question

0 Votes
ritmo2k asked AllenLiu-MSFT commented

Config Manager client https security certificate handling

I am using Config Manager 2107 and have enabled HTTPS-only client communication. I have several scenarios where clients with existing certificates have the wrong certificate selected and the connection fails.

Given the options available with the client (an alternate store or subject attribute prerequisites), how can we deploy auto-enrolled certificates using an Active Directory integrated certificate authority with templates?

I am not aware of any facility on the template to specify any of the criteria that the clients could use?

mem-cm-general

0 Votes
ritmo2k answered AllenLiu-MSFT commented

Thank you very much for the update and we're glad the problem is solved now. Please accept your reply as answer, we believe this will be very beneficial for other community members who have similar questions.

0 Votes
yannara answered

I have this old strong belief that in PKI you should keep your certificates at a minimum and try to utilize the same cert for multiple purposes. For example, CM HTTPS and DirectAccess utilize the same cert. How many different certs have you deployed to the computer store of your workstations?

I also suggest taking a closer look at the MS Docs documentation about the certificate templates that need to be created for CM and making sure you have created the workstation template exactly as MS says. It is also a common mistake in PKI that admins just create the default template without reading the documentation.

In ClientAuth.log you can see, by cert thumbprint, which cert it selected for CM services and what happens during the authorization.


0 Votes
ritmo2k answered

The client certificates have been created exactly as per the documentation, and the incorrect selection was inferred from the client logs.

In most cases, clients only have the single certificate that was auto-enrolled as per Config Manager's requirement. However, it's naive to think that in an enterprise even servers will only have a single certificate; web servers, Exchange, and other servers have similar certificate requirements.


0 Votes
RahulJindal-2267 answered

Microsoft introduced EHTTP to address such issues and reduce the overhead involved in managing PKI certificates. I am not saying that EHTTP replaces the security the PKI offers, but at the end of the day the goal should be to secure client communication and EHTTP does exactly that. Maybe something to think about.


1 Vote
AllenLiu-MSFT answered AllenLiu-MSFT commented

Hi, @ritmo2k
Thank you for posting in Microsoft Q&A forum.

We may try to configure the "Client certificate selection criteria when more than one certificate is available" in the site setting to manage the certificate selection.

We can go through this path: CM console > Administration > Site Configuration > Sites > right-click the site and choose Properties > select Communication Security tab.
And then, modify the Client certificate selection Settings.

For more details:
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/configure-security#client-pki-certificates

For more information about the client certificate selection method, see Planning for PKI client certificate selection.
https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/plan-for-certificates#pki-client-certificate-selection


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



It seems there is no update for a couple of days. May we know the current status of the problem? Is there any other assistance we can provide?

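The two practical points raised in this thread are yannara's (ClientAuth.log records the thumbprint of the certificate the client picked) and AllenLiu-MSFT's (the site's "Client certificate selection criteria" decide which certificate wins when several qualify). The script below is an added example for this thread, not Microsoft's or Configuration Manager's own code. It enumerates the certificates in the local machine store that satisfy the "Client authentication capability" criterion, optionally applies a "Certificate subject contains string" filter, ranks them by the default "longest validity period" method, and then counts how often each candidate thumbprint appears in ClientAuth.log so an administrator can confirm which certificate the client actually used. The `$SubjectFilter` value and the `$LogPath` default are assumptions; set them to what is configured on the site's Communication Security tab and to the client's log location.

```powershell
# Added example (not ConfigMgr's own code): model the client certificate
# selection criteria and cross-check the result against ClientAuth.log.
# Assumptions: $SubjectFilter mirrors the "Certificate subject contains string"
# site setting (empty = "Client authentication capability" only);
# $LogPath is the default client log location.
param(
    [string]$SubjectFilter = '',
    [string]$LogPath = "$env:windir\CCM\Logs\ClientAuth.log"
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$EkuExtOid     = '2.5.29.37'           # Enhanced Key Usage extension

function Test-ClientAuthCapable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { return $false }
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -le $now) { return $false }
    # A certificate with no EKU extension is valid for every purpose;
    # otherwise the Client Authentication OID must be listed.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
    if (-not $ekuExt) { return $true }
    return [bool]($Cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
}

# Criterion 1: client authentication capability (private key, valid period, EKU).
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { Test-ClientAuthCapable -Cert $_ })

# Criterion 2 (optional): certificate subject contains the configured string.
if ($SubjectFilter) {
    $candidates = @($candidates | Where-Object { $_.Subject -like "*$SubjectFilter*" })
}

# Default selection method: the certificate with the longest validity period wins.
$ranked = @($candidates | Sort-Object NotAfter -Descending)
$ranked | Select-Object Thumbprint, Subject, Issuer, NotAfter | Format-Table -AutoSize

switch ($ranked.Count) {
    0       { Write-Warning 'No certificate meets the selection criteria; the HTTPS client connection will fail.' }
    1       { Write-Host "Unambiguous choice: $($ranked[0].Thumbprint)" }
    default {
        Write-Warning ("{0} certificates match. 'Longest validity' would pick {1}; " +
                       "'fail when multiple match' would stop the client. " +
                       "Tighten the subject or attribute criteria in the site settings.") `
                       -f $ranked.Count, $ranked[0].Thumbprint
    }
}

# Cross-check: how often does each candidate thumbprint appear in the client log?
if (Test-Path $LogPath) {
    Write-Host "Thumbprint occurrences in $LogPath :"
    foreach ($c in $ranked) {
        $hits = (Select-String -Path $LogPath -Pattern $c.Thumbprint -SimpleMatch | Measure-Object).Count
        Write-Host ("  {0}  {1} line(s)" -f $c.Thumbprint, $hits)
    }
}
```

Run it on an affected client as an administrator, e.g. `.\Test-CmClientCert.ps1 -SubjectFilter 'CN=workstation'`. If more than one certificate is listed and the thumbprint that ClientAuth.log mentions most is not the one intended for Configuration Manager, that is the case the site setting exists for: add a subject string or attribute requirement that only the auto-enrolled workstation template satisfies, or switch the selection method to fail when multiple certificates match so the problem surfaces in the log rather than as an intermittent connection failure. The script models the "Client authentication capability" and "subject contains string" criteria only; the "subject or SAN includes attributes" option is not reproduced here.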