When Configuration Manager 2007 clients connect to their management points, they use a client certificate for authentication.
A Configuration Manager 2007 client uses a certificate located in the Computer certificate store. By default, the client identifies a certificate in the Personal store that includes client authentication in the intended purpose field and it will use this certificate for native mode communication. If a client computer has only one valid certificate that matches this requirement, there are no certificate settings to configure in Configuration Manager 2007.
However, you will have to configure client certificate settings if either of the following conditions applies:
- The client certificate to use with Configuration Manager 2007 is not stored in the Personal store, but in a different location in the Computer certificate store.
- There is more than one certificate that is valid and contains the client authentication purpose. In this scenario, Configuration Manager will not know which certificate should be used.
When clients have more than one certificate that can be used for native mode communication, there are two available selection methods that can be configured for multiple clients to determine which certificate will be used:
- A partial string match on the client certificate Subject Name. This is a case-insensitive match that is appropriate if you are using the fully qualified domain name (FQDN) of a computer in the subject field and want the certificate selection to be based on the domain suffix, for example contoso.com. However, you can use this selection method to identify any string of sequential characters that differentiate the certificate from others in the client certificate store.
- A match on the client certificate Subject Name attribute values or the Subject Alternative Name attribute values. This is a case-sensitive match that is appropriate if you are using an X500 distinguished name or equivalent OIDs (Object Identifiers) in the Subject field in accordance with RFC 3280, and you want the certificate selection to be based on the attribute values. You can specify only the attributes and their values that you require to uniquely identify or validate the certificate and differentiate the certificate from others in the certificate store.
The attribute values that are supported in Configuration Manager 2007 for certificate selection criteria are listed in the following table.
| OID Attribute | Distinguished Name Attribute | Attribute Definition |
|---|---|---|
| 0.9.2342.19200300.100.1.25 | DC | Domain component |
| 1.2.840.113549.1.9.1 | E or E-mail | E-mail address |
| 2.5.4.3 | CN | Common name |
| 2.5.4.4 | SN | Subject name |
| 2.5.4.5 | SERIALNUMBER | Serial number |
| 2.5.4.6 | C | Country code |
| 2.5.4.7 | L | Locality |
| 2.5.4.8 | S or ST | State or province name |
| 2.5.4.9 | STREET | Street address |
| 2.5.4.10 | O | Organization name |
| 2.5.4.11 | OU | Organizational unit |
| 2.5.4.12 | T or Title | Title |
| 2.5.4.42 | G or GN or GivenName | Given name |
| 2.5.4.43 | I or Initials | Initials |
| 2.5.29.17 | (no value) | Subject Alternative Name |
If more than one suitable certificate is located even after the selection criteria are applied, you can specify the client behavior with regard to certificate selection. When a certificate cannot be uniquely selected, the default setting is that no certificate is selected, which results in failed communication with the management point. In this scenario, the client sends an error message to its assigned fallback status point to alert you to the certificate selection failure so that you can modify or refine your certificate selection criteria.
Alternatively, you can configure clients to select any of the suitable and matching certificates. If the client is running Configuration Manager 2007 SP1 or later, the certificate with the longest validity period is selected, which might be required if you are using Network Access Protection and IPsec enforcement. This setting might result in successful native mode communication but is a less reliable configuration because there is no control over which client certificate will be used.
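The following PowerShell script is an added example, not part of the original article or of the Configuration Manager client, for checking on a client computer how many certificates in the Computer Personal store would survive each selection method before you configure the setting. The sample rule values (the contoso.com suffix and OU=Workstations) and the Get-CertAttributeLines helper are assumptions; the client performs the real matching internally, and this script only approximates it.

```powershell
# Added example (not from the original article): audit which client authentication certificates in
# the Computer Personal store would match a Configuration Manager 2007 selection rule, so you can see
# whether the rule leaves exactly one candidate. The rule values below are assumed sample values.
$SubjectContains = 'contoso.com'             # partial string match (case-insensitive), e.g. a domain suffix
$AttributeMatch  = @{ OU = 'Workstations' }  # attribute match (case-sensitive) on Subject / SAN values
$clientAuthOid   = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth, the "client authentication" purpose
$now = Get-Date

# Step 1: certificates the client considers at all: valid now, with a private key, and listing
# client authentication in the Enhanced Key Usage extension.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -ge $now -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
})

# Hypothetical helper: Subject Name RDNs plus Subject Alternative Name entries as "Name=Value" lines.
function Get-CertAttributeLines([System.Security.Cryptography.X509Certificates.X509Certificate2] $cert) {
    $lines = @($cert.SubjectName.Format($true) -split "`r?`n" | Where-Object { $_ })
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # SAN extension OID
    if ($san) { $lines += @($san.Format($true) -split "`r?`n" | Where-Object { $_ }) }
    return $lines
}

# Method 1: case-insensitive substring of the Subject Name (-like is case-insensitive by default).
$bySubstring = @($candidates | Where-Object { $_.Subject -like "*$SubjectContains*" })

# Method 2: every requested attribute must be present with exactly that value (-ceq is case-sensitive).
$byAttribute = @($candidates | Where-Object {
    $lines = Get-CertAttributeLines $_
    $allMatch = $true
    foreach ($attr in $AttributeMatch.Keys) {
        $hit = $lines | Where-Object {
            $name, $value = $_ -split '=', 2
            "$name".Trim() -ceq $attr -and "$value".Trim() -ceq $AttributeMatch[$attr]
        }
        if (-not $hit) { $allMatch = $false }
    }
    $allMatch
})

"Client authentication candidates: $($candidates.Count)"
"Matching substring '$SubjectContains': $($bySubstring.Count)"
"Matching attributes $($AttributeMatch.Keys -join ','): $($byAttribute.Count)"
$bySubstring + $byAttribute | Sort-Object Thumbprint -Unique |
    Format-Table Thumbprint, Subject, NotAfter -AutoSize
# More than one certificate under a method means the client cannot uniquely select one with that rule
# alone; by default it then selects none and reports the failure to the fallback status point.
```

Run it in an elevated PowerShell session on the client, since the Computer store requires local administrator rights to enumerate private-key details.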