Having some issues with a few of our undeployed clients. The error in the ccmsetup.log files is stating that there are X number of certificates that match and then the one chosen fails.
I have read numerous articles and seen some people's suggestions to change the radio button from "Fail selection and send error message" to "Select any certificate that matches". This helped a few, but I read that this method has SCCM default to choosing the cert with the longest validity period. Well, the SCCM Client Authentication one isn't always the longest valid cert.
So in short, I have found that I probably need to specify certain criteria for SCCM to select the appropriate client certificate.
Now comes the problem. This Microsoft TechNet article HERE shows the supported attribute values. However, to me, these look like AD schema values. Not all of them can be seen in the certificate. I have searched all over the web and it seems that no one has a great write-up on how to pick a pretty solid, best-practice attribute to distinguish with and how to apply that. I don't know why it wouldn't be as easy as telling SCCM to look for the certificate that came from the original template that Microsoft walks you through creating. This would be a failsafe way of SCCM picking the correct one every time.
I also saw there is a way to deploy the certs to a different cert store and then have SCCM look there, but for now it seems that the selection criteria are easier.
Can anyone help me out to get this problem resolved?