That SAN field is required by Windows, not ISA. In order for a certificate to be valid for authentication, the SAN must contain an entry which represents the domain account being authenticated. Machine accounts are represented as machinename$ in AD. You'll have to build the SAN value as described in the article or ISA will be unable to authenticate the machine account.

Jim.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Alan Roberts
Sent: Tuesday, June 09, 2009 6:07 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] SCCM Publishing

I am trying to set up SSL bridging for interaction between internet based SCCM clients and the SCCM MP and am working through the document at http://technet.microsoft.com/en-us/library/cc707697.aspx.

All of our clients are domain joined laptops and we will be using the internet client functionality of SCCM to simply communicate with these domain joined machines when they are off site (e.g. at a user's home or on a client site). All computers in the domain are currently automatically issued computer certificates from our Windows 2003 enterprise based PKI.

The document above however creates custom certificates for issuance to clients that contain a Subject Alternative Name with the format: upn=<hostname>$@<domain.tld>, something the certificates we currently issue do not include.

Is this SAN field required in our scenario or is this only applicable to scenarios including internet clients that aren't domain joined and haven't been automatically enrolled for computer certificates via active directory?

Thanks
Alan

Alan Roberts
Senior IT Services Administrator
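
Added example, not part of the original thread: a PowerShell check that a client can run to see whether any certificate in its local computer store already carries the machine-account UPN (<hostname>$@<domain.tld>) in the Subject Alternative Name. It assumes an English-language Windows install, where a UPN entry in the SAN is displayed as "Principal Name=...", and that the UPN suffix is the DNS domain name the machine reports.

```powershell
# Added example: report which certificates in the local computer store contain
# the machine account UPN (<hostname>$@<domain.tld>) in the SAN extension.
# Assumptions: English display strings ("Principal Name=") and a UPN suffix
# equal to the DNS domain reported by Win32_ComputerSystem.

$domain   = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$expected = '{0}$@{1}' -f $env:COMPUTERNAME, $domain

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # 2.5.29.17 is the Subject Alternative Name extension.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    $upns = @()
    if ($san) {
        # Format($true) returns the decoded extension, one entry per line.
        $text = $san.Format($true)
        $upns = @([regex]::Matches($text, 'Principal Name=(\S+)') |
                  ForEach-Object { $_.Groups[1].Value })
    }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        SanUpns       = $upns -join ', '
        # -contains compares case-insensitively, which suits UPN matching.
        HasMachineUpn = $upns -contains $expected
    }
} | Format-Table -AutoSize
```

A certificate that shows HasMachineUpn = False, or an empty SanUpns column, lacks the SAN entry described in the reply above.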