May 24


SCCM 2007 client certificate issues with 2008 R2 CA

Microsoft supports running SCCM 2007 SP2 on a Windows Server 2008 R2 server, but I’m doubting whether running SCCM 2007 SP2 in Native mode in an environment that uses a 2008 R2 CA is supported (and if it is, there’s an issue to be aware of).  Specifically, client certificates issued by a 2008 R2 CA (following the TechNet instructions written for a 2008 CA) do not work by default in an SCCM 2007 site running in Native mode: you’ll get MP errors stating that it cannot connect via HTTP, and mpcontrol.log will contain errors about the SAN2 fields.  If you create your 2008 R2 CA with the default Key Storage Provider (KSP), the client certificates simply do not work.  However, if you create your 2008 R2 CA with the Microsoft Strong Cryptographic Provider (the default for 2003 and 2008 CAs), the certificates it issues magically work fine.  If you compare the contents of certificates issued by a 2008 CA and a 2008 R2 CA, they “look” identical, so something else must be going on that I haven’t dug into yet.

I don’t know whether a 2008 R2 CA is technically supported for issuing SCCM 2007 certificates, but for those of you who are doing this, be aware that the provider you choose when you first install the CA determines whether your client certificates work properly.  There are workarounds, of course, for the few of you who are already running a 2008 R2 CA from a default installation: in the Site Mode tab of the Site properties, change “If multiple certificates match criteria:” from “Fail selection and send error message” to “Select any certificate that matches”, and set “Certificate criteria:” to “Check only certificate purpose”.  Doing this lets the MP communications start up again, although I’m not sure of the potential risks (if any) of allowing it.
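Since the provider chosen at CA install time is what decides the outcome, it helps to be able to check it after the fact rather than remembering what was clicked in the wizard. The PowerShell below is an added diagnostic written for this post, not code from the original article or from Microsoft: it reads the CA’s CSP settings from the CertSvc registry configuration (the same values that certutil -getreg ca\csp prints), flags a CNG Key Storage Provider, and then compares the signature algorithm, key, extension list and SAN of two exported client certificates (one from a 2008 CA, one from a 2008 R2 CA) so the “they look identical” claim can be checked field by field. The .cer paths are placeholders, and the registry part assumes it runs on the CA server itself.

```powershell
# Added diagnostic, not part of the original post.
# Part 1 assumes it runs on the CA server; part 2 needs two exported .cer files
# (paths below are placeholders you must replace).

# --- Part 1: which key provider was the CA installed with? ---
$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot -Name Active).Active
$csp     = Get-ItemProperty -Path (Join-Path $cfgRoot "$caName\CSP")

"CA name       : $caName"
"Provider      : $($csp.Provider)"
# ProviderType 1 = PROV_RSA_FULL (legacy CryptoAPI CSP); a CNG KSP is normally 0
"ProviderType  : $($csp.ProviderType)"
"HashAlgorithm : $($csp.HashAlgorithm)"
if ($csp.PSObject.Properties['CNGPublicKeyAlgorithm']) {
    "CNG key alg   : $($csp.CNGPublicKeyAlgorithm)"
    "CNG hash alg  : $($csp.CNGHashAlgorithm)"
}

if ($csp.Provider -like '*Key Storage Provider*') {
    "WARNING: this CA uses a CNG Key Storage Provider (the 2008 R2 default)."
    "         SCCM 2007 Native-mode clients may fail MP certificate selection."
} else {
    "OK: this CA uses a legacy CryptoAPI CSP, matching the 2003/2008 default."
}

# --- Part 2: compare two issued client certificates field by field ---
function Get-CertSummary([string]$Path) {
    $c   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # 2.5.29.17 is the Subject Alternative Name extension OID
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    New-Object PSObject -Property @{
        File       = Split-Path $Path -Leaf
        Issuer     = $c.Issuer
        SigAlg     = $c.SignatureAlgorithm.FriendlyName
        KeyAlg     = $c.PublicKey.Oid.FriendlyName
        KeyBits    = $c.PublicKey.Key.KeySize
        SAN        = $(if ($san) { $san.Format($false) } else { '<none>' })
        Extensions = ($c.Extensions | ForEach-Object { $_.Oid.FriendlyName }) -join ', '
    }
}

# Placeholder paths: export one client cert issued by each CA and point these at them.
$fromCsp = Get-CertSummary 'C:\temp\client-from-2008-CA.cer'
$fromKsp = Get-CertSummary 'C:\temp\client-from-2008R2-CA.cer'

"`nComparing $($fromCsp.File) against $($fromKsp.File):"
foreach ($field in 'Issuer', 'SigAlg', 'KeyAlg', 'KeyBits', 'SAN', 'Extensions') {
    if ($fromCsp.$field -eq $fromKsp.$field) {
        "{0,-11} same     {1}" -f $field, $fromCsp.$field
    } else {
        "{0,-11} DIFFERS  {1}  |  {2}" -f $field, $fromCsp.$field, $fromKsp.$field
    }
}
```

Run it in an elevated PowerShell on the CA (the registry read needs local admin); if part 1 reports a KSP and part 2 still shows every field as “same”, the difference the MP trips over is not in the certificate body itself, which narrows the hunt to the signing side and the private-key provider rather than to the template.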

Permanent link to this article: http://www.cluberti.com/blog/2010/05/24/sccm-2007-client-certificate-issues-with-2008-r2-ca/
