When Configuration Manager 2007 is operating in native mode, clients communicate with the site using a client certificate that is managed externally to Configuration Manager 2007.
By default, a Configuration Manager 2007 client will look for a suitable certificate in the Computer Personal store. If this is the location of the deployed client certificate, there is nothing further to configure. However, if the client certificate is stored in an alternative location, you must specify the client certificate store.
There are two supported procedures you can use for this configuration. Choose the procedure that is suitable for your environment. The two procedures are as follows:
- Publish the settings to Active Directory Domain Services. To publish the settings to Active Directory Domain Services, specify the settings on the Site Properties: Site Mode tab. For clients to be configured with the settings using this configuration method, the following conditions must all apply:
  - Active Directory Domain Services must be extended with the Configuration Manager 2007 schema extensions.
  - The site must be publishing to Active Directory Domain Services.
  - Clients must be on the intranet.
  - Clients must be from the same Active Directory forest as the site server's forest.
- Specify the settings using CCMSetup.exe command-line options. You can use CCMSetup options when the client is first installed or when they are supplied as a script to run after installation, which will reinstall the client with the new configuration. If the client is already installed, you can use the software distribution feature to send the CCMSetup commands to the client, or you can use Configuration Manager 2007 task sequences to achieve this. If the settings supplied with CCMSetup conflict with those published to Active Directory Domain Services and clients can access the settings in the Active Directory Domain Services, the settings from Active Directory Domain Services will take precedence and the settings specified with CCMSetup will not be used.
You can also specify the settings using your in-house client management tools, which might include incorporating the settings in a standard build image and deploying custom scripts to edit the registry.
To specify the client certificate store by publishing the setting to Active Directory Domain Services:
- In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.
- Right-click <site code> - <site name> and then click Properties.
- On the Site Mode tab in the site properties dialog box, ensure that the site mode is configured for Native and enter the alternative certificate store you want to use in the text box for Certificate store name.
- Click OK.
To specify the client certificate store by specifying the setting using CCMSetup.exe command-line options:
- Use CCMSetup.exe with the client.msi parameter ccmcertstore. For more information about CCMSetup options, see About Configuration Manager Client Installation Properties.
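
A pre-check for the CCMSetup procedure above, as an added example that is not part of the original documentation: it confirms that the alternative computer store actually holds a usable client certificate before passing the store name to CCMSetup.exe. The store name `ConfigMgrClient`, the CCMSetup path, and the selection criteria (private key present, within validity dates, explicit Client Authentication EKU) are assumptions.

```powershell
# Added example (not from the original page). The store name and CCMSetup path
# are placeholders; the selection criteria are assumptions, see comments.
param(
    [string]$StoreName   = 'ConfigMgrClient',   # hypothetical alternative store name
    [string]$CcmSetupExe = '.\CCMSetup.exe'     # assumed location of CCMSetup.exe
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'            # Client Authentication EKU
$storePath     = "Cert:\LocalMachine\$StoreName"

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { return $true }
            }
        }
    }
    return $false   # assumption: require an explicit Client Authentication EKU
}

# Fail early if the store named in the setting does not exist on this computer.
if (-not (Test-Path -Path $storePath)) {
    throw "Computer certificate store '$StoreName' was not found."
}

# Keep only certificates the client could actually present right now.
$now    = Get-Date
$usable = @(Get-ChildItem -Path $storePath | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    (Test-ClientAuthEku -Cert $_)
})

if ($usable.Count -eq 0) {
    throw "No currently valid client authentication certificate with a private key in '$StoreName'."
}

# Show what was found so the result can be recorded in deployment logs.
$usable | Select-Object Subject, Thumbprint, NotAfter | Out-Host

# Pass the store name as the client.msi property named on the page.
& $CcmSetupExe "CCMCERTSTORE=$StoreName"
```

If the store name is also published to Active Directory Domain Services and the client can read it, the published value takes precedence over the one passed here, so run the same check against the published store name.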