
SCCM 2007 client certificates issues

<p style="padding: 0px; margin: 0px 0px 10px 0px;"><a href="http://wincert.net/wp-content/uploads/2015/01/windows-server2.jpg"><img class="alignnone size-full wp-image-551" src="http://wincert.net/wp-content/uploads/2015/01/windows-server2.jpg" alt="Windows Server,access,permission,ipsec fails,printers offline,printer installation,trusted sites,item,installation file missing,user profiles,terminal services,dhcp superscope" width="720" height="340" /></a></p>
<p style="padding: 0px; margin: 0px 0px 10px 0px;">Microsoft supports running SCCM 2007 SP2 on a 2008 R2 server, but I’m doubting whether or not running SCCM 2007 SP2 in Native mode in an environment using a 2008 R2 CA is supported (and if so, there’s an issue to be aware of). Specifically, it seems like client certificates created with a 2008 R2 CA (following the <a style="color: #2970a6; text-decoration: none;" href="http://technet.microsoft.com/en-us/library/cc872789.aspx" target="_blank">instructions on Technet</a> for a 2008 CA) do not work by default in SCCM 2007 when running a site in Native mode (you’ll get MP errors stating that it cannot connect via HTTP, and mpcontrol.log will contain errors that the SAN2 fields have errors).</p>
<p style="padding: 0px; margin: 0px 0px 10px 0px;">It seems if you create your 2008 R2 CA with the default Key Storage Provider, the client certificates just do not work. However, if you create your 2008 R2 CA with the Microsoft Strong Cryptographic Provider (which is the default for 2003 and 2008 CAs), magically the certs created work fine. If you look at the contents of the certs created between a 2008 and 2008 R2 CA, they “look” identical, but something else must be happening I haven’t dug into yet.</p>
<p style="padding: 0px; margin: 0px 0px 10px 0px;">I don’t know if a 2008 R2 CA is technically supported for use with 2007 SCCM certificates, but for those of you who are doing this, be aware that how you set up your CA on its initial install will determine if your client certificates work properly or not.</p>
<p style="padding: 0px; margin: 0px 0px 10px 0px;">There are workarounds, of course, for those few of you who are already running 2008 R2 CAs from a default installation – in the Site Mode tab of the Site properties, you can change the “If multiple certificates match criteria:” setting from “Fail selection and send error message” to “Select any certificate that matches”, and set “Certificate criteria:” to “Check only certificate purpose”.</p>
<p style="padding: 0px; margin: 0px 0px 10px 0px;">Doing this allows the MP communications to start up again, although I’m not sure of the potential risks (if any) that are taken if you allow this.</p>
<p style="padding: 0px; margin: 0px 0px 10px 0px;">[<a href="http://www.cluberti.com/blog/2010/05/24/sccm-2007-client-certificate-issues-with-2008-r2-ca/" target="_blank">cluberti</a>]</p>
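<p style="padding: 0px; margin: 0px 0px 10px 0px;">The practical check that goes with the observation above is which provider actually holds a certificate’s private key: a CNG Key Storage Provider (for example “Microsoft Software Key Storage Provider”) or a legacy CryptoAPI CSP (for example “Microsoft Strong Cryptographic Provider”). Two certificates can carry identical X.509 contents while their keys live in different provider families, and CNG keys are not visible to code that only uses the legacy CryptoAPI. The script below is an added example, not code from the original post or from cluberti; it enumerates a certificate store and reports the provider and key family for each certificate. The store path, the subject filter, and the <code>Get-CertKeyProvider</code> function name are assumptions; it relies on <code>RSACertificateExtensions</code>, which is available in Windows PowerShell 5.1 (.NET Framework 4.6 and later).</p>

```powershell
# Added example (not from the original post): report which provider holds each
# certificate's private key in a store, and whether that key is a CNG/KSP key
# or a legacy CryptoAPI/CSP key. Assumes Windows PowerShell 5.1+ (.NET 4.6+).
param(
    # Assumed defaults; point at another store or narrow by subject as needed.
    [string]$StorePath = 'Cert:\LocalMachine\My',
    [string]$SubjectFilter = ''
)

function Get-CertKeyProvider {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    if (-not $Certificate.HasPrivateKey) {
        return [pscustomobject]@{ Provider = '(no private key)'; KeyType = 'none' }
    }

    try {
        # Works for both CNG and CryptoAPI keys; returns RSACng or RSACryptoServiceProvider.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    } catch {
        return [pscustomobject]@{ Provider = "(inaccessible: $($_.Exception.Message))"; KeyType = 'unknown' }
    }

    if ($null -eq $rsa) {
        return [pscustomobject]@{ Provider = '(non-RSA or inaccessible key)'; KeyType = 'unknown' }
    }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: lives in a Key Storage Provider such as "Microsoft Software Key Storage Provider".
        return [pscustomobject]@{ Provider = $rsa.Key.Provider.Provider; KeyType = 'CNG/KSP' }
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CryptoAPI key: lives in a CSP such as "Microsoft Strong Cryptographic Provider".
        return [pscustomobject]@{ Provider = $rsa.CspKeyContainerInfo.ProviderName; KeyType = 'CAPI/CSP' }
    }
    return [pscustomobject]@{ Provider = $rsa.GetType().Name; KeyType = 'unknown' }
}

Get-ChildItem -Path $StorePath |
    Where-Object { $SubjectFilter -eq '' -or $_.Subject -like "*$SubjectFilter*" } |
    ForEach-Object {
        $info = Get-CertKeyProvider -Certificate $_

        # The legacy .NET PrivateKey property is what CryptoAPI-era code relies on;
        # for CNG keys it is null or throws, which is the symptom to look for.
        $legacyVisible = $false
        try { $legacyVisible = ($null -ne $_.PrivateKey) } catch { $legacyVisible = $false }

        [pscustomobject]@{
            Subject                 = $_.Subject
            Thumbprint              = $_.Thumbprint
            NotAfter                = $_.NotAfter
            KeyType                 = $info.KeyType
            Provider                = $info.Provider
            LegacyPrivateKeyVisible = $legacyVisible
        }
    } | Format-Table -AutoSize
```

<p style="padding: 0px; margin: 0px 0px 10px 0px;">Run it on a client whose MP communication is failing and compare the <code>KeyType</code> and <code>LegacyPrivateKeyVisible</code> columns for the SCCM client certificate against a client that works. The same provider information is printed by <code>certutil -store my</code> in its <code>Provider =</code> line, and on the CA itself <code>certutil -getreg ca\CSP\Provider</code> shows which provider the CA was installed with, which is the setting the post says is decided at the CA’s initial install.</p>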
