Planning your CRL Distribution Point for Configmgr 2007 Native mode

August 23, 2007 at 1:25 pm in ConfigMgr 2007, SCCM 2007, SMS by The WMI guy

Hi all,

Everyone who has ever done an SMS roll-out knows that planning is critical to the success of the project. One part of that planning that is easily overlooked is the PKI infrastructure, and an important part of planning your PKI for Configmgr 2007 is planning the location of your Certificate Revocation List Distribution Point.


Let me start by sketching the problem. Configmgr 2007 Native mode relies on certificates for client authentication. Certificate authentication is a very strong authentication method, but it comes with some things you should know in order to use it properly. One of the things that works differently with certificate-based authentication is how you stop a given account from being able to authenticate in the future. This might be necessary because you don’t want the certificate of an end-of-life machine to be misused for communication purposes, or because the certificate was compromised. With user accounts you can just disable the account and you’re done. With certificates you need to revoke the certificate AND publish that revocation on the Certificate Revocation List, where clients can actually find it.


If you use a default Windows 2003 PKI, the Certificate Revocation List is by default published in Active Directory and on the Certificate Authority website, which is accessible to all authenticated users (which includes computer accounts). Now, these defaults are fine for internal clients, but they are not accessible in some situations. Internet-based clients, for instance, will not be able to access either of these CRL Distribution Points (CDPs). And they are not the only ones: clients in untrusted forests, workgroup clients, and even clients that boot from a Configmgr 2007 Boot Image will not be able to access these CDPs.


The reason your CDPs need to be carefully planned is that the list of CDPs is actually part of the certificate. So once the certificates are rolled out, there is NO WAY to add another CDP to them in an easily automated way without redistributing all your certificates!!!


Clients that are not able to contact the CDP will fail to communicate if CRL checking is enabled, and will throw an error in the logs called WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED.
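To find out which CDPs a certificate actually carries, and which of them a client at its current network location can reach anonymously, here is a PowerShell check I would run on an internet-based or workgroup client before turning CRL checking on. This is added example code, not part of the original post and not part of Configmgr; it assumes the client certificate sits in the LocalMachine\My store, and the thumbprint is a placeholder you fill in yourself.

```powershell
# Added example: enumerate the CDP URLs embedded in a certificate and test
# whether each one is usable from this machine. An LDAP-only CDP is the classic
# reason a client outside the forest logs WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED.
param(
    [string]$Thumbprint = '<THUMBPRINT OF YOUR CLIENT CERT>',   # placeholder, fill in
    [int]$TimeoutMs = 5000
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders
# it certutil-style, with one 'URL=' entry per distribution point.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
if (-not $cdp) { throw 'Certificate carries no CDP extension, so revocation checking cannot succeed' }
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

foreach ($url in $urls) {
    if ($url -like 'ldap:*') {
        # AD-published CRL: needs LDAP access to a DC as a domain-authenticated caller,
        # which workgroup, untrusted-forest, internet and boot-image clients do not have.
        Write-Output "$url -> LDAP CDP, only usable by domain members with DC connectivity"
        continue
    }
    if ($url -notlike 'http://*') {
        Write-Output "$url -> scheme not tested by this script"
        continue
    }
    try {
        # Fetch anonymously, exactly as an internet-based client would have to.
        $req = [System.Net.HttpWebRequest]::Create($url)
        $req.Method = 'GET'
        $req.Timeout = $TimeoutMs
        $req.UseDefaultCredentials = $false
        $resp = $req.GetResponse()
        Write-Output ("{0} -> reachable anonymously, HTTP {1}, {2} bytes" -f $url, [int]$resp.StatusCode, $resp.ContentLength)
        $resp.Close()
    } catch {
        Write-Output "$url -> NOT reachable anonymously: $($_.Exception.Message)"
    }
}
```

If every URL comes back as LDAP-only or unreachable, the certificate template needs a publicly reachable HTTP CDP added before the certificates are rolled out, because the list cannot be changed afterwards without re-issuing them.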


Now, there are two fixes for this:


1) Disable Certificate Revocation List checking. You can do this from within the Configmgr 2007 Console, on the Site Mode tab of the Site Properties, by clearing the Check Certificate Revocation List checkbox (the checkbox is only visible if your site is in Native mode). This is obviously the easiest fix, but in my humble opinion it lowers your PKI, client-certificate based security to an unacceptable level, and consequently it is only fit for lab and demonstration purposes.


2) Publish your CDP and make sure it is accessible to workgroup, internet-based, and untrusted-forest clients. This is obviously the proper way of handling the issue. Great, now how do we do that? Well, that could be food for another post. But since the folks over at isaserver.org have already written an article about it, which continues into publishing the CDP with ISA Server 2004, I am not going to bother writing it up myself. I will just point you to that article: http://www.isaserver.org/tutorials/Publishing-Public-Key-Infrastructure-ISA-Server-2004-Part2.html.


Enjoy

“Everyone is an expert at something”
Kim Oppalfens – Sms Expert for lack of any other expertise
Windows Server System MVP – SMS
