Microsoft

Blog Categories

Subscribe to RSS feed

Archives

Publishing SCMDM Enrollment Server with ISA 2006 Array

During a recent deployment of SCMDM I ran into a little snag while publishing the internal IIS web site on the Enrollment Server. Because my client was using an ISA Server 2006 Array I needed to get the exact same certificate on both array nodes in order to configure the Listener correctly.

If you follow the technical article Configuring External and Internal Firewalls in Mobile Device Manager then the requested certificate will not be configured to allow exporting the private key. And because ISA Server requires all array nodes to have the exact same certificate, you can’t simply run through the certificate request and submission steps twice, one per server. The original certificate must be exported with the private key and installed on each ISA Server.

So, I used a slightly different process then documented in the section entitled “Guidance for Publishing MDM Enrollment Server on ISA Server 2006” from the article linked in the previous paragraph. I modified both the content of the certificate request .INF (a required step) and also performed the request from an internal server to reduce the amount of file copies between servers in the perimeter network and internal network (optional).

To start, I looked up how to allow the private key to be exported in the original certificate request when using the certreq.exe command. I found the answer in the Appendix 3 from the Windows Server 2003 Operations Whitepapers which shows that the line Exportable = TRUE should be added to the request INF file. As previously mentioned, I created the original request from an internal server already on the domain, then exported the certificate and private key to a file. At this time you can also chose to remove the private key from the local server, as I didn’t want to leave that key sitting on that server unnecessarily.

The Process

Request, issue and install a new certificate on an internal domain-connected server (in this case the SCMDM Enrollment Server).

  • Create a new text file C:NewCertReq.inf and type the following text in (do not cut/paste from this article), replacing domain.com with your public domain name:

[NewRequest]
Subject = "CN=mobileenroll.domain.com"
Exportable = TRUE
KeySpec = 1
MachineKeySet = TRUE

  • Issue the following certificate request at the command prompt:

certreq -new NewCertReq.inf NewCertReq.txt

  • Submit the request using a domain account with sufficient rights to make requests and use the template:

certreq -submit -attrib "CertificateTemplate:SCMDM2008WebServer" NewCertReq.txt NewCert.cer

  • Accept new request to import the certificate into local Certificates Store:

certreq -accept NewCert.cer

Export the new certificate and private key into a Personal Information Exchange (.pfx) file.

  • Locate the new mobileenroll.domain.com certificate using the Certificates console in the Local ComputerPersonal store.
  • Open the certificate and verify that the bottom of the General tab shows the certificates private key is stored locally.

image

  • Click on the Details tab and then the “Copy to File…” button to start the Certificate Export Wizard.
  • Select “Yes, export the private key””

image

  • Select Personal Information Exchange (.PFX)

image

  • Choose a new password and save

Import the new certificate into ISA Server

  • Copy the .PFX file to each ISA Server array member.
  • Open the Certificates console for Local Computer (not Current User) and import the certificate into Personal store.
    • Mark Key as exportable

Now when the certificate is selected for the ISA listener it should be displayed as ‘Correctly Installed’ on all array nodes.

There is one important note regarding whether to retain or delete the private key if the export is successful from the requesting server. If any additional array nodes will be added in the future then it would be prudent to retain the private key here on the this internal server so an identical certificate could later be issued. But if leaving the key on this internal server will be against any security policies then it should be deleted now. The additional of future ISA array nodes would require a fresh certificate to be installed to all members.

Leave a Reply