image Looks like Carol Bailey wrote up a great post on a couple issues relating to native mode certificate selection.  If you're seeing either of these then you might want to check out the link below:

A couple of issues recently came to our attention from the TechNet forums with regard to native mode certificate selection when there is more than one available certificate that could be used:

  • When a certificate in the certificate store has expired, we log this and Trace32 highlights it as an error, which might be interpreted that it is this certificate that is selected.  This can lead customers to think that their certificate selection criteria isn't working, whereas in fact we always log this condition, even when Configuration Manager has selected a different certificate that is successfully used for native mode.
  • The logging information, even with verbose debug enabled, does not identify which certificate was selected by Configuration Manager.  Only the certificate thumbprint can uniquely identify a certificate, and this is not logged in ClientIDManagerStartup.log or any of the other client logging files.

For all the details see http://blogs.technet.com/configmgrteam/archive/2009/12/15/known-issue-logging-information-for-native-mode-certificate-selection.aspx.

J.C. Hornbeck | System Center Knowledge Engineer