How to Enable or Disable Certificate Revocation Checking (CRL) on Clients
Updated: June 1, 2009
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Follow these procedures to enable or disable certificate revocation checking on Configuration Manager 2007 client computers in a native mode site.
Mobile device clients do not use certificate revocation lists.
When a Configuration Manager site is installed in native mode, the default site setting is for clients to check the certificate revocation list (CRL) before successful communication can be established with the native mode site systems. When a Configuration Manager site is installed in mixed mode and then migrated to native mode, this setting is disabled by default. To verify this setting for individual clients, see How to Identify Client Configuration Details for Native Mode and Internet-Based Client Management. You cannot configure CRL checking of native mode site systems in Configuration Manager 2007; this setting is on by default and inherited with IIS configuration.
The publishing and maintenance of the CRL is an integral part of the public key infrastructure (PKI) and external to Configuration Manager 2007. Do not use CRL checking on Configuration Manager clients until you have confirmed that your infrastructure can support this. For example, if you are using Internet-based client management and the issuing certification authority for the native mode site systems is on the intranet, you will need to ensure that the CRL is accessible from the Internet.
There are two supported procedures you can use for configuring CRL checking on clients. Choose the procedure that is suitable for your environment. However, client functions that run as a result of task sequence actions always check the CRL when the client is running versions prior to Configuration Manager 2007 SP2. The two procedures are as follows:
- Configure the option as a site property. Client computers that can access site properties published to Active Directory Domain Services will be automatically configured with this option on a periodic basis (including at site assignment time, every time the client starts, and every 25 hours). Clients installed using the client push installation method will be configured with the option at installation time only.

  For installed clients to be configured with the setting using Active Directory Domain Services, the following conditions must all apply:

  - Active Directory Domain Services must be extended with the Configuration Manager 2007 schema extensions
  - The site must be publishing to Active Directory Domain Services
  - Clients must be on the intranet
  - Clients must be from the same Active Directory forest as the site server's forest.

- Specify the setting using CCMSetup.exe command-line options. You can supply CCMSetup options when the client is first installed, or in a script that runs after installation and reinstalls the client with the new configuration. If the client is already installed, you can use the software distribution feature to send the CCMSetup commands to the client, or use a Configuration Manager 2007 task sequence to achieve this.

  Note If the settings supplied with CCMSetup conflict with those published to Active Directory Domain Services, and clients can access the settings in Active Directory Domain Services, the settings from Active Directory Domain Services take precedence and the settings specified with CCMSetup are not used.
You can also specify the setting using your in-house client management tools, which might include incorporating the settings in a standard build image and deploying custom scripts to edit the registry.
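The precedence rules above decide which source actually sets CRL checking on a given client. The following PowerShell sketch is an added example, not Microsoft code: it models those rules so you can spot clients whose CCMSetup option will be overridden. All function and parameter names are hypothetical; only the `/native` values are taken from this page.

```powershell
# Added example: a model of the precedence rules described on this page.
# Function and parameter names are hypothetical; the /native values are from the page.
function Get-NativeOption {
    param([bool]$CrlCheck, [bool]$HttpFallback)
    if ($CrlCheck -and $HttpFallback) { return '/native:CRLANDFALLBACK' }
    if ($CrlCheck)     { return '/native:CRL' }
    if ($HttpFallback) { return '/native:FALLBACK' }
    return '/native:'   # native mode without CRL checking, as written on the page
}

function Resolve-EffectiveCrlSetting {
    param(
        [bool]$SchemaExtended,      # AD DS extended with the ConfigMgr 2007 schema
        [bool]$SitePublishesToAD,   # site is publishing to AD DS
        [bool]$ClientOnIntranet,
        [bool]$SameForest,          # client is in the site server's forest
        [bool]$SitePropertyCrl,     # "Enable CRL checking on clients" site property
        [bool]$CcmSetupCrl,         # CRL choice supplied to CCMSetup.exe
        [bool]$PreSp2TaskSequence = $false
    )
    # The AD-published site property reaches the client only if all four conditions hold.
    $adApplies = $SchemaExtended -and $SitePublishesToAD -and
                 $ClientOnIntranet -and $SameForest
    if ($PreSp2TaskSequence) {
        # Task sequence actions on clients earlier than SP2 always check the CRL.
        $crl = $true; $source = 'TaskSequence (pre-SP2)'
    } elseif ($adApplies) {
        # Settings from AD DS take precedence over CCMSetup settings.
        $crl = $SitePropertyCrl; $source = 'ActiveDirectory'
    } else {
        $crl = $CcmSetupCrl; $source = 'CCMSetup'
    }
    [pscustomobject]@{
        CrlChecked      = $crl
        Source          = $source
        CcmSetupIgnored = $adApplies -and ($SitePropertyCrl -ne $CcmSetupCrl)
    }
}

# Constructed scenarios: site property enables CRL checking, CCMSetup disables it.
$common = @{ SchemaExtended = $true; SitePublishesToAD = $true; SameForest = $true
             SitePropertyCrl = $true; CcmSetupCrl = $false }
$intranet = Resolve-EffectiveCrlSetting @common -ClientOnIntranet $true
$internet = Resolve-EffectiveCrlSetting @common -ClientOnIntranet $false
$intranet, $internet | Format-Table -AutoSize
Get-NativeOption -CrlCheck $true -HttpFallback $false
```

In the constructed scenarios, the intranet client follows the site property and its CCMSetup choice is flagged as ignored, while the Internet client keeps whatever was passed to CCMSetup.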
To configure certificate revocation checking (CRL) on clients by configuring the setting as a site property
1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.
2. Right-click <site code> -<site code> and then click Properties.
3. On the Site Mode tab in the site properties dialog box, select or clear Enable CRL checking on clients.
To configure certificate revocation checking (CRL) on clients by specifying the setting using CCMSetup.exe command-line options
- To enable CRL checking: Use CCMSetup.exe with the command line property /native:CRL (for native mode communication and CRL checking), or /native:CRLANDFALLBACK (for native mode communication and CRL checking and HTTP communication for roaming and site assignment).
- To disable CRL checking: Use CCMSetup.exe with the command line property /native: (for native mode communication without CRL checking), or /native:FALLBACK (for native mode communication and HTTP communication for roaming and site assignment without CRL checking).
For more information about CCMSetup installation properties, see About Configuration Manager Client Installation Properties.