IIS Servers with same computer certificate causing duplicate GUID?

    Question

  • Hello!

    I have 2 servers, both running the Exchange CAS role in a dev environment. They share the same SSL certificate "webmail.****.com", and when I set up the Configuration Manager client it appears they both attempt to use this cert for PKI communication.

    In the SMSCFG.ini the "SMS Certificate Identifier" is the same as well as the "SMS Unique Identifier" all other identifiers including the SID are unique.

    Is the certificate causing the duplicate GUID issue?
    Is there a way to choose what certificate the client uses?

    Thanks

    Wednesday, March 27, 2013 3:47 PM

Answers

  • There are a couple of potential options here.

    You can reprovision the SSL certificates so they only have Server Authentication rather than Client and Server Authentication (our client will only iterate certificates that are set for Client Authentication). You may also be able to configure the certificates to disable Client Authentication from the Certificates MMC without reprovisioning them. Obviously make sure you're not using these certs for client authentication, but I'd assume you're not.

    You can also configure client certificate selection criteria in the admin console, but keep in mind this is a setting that applies to the entire site so you need to do this with care to make sure you don't orphan other clients. The documentation should have more details on how to configure certificate selection criteria.

    Finally, if your SSL certificates come from a third party while your client certificates are internally issued, you can set the trusted root certification authority to be your internal CA and the SSL certificates will be ignored. This would be configured in the same area of the UI where you configure certificate selection criteria.

    Wednesday, March 27, 2013 6:09 PM
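    The answer above says the client only considers certificates that carry Client Authentication, and that a shared certificate on two servers is what produces the shared identifier. The script below is an added example, not code from the thread or from Configuration Manager itself: it enumerates the local machine personal store the way the answer describes the client doing (Client Authentication EKU, private key present, not expired, optionally restricted to an internal issuing CA as in the third option), and then compares candidate thumbprints from two servers to show which certificate they have in common. The EKU OIDs are the standard ones; the `-IssuerCA` filter, the server names CAS01/CAS02 and the thumbprints in the sample are assumptions made up for the example.

```powershell
# Added example (not from the original thread or from Configuration Manager).
# Mirrors the selection rule stated in the answer: only certificates whose
# EKU includes Client Authentication are candidates for the client.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$EkuExtOid     = '2.5.29.37'           # Extended Key Usage extension

function Get-ClientAuthCandidates {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Hypothetical filter: only accept certificates issued by this CA CN,
        # the effect the answer describes when the trusted root CA is set to
        # the internal CA and third-party SSL certificates are ignored.
        [string]$IssuerCA
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Read the EKU extension embedded in the certificate. A certificate with
        # no EKU extension is unconstrained per RFC 5280; it is reported here
        # with NoEku = $true so it is not silently treated either way.
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
        $oids = @()
        if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            NoEku         = (-not $eku)
            ClientAuth    = ($oids -contains $ClientAuthOid)
            ServerAuth    = ($oids -contains $ServerAuthOid)
        }
    } | Where-Object {
        $_.ClientAuth -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        (-not $IssuerCA -or $_.Issuer -like "*CN=$IssuerCA*")
    }
}

function Find-SharedCandidates {
    # Input: hashtable of server name -> array of candidate thumbprints.
    # Output: thumbprints that appear on more than one server.
    param([hashtable]$CandidatesByServer)
    $CandidatesByServer.GetEnumerator() | ForEach-Object {
        $server = $_.Key
        $_.Value | ForEach-Object {
            [pscustomobject]@{ Server = $server; Thumbprint = $_ }
        }
    } | Group-Object Thumbprint | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Name
            Servers    = ($_.Group.Server | Sort-Object) -join ', '
        }
    }
}

# Run locally on each server to see which certificates the client could pick:
Get-ClientAuthCandidates | Format-Table Subject, Issuer, Thumbprint, ClientAuth, ServerAuth, NoEku -AutoSize

# Constructed sample (hypothetical server names and thumbprints): the shared
# webmail certificate is present on both CAS servers, each also has its own
# internally issued client certificate.
$sample = @{
    'CAS01' = @('A1B2C3D4E5F60718293A4B5C6D7E8F9012345678', '1111111111111111111111111111111111111111')
    'CAS02' = @('A1B2C3D4E5F60718293A4B5C6D7E8F9012345678', '2222222222222222222222222222222222222222')
}
Find-SharedCandidates -CandidatesByServer $sample
# Reports the A1B2... thumbprint with Servers = 'CAS01, CAS02'
```

    Note that this reads the EKU extension inside the certificate. The purpose restriction set through the Certificates MMC (the fix the asker applied) is stored as a property on the certificate in the store, not as a change to the extension, so a certificate restricted that way will still show `ClientAuth = $true` here; check the Properties dialog in the MMC for the effective setting after that kind of change.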

All replies

  • I disabled "Client Authentication" through the Certificates MMC, restarted the SMS Agent Host service, and everything works correctly now.

    Thanks

    Wednesday, March 27, 2013 6:45 PM