Mutual Authentication not Enabled

  • Question

  • We have 30 servers that are part of our Active Directory and two that are in a work-group. In order to see these two servers in the Forefront Client Security Management Console, I disabled the requirement for mutual authentication.

    Now the FCS BPA complains: Mutual authentication has not been enabled on this server. This is not a supported configuration. For more information, see Client Security Best Practices Analyzer tool: Mutual authentication check (http://go.microsoft.com/fwlink/?LinkId=98164).

    There are lots of warnings in the event log: The MOM Agent at w.x.y.z is configured to use Mutual Authentication, but the MOM Server is not. This is a misconfiguration and is typically caused by a manual agent install configuration that does not match the MOM Server.

    What should be done here? With SCOM 2007 R2, we use certificate-based authentication and do not receive any errors.

    Could we use the MOMCertImport.exe that comes with SCOM? Do we have to reconfigure all the 30 servers that can leverage mutual authentication? Should we drop the two DMZ servers from being managed?


    MCTS: Messaging | MCSE: S+M
    Monday, November 21, 2011 11:43 AM

Answers

  • Hi,

    Oh, you remind me, and sorry to confuse you.

    Yes, not supported. FCS v1 requires a two way trust for MOM 2005 to perform mutual authentication between the client and server.

    There are 3 scenarios you could read about in this article; Scenario 3 supports reporting FCS via ISA.

    Regards,
    Rick Tan

    Thursday, November 24, 2011 2:49 AM

All replies

  • Hi,

    Thank you for your post.

    It's OK to disable mutual authentication on the MOM server. Please follow "To disable mutual authentication" in this article.

    Since the MOM client agent uses the server's global settings, you need to select agent-managed computers -- All tasks -- click agent update settings to pull the settings to the clients.

    As FCS will be installed on non-domain servers, you also need to use Fcslocalpolicytool to import the FCS policy to the servers. FEP will be installed automatically, or manually by command with /CG /MS.

    Here is a similar case you could use as a reference.

    If there are more inquiries on this issue, please feel free to let us know.

    Regards,
    Rick Tan

    Wednesday, November 23, 2011 8:09 AM
  • Thank you for your answer, but in the link you provide, Johan Blom, Forefront MVP says: "Turning off mutual authentication is not a supported configuration."

    That's also what the Forefront Client Security Best Practices Analyzer complains about. It was exactly this article I used:

    Troubleshoot MOM 2005 Agent Installation
    http://technet.microsoft.com/en-us/library/cc180826.aspx

    So the conclusion is perhaps: Not supported -- do not centrally manage the servers in the DMZ?


    MCTS: Messaging | MCSE: S+M
    Wednesday, November 23, 2011 9:31 AM
  • Thanks! That was the real confirmation I needed. We'll be moving to SCCM and Forefront Endpoint Protection, but for the time being we need a supported configuration.
    MCTS: Messaging | MCSE: S+M
    Thursday, November 24, 2011 5:11 AM