Microsoft automatically renews AD server certificates using a certificate template.
By default, the certificates are automatically renewed 45 days before they expire.

If you have an LDAPS connection to an AD system, ZCM has no knowledge of this certificate renewal.

In this case the connection to the LDAP store is broken, and the effect is that users can't authenticate to the ZCM environment.

ZCM should be able to run a periodic check for certificate renewal, starting at the time ZCM expects a certificate expiration, for example when the popup warns that the certificate will expire in 60 days.

From that point ZCM should check the certificate daily. When it is changed, for example 45 days before the actual expiration (the default of the Microsoft certificate template), the certificate should be renewed automatically in ZCM.

This would prevent LDAP connections from being broken.
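The checker described above, written out as an added example in Python (not ZCM or Microsoft code). It assumes, as the request implies, that ZCM pins the domain controller's own certificate; the host name, pinned-certificate path, sample dates and the 60/45-day thresholds are taken from the text or constructed for illustration. `observe()` reports whether the DC still presents the pinned certificate, and `plan()` turns that into the idle / daily-check / expect-renewal / refresh-trust decision the request asks for.

```python
"""Watch the LDAPS certificate of an AD domain controller so that a silent
template-driven renewal is noticed before it breaks the directory connection.

Added example; this is not ZCM or Microsoft code. Host names, file paths,
thresholds and the sample dates are constructed for illustration.
"""
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 60    # the request's example: ZCM warns 60 days before expiry
RENEW_DAYS = 45   # default Microsoft template: re-issue 45 days before expiry


def sha256_fingerprint(der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate (for the admin log)."""
    return hashlib.sha256(der).hexdigest()


def observe(host: str, pinned_cert_pem: str, port: int = 636, timeout: float = 10.0):
    """Connect over LDAPS and compare what the DC presents with the pinned copy.

    Returns ("ok", not_after) while the server still presents the certificate
    stored in pinned_cert_pem, or ("changed", fingerprint) once the handshake no
    longer validates against it, i.e. after AD has re-issued the certificate.
    """
    ctx = ssl.create_default_context(cafile=pinned_cert_pem)
    ctx.check_hostname = False                            # we pin the cert, not the name
    if hasattr(ssl, "VERIFY_X509_PARTIAL_CHAIN"):         # Python >= 3.10
        ctx.verify_flags |= ssl.VERIFY_X509_PARTIAL_CHAIN  # accept a pinned leaf as anchor
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
        return "ok", datetime.fromtimestamp(not_after, tz=timezone.utc)
    except ssl.SSLCertVerificationError:
        pass
    # The pinned copy no longer matches: fetch the new certificate without
    # verification so its fingerprint can be shown to the admin for approval
    # before it is imported as the new trusted copy.
    unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with unverified.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return "changed", sha256_fingerprint(der)


def plan(state: str, not_after, now: datetime,
         warn_days: int = WARN_DAYS, renew_days: int = RENEW_DAYS) -> str:
    """Decide the checker's next action from one observation.

    idle            more than warn_days left: an occasional check is enough
    daily-check     inside the warning window: poll every day
    expect-renewal  inside the template's renewal window: AD may re-issue any day
    refresh-trust   the DC already presents a new certificate: re-import it now
    expired         the pinned certificate has lapsed: the LDAP link is down
    """
    if state == "changed":
        return "refresh-trust"
    days_left = (not_after - now).days
    if days_left <= 0:
        return "expired"
    if days_left <= renew_days:
        return "expect-renewal"
    if days_left <= warn_days:
        return "daily-check"
    return "idle"


def plan_for_days_left(days_left: int, state: str = "ok") -> str:
    """Convenience wrapper: plan() for a certificate expiring in days_left days,
    evaluated against a fixed constructed clock."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return plan(state, now + timedelta(days=days_left), now)


if __name__ == "__main__":
    # Constructed sample run: the hypothetical DC and pinned-cert path are not real.
    try:
        state, detail = observe("dc01.example.invalid", "/etc/zcm/pinned-dc01.pem")
        print(state, detail, plan(state, detail, datetime.now(timezone.utc)))
    except OSError as exc:
        print("cannot reach sample host:", exc)
```

Run once a week while `plan()` returns `idle`, and once a day as soon as it returns `daily-check` or `expect-renewal`; a `refresh-trust` result means AD has already re-issued the certificate and the new fingerprint should be confirmed and imported before the old one lapses. Because ZCM would be the one pinning the certificate, the check validates against the pinned copy rather than the CA, which is exactly the comparison that fails after a template renewal.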

Comments

  • This sounds like a good idea. I would like the nag window to only be shown to super administrators because in our environment, 99% of the ZCM admins are not super admins and only manage devices, not the zone like us zone admins, who are super admins. We have recently gone through an expiring zone cert and that nag pop-up was confusing and unnecessary for most of the admins. Thanks!

  • Sometimes we have the same problem with a broken connection to the LDAP.

  • Annoying issue.

  • Have a look at UTM software. UTM is a Linux-based OS. This software has this option. It is used for SSO there, but this option could also be used for certificate renewal.
    UTM has a Join to AD button. When AD credentials are filled in and Join to AD is selected, a computer object with the name of the server is created in Active Directory. After that the computer is trusted by AD and will also receive new certificates from the DC.

    So this could also be created on ZCM.

  • It's a must; we have a lot of disconnection issues caused by certificate renewal.