Determine If You Need to Specify Client Certificate Settings (Native Mode)

When Configuration Manager 2007 clients connect to their management points, they use a client certificate for authentication.

A Configuration Manager 2007 client uses a certificate located in the Computer certificate store. By default, the client looks in the Personal store for a certificate whose intended purpose field includes client authentication, and it uses that certificate for native mode communication. If a client computer has only one valid certificate that matches this requirement, there are no certificate settings to configure in Configuration Manager 2007.

However, you will have to configure client certificate settings if either of the following conditions applies:

  • The client certificate to use with Configuration Manager 2007 is not stored in the Personal store, but in a different location in the Computer certificate store.

  • There is more than one certificate that is valid and contains the client authentication purpose. In this scenario, Configuration Manager will not know which certificate should be used.

When clients have more than one certificate that can be used for native mode communication, there are two selection methods you can configure for those clients to determine which certificate will be used:

  • A partial string match on the client certificate Subject Name. This is a case-insensitive match that is appropriate if you are using the fully qualified domain name (FQDN) of a computer in the subject field and want the certificate selection to be based on the domain suffix, for example, contoso.com. However, you can use this selection method to identify any string of sequential characters that differentiates the certificate from others in the client certificate store.

  • A match on the client certificate Subject Name attribute values or the Subject Alternative Name attribute values. This is a case-sensitive match that is appropriate if you are using an X.500 distinguished name or equivalent OIDs (object identifiers) in the Subject field in accordance with RFC 3280, and you want the certificate selection to be based on the attribute values. You specify only the attributes and values that you require to uniquely identify or validate the certificate and differentiate it from others in the certificate store.

The attribute values that are supported in Configuration Manager 2007 for certificate selection criteria are listed in the following table.

OID Attribute                 Distinguished Name Attribute   Attribute Definition
0.9.2342.19200300.100.1.25    DC                             Domain component
1.2.840.113549.1.9.1          E or E-mail                    E-mail address
2.5.4.3                       CN                             Common name
2.5.4.4                       SN                             Subject name
2.5.4.5                       SERIALNUMBER                   Serial number
2.5.4.6                       C                              Country code
2.5.4.7                       L                              Locality
2.5.4.8                       S or ST                        State or province name
2.5.4.9                       STREET                         Street address
2.5.4.10                      O                              Organization name
2.5.4.11                      OU                             Organizational unit
2.5.4.12                      T or Title                     Title
2.5.4.42                      G or GN or GivenName           Given name
2.5.4.43                      I or Initials                  Initials
2.5.29.17                     (no value)                     Subject Alternative Name

If more than one suitable certificate is located even after the selection criteria are applied, you can specify the client behavior with regard to certificate selection. When a certificate cannot be uniquely selected, the default setting is that no certificate is selected, which results in failed communication with the management point. In this scenario, the client sends an error message to its assigned fallback status point to alert you to the certificate selection failure so that you can modify or refine your certificate selection criteria.

Alternatively, you can configure clients to select any of the suitable and matching certificates. If the client is running Configuration Manager 2007 SP1, the certificate with the longest validity period is selected, which might be required if you are using Network Access Protection and IPsec enforcement. This setting might result in successful native mode communication but is a less reliable configuration because there is no control over which client certificate will be used.
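The following Python model walks through the selection logic described above (candidate filtering, the case-insensitive subject substring match, the case-sensitive attribute/OID match, and the behavior when more than one certificate remains). It is an added illustration, not Configuration Manager code; the certificate store is a constructed in-memory list, and representing SAN criteria as (2.5.29.17, value) pairs is an assumption based on the table entry that lists no attribute name for that OID.

```python
from datetime import datetime

# Attribute -> OID mapping taken from the table above (RFC 3280 DN attribute types).
OID_OF = {"DC": "0.9.2342.19200300.100.1.25", "E": "1.2.840.113549.1.9.1",
          "CN": "2.5.4.3", "SN": "2.5.4.4", "SERIALNUMBER": "2.5.4.5", "C": "2.5.4.6",
          "L": "2.5.4.7", "ST": "2.5.4.8", "STREET": "2.5.4.9", "O": "2.5.4.10",
          "OU": "2.5.4.11", "T": "2.5.4.12", "GN": "2.5.4.42", "I": "2.5.4.43"}
SAN_OID = "2.5.29.17"  # SAN criteria carry only the OID, no attribute name (assumption)

# Constructed sample Computer store: three client-authentication certs in Personal.
STORE = [
    {"subject": [("CN", "pc1.contoso.com"), ("DC", "contoso"), ("DC", "com")],
     "san": ["pc1.contoso.com"], "eku": ["Client Authentication"], "store": "Personal",
     "not_after": datetime(2026, 1, 1), "thumb": "CERT-A"},
    {"subject": [("CN", "pc1.contoso.com"), ("OU", "NAP"), ("DC", "contoso"), ("DC", "com")],
     "san": ["pc1.contoso.com"], "eku": ["Client Authentication"], "store": "Personal",
     "not_after": datetime(2028, 1, 1), "thumb": "CERT-B"},
    {"subject": [("CN", "pc1.fabrikam.com")], "san": [], "eku": ["Client Authentication"],
     "store": "Personal", "not_after": datetime(2027, 1, 1), "thumb": "CERT-C"},
]

def candidates(certs, store="Personal"):
    """Default behaviour: certs in the configured store whose intended purpose includes client auth."""
    return [c for c in certs if c["store"] == store and "Client Authentication" in c["eku"]]

def matches_substring(cert, needle):
    """Method 1: case-insensitive partial string match on the Subject Name."""
    subject = ",".join(f"{a}={v}" for a, v in cert["subject"])
    return needle.lower() in subject.lower()

def matches_attributes(cert, criteria):
    """Method 2: case-sensitive match on Subject / SAN attribute values.
    `criteria` is a list of (OID, value) pairs; every pair must be present on the cert."""
    values = {(OID_OF[a], v) for a, v in cert["subject"]}
    values |= {(SAN_OID, v) for v in cert["san"]}
    return all(pair in values for pair in criteria)

def select_certificate(certs, substring=None, criteria=None, on_multiple="fail"):
    """Return the thumbprint of the selected cert, or None when selection fails
    (the client would then report the failure to its fallback status point)."""
    found = candidates(certs)
    if substring is not None:
        found = [c for c in found if matches_substring(c, substring)]
    if criteria is not None:
        found = [c for c in found if matches_attributes(c, criteria)]
    if len(found) == 1:
        return found[0]["thumb"]
    if len(found) > 1 and on_multiple == "longest_validity":  # SP1 "select any" behaviour
        return max(found, key=lambda c: c["not_after"])["thumb"]
    return None  # no candidate, or ambiguous under the default setting
```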

See Also

Tasks

How to Specify the Client Certificate Selection Criteria
How to Specify the Client Certificate Store

Concepts

Certificate Requirements for Native Mode
How to Install Configuration Manager Clients Manually