When Configuration Manager 2007 is operating in native mode, clients communicate with the site using a client certificate that is managed externally to Configuration Manager 2007. When there is more than one certificate that can be used, it is important that the correct certificate is selected for Configuration Manager 2007 client communication. In this scenario, specify a certificate selection method.

There are two supported procedures you can use for this configuration. Choose the procedure that is suitable for your environment. The two procedures are as follows:

  • Publish the client certificate selection settings to Active Directory Domain Services, so that clients retrieve them from the site's published information.

  • Specify the settings on the client by using CCMSetup.exe command-line options when the client is installed.

You can also specify the settings using your in-house client management tools, which might include incorporating the settings in a standard build image and deploying custom scripts to edit the registry.

To specify the client certificate selection criteria by publishing the settings to Active Directory Domain Services:

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.

  2. Right-click <site code> - <site name> and then click Properties.

  3. On the Site Mode tab in the site properties dialog box, ensure that the site mode is configured for Native and locate the section Client settings published to Active Directory.

  4. For the Certificate criteria, select one of the following options, and if you select an option that uses a string or attribute match, enter it in the text box:

    • Check only certificate purpose

    • Subject or alt name contains:

    • Subject or alt includes attributes:

  5. For the option If multiple certificates match criteria, select one of these options:

    • Select any certificate that matches. Select this option if the client should still attempt communication with its site when several certificates meet the selection criteria. A client running the original release of Configuration Manager 2007 picks one of the matching certificates at random; a client running Configuration Manager 2007 SP1 or later selects the matching certificate with the longest validity period.

    • Fail selection and send error message. Select this option if the client should not select a certificate when more than one certificate meets the criteria. In this scenario, the client does not attempt to connect to its management point, but it does send an error message to its fallback status point so that the condition is visible to administrators. This is the more secure and more predictable option when more than one certificate can be used, because it prevents the client from silently communicating with a certificate you did not intend it to use.

  6. Click OK.

    Note
    For more information about the options in this dialog box, see Site Properties: Site Mode Tab.
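Before committing to a criterion in the procedure above, it is worth checking on a representative client which certificates in its computer store would actually qualify, and whether more than one would. The PowerShell below is an added example and is not code from the Configuration Manager 2007 documentation or product: it approximates the three "Certificate criteria" options and the two "If multiple certificates match criteria" options against the local computer's Personal store. The function name, parameter names, the assumption that an explicit Client Authentication EKU is required, and the assumption that the attribute option is given by RDN type name (such as OU) are all this example's own choices, not the client's internal selection logic.

```powershell
# Added example (not from the Configuration Manager documentation): preview which
# certificates in Cert:\LocalMachine\My would satisfy a native-mode selection
# criterion and how the "multiple certificates match" setting would resolve them.
function Get-NativeModeCertificateCandidate {
    [CmdletBinding()]
    param(
        # Mirrors the three "Certificate criteria" options on the Site Mode tab.
        [ValidateSet('PurposeOnly', 'SubjectOrAltContains', 'SubjectOrAltAttribute')]
        [string]$Criteria = 'PurposeOnly',

        # Substring for SubjectOrAltContains, or an RDN type name (CN, OU, O, ...)
        # for SubjectOrAltAttribute. Hypothetical parameter for this example.
        [string]$Match = '',

        # Mirrors "If multiple certificates match criteria". 'LongestValidity' is
        # the SP1-and-later behaviour of "Select any certificate that matches".
        [ValidateSet('LongestValidity', 'Fail')]
        [string]$OnMultiple = 'Fail',

        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $sanOid        = '2.5.29.17'           # subjectAltName
    $now           = Get-Date

    # A certificate is usable only if this computer holds its private key, it is
    # currently within its validity period, and its purpose includes Client
    # Authentication. Assumption: an explicit EKU extension is required here.
    $usable = @(Get-ChildItem -Path $StorePath | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $cert.HasPrivateKey -and $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    })

    # Apply the selected criterion. $_ is rebound inside switch, hence $cert.
    $matched = @($usable | Where-Object {
        $cert = $_
        switch ($Criteria) {
            'PurposeOnly' { $true }
            'SubjectOrAltContains' {
                $names = @($cert.Subject)
                $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
                if ($san) { $names += $san.Format($false) }   # e.g. "DNS Name=pc1.corp.example"
                ($names -join ';').ToLowerInvariant().Contains($Match.ToLowerInvariant())
            }
            'SubjectOrAltAttribute' {
                # Assumption: the attribute must appear as an RDN of the subject name.
                @($cert.Subject -split ',\s*' | Where-Object { $_ -like "$Match=*" }).Count -gt 0
            }
        }
    })

    switch ($matched.Count) {
        0 {
            Write-Warning 'No usable certificate matches the criteria; the client would not contact its management point and would report the failure to its fallback status point.'
            return $null
        }
        1 { return $matched[0] }
        default {
            if ($OnMultiple -eq 'Fail') {
                Write-Warning ("{0} certificates match; with 'Fail selection and send error message' the client would select none." -f $matched.Count)
                return $null
            }
            # SP1 and later: the matching certificate with the longest validity wins.
            return $matched | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
        }
    }
}

# Usage: preview what "Subject or alt name contains: .corp.example" combined with
# "Select any certificate that matches" (SP1 or later) would pick on this computer.
# '.corp.example' is a constructed placeholder; use your own domain suffix.
Get-NativeModeCertificateCandidate -Criteria SubjectOrAltContains -Match '.corp.example' -OnMultiple LongestValidity |
    Format-List Subject, NotAfter, Thumbprint
```

Run it in an elevated session on the client, since the computer store's private-key flags are only visible to an administrator. If the function warns that several certificates match, either tighten the criterion or deliberately choose the multiple-match behaviour you want; a criterion that matches more than one certificate on a typical client is the situation the "Fail selection" option exists to surface.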

To specify the client certificate selection criteria by specifying the settings using CCMSetup.exe command-line options:

See Also