Computer name and cert validity question
- If I image a machine that uses a script using certreq.exe and certutil.exe to automatically request and install its client and trusted root certs, and later on the computer name changes, will that computer lose the ability to download policy since the hostname no longer matches the subject name on the client certificate?
I would think it would, but I have a client that seems to be downloading policy anyway... any ideas?
Answers
Hi Tim! Check the certificate requirements for native mode: http://technet.microsoft.com/en-us/library/bb680733.aspx
There is no requirement that the client certificate contains the hostname of the computer. The requirement is that the value is unique in the certificate subject or SAN, and the FQDN of the computer is one of the easiest ways to do this. It's the uniqueness that helps to identify this client from other clients. If you have multiple clients that share the same value then they are likely to end up sharing the same identity as far as Configuration Manager goes - which is not a good thing and why it's not supported. So while clients might continue to download policy, advertisements might go to the wrong client and fail to go to the right client, hardware inventory is from multiple clients ... etc.
If any part of the computer name changes (e.g. hostname or domain) but the computer retains a certificate with the old computer name, it will continue to be recognized in Configuration Manager as the same client - providing that the value in the certificate remains unique in the enterprise.
- Carol
This posting is provided "AS IS" with no warranties and confers no rights.
Marked as answer by Tim Harrison, 4 November 2009, 21:36
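A check an administrator could run after a rename, added here as an example that is not from this thread or from Microsoft: it lists the identity value each local client-authentication certificate carries (subject CN and SAN DNS names) next to the current FQDN, and then flags any value shared by more than one certificate in a folder of exported .cer files, which is the collision case the answer describes. The folder path and the function names Get-CertIdentityValues and Find-DuplicateIdentities are assumptions.

```powershell
# Added example (not from the thread). Identity value = subject CN plus SAN DNS names;
# the rename question is answered by MatchesFqdn, the uniqueness question by part 2.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-CertIdentityValues {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $values = @()
    # Subject CN, e.g. "CN=host.contoso.com, OU=Clients"
    if ($Cert.Subject -match 'CN=([^,]+)') { $values += $Matches[1].Trim() }
    # Subject Alternative Name (OID 2.5.29.17); Format($false) renders "DNS Name=a, DNS Name=b"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $values += $Matches[1].Trim() }
        }
    }
    return $values
}

# 1. Local client-auth certs: does the identity value still match this machine's name?
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } |
    ForEach-Object {
        $ids = Get-CertIdentityValues -Cert $_
        [pscustomobject]@{
            Thumbprint     = $_.Thumbprint
            NotAfter       = $_.NotAfter
            IdentityValues = ($ids -join ';')
            MatchesFqdn    = [bool]($ids | Where-Object { $_ -ieq $fqdn })
        }
    } | Format-Table -AutoSize

# 2. Uniqueness across clients: a value present in more than one exported cert means
#    those clients would share one identity in Configuration Manager.
function Find-DuplicateIdentities {
    param([string]$Folder)
    $seen = @{}
    foreach ($file in Get-ChildItem -Path $Folder -Filter *.cer) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
        foreach ($v in Get-CertIdentityValues -Cert $c) {
            $k = $v.ToLowerInvariant()
            if (-not $seen.ContainsKey($k)) { $seen[$k] = @() }
            $seen[$k] += $file.Name
        }
    }
    $seen.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
}
Find-DuplicateIdentities -Folder 'C:\Temp\ClientCerts'   # hypothetical folder of exported certs
```

A certificate with no EKU extension is usable for any purpose and would not be listed by the EKU filter in part 1; drop that Where-Object if your client certificates are issued that way.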