Monthly Archive: May 2010

May 24

SCCM 2007 client certificate issues with 2008 R2 CA

Microsoft supports running SCCM 2007 SP2 on a 2008 R2 server, but I’m doubting whether or not running SCCM 2007 SP2 in Native mode in an environment using a 2008 R2 CA is supported (and if so, there’s an issue to be aware of). Specifically, it seems like client certificates created with a 2008 R2 CA (following the instructions on TechNet for a 2008 CA) do not work by default in SCCM 2007 when running a site in Native mode (you’ll get MP errors stating that it cannot connect via HTTP, and mpcontrol.log will contain errors that the SAN2 fields have errors). It seems that if you create your 2008 R2 CA with the default Key store provider, the client certificates just do not work. However, if you create your 2008 R2 CA with the Microsoft Strong cryptography provider (which is the default for 2003 and 2008 CAs), magically the certs created work fine. If you look at the contents of the certs created by a 2008 CA and a 2008 R2 CA, they “look” identical, but something else must be happening that I haven’t dug into yet.

Permanent link to this article: http://www.cluberti.com/blog/2010/05/24/sccm-2007-client-certificate-issues-with-2008-r2-ca/
