This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 83%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
HI Everyone,
Hope everyone is doing well and being safe!
Need someone's expertise to understand the authentication procedure of clients with cloud management gateway.
As per the Microsoft current documentation if we have a cert issued by a known third-party cert provider like Digicert we don't need the trusted root certificate for the client to trust the issuer.
But since the certificate authentication is a two process to even though the client would be able to trust the cert and the server identity so it could borrow the content from these servers how could the server trust the identity of these clients?
Need someone help does the client need to have some kind of cert or identity or certificate to make themselves trusted considering when they are not Hybrid/Azure Ad joined?
Hope someone's experience can help me out to clear this confusion :).
Thanking you in advance !!
Regards,
Shashi Dubey
It's not clear exactly what you are asking here. PKI certificate trust is based on trusting the PKI that issued the certificate. That's generally the whole point of using a public CA like DigiCert as certs they issue are automatically trusted by all devices as Microsoft configures Windows to do this by default.
Note though that trusting the identity of a client doesn't mean the client itself is trusted to gain access to anything. In this case, it simply means that ConfigMgr will manage the device. This is no different than any credential; specifically, just because you have the credential and can authenticate doesn't mean you can actually access anything as authorization is separate and must still be granted.
Also, keep in mind that every client requires its own, unique client auth certificate. For this reason, it's generally impractical to use a public CA for client auth certificates as it's a recurring expense and recurring logistic nightmare to renew these individual certs on every managed device.
HI Jason,
Thanks a bunch for your precious time and expertise :).
Also Appreciate you for sharing this amazing experience to help clear the query and best practices for it.
Regards,
Shashi Dubey
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 23%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Agree with what Jason said, Here is also an article we could refer to:
https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/configure-authentication
If the response is helpful, please click "Accept Answer"and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi Sunny,
Thanks for this wonderful article !!
Would sure to refer to it as it would be an amazing source of knowledge for the basics and fundamentals.
Regards,
Shashi Dubey