The Beta 2 help file (SMSv4.chm) and the TechNet online Configuration Manager Documentation Library has lots of documentation to help you plan for native mode and the PKI certificates.
If you need a quick primer on native mode and where to start, see my article on www.myITforum.com: Now Is The Time – To Brush-Up On Your PKI.
I also wanted to pass on to you any corrections, revisions and tips we’ve learned since the documentation was published. We very much appreciate feedback on these topics and will use this blog to pass on to you any additional information you might need.
Step-By-Step Guide to Deploying the PKI Certificates Required for Configuration Manager Native Mode
In the section To create and issue the site server signing certificate template, there is a step missing. After step 5 where you rename the duplicate certificate template, you also need this step:
Click the Subject Name tab, and then click Supply in the request.
When this step is missing, you will not see the certificate template listed in step 5 in Requesting the Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server.
Certificate Requirements for Native Mode (http://www.microsoft.com/technet/prodtechnol/sms/smsv4/smsv4_help/782cec7b-9525-43c5-a182-999d2cf7b9ff.mspx)
The string for the subject name of the site server signing certificate is case sensitive - both the string and the site code.
The text used to say:
This exact text string in English must be used, and the site code must be specified at the end of the string.
The text now says:
This exact text string in English must be used, in the same case, and the site code must be specified at the end of the string in the same case as it appears in the Configuration Manager console.
When you are deploying certificates for site systems that support both Internet-based clients and intranet clients, the certificate subject name or subject alternate name must contain both the Internet FQDN and the intranet name (FQDN or short name). Standard PKI notation for concatenating names is to use the “&” delimiter.
The text used to say:If the site system will accept connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer NetBIOS name) must be specified.
The text now says:If the site system accepts connections from both the Internet and the intranet, both the Internet FQDN and the intranet FQDN (or computer NetBIOS name) must be specified using the ampersand (&) symbol delimiter between the two names.
Publishing Internet-Based Site Systems with ISA Server:
If you are using ISA Server to publish your Internet-based site systems, use the Server Publishing wizard and not the Web Publishing wizard. This is because the connections use machine-based authentication (using client authentication certificates) and not user-based authentication. You will also need a separate IP address for each Internet-based site system, even if you combine site system roles onto the same server.
Let me know of any other revisions that are needed, tips or general feedback! And I’ll keep you posted as well.
- Carol Bailey
This posting is provided “AS IS” with no warranties and confers no rights.
Since its release, there have been some updates… Read it…
Summary: in the last week of March, at MMS 2007, we talked about a huge number of subjects. Some needed