Anywhere?

    Hi,
    According to your description, your internal URLs have the different host name with the external ones.
    If you don’t want to change the URLs, we need to add the following host names in the certificate:
    All the host names in the external and internal URLs including autodiscoverserviceinternalurl;
    Autodiscover.smtpaddresssuffix
    In this case, SAN certificate is more suitable for your environment than wildcard certificate.
    If I misunderstand your meaning, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support
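
An added example (not part of the thread above and not Microsoft tooling): a PowerShell check of which service host names a certificate's names actually cover, applying the rule that a wildcard stands for exactly one left-most label. ns1.xyz.com and *.xyz.com come from the question; the other host names are constructed for illustration.

```powershell
# Returns $true when $HostName is covered by one certificate name ($Pattern).
# A wildcard is honoured only as the whole left-most label ("*.xyz.com").
function Test-CertNameMatch {
    param([string]$HostName, [string]$Pattern)
    $h = $HostName.TrimEnd('.').ToLowerInvariant()
    $p = $Pattern.TrimEnd('.').ToLowerInvariant()
    if (-not $p.StartsWith('*.')) { return $h -eq $p }   # exact SAN entry
    $suffix = $p.Substring(1)                            # e.g. ".xyz.com"
    if (-not $h.EndsWith($suffix)) { return $false }     # other domain or bare apex
    $label = $h.Substring(0, $h.Length - $suffix.Length)
    # The wildcard must stand for one non-empty label, never for "a.b".
    return ($label.Length -gt 0) -and (-not $label.Contains('.'))
}

# Emits every host name that none of the certificate names covers.
function Get-UncoveredName {
    param([string[]]$HostNames, [string[]]$CertNames)
    foreach ($h in $HostNames) {
        $covered = $false
        foreach ($c in $CertNames) {
            if (Test-CertNameMatch -HostName $h -Pattern $c) { $covered = $true; break }
        }
        if (-not $covered) { $h }
    }
}

# Constructed sample: host names taken from internal and external URLs.
$urlHosts = @(
    'ns1.xyz.com',            # external OWA name from the question
    'autodiscover.xyz.com',   # hypothetical Autodiscover name
    'xyz.com',                # bare domain
    'mail.corp.xyz.com',      # hypothetical two-level name
    'exch01.xyz.local'        # hypothetical internal AD name
)

Get-UncoveredName -HostNames $urlHosts -CertNames '*.xyz.com'
```

Any name the function emits has to be added as its own SAN entry or the URL changed to a covered name.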

  • Wildcard certificate for Exchange 2013

    Hello!
    I have a testing network with Exchange 2013SP1 and Windows Server 2012R2 domain controller with CA installed.
    For testing purposes I issued a wildcard certificate for my Exch2013 from my local CA using Web server template and installed it on the Exchange server.
    Now when I open, for example, ecp or owa page I'm getting the error stating my certificate is wrong:
    Q1) Is Windows CA capable of issuing a wildcard certificates?
    Q2) If Q1=yes then what can be the cause of the problem?
    Thank you in advance,
    Michael

    Hi Michael,
    Please click Certificate error in IE to view the details about the error. If the error is related to untrusted certificate, please open Internet Explorer, click Settings > Internet Option > Content option > Certificate. In the Certificates dialog box, click the Trusted Root Certification Authorities tab and check if your certificate is in the list.
    If the certificate is not in the list, we can install the certificate in Trusted root certificate store by the following KB:
    http://support2.microsoft.com/kb/2006728
    If the error certificate is related to mismatch issue, please confirm if this certificate is assigned with IIS service. If not, please enable it with IIS service and restart IIS service to have a try. To double check about the Exchange certificate, we can run the following command to check it:
    Get-ExchangeCertificate | FL
    Regards,
    Winnie Liang
    TechNet Community Support

  • W2k8R2 - Enterprise CA - Need WildCard Certificate for Internal Use

    Hi guys,
    A new client of mine has a "standalone" CA in their domain already...but I need a Wildcard Cert for some applications I'm installing in IIS.
    I'm used to setting up an "Enterprise" CA and issuing a Wildcard Cert that way, but I don't know if the "standalone" CA can do that.  I attempted to have IIS request a cert and it didn't auto-populate the CA information...but I told it to use CERTAUTHNAME\domaincontroller and it created one...but it doesn't appear to be working.
    My question is...if I install the Enterprise Root CA on a DC in their environment, can it interfere with the already issued certs from the standalone CA?
    I don't want to break something to move forward with my stuff.
    Thanks a lot and any help is greatly appreciated!!!

    A standalone CA can issue wildcard certificates. You just need to generate the certificate request manually (without using the IIS Mgmt console for that) by using an INF file and certreq. Then, you submit your request to a CA server. Look at this article:
    http://social.technet.microsoft.com/wiki/contents/articles/2017.certificate-enrollment-for-system-center-operations-manager-agent.aspx
    Although this article is intended for OpsMgr, the certificate enrollment process is the same for all products, just skip the OpsMgr-specific stuff. There are three sections related to Standalone CAs: request generation, submission and installation. In the INF file, you specify your wildcard name in the Subject key.
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new:
    PowerShell FCIV tool.
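
The request generation, submission and installation steps described in the answer above, as an added example that is not taken from the linked article or from the poster. The name *.example.com, the CA config string CAHOST\Example-CA, the file names and the request ID are placeholders; the SAN extension is an addition beyond the Subject key the answer mentions.

```powershell
# Added example: wildcard request against a standalone CA using an INF file and certreq.
# Run elevated on the server that will hold the private key.
$ca  = 'CAHOST\Example-CA'        # placeholder: <CA host>\<CA name>
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=*.example.com"   ; the wildcard name goes in the Subject key
KeyLength = 2048
KeySpec = 1                    ; AT_KEYEXCHANGE
KeyUsage = 0xa0                ; digitalSignature + keyEncipherment
MachineKeySet = TRUE           ; key is created in the computer store for IIS
Exportable = FALSE             ; set TRUE only if the key must move to other servers
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1        ; Server Authentication

[Extensions]
; Subject Alternative Name: current clients match on SAN rather than CN
2.5.29.17 = "{text}"
_continue_ = "dns=*.example.com&"
'@
Set-Content -Path .\wildcard.inf -Value $inf -Encoding ASCII

# 1. Request generation: creates the key pair locally and writes a PKCS#10 file.
certreq -new .\wildcard.inf .\wildcard.req

# 2. Submission: a standalone CA normally leaves the request pending until a
#    CA administrator issues it; -submit prints the RequestId to use below.
certreq -submit -config $ca .\wildcard.req .\wildcard.cer

# 2b. After the request has been issued on the CA, fetch the certificate.
$requestId = '<RequestId>'        # placeholder: value printed by -submit
certreq -retrieve -config $ca $requestId .\wildcard.cer

# 3. Installation: binds the issued certificate to the pending private key.
certreq -accept .\wildcard.cer
```

Because the private key never leaves the requesting machine unless Exportable is TRUE, generate the request on the server that will terminate TLS.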

  • WSUS on DMZ for SUP SCCM 2012 R2

     
    Hi all,
    We are setting up an SCCM 2012 R2 environment for production purposes and we would be having one primary. Due to security reasons internet connectivity is not allowed for the SCCM primary server, however we have some DMZ servers that have internet connectivity.
    My question here is
    Is it possible to have WSUS on DMZ server and SUP role in SCCM primary server ?

    Thanks for you reply..
    You mean we have to install WSUS and SUP in the primary site server and also install WSUS in the DMZ server, then the primary site server WSUS should get sync from the DMZ WSUS. Am I correct?
    My next question is: while installing SUP in the SCCM primary site, do we need to give sync from an upstream data source location as the primary site WSUS or the DMZ WSUS?

  • Software metering date not available for selection sccm 2012

    Hi
    I have installed SCCM 2012. 
    While viewing a report for software metering date and year are not available for selection. they are blank. 

    Thanks.
    It is showing after restart.
    Now there is another problem. 
    When I see the software metering report for enabled rule i.e. KasperskyAdminKit I can not understand the figures
    Computers that have run a specific metered software program
      NetBIOS Name: WIL-WNR-AV
      Installed Site Code: PUN
      Last Usage: 11/16/2012 5:13:35 PM
      Total Usages: 1
      Average Usages per Day: 0.03
      Total Duration (min): 7384.27
      Average Duration of Use (min): 7384.27
      Average Duration per Day (min): 246.14
    How to know the explanations for the underlined items?

  • Import wildcard certificate for use on GW 2012 webaccess

    My company already has a purchased wildcard cert. I want to SSL our upgraded webaccess utilizing that wildcard cert. We are running GroupWise 2012sp2 on SuSE11sp2, no OES or eDirectory installed on the box. What I am looking for is a procedure for importing that already created wildcard into it. The instruction I keep seeing talks about creating a CSR file and uploading it to the provider, which in our case is GoDaddy. Is there a way to use the already created wildcard and import it for use?

    In article <[email protected]>, Jlewter wrote:
    > My company already has a purchased wildcard cert. I want to ssl our
    > upgraded webaccess utilizing that wildcard cert. We are running
    > GroupWise 2012sp2 on SuSE11sp2, no OES or edirectory installed on the
    > box. What I am looking for is a procedure for importing that already
    > created wildcard into it. The instruction I keep seeing talks about
    > creating a csr file and uploading it to the provider, which in our case
    > is godaddy. Is there a way to use the already created wildcard and
    > import it for use?
    You can just focus on the apache side, and I suspect that your provider
    has docs that will handle this exactly.
    Andy of
    KonecnyConsulting.ca in Toronto
    Knowledge Partner
    http://forums.novell.com/member.php/75037-konecnya
    If you find a post helpful and are logged in the Web interface, please
    show your appreciation by clicking on the star below. Thanks!

  • MAC OS X Certificates question in SCCM 2012 R2

    We recently switched our SCCM environment over to HTTPS/PKI and everything has been working well.  We were now wanting to include Macs into our environment for some asset reporting.  But we recently started to notice some errors on the enrollment server.  If we re-image a Mac, and re-enroll it to SCCM it creates another record and cert I believe.  So what I was doing was deleting the old record which seemed like not a big deal till we started getting the errors below.
    Our Mac clients are not bound to AD by the way either.
    Failed to revoke Certificate on CA: ******\DUQCA1 with serial number: 1*******00000000573F. Check CA permission.
    ICertAdmin2 RevokeCertificate failed: Access is denied.
    Do we need to make the user able to revoke the permissions also?  I did not see this in the step by step from Microsoft.  What would best practice be?

    Hi,
    As far as I know, there is no other way except manually deleting them.
    In addition, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.
    Best Regards,
    Joyce
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • IBCM SCCM 2012 R2

    Hi,
    I need to arrange IBCM for our customer, however I have not done this ever. Any help will be appreciated warmly.
    Thnx

    Here are some links that should help:
    https://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients;
    http://www.petervanderwoude.nl/post/five-key-configuration-steps-for-implementing-internet-based-clients-in-configmgr-2012/;
    http://www.systemcenterdudes.com/internet-based-client-management/.
    Keep in mind that it's a difficult part of ConfigMgr to configure and that you should really understand what you're doing. Instead of simply trying to implement it.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • GPO for SUP SCCM 2012 R2 Cu3

    Hello,
    Which settings in a GPO do I have to configure for using SUP?
    We are using a WSUS at the moment.

    Technically, none. The ConfigMgr agent will set a local GPO to configure the WUA properly. If you override this, the ConfigMgr agent will detect this and disable software updates functionality.
    Generally, I recommend setting the "Configure Automatic Updates" setting to Disabled also to prevent the WUA from automatically performing any activity on its own.
    Reference:
    http://blog.configmgrftw.com/software-update-management-and-group-policy-for-configmgr-what-else/
    http://blog.configmgrftw.com/software-updates-management-and-group-policy-for-configmgr-cont/
    Jason | http://blog.configmgrftw.com | @jasonsandys
