Enhanced HTTP site systems - Where is the client cert?

    Question

  • Has anyone successfully used the Enhanced HTTP site system feature? I enabled this feature, but I am not seeing any certificates generated on my client. When switching over to internet only it fails with errors in LocationServices.log:

    • Unable to find any Certificate based on Certificate Issuers
    • Failed to get client certificate for transportation. Error 0x87d00215

    Levi Stevens

    Wednesday, December 5, 2018 8:53 PM

All replies

  • It doesn't create a cert on the client, it just creates a cert on the MP/DP and adds it to the IIS bindings on port 443. You should see a cert called SMS Role SSL Certificate. More info https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/enhanced-http

    If you're using the CMG then the client either needs a PKI cert or to be Azure AD joined/hybrid Azure AD joined.

    Wednesday, December 5, 2018 10:31 PM
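    A quick way to confirm what the reply above describes on a site system: the script below is an added check, not code from the thread or from Microsoft. It assumes the friendly name "SMS Role SSL Certificate" from the reply, that it is run elevated on the MP/DP, and that the IIS WebAdministration module is present; it verifies the cert exists in the machine store and that its thumbprint is the one IIS actually serves on port 443.

```powershell
# Added verification script (not from the thread or from Microsoft).
# Run elevated on a management point / distribution point with Enhanced HTTP enabled.
# Assumptions: friendly name 'SMS Role SSL Certificate' (from the reply above) and
# the IIS WebAdministration module (ships with the IIS management tools).
#Requires -RunAsAdministrator
Import-Module WebAdministration -ErrorAction Stop

$friendlyName = 'SMS Role SSL Certificate'

# 1. Look for the site-issued server certificate(s) in the machine store.
$roleCerts = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.FriendlyName -eq $friendlyName }

if (-not $roleCerts) {
    Write-Warning "No certificate with friendly name '$friendlyName' in LocalMachine\My."
    Write-Warning 'Either Enhanced HTTP is not enabled for this site or the role has not refreshed yet.'
    return
}

foreach ($cert in $roleCerts) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    '{0}: thumbprint={1} subject={2} expires in {3} days' -f $friendlyName, $cert.Thumbprint, $cert.Subject, $daysLeft
}

# 2. Confirm IIS has an HTTPS binding on 443 that uses one of those certificates.
$https443 = Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' }

if (-not $https443) {
    Write-Warning 'No HTTPS binding on port 443 in IIS; the Enhanced HTTP binding is missing.'
    return
}

foreach ($binding in $https443) {
    $bound = $binding.certificateHash
    $match = $roleCerts | Where-Object { $_.Thumbprint -eq $bound }
    if ($match) {
        "OK: binding $($binding.bindingInformation) uses the $friendlyName ($bound)."
    } else {
        Write-Warning "Binding $($binding.bindingInformation) uses thumbprint $bound, which is NOT the $friendlyName; a manually installed or PKI certificate is bound instead."
    }
}
```

    If the first check passes but the second does not, the site issued the certificate but something else (a PKI cert or a manual binding) is what clients actually see on 443.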
  • I have read the documentation. It implies that no PKI cert is needed. It really is not that helpful generating a cert for the MP only if I still have to have PKI in order to authenticate the clients:

    Configuration Manager version 1806 includes improvements to how clients communicate with site systems. There are two primary goals for these improvements: 

    • You can secure sensitive client communication without the need for PKI server authentication certificates

    • Clients can securely access content from distribution points without the need for a network access account, client PKI certificate, and Windows authentication.

    The devices are not AAD joined.


    Levi Stevens

    Wednesday, December 5, 2018 10:37 PM
  • It is helpful for having Windows 10 devices that are hybrid Azure AD joined (on-prem domain joined and Azure AD registered) and allowing them to communicate over the CMG without any PKI certs. The purpose of using Azure AD for authentication is to simplify it by not needing PKI certs.


    Wednesday, December 5, 2018 11:45 PM
  • I have read the documentation. It implies that no PKI cert is needed. It really is not that helpful generating a cert for the MP only if I still have to have PKI in order to authenticate the clients:

    Configuration Manager version 1806 includes improvements to how clients communicate with site systems. There are two primary goals for these improvements: 

    • You can secure sensitive client communication without the need for PKI server authentication certificates

    • Clients can securely access content from distribution points without the need for a network access account, client PKI certificate, and Windows authentication.

    The devices are not AAD joined.


    Levi Stevens

    You can still use enhanced HTTP even if the devices are not domain joined so long as the users are synced to AAD. Not all features work this way though.

    And to answer your question... Yes I have implemented enhanced HTTP for MANY customers.


    BI For SCCM https://www.fatstacks.tech/home/bi | Register for a Free Demo


    • Edited by John Marcum Thursday, December 6, 2018 7:36 PM
    Thursday, December 6, 2018 7:35 PM
  • As the others have more or less said, Enhanced HTTP is not for IBCM and with a CMG, there are other requirements. If your goal is to use HTTPS client communication, then Enhanced HTTP is not part of the solution.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, December 6, 2018 7:41 PM