I have one HTTPS-only primary site, but all my dev, qual and test installs of SCCM are managed by the prod site. Everything is in the same domain so I don’t have to worry too much about certs. Luckily, certs aren’t site specific, but they are “CA specific”.
I have had issues with clients on servers picking the wrong cert to use, simply because it has “Client Authentication” as a purpose. SQL servers, Hyper-V VMM servers and domain controllers can have these for perfectly reasonable reasons. This is mostly on servers in other domains though, where there is a separate PKI/cert infrastructure. As long as certmgmt.msc for the computer only has one cert in “Personal” that has Client Authentication as a purpose, you should be OK.

There is an interface for picking certs in the site properties on the site server, but the criteria there aren’t very extensive. The options there only present you a few choices.

The best of which is putting the cert for SCCM in its own store, then specifying it here and leaving “Client authentication capability”. Then you don’t have to worry about selecting the right one, because there should only ever be one in its own store. Or you could monkey around with the cert template on the CA for the other two options.

Todd

From: [email protected] On Behalf Of Tim Amico
Sent: Wednesday, August 6, 2014 6:21 AM
To: [email protected]
Subject: RE: [mssms] SCCM client on servers that manage a different infrastructure

Yes David that is the correct scenario. And thanks for the sanity check guys. Figured as much, but wasn't sure if there was something I was overlooking mainly around certs.

Sent from my Windows Phone

________________________________
From: CE5AR.ABREG0
Sent: 8/6/2014 1:10 AM
To: [email protected]
Subject: Re: [mssms] SCCM client on servers that manage a different infrastructure

No conflict at all. Clients can only talk to one site. You need to really manage your boundaries though.

Cesar A.
Meaning is NOT in words, but inside people! Dr. Myles Munroe
My iPad takes half the blame for misspells.
On Aug 5, 2014, at 9:05 PM, David O'Brien <[email protected]> wrote:

So your servers are hosting roles for Site XYZ and you want to install a client on them which is assigned to site ABC? Never done it myself, but as far as I heard, it works.

Cheers
David

From: [email protected] On Behalf Of Tim Amico
Sent: Wednesday, 6 August 2014 1:55 PM
To: [email protected]
Subject: [mssms] SCCM client on servers that manage a different infrastructure

Haven’t had a chance to test this out in a lab yet so curious if anyone has some insight first. I have a client that doesn’t want to use RBA to separate the server and workstation management in one hierarchy. They want two completely separate infrastructures for servers and workstations, but they want to be able to manage the servers that host the workstation infrastructure roles with the infrastructure for the servers.

Is there any conflict with installing the SCCM client on servers for one site that host roles from another site? Both sites are SCCM 2012 R2 with HTTPS only, so if anything I would think the servers that host the management points would have conflicts with the client authentication certificates.
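
Added example, not part of the original thread: a PowerShell check for the condition described in the first message, that the computer's “Personal” store holds only one certificate with the Client Authentication purpose. The function name `Get-ClientAuthCandidate` and the default store name `My` (the computer “Personal” store) are choices made for this example; pass a different store name to check a dedicated store.

```powershell
# Added example: list certificates in a LocalMachine store that carry the
# Client Authentication EKU, and report whether selection would be ambiguous.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientAuthCandidate {
    param(
        # 'My' is the computer "Personal" store; a dedicated store can be named instead.
        [string]$StoreName = 'My'
    )
    $now = Get-Date
    Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" | ForEach-Object {
        $cert = $_
        # Locate the Enhanced Key Usage extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if (-not $eku) { return }   # no explicit EKU: not counted in this example
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        # Keep only currently valid certificates that have a private key.
        if (($oids -contains $ClientAuthOid) -and $cert.HasPrivateKey -and
            $cert.NotBefore -le $now -and $cert.NotAfter -gt $now) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

$candidates = @(Get-ClientAuthCandidate -StoreName 'My')
$candidates | Sort-Object Issuer, NotAfter | Format-Table -AutoSize | Out-String

switch ($candidates.Count) {
    0 { Write-Warning 'No valid Client Authentication certificate in this store.' }
    1 { Write-Output 'Exactly one candidate: certificate selection is unambiguous.' }
    default {
        # Several candidates: show how many issuing CAs are involved, since
        # certificates from a separate PKI are the case the thread warns about.
        $issuers = @($candidates | Select-Object -ExpandProperty Issuer -Unique)
        Write-Warning ("{0} candidates from {1} issuer(s): selection is ambiguous." -f
            $candidates.Count, $issuers.Count)
    }
}
```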

