Check all SAN (Subject Alternative Name) entries for FQDN hostname or NETBIOS name when trying to validate a PKI certificate for Client Auth
Currently, SCCM has a limitation by which it only checks the first entry in a client authentication PKI cert for the FQDN hostname or NETBIOS name. If the first entry does not include either of these, then even though the cert may still be valid, SCCM won't use it.
For example, for systems we have that sit behind Network Load Balancers, the first entry in their PKI client authentication certs is normally the NLB VIP. While additional entries are present to include the system's FQDN hostname and NETBIOS names, SCCM won't check them and therefore won't use the otherwise valid PKI cert.
This is currently called out as a limitation in the following document:
Windows client computers
Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2).
Client computers must have a unique value in the Subject Name field or in the Subject Alternative Name field.
Note: If you are using multiple values for the Subject Alternative Name, only the first value is used.
The SHA-2 hash algorithm is supported.
Maximum supported key length is 2,048 bits.
By default, Configuration Manager looks for computer certificates in the Personal store in the Computer certificate store.
Except for the software update point and the Application Catalog website point, this certificate authenticates the client to site system servers that run IIS and that are set up to use HTTPS.
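The following script is an added example, not part of the original post or of Configuration Manager itself. It lists the client-authentication certificates in the Computer Personal store and reports, for each one, whether the machine's FQDN or NETBIOS name is the first SAN entry (the only one SCCM evaluates per the limitation above) or only appears in a later entry. It assumes Windows PowerShell on the client, where the SAN extension's Format() output renders one "DNS Name=..." line per entry.

```powershell
# Added example: find client-auth certs whose FQDN/NETBIOS SAN entry is not first.
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$netbios = $env:COMPUTERNAME
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_

    # Only consider certs that carry the Client Authentication EKU.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    if (-not $hasClientAuth) { return }

    # Decode the SAN extension into an ordered list of entry values.
    # Assumption: Format($true) yields lines like "DNS Name=host.corp.example" (Windows rendering).
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanEntries = @()
    if ($sanExt) {
        $sanEntries = @($sanExt.Format($true) -split "`r?`n" |
            Where-Object { $_ } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }

    $isHostName = { param($entry) ($entry -ieq $fqdn) -or ($entry -ieq $netbios) }
    $firstIsHost = ($sanEntries.Count -gt 0) -and (& $isHostName $sanEntries[0])
    $anyIsHost   = @($sanEntries | Where-Object { & $isHostName $_ }).Count -gt 0

    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        FirstSanEntry   = if ($sanEntries.Count -gt 0) { $sanEntries[0] } else { $null }
        NameIsFirstSan  = $firstIsHost
        NameInLaterSan  = $anyIsHost -and -not $firstIsHost   # valid cert SCCM will skip
    }
}
```

Rows with NameInLaterSan set to True are the NLB-style certificates described above: valid for client authentication, but not selected by SCCM until the hostname is moved to the first SAN position.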