Hi,

In SCCM 2007 I had one primary site for native mode/https workstation clients and a separate primary site for server or http clients.

In SCCM 2012 I have a single primary site to service both https workstation clients and also server clients that should be http. All of the workstations are in the same domain, use https and work fine. My issue is that I have server clients that I intend to use only http. The reason I want the server clients to use http is that they are in many different domains, forests and workgroups, and trying to get certs on all of them would be a lot of work to set up with GPOs and auto-enrollment.

The issue I am running into on the server clients (http) in other domains and forests is that if there is a certificate in the personal store that has client authentication capabilities, then the SCCM client tries to use the cert that it has in the cert store vs. the self-signed certificate. This issue also happens if the client was installed and working but then at a later time somebody installs a cert for some application; then the client stops working as the SCCM client finds a cert and tries to change to PKI mode. My primary site is set to https/http.

So my question is: is there any way, short of building a new primary site and setting it to be only http, that I can force server clients to use http and not change to https when I don’t want them to? I see there is a setting called CCMHTTPSSTATE and I’m wondering if that can be set somehow to keep the client from trying to use https. I’m thinking my only option may be to build a new primary site just for http clients. I would prefer to keep them all in one primary site.

I can see in the ClientIDManagerStartup.log where the client is choosing an SSL cert by looking at the thumbprint, and that’s not the cert I want it to use or it should be using; I don’t want it to use a certificate but want it to stay http/self-signed. Also, the client is trying to perform client registration with https MPs, not http. The clients also say either self-signed or none for the client certificate in the ConfigMgr control panel.

Thanks very much,
Rob
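Added example, not part of the original post: a PowerShell check that lists the certificates in a server's Personal store that are usable for client authentication, which is the condition the post describes. The function name `Get-ClientAuthCandidate` and the default store path `Cert:\LocalMachine\My` (the computer's Personal store) are assumptions of this example.

```powershell
# Added diagnostic example (not from the original post).
# Lists certificates in the Personal store that can be used for client
# authentication, so they can be compared with the thumbprint the client logs.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$EkuExtOid     = '2.5.29.37'           # Enhanced Key Usage extension

function Get-ClientAuthCandidate {
    param(
        # Assumption: the computer's Personal store is the one being searched.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $eku    = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
        $usages = @()
        if ($eku) {
            $typed  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku
            $usages = @($typed.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        # Per X.509, a certificate with no EKU extension is not restricted to
        # any purpose, so it is listed too and flagged in the EkuPresent column.
        $allowsClientAuth = (-not $eku) -or ($usages -contains $ClientAuthOid)
        if (-not $allowsClientAuth) { continue }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            EkuPresent    = [bool]$eku
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            NotAfter      = $cert.NotAfter
        }
    }
}

Get-ClientAuthCandidate | Sort-Object NotAfter | Format-Table -AutoSize
```

Matching the `Thumbprint` column against the thumbprint shown in ClientIDManagerStartup.log identifies which installed certificate the client selected.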

