HTTPS roles in SCCM using Windows Authentication

  • Question

  • Hello Experts,

    Can we use "Windows authentication" alone instead of PKI certificates in configuring SCCM HTTPS roles? Which method is recommended (Windows authentication vs PKI) and more secure, and why? Can you please help me understand?

    Thanks

    Narasimha


    Narasimha Reddy K

    Monday, October 14, 2019 10:23 AM

All replies

  • Hi Narasimha,

    Yes, PKI authentication is more secure than Windows basic authentication. Microsoft recommends using HTTPS communication for all Configuration Manager communication paths (Client=>MP, Client=>DP...). You can read the following articles for more details:

    https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/enhanced-http

    https://docs.microsoft.com/en-us/sccm/core/clients/deploy/plan/security-and-privacy-for-clients

    Step-by-step PKI integration: 

    https://www.prajwaldesai.com/deploy-pki-certificates-for-sccm-2012-r2/

    Regards,

    SAAD Youssef

    ______

    Please remember to mark the replies as answer if they help, thank you!

    • Proposed as answer by SAAD Youssef Tuesday, October 22, 2019 7:31 AM
    Monday, October 14, 2019 10:35 AM
  • Hi SAAD Youssef,

    Thanks for your reply. But can you please throw some more light on what the security implications are if "Windows Integrated Authentication" is used instead of PKI? (I understand from the above links that PKI is more secure than Windows Authentication.) The customer is asking for the detailed security implications in this scenario. I'm referring to the below screenshot, where Microsoft states that HTTPS can be implemented for distribution points (DP) and management points (MP) using Windows Integrated Authentication.

    Link : "https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/communications-between-endpoints"

    Any help in this regard would be really helpful.

    Thanks

    Narasimha


    Narasimha Reddy K

    Monday, October 14, 2019 12:58 PM
  • You're misinterpreting the documentation, as there is no actual choice between PKI and Windows Integrated auth for client communication. The only things that potentially use integrated auth are client registration (this is not configurable) and user-targeted deployments. Thus, there are no detailed implications here, as the choice is between PKI or no PKI certificates (both scenarios still use certificates though).


    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, October 14, 2019 2:19 PM
  • Hi,

    For more information about Windows Integrated authentication, please refer to the following article:
    IIS logging for Windows Integrated authentication

    Thanks for your time.

    Best regards,
    Simon Ren

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 15, 2019 8:51 AM
  • Hi,

    Just checking in to see if there is any update. If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.

    Thanks and regards,
    Simon 

    Friday, October 18, 2019 6:31 AM
  • Hi,

    Just checking in to see if there is any other assistance we can provide. If there are no other questions, would you please help close this case? Thanks for your time.

    Thanks and regards,
    Simon

    Tuesday, October 22, 2019 2:42 AM
  • Hi,

    Thanks for posting in TechNet. Hope things are going well. 

    Here are some articles for future benefit:
    IIS logging for Windows Integrated authentication
    Security and privacy for Configuration Manager clients

    Thanks for your time.

    Best regards,
    Simon

    Friday, October 25, 2019 3:14 AM