The documentation for this is yet to be published. Since I configured this recently and it's fresh in my mind I thought I'd commit to blog for posterity. Let me know if you found it useful and specifically if you did use the steps and found they need "tweaking".
In a situation where you are not able to use mutual authentication and also need to collect security events from agents, you can configure ACS forwarders in an untrusted domain to communicate with the collector running on a management server using certificates. Communication between forwarders and a collectors where kerberos mutual autentication is not available is only possible using certificates. If you have implimented a Gateway server, the communication channel used for agent communication and ACS Forward communication is different. ACS forwarder communication will not pass via the gateway server which could be an expectation. If you're using a Gateway Server you can of course install the ACS Collector role on the Gateway, if required. The ACS Collector database role could also reside here, or be located elseware with the option of using SQL Auth if required rather than Integrated security, again if there is no trust and the default SQL port is open on any firewalls. ACS Forwarders would then communicate with the Collector on the Gateway server without the need for certificates.
When a gateway server isn't used, or the Collector role cannot be installed on the Gateway. Each Forwarder can communicate to a Collector in an untrusted domain via certificates (a requirement).
Here's how to do it:
The steps below assume certificate based communication between agent and management server is already configured and is working correctly (See the links at the end of this posting if you need more on configuring certificates for agent communication).
Steps to enable certificate use on the ACS Collector.
The ACS Collector has to be installed on a Management Server role and has to be a member of an active directory forest. It is assumed here that the Management Server is configured to use certificates already for communcation to the agents in the untrusted domain. The same certificate used for Management Server authenication can be used for ACS Collector authenication (this fortunately reduces the amount of certificate maintenance you may have to perform). Recall, the intended purpose of the certificate is Server Authentication and Client Authentication and the Subject name must contain the FQDN of the server to which it is issued.
- On the Management Server housing the ACS Collector role execute CMD and from the command prompt navigate to the %systemroot%\system32\security\adtserver folder.
- Stop the ADTServer Windows service (e.g. NET STOP ADTSERVER)
- Execute ADTServer -c . This should display a list of certificates in the computers personal certificate store and title each with a numeric reference (1...n). If you have more than one listed select the certificate already used for Management Server authenication by selecting its number (e.g. 1 , if there is only one). Selecting 0 will abandon the selection and not make any changes. Also confirm the Issued to (subject) is the FQDN.
- Restart the ADTServer Windows Service (e.g. NET START ADTSERVER) . Confirm successful startup in the event log.
Steps to perform on the ACS Forwarders
Assumption is that each of the agents already has a certificate and is communicating normally to the management server.
- Launch a copy of MMC.exe and add the Certificates snap-in for the Computer Account (Local Computer)
- Locate the certificate in the personal computer store used for OpsMgr agent authentication and export the certificate without the private key in DER encoded binary X.509 format to file. (Recommend the file name is the computer name for identification later)
- Transfer the certificate file to a computer in the ACS Collectors domain which has administrator access to Active Directory Users and Computers.
- Within Active Directory Users and Computers you will need to create a Computer account matching each server in the untrusted domain for certificate mapping purposes
- Once you have this dummy computer account created use the "Name Mappings.." option (you will need Advanced Options enabled from the View menu) against the computer account, and from the X.509 panel select Add and add the certificate file you exported for that computer in the second step above.
- Once each agent has an account in AD and the certificate mapping in place, on the agent using a CMD prompt run ADTAgent -c . This should display a list of certificates in the computers personal certificate store and title each with a numeric reference (1...n). If you have more than one listed select the certificate already used for Management Server authenication by selecting its number (e.g. 1 , if there is only one). Selecting 0 will abandon the selection and not make any changes. Also confirm the Issued to (subject) is the FQDN.
- The ACS Forwarder should now be in a position to use certificate based authentication.
Steps to enable ACS Forwarders
These steps assume the ACS Forwarder hasn't yet been enabled.
- Within the Operations Manager administrator console select the Monitoring space and click the Discovered Inventory node.
- From the Actions menu choose State Actions and then Change target type from the sub-menu
- In the Look for text entry box type Agent and select Agent from the list and click OK
- The Discovered Inventory list will be rebuilt and now entitled Discovered Inventory (Agent)
- Select each agent in turn (sorry no multi-select) and from the Actions menu select Health Service Tasks, Enable Audit Collection.
Once the ACS Forwarder starts it should now use certificate based auth to the Collector.
See the Operations Manager 2007 Security Guide for discussion on obtaining and using certificate based authentication using an Enterprise or Standalong CA http://www.microsoft.com/technet/opsmgr/2007/library/proddocs.mspx
How to import a certificate using MOMCertImport using a .PFX file (http://technet.microsoft.com/en-us/library/bb309600.aspx)
Or simpler still
How to import a certicate using MOMCertImport from the certificate store itself (MOMCertImport /SubjectName <thesubjectnameofthecert=FQDN> . E.g. MOMCertImport /SubjectName dc1.contoso.com >