Config Mgr 2012 R2 - Changing from HTTP to HTTPS

Question
Hi Guys, I would appreciate any thoughts or help on this matter.
I have set up a single server running Config Mgr 2012 R2, SQL 2014 is on the same box and this is running in a dev environment. It's a VM.
Before transition to live I am testing the use of HTTPS for the web server, client communication and DP. I followed various online articles, for example: http://wibier.me/https-communication-sccm-2012-sp1-part-1/
Created the certs on our CA, pushed out the client cert via GP, enabled HTTPS only on "site" and configured the DP to use HTTPS.
As soon as I do this client communication fails to clients and builds no longer work. The clients are still reporting a self-signed cert.
Is it possible to make this change to a SCCM service which has already been provisioned or does HTTPS need to be specified during the initial set up?
Thanks very much, Dave
Friday, August 19, 2016 1:02 PM
Answers
It shouldn't take 25 hours. As I noted above, it should happen at the next policy polling interval. Clientidstartupmanager.log along with clientlocation.log, and locationservices.log will provide the details.
Jason | http://blog.configmgrftw.com | @jasonsandys
- Proposed as answer by Jimmy LSMicrosoft contingent staff Monday, August 22, 2016 1:49 PM
- Marked as answer by Jimmy LSMicrosoft contingent staff Saturday, September 10, 2016 8:11 AM
Monday, August 22, 2016 10:08 AM
All replies
Hello Dave,
I would suggest you look at the following blogs; they will help you to understand.
ConfigMgr 2012 R2 Certificate Requirements and HTTPS configuration
A closer look at Internet Based Client Management in ConfigMgr 2012
Sharad Singh | My blogs: SharadTech | Twitter: @SinghSharaad | Please remember to click “Mark as Answer” on the post that helps you. This can be beneficial to other community members reading the thread.
Friday, August 19, 2016 2:05 PM -
You don't need to specify HTTPS at installation time. The clients will automatically change over after a period of time. I can't remember how long this is but have done it a few times in the past and it's worked fine.
I always follow these 4 blogs, they are identical to the MS official pages word for word but also contain screen shots.
Edit:
I think it's every 25 hours or under certain conditions.
https://technet.microsoft.com/en-us/library/gg682060.aspx#BKMK_AutomaticAssignment
Right click the pic, open in new tab.
- Edited by Richard.Knight Friday, August 19, 2016 6:11 PM
Friday, August 19, 2016 5:09 PM -
Have you validated that the client system has a valid cert to use in the certificates snap-in?
The change from HTTP to HTTPS will happen the next time the clients try to retrieve their policy, as they won't be able to and will switch to HTTPS if they have their cert and the MP is properly published in AD.
Jason | http://blog.configmgrftw.com | @jasonsandys
Sunday, August 21, 2016 10:54 AM -
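The client certificate check asked about in the reply above can be scripted instead of read off the Certificates snap-in. This is an added example, not code from the thread or from Microsoft; it assumes the client certificate was enrolled into the Local Computer Personal store, and it turns revocation checking off so the result reflects only validity dates, private key, EKU and trust in the issuing root.

```powershell
# Added example: list certificates in the Local Computer Personal store that
# could serve as a ConfigMgr client certificate, and show why each one would
# or would not be usable. Run elevated on the client.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Collect the EKU OIDs from the certificate's EKU extension, if present
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $clientAuthOid) { continue }

    # Build the chain to see whether the issuing root is trusted on this machine.
    # Assumption: revocation is skipped so an unreachable CRL does not mask a trust problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $rootSubject = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        HasPrivateKey = $cert.HasPrivateKey
        ChainTrusted  = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        TopOfChain    = $rootSubject
    }
}

if (-not $results) {
    Write-Warning 'No certificate with the Client Authentication EKU in Cert:\LocalMachine\My.'
} else {
    $results | Format-List
}
```

A client is ready for an HTTPS-only site when at least one entry shows InValidity, HasPrivateKey and ChainTrusted all True; an UntrustedRoot entry in ChainErrors means the CA's root certificate is missing from the machine's trusted roots.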
Hi Guys,
Thanks very much for the feedback, it's very much appreciated. I have followed this guide: "https://sccmguy.com/2013/11/26/pki-certificates-for-configuration-manager-2012-r2-part-1-of-4-web-server-certificate/"
Something I have noticed: when I complete the final step on the Site to use "HTTPS only" I don't have a trusted root certification authorities certificate. It's set to "None Specified".
Do I need to export the root cert on the primary site server and then use it when configuring the site?
Monday, August 22, 2016 8:09 AM -
Yes. OSD will not work without this. Normal client management should (to my knowledge) work without this configured though.
Jason | http://blog.configmgrftw.com | @jasonsandys
Monday, August 22, 2016 8:51 AM -
OK great,
I've done that and I am now waiting for these changes to take effect. As it looks like it's up to 25 hours for these changes to occur, I will start some testing this time tomorrow and see how things are looking.
I am building in live today for HTTP only with a mind to change to HTTPS once the CA is updated.
I shall report back tomorrow with an update.
Thanks very much, Dave
Monday, August 22, 2016 9:19 AM -