Wednesday, June 20, 2018

Disabling TLS 1.0 for ConfigMgr.

PCI

PCI compliance, oh man. If you’re not familiar with PCI compliance, there is a deadline of June 30th, 2018 to disable SSL/early TLS in PCI-compliant environments.

To accomplish this for our ConfigMgr environment, I used software by Nartac Software called IIS Crypto. It is a free tool that lets you reorder SSL/TLS cipher suites, enable or disable protocols, ciphers, hashes, and key exchanges (it does this by writing the Schannel settings in the registry), and save or apply templates for all of these things.

In a nutshell, here’s the procedure I went through.
  • Using IIS Crypto, save a template of current, pre-change settings.
  • Uncheck SSL 2.0, SSL 3.0, and TLS 1.0
  • Apply changes
  • Update SQL Server Native Client
  • Reboot server
  • Repeat on all ConfigMgr Servers
After a bit of trial and error, the above procedure is what ended up working for me. Getting there took an hour or so: without updating the SQL Server Native Client, the server logs were spitting out tons of errors, and the console never managed a connection.

What’s deceiving about the logs in the log viewer is that the error is not highlighted as an error; once you spot it, though, it’s a dead giveaway about the issue. The following is from sitecomp.log:

In plain English: the SQL Server Native Client doesn’t support the protocols that are still enabled (we’re relying solely on TLS 1.1 and TLS 1.2 now). Update the SQL Server Native Client to a build that supports TLS 1.2, and the error goes away and ConfigMgr starts to function normally.

To check what version of the SQL Server Native Client your site server has, open the ODBC Data Source Administrator and move to the Drivers tab; you can see mine were well out of date.
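Before and after applying the IIS Crypto template, it helps to confirm from the registry what Schannel actually has enabled and which Native Client build is registered, rather than trusting the GUI. The script below is an added example (not from the original post or from IIS Crypto): it reads the standard Schannel protocol keys and the ODBC driver registrations; run it in an elevated PowerShell session on each site server.

```powershell
# Added example: audit Schannel protocol state and the SQL Server Native Client
# driver version on a ConfigMgr site server. Registry paths are the standard
# Schannel and ODBC locations; no minimum version is hard-coded, compare the
# reported build against Microsoft's TLS 1.2 support guidance yourself.

$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    foreach ($proto in $protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $schannel $proto) $side
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $item = Get-ItemProperty -Path $key
                $enabled = $item.Enabled              # 0 = off, 0xffffffff = on
                $disabledByDefault = $item.DisabledByDefault
            }
            # No key at all means the OS default applies, which varies by Windows version.
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = if ($null -eq $enabled) { 'OS default' }
                                    elseif ($enabled -eq 0) { 'Disabled' }
                                    else { 'Enabled' }
            }
        }
    }
}

function Get-SqlNativeClientVersion {
    # Each ODBC driver is registered under ODBCINST.INI; 'Driver' points at the DLL.
    Get-ChildItem 'HKLM:\SOFTWARE\ODBC\ODBCINST.INI' |
        Where-Object { $_.PSChildName -like 'SQL Server Native Client*' } |
        ForEach-Object {
            $dll = (Get-ItemProperty -Path $_.PSPath).Driver
            [pscustomobject]@{
                Driver  = $_.PSChildName
                Path    = $dll
                Version = if ($dll -and (Test-Path $dll)) {
                              (Get-Item $dll).VersionInfo.ProductVersion
                          } else { 'DLL not found' }
            }
        }
}

Get-SchannelProtocolState   | Format-Table -AutoSize
Get-SqlNativeClientVersion  | Format-Table -AutoSize
```

After the change, SSL 2.0, SSL 3.0 and TLS 1.0 should show Disabled for both Server and Client while TLS 1.1 and TLS 1.2 show Enabled; if the Native Client version predates TLS 1.2 support, that is the sitecomp.log error waiting to happen.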

References

The below resources helped me work through this change in my environment; hopefully they can help you as well.

Thursday, June 14, 2018

Community.

I wanted to take a moment to talk about the community and share the ones I participate in most. If you’re like me, you find a lot of value in being able to converse, brainstorm, and dork around with people who are doing the same things you’re doing. Sometimes, that project you’ve been working on for weeks just needed a fresh pair of eyes to shed some light and share some insight.
Above anything I'm likely to post on this blog, these resources should be the thing to take home.

Reddit
Oh boy, do I spend a lot of time on Reddit. Most of that time isn’t productive, but when it is, these are the subreddits I use:
www.reddit.com/r/SCCM
www.reddit.com/r/sysadmin
www.reddit.com/r/homelab
www.reddit.com/r/PowerShell

Slack
Slack is a modern chat/workplace platform. You can use it on the web, on your phone, or with a desktop app. The WinAdmins Slack has over 4,000 members, and 40 channels dedicated to different Windows Admin focused topics.
The WinAdmins Slack: https://slofile.com/slack/winadmins

Twitter
While I’m new to Twitter, it didn’t take me very long to understand the value of being able to interact with other admins in such an immediate and open way. Now, I’m following all the MVPs I can think of that contribute to the #ConfigMgr community, as well as a lot of the #ConfigMgr product team, and it’s helped me stay afloat in this rapid iteration world we live in.

Sharing is Caring.

One of the many things that stuck with me from the Midwest Management Summit conference was this: there is a ton of value in sharing knowledge with the community. Certainly, I don't know where I'd be in my career now without the guidance of the MVPs, bloggers, and Twitterers. My mission will be to use this blog, and my Twitter below, to share information that will be useful to everyday Windows IT admins.

To that end, I've started actually using my Twitter account. The #ConfigMgr community is one to keep an eye on as a ConfigMgr admin, for sure. You can find me, creatively, @tstolswo. I'll do my best to stay active, retweet information that is useful, and answer any questions that I'm able to.

Disclaimer: I don't actually know what I'm doing, either on Twitter or on this blog - this is the first effort for both, so forgive me as this is the start of a learning process.