Wednesday, 26 January 2011

How to properly issue a certificate for Forefront TMG Standalone Arrays in a workgroup


Because of the problems and pain we went through getting a Forefront TMG 2010 Standalone Array in a workgroup to work on VMware ESX 3.5 Update 5, I will detail the steps for creating certificates and importing them into the TMG certificate store, and point out the problems with the TMG Control service dependencies.

This is the environment we had:
  • Two Forefront TMG 2010 Enterprise Servers in a workgroup configured in Standalone Array with one TMG configured as Array Manager and another configured as Array Member
  • Windows Server 2008 R2 Standard
  • Virtual machines on VMware ESX 3.5 Update 5

During the implementation we ran into a problem where the Forefront TMG Control service took 10 minutes to start after a server restart. The service would eventually start, but the other Forefront services that depend on it would fail to start.

The problem was solved by implementing the following fixes:

I am not implying with this article that the TMG Control service hang is specific to VMware ESX, but that is the only platform on which we experienced it. When we encountered the problem we ran tests on a Hyper-V environment and on a separate VMware ESX 3.5 Update 5 environment and there was no problem; on this particular environment, however, the service would not start once the TMG array was configured.

So I would recommend that anyone get these dependencies fixed even if you do not encounter this problem now. Regarding the problem with certificates, I have already blogged about it here, but I have also written a procedure for properly issuing a Server Authentication certificate for TMG arrays in a workgroup.

How to issue a proper "Server Authentication" certificate

  • Access to any Windows Server 2008 IIS 7.0 web server
  • Access to an Enterprise or Standalone Windows Server 2008 Certification Authority (a Windows 2003 CA is also okay)

1. Open the IIS Manager, click on server name node from the left pane and click on "Server Certificates" from the middle pane

2. Click on the "Create Certificate Request" from the right pane

3. In the "Common name" field type the FQDN of the TMG server that will act as an Array Manager. In this example we will use "". Fill the remaining fields so that you best describe your organization.

4. Choose "Microsoft RSA SChannel Cryptographic Provider" for the "Cryptographic service provider" and choose 2048 for the "Bit length".

5. Save the certificate request as C:\tmg01.req.

6. Navigate to the Issuing or Root CA web site such as https://yourservername/certsrv and click on "Request a certificate"

7. Click on "advanced certificate request"

8. Click on "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file".

9. Paste the contents of the tmg01.req file that you created earlier from IIS into the "Base-64-encoded certificate request" field. If you are offered a drop-down list of Certificate Templates, select the "Web Server" template.

10. Your certificate request is now submitted to the CA. If the "Request Handling" property of your CA is set to issue certificates automatically, you will be presented with the following page, where you can download your issued "cer" file. Click on "Download certificate" and save the file as C:\tmg01.cer. Then go to step 15.

If "Request Handling" is set so that certificates are issued manually by the administrator, you will have to perform the following steps.

11. Open the "Certification Authority" console on your Issuing CA server and click on "Pending Requests". You should see your request in the right pane.

12. Right click on the request and select All Tasks > Issue.

13. Browse to the CA web site again (https://yourservername/certsrv) and click "View the status of the pending certificate request". There should be your "Saved-Certificate Request" listed.

14. You are now presented with the same page as in step number 10. Download the "cer" file as described in step 10 and proceed to step 15.

15. Now return to the IIS Manager console from which you have created the certificate request and now select "Complete Certificate Request".

16. In the "Specify Certificate Authority Response" screen, browse to the "cer" file you downloaded from the CA and enter a friendly name for the certificate. I usually type the same name as the common name.

You have now completed the procedure for issuing the "Server Authentication" certificate. If you open the "Local Computer" Certificates store on the server where you requested the certificate, you should see the certificate in the Personal > Certificates folder. The certificate icon should show a little yellow key, which means that the certificate has both the private and the public key. We must export the certificate with the private and public keys so that we can import it on our TMG server.

17. Right click on the certificate and click All Tasks > Export.

18. Select "Yes, export the private key".

19. "Personal Information Exchange - PKCS #12 (.PFX)" should be selected. Unmark all the checkboxes and click Next.

20. Type the password; you will need to type it again when you import the certificate on the TMG computer.

21. Save the certificate as C:\tmg01.pfx.
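The same request, issue and export sequence (steps 1 to 21) can be scripted with certreq and certutil instead of the IIS Manager wizard and the certsrv web pages. The script below is an added example, not part of the original post; the FQDN, the subject fields, the CA configuration string and the PFX password are placeholders you must replace. It is meant for an elevated PowerShell session on any Windows Server 2008 or 2008 R2 machine that can reach the CA.

```powershell
# Added example (not code from the original post): steps 1-21 done with certreq and
# certutil instead of IIS Manager and the certsrv web pages. Run elevated.
$Fqdn     = 'tmg01.example.com'                    # assumed: FQDN of the future Array Manager
$CaConfig = 'ca01.example.com\Company Issuing CA'  # assumed: "CAHOST\CA name" ("certutil -dump" shows yours)
$PfxPass  = 'ChangeMe-TMG-Import'                  # the password you will type again in step 28
$Inf = 'C:\tmg01.inf'; $Req = 'C:\tmg01.req'; $Cer = 'C:\tmg01.cer'; $Pfx = 'C:\tmg01.pfx'

# certreq INF equivalent of the IIS request wizard: same CSP and key length as step 4,
# key marked exportable so the PFX of steps 17-21 can be built, Server Authentication
# EKU (1.3.6.1.5.5.7.3.1), Web Server template as in step 9 (a standalone CA ignores it).
$infText = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=__FQDN__, O=Company, L=City, S=State, C=US"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
'@
$infText -replace '__FQDN__', $Fqdn | Set-Content -Path $Inf -Encoding ASCII

# Steps 1-5: create the key pair in the Local Computer store and write the PKCS #10 request.
certreq -new $Inf $Req

# Steps 6-10: submit the request. With automatic issuance certreq also saves the issued
# certificate to $Cer; with manual issuance it prints the RequestId and "pending".
$submitOutput = (certreq -submit -config $CaConfig $Req $Cer | Out-String)
$submitOutput
$requestId = $null
if ($submitOutput -match 'RequestId:\s*(\d+)') { $requestId = $matches[1] }
if ($submitOutput -match 'pending') {
    # Steps 11-12 happen on the CA (Pending Requests > All Tasks > Issue, or
    # "certutil -config <CAHOST\CAName> -resubmit <RequestId>"); steps 13-14 are the retrieve below.
    Read-Host "Request $requestId is pending. Issue it on the CA, then press Enter"
    certreq -retrieve -config $CaConfig $requestId $Cer
}

# Steps 15-16: bind the issued certificate to its key pair (Local Computer > Personal).
certreq -accept $Cer

# Steps 17-21: export certificate plus private key as PKCS #12. certutil is used because
# Export-PfxCertificate is not available on Windows Server 2008 R2.
certutil -p $PfxPass -exportPFX my $Fqdn $Pfx
```

The resulting C:\tmg01.pfx is the file used in step 28. Keep the INF's KeySpec = 1 and ProviderType = 12: those are what make the key usable for SSL by the SChannel provider chosen in step 4.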

Now that we have our certificate ready for import, there is still one thing we must do. Since we are creating the TMG array in workgroup mode, we must import the root certificate of the CA that issued the certificate to all of the TMG servers that will participate in the array. But first we must export the root CA certificate from a computer that has it.

22. Open the "Local Computer" Certificates store on the Issuing CA computer or on some other computer which is a domain member in a domain where CA resides.

23. Navigate to the Trusted Root Certification Authorities > Certificates, right-click on the root certificate from the CA which issued your certificate and select All Tasks > Export.

24. Select "DER encoded binary X.509 (.CER)" and click Next.

25. Save the "cer" file to disk. In our example it is C:\CompanyRootCA.cer.

Now we have both the PFX file, which contains the public and private keys for the TMG computer certificate, and a CER file, which contains the public key of our root CA. The next thing we must do is import the root certificate to each TMG server that will participate in the array and then import the "Server Authentication" certificate.

Note: It is good practice to create a "Server Authentication" certificate for all TMG servers, so that if the Array Manager fails you can promote another Array Member to Array Manager.

26. Open the "Local Computer" Certificates store on each TMG server and import the root certificate "cer" file to the "Trusted Root Certification Authorities".
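Steps 22 to 26 can also be done from PowerShell and certutil, with a check at the end that the TMG server certificate really chains to the imported root. This is an added example, not code from the original post; the root CA name and the file paths are placeholders, and part 1 runs on the Issuing CA or a domain member that trusts it while part 2 runs on every TMG server.

```powershell
# Added example (not code from the original post): steps 22-26 scripted, plus a chain check.
$RootCaName = 'Company Root CA'       # assumed: subject CN of your root CA
$RootCer    = 'C:\CompanyRootCA.cer'  # step 25 output
$TmgCer     = 'C:\tmg01.cer'          # public certificate downloaded in step 10 (copy it to the TMG server too)

# --- Part 1 (steps 22-25), on the CA or a domain member: export the root, DER encoded, public key only ---
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "CN=$RootCaName*" } | Select-Object -First 1
if (-not $root) { throw "Root certificate '$RootCaName' not found in Trusted Root Certification Authorities" }
$der = $root.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[IO.File]::WriteAllBytes($RootCer, $der)
"Exported $($root.Subject) (thumbprint $($root.Thumbprint)) to $RootCer"
# If the CA that issued the TMG certificate is itself the root, this gives the same file:
#   certutil -config "ca01.example.com\Company Root CA" -ca.cert C:\CompanyRootCA.cer

# --- Part 2 (step 26), on each TMG server after copying CompanyRootCA.cer and tmg01.cer there ---
certutil -addstore -f Root $RootCer

# Check: the TMG certificate (public part from step 10) must now build a trusted chain on this
# server. Revocation checking is switched off because a workgroup TMG host often cannot reach
# the CRL; what we are testing here is trust in the root, which is what step 26 provides.
$cert  = New-Object Security.Cryptography.X509Certificates.X509Certificate2($TmgCer)
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "OK: $($cert.Subject) chains to trusted root $($last.Subject)"
} else {
    "Chain build FAILED for $($cert.Subject):"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
}
```

A status of UntrustedRoot in the failure output means step 26 has not been done on that server (or the wrong root was exported); PartialChain means an intermediate issuing CA certificate is also missing and must be imported into Intermediate Certification Authorities in the same way.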

27. Now open the "Forefront TMG Management" console on the TMG server that will act as an Array Manager. Expand "Forefront TMG" in the left pane and click on System node. Click on the TMG server name in the center pane and click on the "Install Server Certificate" in the right pane.

28. Now browse to the "pfx" file you exported from the web server computer and type the password for the file. Unmark the checkbox "Automatically create the root CA certificate on this array manager." In my experience, leaving this checkbox marked always resulted in an error even though the pfx file contained the root CA certificate. Click OK.

Now, if you open the Certificates store for the Windows service named ISASTGCTRL, you should see the imported certificate with the private key in the Personal store.

So why is it important to use the Forefront TMG Management console to import the certificate? You could just import the certificate into the Local Computer Certificates store, right? Well, the answer is yes and no. If you do it that way, the ISASTGCTRL service will not have enough permissions to read the private key file that is stored in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, you will get Schannel errors in the Windows event log, and the TMG Control service will not be able to communicate with the ADAM service (ISASTGCTRL) on the Array Manager computer. If you use the Forefront TMG Management console to import the certificate, all the necessary permissions are added to the private key file, including:
  • fwsrv
Of course you could manually update the permissions on the private key file if you knew which private key file it is, and things would work, but that is not the proper way to do this.
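If you suspect you are in exactly this situation, a certificate imported by hand into the Local Computer store whose key file the service cannot read, the following script finds the key file, shows its ACL and lists recent Schannel errors so you can confirm the diagnosis before fixing it the proper way through the TMG console. It is an added example, not code from the original post; the FQDN is a placeholder, and besides the fwsrv account named above it also checks the account the ISASTGCTRL service runs as, which is an assumption about what needs access rather than something the post states.

```powershell
# Added example (not code from the original post): locate the private key file behind the
# TMG certificate in the Local Computer store, show who can read it, list Schannel errors.
$Fqdn = 'tmg01.example.com'   # assumed: subject CN of the TMG certificate
$NeededAccounts = @('fwsrv')  # from the post; the service account below is an added assumption
$svc = Get-WmiObject Win32_Service -Filter "Name='ISASTGCTRL'"
if ($svc) { $NeededAccounts += $svc.StartName }

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$Fqdn*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in Local Computer\Personal" }

# Keys from the Microsoft RSA SChannel CSP are files named after their key container
# under MachineKeys; the certificate's key container info tells us which file it is.
$container = $cert.PrivateKey.CspKeyContainerInfo
if (-not $container.MachineKeySet) { throw "Key lives in a user profile, not under MachineKeys" }
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container.UniqueKeyContainerName
"Private key file: $keyFile"

$acl = Get-Acl $keyFile
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Loose name matching ("fwsrv" vs "MACHINE\fwsrv", "NT AUTHORITY\NETWORK SERVICE" vs
# "NetworkService"): treat a MISSING line as a prompt to look, not as proof.
foreach ($account in ($NeededAccounts | Where-Object { $_ })) {
    $short = (($account -split '\\')[-1] -replace '\s', '')
    $ace = $acl.Access | Where-Object {
        $id = (($_.IdentityReference.Value -split '\\')[-1] -replace '\s', '')
        ($id -eq $short) -and ($_.AccessControlType -eq 'Allow') -and
        (($_.FileSystemRights -band [Security.AccessControl.FileSystemRights]::Read) -ne 0)
    }
    if ($ace) { "OK       $account can read the key file" } else { "MISSING  $account has no Read entry on the key file" }
}

# Schannel reports the failed handshakes in the System log (Level 2 = Error).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Level = 2 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

The right remedy remains the one the post describes: remove the hand-imported certificate and import the PFX again through "Install Server Certificate", which sets these permissions for you.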

Test the connection

Now there is only one thing left, and that is to test the secure LDAP connection to the Array Manager server. We will use ldp.exe for this. You should be able to run it from your TMG servers.

Open ldp.exe and click on Connection > Connect. Type the FQDN of the TMG server that will act as Array Manager and type 2172 for the port number, as this is the port on which the ISASTGCTRL service listens. Check SSL and click Connect.

If the connection is successful you will see a screen like the following:

And that is all there is to it! Make sure to complete the procedure for all TMG servers that will participate in the array, for the reason already mentioned: so that another Array Member can become the Array Manager in case the Array Manager fails.
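The ldp.exe test above can also be run as a script from each Array Member, which is handy when you want the result in a log or want to repeat it after each change. The script below is an added example, not part of the original post: it opens a TLS connection to port 2172 on the Array Manager, completes the handshake and reports which certificate the ISASTGCTRL service presented and whether this machine trusts it. The Array Manager FQDN is a placeholder.

```powershell
# Added example (not code from the original post): scripted equivalent of the ldp.exe
# SSL connect to port 2172. Run from each Array Member.
$ArrayManager = 'tmg01.example.com'   # assumed: Array Manager FQDN; must match the certificate CN from step 3
$Port         = 2172                  # port the ISASTGCTRL (ADAM) service listens on

function Test-TmgArrayManagerTls {
    param([string]$HostName, [int]$TcpPort)

    $client = New-Object Net.Sockets.TcpClient
    try { $client.Connect($HostName, $TcpPort) }
    catch { return "TCP connect to ${HostName}:$TcpPort failed: $($_.Exception.Message)" }

    # The validation callback records the policy result instead of aborting the handshake,
    # so a trust or name problem is reported in the output rather than hidden in an exception.
    $script:policyErrors = $null
    $callback = [Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors = $sslPolicyErrors
        return $true
    }

    $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $serverCert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Server      = "${HostName}:$TcpPort"
            Protocol    = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Subject     = $serverCert.Subject
            Issuer      = $serverCert.Issuer
            Expires     = $serverCert.NotAfter
            PolicyCheck = $script:policyErrors   # None = chain trusted and name matches
        }
    } catch {
        "TLS handshake with ${HostName}:$TcpPort failed: $($_.Exception.Message)"
    } finally {
        $ssl.Close(); $client.Close()
    }
}

Test-TmgArrayManagerTls -HostName $ArrayManager -TcpPort $Port | Format-List
```

PolicyCheck of RemoteCertificateChainErrors means the root CA certificate from step 26 is not in this member's Trusted Root store; RemoteCertificateNameMismatch means the FQDN you typed does not match the common name chosen in step 3. A TCP failure with the service running points at the firewall policy or at the ISASTGCTRL service itself rather than at the certificate.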


  1. Thank you very much!!!
    I spent hours on building up the array and was wondering why it just won't work. But after setting up the certificates it worked like a charm.

  2. Thanks, the procedure was so clear and it is very helpful

  3. AWESOMENESS !!!
    Worked like a friggin charm !!!

  4. Thanks a lot from france too !!

  5. Another Very Happy reader. Thank you for the help... Did a re-install of TMG and this part did not reinstall properly. Saved me from having to revert to a bare metal rebuild.

  6. Really great!
    Very useful and something not clear in the official documentation...

  7. Yeh... it worked like a charm......
    You are great........ burrrah burrrah

  8. Thank you, even Microsoft does not describe this process as detailed as you did.