Native Mode Certificate Selection Criteria Cannot Use Attributes with Spaces

It’s recently come to our attention that if you are using certificate selection criteria with certificate attributes that include spaces, the spaces can be stripped out of the criteria, so certificate selection fails even though a valid certificate is present. Certificate selection is required on clients if there is more than one valid certificate with client authentication capability in the local computer certificate store and you have not configured the option to select any certificate that matches.

For more information about client certificate selection in native mode, see Determine If You Need to Specify Client Certificate Settings (Native Mode). This topic contains a list of certificate attributes that can be used to identify which certificate to use when there is more than one. For example, your certificate might include the OU attribute to help identify its logical position in its Active Directory domain. Or, in a multiple-domain forest, it might include the domain component so that you can specify its exact location in the forest. Or it might include the name of your organization. The subject alternative name (SAN) is another commonly used attribute to help identify a specific certificate. These attributes must be specified in the certificate when it is issued.

There are three different places in Configuration Manager where certificate selection can happen:

· When running the Native Mode Readiness tool, sccmnativemodereadiness.exe. See How to Determine Whether Client Computers Are Ready for Native Mode for more information and examples of using certificate selection.

· During client installation. See the client.msi property CCMCERTSEL in About Configuration Manager Client Installation Properties for more information and examples of using certificate selection.

· During native mode operation after client installation, if the client can read the site configuration published to Active Directory Domain Services. See the Certificate Selection Criteria section in the Site Properties: Site Mode Tab.

Whereas client installation does not strip out spaces, the other two mechanisms do. This can make the problem harder to identify. For example:

1. You use a certificate selection that identifies the OU of “Managed Workstations”.

2. You install a domain-joined client using the client.msi property CCMCERTSEL="SubjectAttr:OU = Managed Workstations" – and the certificate selection successfully chooses the correct certificate, a mutually authenticated connection is made with the native mode management point to download the client installation files, and the client successfully installs.

3. The client is assigned to the native mode site that is publishing to Active Directory and reads the Active Directory site configuration, where the certificate selection criteria are also specified as OU=Managed Workstations in the Subject or alt includes attributes option – and subsequent client native mode communication fails, because the Configuration Manager client is now looking for a certificate with “ManagedWorkstations” as the OU attribute. You will see the error There are no certificate(s) that meet the criteria in the client log ClientIDManagerStartup.log.

4. You install a workgroup client using the same client.msi property CCMCERTSEL="SubjectAttr:OU = Managed Workstations". This time, the client continues to work after installation because it cannot read the site configuration in Active Directory Domain Services.

5. You run the Native Mode Readiness tool on both clients, and despite the workgroup client operating successfully, the results say that neither client is ready for native mode.
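The scenario above can be checked before a criterion is deployed. The following Python model is an added example, not Configuration Manager code: it parses a certificate subject and a SubjectAttr criterion, runs the criterion through the three selection paths with the behaviour the post describes (client.msi keeps spaces; the Active Directory site configuration and the Native Mode Readiness tool strip them), and flags any criterion whose attribute value contains a space. The certificate subjects, the store labels, and the exact, case-sensitive value comparison are assumptions of the model; nothing here reads the real certificate store.

```python
"""Model of native mode client certificate selection by subject attribute.

Added example, not Configuration Manager code. It reproduces the matching
behaviour described in the post so that a planned selection criterion can be
checked against the subjects of the certificates a client will hold.
Certificate subjects below are constructed; nothing here reads the real
certificate store.
"""
import re
from typing import Dict, List, Tuple

# Where selection runs, and whether that path strips spaces (per the post).
SELECTION_PATHS = {
    "client.msi (CCMCERTSEL)": False,      # keeps spaces
    "AD site configuration": True,         # strips spaces
    "Native Mode Readiness tool": True,    # strips spaces
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 style subject DN into (ATTRIBUTE, value) pairs.

    Backslash-escaped commas inside a value are honoured; whitespace around
    attribute names and values is not significant and is trimmed.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        name, _, value = rdn.partition("=")
        pairs.append((name.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def parse_criterion(criterion: str, strip_spaces: bool = False) -> Tuple[str, str]:
    """Parse 'SubjectAttr:<attribute> = <value>' into (ATTRIBUTE, value).

    strip_spaces=True models the two paths the post says drop every space
    from the criterion before matching, so the value loses its spaces too.
    """
    prefix = "SubjectAttr:"
    if not criterion.startswith(prefix):
        raise ValueError("only SubjectAttr: criteria are modelled here")
    body = criterion[len(prefix):]
    if strip_spaces:
        body = body.replace(" ", "")
    name, _, value = body.partition("=")
    return name.strip().upper(), value.strip()


def select_certificates(subjects: Dict[str, str], criterion: str,
                        strip_spaces: bool = False) -> List[str]:
    """Return labels of certificates whose subject carries the wanted attribute
    with the wanted value. Exact, case-sensitive value comparison is an
    assumption of this model."""
    attr, wanted = parse_criterion(criterion, strip_spaces)
    return [label for label, dn in subjects.items()
            if any(n == attr and v == wanted for n, v in parse_dn(dn))]


def check_all_paths(subjects: Dict[str, str], criterion: str) -> Dict[str, List[str]]:
    """Run the criterion through each selection path and report what each selects.
    A path that selects nothing is the 'no certificate(s) meet the criteria' case."""
    return {path: select_certificates(subjects, criterion, strips)
            for path, strips in SELECTION_PATHS.items()}


def criterion_value_has_spaces(criterion: str) -> bool:
    """Pre-deployment check: a criterion whose attribute value contains a space
    works only through client.msi, so flag it before it is published."""
    _, value = parse_criterion(criterion)
    return " " in value


# Constructed local computer store: two client authentication certificates,
# so selection criteria are required.
LOCAL_MACHINE_STORE = {
    "client-auth": "CN=ws01.corp.example.com, OU=Managed Workstations, DC=corp, DC=example, DC=com",
    "vpn": "CN=ws01.corp.example.com, OU=VPN Clients, O=Contoso\\, Inc.",
}

# The same machine after the workaround: certificates reissued with OU values
# that contain no spaces (constructed).
REISSUED_STORE = {
    "client-auth": "CN=ws01.corp.example.com, OU=ManagedWorkstations, DC=corp, DC=example, DC=com",
    "vpn": "CN=ws01.corp.example.com, OU=VPNClients, O=Contoso\\, Inc.",
}

if __name__ == "__main__":
    for criterion, store in (("SubjectAttr:OU = Managed Workstations", LOCAL_MACHINE_STORE),
                             ("SubjectAttr:OU = ManagedWorkstations", REISSUED_STORE)):
        print(criterion, "-> value has spaces:", criterion_value_has_spaces(criterion))
        for path, chosen in check_all_paths(store, criterion).items():
            print(f"  {path}: {chosen or 'no certificate(s) meet the criteria'}")
```

Running the block shows the post’s outcome directly: the criterion with a space selects the right certificate through client.msi and nothing through the other two paths, while the space-free OU selects the same certificate everywhere. The `criterion_value_has_spaces` check is the piece worth keeping in a deployment script, since it catches the problem before the site configuration is published.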

The number of customers that this will affect is probably very small, because native mode customers often do not have to specify certificate selection criteria, and when they do they infrequently use certificate attributes as the selection criteria (instead, selecting the option to use any certificate that is valid). Even when customers do configure certificate attributes for their selection criteria, they might not use attributes that contain spaces. For all these reasons, the product group is unlikely to fix this problem in the near future. If this does apply to you, the workaround is to select attributes that do not contain spaces.

- Carol

This posting is provided AS IS with no warranties and confers no rights.