Enhanced HTTP - Behaviour clarifications and pre-requisites

SAMUEL VALAPARLA 126 Reputation points
2023-09-12T19:13:56.59+00:00

Hi All,

So we're running MEMCM 2203 and preparing to enable enhanced HTTP for client-server communication, as this is now mandatory (if not already running HTTPS communication).

We've already implemented CMG with 2 Cloud MPs which are already using an SSL certificate that has been bound in IIS (and these specifically cater to Internet clients - understandably). In addition to this we have 3 MPs and 180 DPs which cater to the clients on the corporate network.

We have set up a lab environment to test the enhanced HTTP functionality, and I think there are some observations that aren't fully detailed in the official documentation for this topic.

https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/enhanced-http

  1. Even before we enabled Enhanced HTTP we observe that the SMS Role SSL Certificate is already available within SCCM. It's also found in the Certificate Store of our Site Server as well as MP servers (under Personal and SMS)


Also, the SMS Role SSL Certificate shows as bound to port 443 in IIS for all the MP servers even before we've enabled Enhanced HTTP. So this cert and this behaviour don't seem to be issued after enabling ehttp.


This seems to be a design change (undocumented) from 2103. Please correct me if I'm missing something here.

  2. After enabling Enhanced HTTP in the Site Server > Communication tab we can see that the SMS Role SSL Certificate gets bound to port 443 on the DPs, and also 2 new WVDs (Virtual Directories) get created under the IIS websites specifically for ehttp-based communication with clients over port 443.


  3. After enabling Enhanced HTTP we haven't seen any explicit communication with the MPs over port 443, or the use of the SMS_MP_TokenAuth or SMS_MP_WindowsAuth IIS WVDs, by the client communications. These seem to be specifically for the Internet-based clients, which would connect over 443 for the respective token exchange communication. Is this a correct understanding, or am I missing something here?
  4. After enabling enhanced HTTP, the clients do not receive any explicit certificates (as described in some of the popular blogs on this topic). However, for the clients to start using the enhanced HTTP based communication the registry key "HttpsState" (under HKLM\Software\Microsoft\CCM) needs to get updated to a specific value (0x000004e0 (1248)), failing which the client will continue to use the older HTTP based communication with the DPs. Only after the above reg key is updated would we see the client connect to the newly created WVDs on the DP over port 443. Is this a correct understanding, or am I missing something here?
  5. Lastly, with Enhanced HTTP doing away with the Domain Join account (which is specifically required in OSD scenarios), how would a client authenticate itself to request content from DPs? Especially during the WinPE phase, where there is no Active Directory identity for the incoming client (since we also do not allow anonymous clients to connect)? My understanding is that the newly generated certificate on the DP would come into play here, and if so, there is a need to update the Boot Images after enabling Enhanced HTTP. Any correction or detail around this understanding of the workflow would be greatly appreciated.

Many of the details around these workflows are not covered in the official documentation, and I believe there is a representation towards this on the MS user voice forum as well. But any thoughts, learnings or things to be cautious about before enabling the enhanced HTTP setting in SCCM would be very helpful.

Thank You.

SV
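As an added example that is not part of the original post or of Microsoft's documentation, the following PowerShell script checks the state described in the five points above on a ConfigMgr client or site system: the HttpsState registry value, the SMS Role SSL Certificate in the Personal and SMS certificate stores, the port 443 binding in IIS, and the presence of the SMS_MP_TokenAuth / SMS_MP_WindowsAuth directories. The IIS site name 'Default Web Site', the matching of the certificate by its friendly name or subject text, and the parameter names are assumptions; the DP directory names are not given in the post, so the script simply lists whatever applications and virtual directories are present.

```powershell
# Added example (not from the original post): verify the enhanced HTTP
# prerequisites and state described in the question on one machine.
# Assumptions: IIS site is 'Default Web Site'; the certificate is matched on the
# text 'SMS Role SSL Certificate' in its friendly name or subject; 1248 (0x4E0)
# is the HttpsState value quoted in the question.
[CmdletBinding()]
param(
    [string]$SiteName = 'Default Web Site',
    [string]$CertNamePattern = 'SMS Role SSL Certificate',
    [int]$ExpectedHttpsState = 1248   # 0x4E0, as quoted in the question
)

$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. Client side: has the client switched to enhanced HTTP? ---
$ccmKey = 'HKLM:\SOFTWARE\Microsoft\CCM'
$httpsState = (Get-ItemProperty -Path $ccmKey -Name HttpsState -ErrorAction SilentlyContinue).HttpsState
if ($null -eq $httpsState) {
    $findings.Add("Client: $ccmKey\HttpsState not present (not a ConfigMgr client, or value not yet written)")
} elseif ($httpsState -eq $ExpectedHttpsState) {
    $findings.Add(("Client: HttpsState = 0x{0:X} ({0}); enhanced HTTP expected to be in use" -f $httpsState))
} else {
    $findings.Add(("Client: HttpsState = 0x{0:X} ({0}) differs from {1}; client likely still on plain HTTP" -f $httpsState, $ExpectedHttpsState))
}

# --- 2. Certificate stores: Personal (My) and SMS on site systems ---
foreach ($store in 'My', 'SMS') {
    $path = "Cert:\LocalMachine\$store"
    if (-not (Test-Path $path)) { $findings.Add("Cert: store $store not present on this machine"); continue }
    $certs = @(Get-ChildItem $path | Where-Object {
        $_.FriendlyName -like "*$CertNamePattern*" -or $_.Subject -like "*$CertNamePattern*"
    })
    foreach ($c in $certs) {
        $findings.Add("Cert: [$store] thumbprint $($c.Thumbprint) valid until $($c.NotAfter.ToString('u'))")
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
            $findings.Add("Cert: [$store] $($c.Thumbprint) expires within 30 days")
        }
    }
    if ($certs.Count -eq 0) { $findings.Add("Cert: no certificate matching '$CertNamePattern' in $store") }
}

# --- 3. IIS: port 443 binding and the directories the post mentions ---
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $bindings = @(Get-WebBinding -Name $SiteName -Port 443 -ErrorAction SilentlyContinue)
    if ($bindings.Count -eq 0) {
        $findings.Add("IIS: no port 443 binding on '$SiteName'")
    } else {
        foreach ($b in $bindings) {
            $findings.Add("IIS: 443 binding $($b.bindingInformation) uses certificate hash $($b.certificateHash)")
        }
    }
    # The post calls them WVDs; ConfigMgr creates both applications and virtual
    # directories, so collect the paths of both and report everything found.
    $paths = @(
        (Get-WebApplication -Site $SiteName -ErrorAction SilentlyContinue).path
        (Get-WebVirtualDirectory -Site $SiteName -ErrorAction SilentlyContinue).path
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimStart('/') } | Sort-Object -Unique
    foreach ($p in $paths) { $findings.Add("IIS: application/virtual directory $p") }
    foreach ($expected in 'SMS_MP_TokenAuth', 'SMS_MP_WindowsAuth') {
        if ($paths -notcontains $expected) {
            $findings.Add("IIS: $expected not present (named in the post as created on an MP for enhanced HTTP)")
        }
    }
} else {
    $findings.Add("IIS: WebAdministration module not available; not an IIS site system, or module missing")
}

$findings
```

Run it in an elevated PowerShell on a client, MP or DP and compare the output against what the question reports: on a client the HttpsState line is the one that matters, on an MP or DP the certificate and IIS lines. Because it only reads registry, certificate stores and IIS configuration, it is safe to run repeatedly during a rollout to confirm when each machine has actually switched.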

1 answer

  1. Simon Ren-MSFT 30,831 Reputation points Microsoft Vendor
    2023-09-13T09:45:58.6433333+00:00

    Hi,

    Thanks for your detailed and insightful information. I will do more research about this question; if there is any update, I will let you know.

    Similar thread for your reference: Simple Guide to Enable SCCM Enhanced HTTP Configuration

    Thanks for your time. Have a nice day!

    Best regards,

    Simon
