When Configuration Manager 2007 is operating in native mode, clients communicate with the site using a client certificate that is managed externally to Configuration Manager 2007. When there is more than one certificate that can be used, it is important that the correct certificate is selected for Configuration Manager 2007 client communication. In this scenario, specify a certificate selection method.
There are two supported procedures you can use for this configuration. Choose the procedure that is suitable for your environment. The two procedures are as follows:
- Publish the settings to Active Directory Domain Services. To publish the settings to Active Directory Domain Services, specify the setting on the Site Properties: Site Mode tab. For clients to be configured with the settings using this configuration method, the following conditions must all apply:
  - Active Directory Domain Services must be extended with the Configuration Manager 2007 schema extensions.
  - The site must be publishing to Active Directory Domain Services.
  - Clients must be on the intranet.
  - Clients must be from the same Active Directory forest as the site server's forest.
- Specify the settings using CCMSetup.exe command-line options. You can use CCMSetup options when the client is first installed or when they are supplied as a script to run after installation, which will reinstall the client with the new configuration.
If the client is already installed, you can use the software distribution feature to send the CCMSetup commands to the client or use Configuration Manager 2007 task sequences to achieve this. If the settings supplied with CCMSetup conflict with those published to Active Directory Domain Services, and clients can access the settings in the Active Directory Domain Services, the settings from Active Directory Domain Services will take precedence and the settings specified with CCMSetup will not be used.
Additionally, you can specify the settings using your in-house client management tools, which might include incorporating the settings in a standard build image and deploying custom scripts to edit the registry.
To specify the client certificate selection criteria by publishing the settings to Active Directory Domain Services:
1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.
2. Right-click <site code> - <site name> and then click Properties.
3. On the Site Mode tab in the site properties dialog box, ensure that the site mode is configured for Native and locate the section Client settings published to Active Directory.
4. For the Certificate criteria, select one of the following options, and if you select an option that uses a string or attribute match, enter it in the text box:
   - Check only certificate purpose
   - Subject or alt name contains:
   - Subject or alt includes attributes:
5. For the option If multiple certificates match criteria, select one of these options:
   - Select any certificate that matches. Select this option if the client should attempt communication with its site by selecting a certificate at random from the list of possible certificates that meet the certificate selection criteria. However, if the client is running Configuration Manager 2007 SP1 or later, the certificate with the longest validity period is selected.
   - Fail selection and send error message. Select this option if the client should not select a certificate for communication with its site. In this scenario, the client will not attempt to connect to its management point, but it will send an error message to its fallback status point. This is the more secure and more reliable option when more than one certificate can be used.
6. Click OK.
Note: For more information about the options in this dialog box, see Site Properties: Site Mode Tab.
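As an added example (not part of the Configuration Manager documentation), the following PowerShell script lets an administrator audit, on a client, which certificates in the local computer's Personal store would pass a "Subject or alt name contains" check and what each of the two "If multiple certificates match criteria" options would do with them. The match string, the -FailOnMultiple switch and the use of the SP1-or-later longest-validity rule are assumptions made for the example.

```powershell
# Added example: audit native-mode client certificate selection on this computer.
# Assumed: administrator supplies the match string and the fail-closed switch.
param(
    [string] $SubjectContains = 'contoso.com',   # constructed sample criterion
    [switch] $FailOnMultiple                     # "Fail selection and send error message"
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU required in native mode
$now = Get-Date

# Certificate purpose check: currently valid, private key present, Client Authentication EKU.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

# "Subject or alt name contains": substring match on the Subject or on the SAN extension text.
$matched = @(foreach ($cert in $candidates) {
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ' '
    if ($cert.Subject -like "*$SubjectContains*" -or $san -like "*$SubjectContains*") { $cert }
})

$selected = $null
switch ($matched.Count) {
    0 { Write-Warning "No certificate matches '$SubjectContains'; the client would have nothing to present." }
    1 { $selected = $matched[0] }
    default {
        if ($FailOnMultiple) {
            # Fail-closed option: select nothing and report, as the client would to its fallback status point.
            Write-Error "$($matched.Count) certificates match '$SubjectContains'; selection fails by policy."
        } else {
            # "Select any certificate that matches" on SP1 or later: longest validity period wins.
            $selected = $matched | Sort-Object { $_.NotAfter - $_.NotBefore } -Descending |
                        Select-Object -First 1
        }
    }
}

if ($selected) {
    [pscustomobject]@{
        Thumbprint = $selected.Thumbprint
        Subject    = $selected.Subject
        NotAfter   = $selected.NotAfter
    }
}
```

Running it with -FailOnMultiple before enabling the fail-closed option shows in advance which computers would stop reporting to their management point because more than one certificate matches.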
To specify the client certificate selection criteria by specifying the settings using CCMSetup.exe command-line options:
1. Use CCMSetup.exe with the client.msi parameter CCMCERTSEL. For more information about CCMSetup options, see About Configuration Manager Client Installation Properties.