How to Specify the Client Certificate Selection Criteria
When Configuration Manager 2007 is operating in native mode, clients communicate with the site using a client certificate that is managed externally to Configuration Manager 2007. When there is more than one certificate that can be used, it is important that the correct certificate is selected for Configuration Manager 2007 client communication. In this scenario, specify a certificate selection method.
There are two supported procedures you can use for this configuration. Choose the procedure that is suitable for your environment. The two procedures are as follows:
Publish the settings to Active Directory Domain Services. To publish the settings to Active Directory Domain Services, specify the setting on the Site Properties: Site Mode tab. For clients to be configured with the settings using this configuration method, the following conditions must all apply:
Active Directory Domain Services must be extended with the Configuration Manager 2007 schema extensions.
The site must be publishing to Active Directory Domain Services.
Clients must be on the intranet.
Clients must be from the same Active Directory forest as the site server's forest.
Specify the settings using CCMSetup.exe command-line options. You can supply the CCMSetup options when the client is first installed, or in a script that runs after installation and reinstalls the client with the new configuration.
If the client is already installed, you can use the software distribution feature to send the CCMSetup commands to the client or use Configuration Manager 2007 task sequences to achieve this. If the settings supplied with CCMSetup conflict with those published to Active Directory Domain Services, and clients can access the settings in the Active Directory Domain Services, the settings from Active Directory Domain Services will take precedence and the settings specified with CCMSetup will not be used.
You can also specify the settings using your in-house client management tools, for example by incorporating the settings in a standard build image or by deploying custom scripts that edit the registry.
To specify the client certificate selection criteria by publishing the settings to Active Directory Domain Services:
In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.
Right-click <site code> - <site name>, and then click Properties.
On the Site Mode tab in the site properties dialog box, ensure that the site mode is configured for Native and locate the section Client settings published to Active Directory.
For the Certificate criteria, select one of the following options, and if you select an option that uses a string or attribute match, enter it in the text box:
Check only certificate purpose
Subject or alt name contains:
Subject or alt includes attributes:
For the option If multiple certificates match criteria, select one of these options:
Select any certificate that matches. Select this option if the client should attempt communication with its site by selecting a certificate at random from the list of possible certificates that meet the certificate selection criteria. However, if the client is running Configuration Manager 2007 SP1, the certificate with the longest validity period is selected.
Fail selection and send error message. Select this option if the client should not select a certificate for communication with its site. In this scenario, the client will not attempt to connect to its management point, but it will send an error message to its fallback status point. This is the more secure and more reliable option when more than one certificate can be used.
Click OK.
Note
For more information about the options in this dialog box, see Site Properties: Site Mode Tab.
To specify the client certificate selection criteria by specifying the settings using CCMSetup.exe command-line options:
- Use CCMSetup.exe with the client.msi parameter CCMCERTSEL. For more information about CCMSetup options, see About Configuration Manager Client Installation Properties.
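Whichever of the two procedures you use, the criterion you publish or pass to CCMSetup should match exactly one certificate on each client, otherwise you are relying on the random (or, on SP1, longest-validity) fallback described above. The following script is an added example, not code from the article or from Configuration Manager: it applies a "Subject or alt name contains" criterion to the local computer's Personal store the way the client would (certificate purpose first, then the string match) and reports whether the result is unambiguous. The criterion string and store path are assumed values.

```powershell
# Added example, not part of the original article: preview which certificates in the
# local computer's Personal store a "Subject or alt name contains" criterion would
# select, so the criterion can be confirmed unambiguous before it is published.
# $Criterion and $StorePath are assumed values; change them to fit your environment.
param(
    [string]$Criterion = 'client.contoso.example',   # assumed string for "Subject or alt name contains"
    [string]$StorePath = 'Cert:\LocalMachine\My'
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, i.e. the "certificate purpose"
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

# True when the certificate carries the Client Authentication enhanced key usage
function Test-ClientAuthPurpose {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) {
                if ($eku.Value -eq $ClientAuthOid) { return $true }
            }
        }
    }
    return $false
}

# Subject plus the formatted SAN extension: the text the "contains" criterion is checked against
function Get-SubjectAndSanText {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $text = $Cert.Subject
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) { $text += ' ' + $san.Format($false) }
    return $text
}

# Only unexpired certificates with a private key and the client-authentication purpose are candidates
$usable = @(Get-ChildItem $StorePath | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-ClientAuthPurpose $_)
})
$matched = @($usable | Where-Object { (Get-SubjectAndSanText $_) -like "*$Criterion*" })

switch ($matched.Count) {
    0       { Write-Warning "No usable client-authentication certificate matches '$Criterion'." }
    1       { Write-Output "Unambiguous match: $($matched[0].Subject) ($($matched[0].Thumbprint))" }
    default {
        Write-Warning "$($matched.Count) certificates match '$Criterion'; narrow the criterion or use 'Fail selection'."
        # An SP1 client set to 'Select any certificate that matches' would take the longest-lived one (listed first)
        $matched | Sort-Object NotAfter -Descending |
            Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
    }
}
```

Run it in an elevated PowerShell session on a representative client before rolling the criterion out; a result of 0 or several matches means the criterion needs adjusting.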
See Also
Tasks
How to Specify the Client Certificate Store
Concepts
Certificate Requirements for Native Mode
Determine If You Need to Specify Client Certificate Settings (Native Mode)