Forum Discussion
Most of the settings in the client and server SSL profile deal with how to handle the cryptographic functions on an SSL session. It is entirely possible to "filter" on an EKU value, but it is something you'd have to go out of your way to build. I'm using a simple client SSL profile in my testing with default values. Does your CA certificate (or any CA in a chain of CAs) apply any policy constraints? If the administrators are telling you that Server Authentication is not allowed, there may be an Application Policy defined in one of the CAs that specifically defines this.
http://technet.microsoft.com/en-us/library/cc737026%28v=ws.10%29.aspx
This may also be a good time for something a bit stronger than an ssldump. Your best bet is to install Wireshark and capture the SSL/TLS data. If you provide it the private key used in the client SSL profile, it can decrypt the traffic as well. An ssldump capture can do the same thing, but Wireshark will give you much more information inside the SSL handshakes.
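As an added example (not part of the original post), one way to find which certificate in a chain rules out Server Authentication is to decode each certificate's Extended Key Usage value and flag the ones that omit the purpose. Assumptions: the function names are hypothetical, the chain is constructed sample data, the validator treats an EKU on a CA certificate as a constraint on what it issues, and only the standard EKU extension is decoded (not Microsoft's separate Application Policies extension).

```python
# Added example: every DER value below is constructed, not from a real certificate.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); short-form DER lengths only (< 128 bytes)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form DER header")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos], buf[pos + 2:end], end

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # last base-128 digit of this sub-identifier
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)         # first sub-identifier packs two arcs
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_eku(ext_value):
    """Parse an extKeyUsage extnValue (SEQUENCE OF OBJECT IDENTIFIER)."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("EKU must be exactly one SEQUENCE")
    oids, pos = set(), 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OIDs")
        oids.add(decode_oid(body))
    return oids

def blocking_certs(chain, purpose=SERVER_AUTH):
    """Names of certs whose EKU omits purpose; a cert with no EKU is unrestricted."""
    return [name for name, eku in chain
            if eku is not None and not {purpose, ANY_EKU} & parse_eku(eku)]

CHAIN = [  # constructed sample: (name, EKU extnValue bytes or None)
    ("Root CA", None),
    ("Issuing CA", bytes.fromhex("300a06082b06010505070302")),  # clientAuth only
    ("Leaf", bytes.fromhex("301406082b0601050507030106082b06010505070302")),
]
```

Calling `blocking_certs(CHAIN)` on the sample names the issuing CA, because its EKU lists only Client Authentication even though the leaf itself carries Server Authentication.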