When Configuration Manager 2007 clients connect to their management points, they use a client certificate for authentication.

A Configuration Manager 2007 client uses a certificate located in the Computer certificate store. By default, the client identifies a certificate in the Personal store that includes client authentication in the intended purpose field and it will use this certificate for native mode communication. If a client computer has only one valid certificate that matches this requirement, there are no certificate settings to configure in Configuration Manager 2007.

However, you will have to configure client certificate settings if either of the following conditions applies:

When clients have more than one certificate that can be used for native mode communication, there are two available selection methods that can be configured for multiple clients to determine which certificate will be used:

The attribute values that are supported in Configuration Manager 2007 for certificate selection criteria are listed in the following table.

OID Attribute Distinguished Name Attribute Attribute Definition



Domain component


E or E-mail

E-mail address


Common name


Subject name


Serial number


Country code



S or ST

State or province name


Street address


Organization name


Organizational unit

T or Title


G or GN or GivenName

Given name

I or Initials


(no value)

Subject Alternative Name

If more than one suitable certificate is located even after the selection criteria is applied, you can specify the client behavior with regard to certificate selection. When a certificate cannot be uniquely selected, the default setting is that no certificate is selected, which results in failed communication with the management point. In this scenario, the client will send an error message to its assigned fallback status point to alert you to the certificate selection failure so that you can modify or refine your certificate selection criteria.

Alternatively, you can configure clients to select any of the suitable and matching certificates. If the client is running Configuration Manager 2007 SP1 or later, the certificate with the longest validity period is selected, which might be required if you are using Network Access Protection and IPsec enforcement. This setting might result in successful native mode communication but is a less reliable configuration because there is no control over which client certificate will be used.

See Also