
When using System Center 2012 Configuration Manager, you may find that the Out Of Band (OOB) Management console fails to connect to a client on an 802.1X network if that machine is not switched on or is not booted into a full, running operating system.

When a machine is provisioned in System Center 2012 Configuration Manager, it is issued an 802.1X client authentication certificate based on the settings configured in the 802.1X Wired Network Access Control dialog box. The value in the Subject Alternative Name (SAN) of this certificate is used to authenticate to the RADIUS server.


According to the TechNet documentation, the SAN should contain the Unique Principal Name (UPN) of the provisioned AMT-based computer. The value in the SAN is used for 802.1X client authentication.

If your Enterprise Certificate Authority is Windows Server 2003 based, client certificates that are issued using the 802.1X client authentication template may have incorrect alternative subject names. In these cases, the alternative subject name will have the Domain Name System (DNS) name instead of the UPN, thus causing authentication to fail.

For example, here is a correct value:

[Screenshot: certificate SAN containing the UPN]

Here is an incorrect value:

[Screenshot: certificate SAN containing the DNS name]

To resolve this issue, install the hotfix documented in KB article 943089 (http://support.microsoft.com/kb/943089) and then re-provision the machine.
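To check an issued certificate before and after re-provisioning, the following added example (not part of the original post) reads the SAN extension of an exported certificate and reports whether it carries a UPN or only a DNS name. It assumes the certificate was exported from the CA to a `.cer` file; the file name and the function name `Get-SanEntryType` are hypothetical, and the text labels matched are those shown on an English-language Windows installation.

```powershell
# Added example: classify the Subject Alternative Name (SAN) of an exported certificate.
# Assumption: the issued 802.1X client certificate was exported to a .cer file.
function Get-SanEntryType {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # 2.5.29.17 is the OID of the Subject Alternative Name extension.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        return [pscustomobject]@{
            Subject = $cert.Subject; HasUpn = $false; HasDns = $false; San = '(no SAN extension)'
        }
    }

    # Format($true) renders one SAN entry per line, for example
    # "Principal Name=..." for a UPN and "DNS Name=..." for a DNS entry.
    $text = $san.Format($true)
    [pscustomobject]@{
        Subject = $cert.Subject
        HasUpn  = [bool]($text -match 'Principal Name=')
        HasDns  = [bool]($text -match 'DNS Name=')
        San     = $text.Trim()
    }
}

# Hypothetical file name; replace with the exported certificate.
$certFile = '.\amt-8021x-client.cer'
if (Test-Path -LiteralPath $certFile) {
    $result = Get-SanEntryType -Path $certFile
    $result | Format-List

    if (-not $result.HasUpn) {
        # This is the failure condition described above: no UPN in the SAN.
        Write-Warning 'SAN does not contain a UPN; 802.1X authentication of this AMT client is expected to fail.'
    }
}
```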

Karan Rustagi | Support Escalation Engineer | Management and Security Division
