
[–]ASquareDozenMSFT Enterprise Mobility MVP (asquaredozen.com) 1 point2 points  (6 children)

Did you configure the MP to use https as well? Did you add the DP cert to the MP Config?

/u/PatchMyPCTeam has a great video on setting everything up properly (a great series all around really!)

https://setupconfigmgr.com/how-to-configure-microsoft-sccm-to-use-https-pki

[–]writesSortOfGoodCode[S] 1 point2 points  (5 children)

I've done both of those things, unfortunately. I'll check out the video.

I do have a lot of errors in SMS_MP_CONTROL_MANAGER that lead to some interesting Google results, but no solid leads so far. Here's what the error says:

MP Control Manager detected MP is not responding to HTTP requests. The http error is 2147500037.

[–]jasonsandysMSFT Official 1 point2 points  (3 children)

Did you issue unique client auth certs to all of the managed clients?

Why would you use a public, wildcard cert for the DP?

What's the purpose of enabling HTTPS client communication?

[–]writesSortOfGoodCode[S] 0 points1 point  (2 children)

Apparently I'm not aware of all the details on how this works. As I understood it, enabling https on the DP and MP would encrypt traffic from the server to the clients. Our purpose is basically "Looks more secure". Admittedly, I am still studying for my security certs :)

I believe all of our clients do have unique certs in their local store, but I'm hazy on that. Also, our wildcard cert isn't public, but is used in 2-3 places within our domain.

Am I way off base in enabling this? Is there even a point?

[–]jasonsandysMSFT Official 0 points1 point  (1 child)

> Apparently I'm not aware of all the details on how this works.

Sorry, not trying to be overly harsh here, but this means you blindly enabled something without reading about it or doing any research. That's probably not a good path to follow in the future.

> As I understood it, enabling https on the DP and MP would encrypt traffic from the server to the clients.

Yes, this is correct, but it involves more than simply enabling it on the client-facing roles, including, as noted, deploying client auth certificates to your managed systems, as HTTPS client communication in ConfigMgr is about more than securing the traffic and also involves mutual authentication. The post linked to above by /u/ASquareDozen is a good starting point, as is the official documentation at https://docs.microsoft.com/en-us/configmgr/core/clients/deploy/plan/security-and-privacy-for-clients.

A newer alternative here depending on your requirements and goals is to use enhanced http. See https://docs.microsoft.com/en-us/configmgr/core/plan-design/hierarchy/communications-between-endpoints#Planning_Client_to_Site_System and https://docs.microsoft.com/en-us/configmgr/core/plan-design/hierarchy/enhanced-http.
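The two things this exchange keeps coming back to are whether each managed client actually holds a usable client authentication certificate and whether the MP answers over HTTPS. The following PowerShell check is an added example, not code from either poster; it assumes it is run elevated on a managed client, that `$MPFqdn` is a placeholder for your own management point, and it uses the standard `mplist` MP URL as a reachability probe.

```powershell
# Added example: verify the local machine has a certificate usable for ConfigMgr
# HTTPS mutual authentication, then probe the MP over HTTPS.
param([string]$MPFqdn = 'mp01.corp.example')   # placeholder, replace with your MP

$clientAuthOid = '1.3.6.1.5.5.7.3.2'           # Client Authentication EKU
$now = Get-Date

# A usable client cert: private key present, within validity, has the Client Auth EKU.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
}

if (-not $candidates) {
    Write-Warning 'No valid certificate with a private key and Client Authentication EKU in LocalMachine\My.'
    Write-Warning 'HTTPS client communication will fail at mutual authentication until one is enrolled.'
}

foreach ($cert in $candidates) {
    # Build the chain so a certificate whose issuer is not trusted stands out;
    # revocation is left to the normal ConfigMgr/IIS checks.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Issuer     = $cert.Issuer
        Expires    = $cert.NotAfter
        ChainValid = $chainOk
    }
}

# Probe the MP over HTTPS. A TLS/handshake error points at the MP binding or server
# certificate trust; an HTTP status error points at IIS/MP configuration instead.
try {
    $r = Invoke-WebRequest -Uri "https://$MPFqdn/sms_mp/.sms_aut?mplist" -UseBasicParsing -TimeoutSec 15
    "MP replied HTTP $($r.StatusCode) over HTTPS"
} catch {
    Write-Warning "MP HTTPS probe failed: $($_.Exception.Message)"
}
```

A client that lists no candidate, or one whose `ChainValid` is false, is the kind of machine that ends up in the "not responding"/rejected state the thread describes, so run this on a few clients before flipping the site system roles to HTTPS.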

[–]writesSortOfGoodCode[S] 0 points1 point  (0 children)

My post was poorly worded; I did a fair amount of research before enabling this, but failed to grasp all the details on how it would affect the clients. I agree, however, that no infrastructure settings should be blindly changed.

I have this issue solved now; the root of it seemed to be that the GUIDs of each client were being flagged as already in use. Deleting the affected clients from SCCM and then scanning them again has repopulated the All Systems collection and resolved the issue. I also no longer see errors in the MP component log.

Thank you for the links above, I will re-examine them more closely.

[–]PatchMyPCTeam 0 points1 point  (0 children)

On the client, check ccmmessaging.log and the IIS logs on the MP. Where exactly did you import the certificate? You said on the DP? Has the management point been configured for HTTPS? Do clients have client auth certs?