
Determine If You Need to Specify Client Certificate Settings (Native Mode)

Updated: November 1, 2009

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

When Configuration Manager 2007 clients connect to their management points, they use a client certificate for authentication.

A Configuration Manager 2007 client uses a certificate located in the Computer certificate store. By default, the client looks in the Personal store for a certificate whose intended purpose field includes client authentication, and it uses that certificate for native mode communication. If a client computer has only one valid certificate that matches this requirement, there are no certificate settings to configure in Configuration Manager 2007.

However, you will have to configure client certificate settings if either of the following conditions applies:

  • The client certificate to use with Configuration Manager 2007 is not stored in the Personal store, but in a different location in the Computer certificate store.

  • There is more than one certificate that is valid and contains the client authentication purpose. In this scenario, Configuration Manager will not know which certificate should be used.

When clients have more than one certificate that can be used for native mode communication, there are two available selection methods that can be configured for multiple clients to determine which certificate will be used:

  • A partial string match on the client certificate Subject Name. This is a case-insensitive match that is appropriate if you are using the fully qualified domain name (FQDN) of a computer in the Subject field and want the certificate selection to be based on the domain suffix, for example, contoso.com. However, you can use this selection method to identify any string of sequential characters that differentiates the certificate from the others in the client certificate store.

  • A match on the client certificate Subject Name attribute values or the Subject Alternative Name attribute values. This is a case-sensitive match that is appropriate if you are using an X.500 distinguished name or the equivalent OIDs (Object Identifiers) in the Subject field in accordance with RFC 3280, and you want the certificate selection to be based on the attribute values. You specify only the attributes and values that you require to uniquely identify or validate the certificate and differentiate it from the others in the certificate store.

The attribute values that are supported in Configuration Manager 2007 for certificate selection criteria are listed in the following table.

OID Attribute                 Distinguished Name Attribute   Attribute Definition
0.9.2342.19200300.100.1.25    DC                             Domain component
1.2.840.113549.1.9.1          E or E-mail                    E-mail address
2.5.4.3                       CN                             Common name
2.5.4.4                       SN                             Subject name
2.5.4.5                       SERIALNUMBER                   Serial number
2.5.4.6                       C                              Country code
2.5.4.7                       L                              Locality
2.5.4.8                       S or ST                        State or province name
2.5.4.9                       STREET                         Street address
2.5.4.10                      O                              Organization name
2.5.4.11                      OU                             Organizational unit
2.5.4.12                      T or Title                     Title
2.5.4.42                      G or GN or GivenName           Given name
2.5.4.43                      I or Initials                  Initials
2.5.29.17                     (no value)                     Subject Alternative Name

If more than one suitable certificate is found even after the selection criteria are applied, you can specify how the client behaves with regard to certificate selection. When a certificate cannot be uniquely selected, the default setting is that no certificate is selected, which results in failed communication with the management point. In this scenario, the client sends an error message to its assigned fallback status point to alert you to the certificate selection failure so that you can modify or refine your certificate selection criteria.

Alternatively, you can configure clients to select any of the suitable and matching certificates. If the client is running Configuration Manager 2007 SP1 or later, the certificate with the longest validity period is selected, which might be required if you are using Network Access Protection and IPsec enforcement. This setting might result in successful native mode communication but is a less reliable configuration because there is no control over which client certificate will be used.
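The following PowerShell script is an added example, not code from the Configuration Manager 2007 documentation or product. It enumerates the client-authentication certificates in the Computer (LocalMachine\My) store of the machine it runs on, applies the two selection methods described above (a case-insensitive partial match on the Subject Name, and a case-sensitive match on Subject or Subject Alternative Name attribute values), and then reports whether exactly one certificate remains, mirroring the default "no unique match means no certificate" behaviour and the "select any" alternative. The parameter names, the sample criteria, and the assumption that Windows formats SAN entries as "Name=Value" lines are the author's assumptions, not documented product behaviour.

```powershell
# Added example (not from the original page): check how many certificates in the
# Computer Personal store would satisfy native mode client certificate selection.
# Parameter names, defaults and the sample criteria are assumptions.
param(
    # Partial, case-insensitive match on the whole Subject Name string.
    [string]$SubjectContains = 'contoso.com',
    # Exact, case-sensitive Attribute=Value pairs that must all appear in the
    # Subject or the Subject Alternative Name, e.g. 'OU=Workstations','DC=contoso'.
    [string[]]$AttributeValues = @()
)

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (Client Authentication)
$now = Get-Date

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # True when the certificate carries an EKU extension that lists Client Authentication.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($usage in $ext.EnhancedKeyUsages) {
                if ($usage.Value -eq $ClientAuthEku) { return $true }
            }
        }
    }
    return $false
}

function Get-NameEntries {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # One "Attribute=Value" line per Subject RDN (Format($true) emits one RDN per line),
    # followed by the SAN entries as Windows formats them (assumed "DNS Name=host" style).
    $lines = @($Cert.SubjectName.Format($true) -split "`r?`n")
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) { $lines += @($san.Format($true) -split "`r?`n") }
    return @($lines | Where-Object { $_.Trim() -ne '' })
}

# Step 1: what the client considers by default - valid certificates in the Personal
# store that have a private key and the Client Authentication purpose.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and (Test-ClientAuthEku $_)
})

# Step 2a: partial string match on the Subject Name (case-insensitive).
if ($SubjectContains) {
    $candidates = @($candidates | Where-Object {
        $_.Subject.IndexOf($SubjectContains, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
}

# Step 2b: attribute-value match (case-sensitive, -ccontains). Every requested pair must be present.
if ($AttributeValues.Count -gt 0) {
    $candidates = @($candidates | Where-Object {
        $present = Get-NameEntries $_
        $missing = @($AttributeValues | Where-Object { $wanted = $_; -not ($present -ccontains $wanted) })
        $missing.Count -eq 0
    })
}

# Step 3: interpret the result the way the client would.
switch ($candidates.Count) {
    0 {
        Write-Warning 'No certificate matches. With the default setting the client selects nothing, communication with the management point fails, and the failure is reported to the fallback status point.'
    }
    1 {
        Write-Output ('Unique match: {0}  {1}' -f $candidates[0].Thumbprint, $candidates[0].Subject)
    }
    default {
        Write-Warning ('{0} certificates still match; refine the criteria, or allow the client to select any of them (SP1 and later pick the longest validity period):' -f $candidates.Count)
        $candidates | Sort-Object NotAfter -Descending |
            Select-Object Thumbprint, Subject, NotBefore, NotAfter | Format-Table -AutoSize
    }
}
```

Run it in an elevated PowerShell session on the client, for example as `.\Find-NativeModeClientCert.ps1 -AttributeValues 'OU=Workstations','DC=contoso'` (the script name is hypothetical). A result of two or more certificates at step 1 is exactly the situation in which the page says selection criteria must be configured; a result of zero after step 2 shows criteria that are too narrow, which in production would surface as a certificate selection failure at the fallback status point.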

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.