PART 2 – SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune


After much feedback from customers and partners, I’ve decided to write another post with more detailed information on how to successfully implement NDES in combination with ConfigMgr and Intune. I hope this helps you implement it faster.

Update 1: Consider reading my other post on adding a reverse proxy.
Update 2: Publish NDES via Azure AD Application Proxy as described in my other post.
Update 3: Updated 16/3/2016 with more detailed info (thanks Kevin Myrup)

NDES Design High level architecture:

Pre-requirements:

  • The issuing CA needs to be Windows Server 2008 R2 (with KB2483564) or, preferably, a newer Windows Server release.
  • The NDES server needs to be Windows Server 2012 R2.
  • The NDES server needs to be domain joined to the same domain as the issuing CA. Consult this TechNet article if you want to deploy in a separate forest, isolated network or internal domain.
  • The NDES server cannot be the same machine as the issuing CA. Setup does not block that configuration, but the policy module will not work as expected in it.

Update 21/10/2014, please check my "Part 3" blog for more information on how to use an additional Web Application Proxy in front of the domain joined NDES server. 

Network

From internet to DMZ:

  • Allow port 443 from all hosts/IP’s on the internet to the NDES server

From DMZ to trusted:

  • Allow all ports and protocols needed for domain access by the domain joined NDES server. The NDES server needs access to the certificate servers, DNS servers, ConfigMgr server(s) and domain controllers.

Now let’s start with the actual configuration. If something isn’t clear please leave a reply (a reply is always welcome).

Issuing Certificate Authority:

  • Log in as an Enterprise Administrator
  • Install all Windows Updates.
  • If your issuing Certificate Authority is Windows Server 2008 R2, install the hotfix mentioned earlier from here. Preferably use a newer Windows Server release for your issuing CA.
  • Create the certificate template(s) on the CA by duplicating an existing one.
    • It’s easiest to duplicate the built-in “User” template and modify that.
    • Match the key usage of the template to the NDES template type it will be mapped to (signature -> SignatureTemplate, encryption -> EncryptionTemplate, signature and encryption -> GeneralPurposeTemplate).
    • Make sure “Supply in the request” is selected on the Subject Name tab.
    • Client Authentication must be specified in the application policies.
    • Have a look at these template configuration screenshots.
      • Important note regarding the additional application policies (in the 4th screenshot): only add the application policies that are required. Consult your security department to ensure the appropriate configuration is done.
  • Enable the certificate template on the issuing CA.

NDES Server:

  • Log in as an Enterprise Administrator
  • Install all Windows Updates.
  • Make sure the NDES server is domain joined and has access to DNS, ConfigMgr, Certificate Authority and Domain Controller servers.
  • Go to Add Roles and Features.
  • Install Request Filtering which is located under Web Server (IIS) -> Web Server –> Security
  • Install the Active Directory Certificate Services (AD CS) role. (Uncheck the Certification Authority component and instead check Network Device Enrollment Service.)
    • In parallel create a domain user/service account, e.g. “NDESUser”
      • Make sure the user has the “Allow log on locally”, “Log on as a service” and “Log on as a batch job” rights. This is the case by default, but some companies have hardening policies in place that remove these rights.
    • Make this user a member of the local IIS_IUSRS group.
    • Make sure this user has Enroll permissions on the certificate templates which will be used to issue user certificates via NDES (and which will later be configured in the registry on the NDES server under HKLM\Software\Microsoft\Cryptography\MSCEP).
    • Make sure the ConfigMgr admins who will create SCEP profiles have Read rights to the template so they can browse to it when creating SCEP profile configuration items in the ConfigMgr admin console.
  • Create a Service Principal Name (SPN) for the NDESUser account.
    • Open an elevated command prompt and type the following command (change the NDES server FQDN, the domain and the NDESUser account to match your environment):
    • setspn -s http/ndesserver.mydomain.local mydomain\NDESUser

      If the SPN is not created, the NDES-to-CA call may fail Kerberos authentication. If you are using a regular domain user account (not a built-in service account such as Network Service or Local Service), the fallback to NTLM will work just fine and you will not see any issues apart from some entries in the security event log. If you block NTLM in your environment, this step is mandatory.

  • Continue to configure the Network Device Enrollment Service
    • CA for NDES: browse to and select your CA using the CA name or computer name.
    • RA Information: you can leave the defaults.
    • Cryptography for NDES: configure the key length used by the NDES server. Make it match what is configured in your CA template (1024 or 2048).
  • The NDES server will receive very long URLs (query strings), so a few changes are needed. Open the registry editor and add two entries:

Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxFieldLength
Type DWORD
Data: 65534 (decimal)

Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters  
Value: MaxRequestBytes
Type DWORD
Data: 65534 (decimal)

  • Open IIS Manager, browse to the Default Web Site and select Request Filtering. On the right side of the console click Edit Feature Settings and change Maximum URL length and Maximum query string to 65534.
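The two registry values, the request filtering limits and the SPN from the earlier step can also be applied from PowerShell. The following is an added example, not code from the original post; it assumes the NDES server FQDN ndesserver.mydomain.local and the service account mydomain\NDESUser used in the setspn step above, and must run in an elevated session on the NDES server:

```powershell
# Added example (not from the original post). Run elevated on the NDES server.
# Assumed values: adjust the FQDN and account to your environment.
$ndesFqdn    = 'ndesserver.mydomain.local'
$ndesAccount = 'mydomain\NDESUser'

# 1. HTTP.sys limits, so the long SCEP query string is not rejected before it
#    reaches IIS. A reboot is required for these to take effect.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    New-ItemProperty -Path $httpParams -Name $name -PropertyType DWord -Value 65534 -Force | Out-Null
}

# 2. IIS request filtering limits on the Default Web Site ("Maximum URL length"
#    and "Maximum query string" in IIS Manager are maxUrl and maxQueryString).
Import-Module WebAdministration
$site   = 'IIS:\Sites\Default Web Site'
$filter = 'system.webServer/security/requestFiltering/requestLimits'
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxUrl         -Value 65534
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxQueryString -Value 65534

# 3. SPN for the NDES service account, so the NDES-to-CA call can use Kerberos
#    instead of falling back to NTLM.
setspn -s "http/$ndesFqdn" $ndesAccount

# Verify what was written before rebooting.
Get-ItemProperty -Path $httpParams | Select-Object MaxFieldLength, MaxRequestBytes
foreach ($name in 'maxUrl', 'maxQueryString') {
    $value = (Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name $name).Value
    '{0,-16} {1}' -f $name, $value
}
setspn -L $ndesAccount
Write-Warning 'Reboot the server now; restarting IIS is not sufficient.'
```

The verification output should show 65534 for all four values and the http/ SPN listed for the account before you reboot.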

image

  • After this, reboot the server. This is mandatory; restarting IIS is not sufficient.
  • Next, browse to http://FQDN/certsrv/mscep/mscep.dll and you should receive an NDES page similar to the one below.

image

If you get an error 503 “Service Unavailable”, check Event Viewer. It's likely that the application pool has stopped because the NDESUser account is missing one of the rights listed above.

This website will be hardened later on – don’t worry.

  • The NDES server will need two certificates (or one with both EKUs; read on for more info). Make sure you request them from the CA:
    • Traffic between the NDES server and the CRP (Certificate Registration Point) is encrypted using SSL and the NDES server authenticates itself to the CRP, so it needs a certificate with the Client Authentication Enhanced Key Usage (EKU).
    • A certificate with the Server Authentication EKU that it will use as the SSL certificate for the IIS web server (to offer an https URL for NDES so clients connect to the NDES server over https; strongly recommended but not required).
  • If you request a certificate from your local CA, double check you have the correct EKUs in place.
    • The two certificates can be one and the same certificate (if it carries both EKUs), but they do not have to be. You could, for instance, give them different lifetimes: an SSL certificate valid for 2 years and a client authentication certificate that expires after 1 year.

  • I prefer to take the easy way: I requested a single certificate with both the Client Authentication and Server Authentication EKUs and used it for both purposes.

image

Update 16/3/2016, by request: for both the NDES and CRP SSL certificates (and the NDES client authentication certificate), some more info related to the Subject Alternative Name (SAN):

CRP:
The SAN on the SSL certificate should contain the internal DNS name of the CRP server (which the NDES server will use when contacting it for challenge verification requests). This DNS name should match what is entered as the CRP URL when installing the policy module on the NDES server.

NDES:
The SAN on the SSL certificate should contain the public external DNS name of the NDES server (the one which will be part of the URL that devices are given for certificate enrollment requests). If using a WAP or other reverse proxy, this name should match what is published there.
The SAN on the client authentication certificate should contain the internal DNS name of the NDES server (which it will use to authenticate itself over the internal network to the CRP server). It may also contain the public DNS name.

  • In IIS manager, go to “Edit Bindings” of the Default Web Site and add a port 443 binding.
  • Add the certificate to the HTTPS binding.
  • Consider changing the SSL settings to “Require” SSL but “Ignore” client certificates.

image

 

CRP Site Server Role in ConfigMgr:

  • Install IIS – if it isn’t installed already.
  • Make sure to add the following optional role services (which will also pull in several dependent components):
    • Windows Server 2012 R2:
      • ASP .NET 3.5
      • ASP .NET 4.5
      • WCF HTTP Activation

    • Windows Server 2008 R2: 
      • ASP.NET  
      • WCF HTTP Activation 
      • (not in the wizard, but also do this) aspnet_regiis.exe -i (run this from the .NET 4 folder, e.g. C:\Windows\Microsoft.NET\Framework\v4.0.30319)
    • IIS 6 Management Compatibility (including IIS 6 Management WMI Compatibility also)
  • Bind the CRP cert to https 443:
  • In IIS Manager select Default Web Site
  • Right-click and choose Edit Bindings
  • Choose https (it will use port 443 by default)
  • Add or choose a CRP SSL certificate. (If you don't have this, request a default webserver certificate and add that)
  • Make sure that after the certificate is selected you see a binding for all IP addresses (*), as in the screenshot below.

image

Note: If you are installing the CRP on a machine other than the site server, you will need to add the site server's machine account to the local Administrators group on the CRP machine (by default a remote site role is installed using the site server's machine account). Alternatively, you can specify a specific user in the CRP site role installation wizard; that user would then need to be a local administrator on the remote CRP machine.

  • Test whether you can browse to the destination CRP server via \\ipaddress\c$; if not, make sure the “File and Printer Sharing” firewall rule is enabled.
  • Deploy the CRP as a new site system role from the site server (CAS or primary site):
    • Open the Configuration Manager admin console.
    • Navigate to Administration -> Site Configuration -> Servers and Site System Roles.
    • Right-click the primary site server and select Add Site System Roles -> Certificate Registration Point.
    • If you are installing on a server that is not the CAS or primary site server, configure an account that will perform the installation by changing the “Site System Installation Account”.

  • Specify the URL for NDES (for at least one NDES server), now this is important:

This URL will be part of the profile sent to the devices. This means that the device, out there somewhere on the internet, needs to reach this URL. Specify the internet facing URL, not any internal FQDN.

E.g. https://ndes.contoso.com/certsrv/mscep/mscep.dll

  • Specify/browse to the exported root CA certificate (.cer file) of the CA that issued the NDES client authentication certificate.

image

  • Verify that the CRP installed successfully by opening the following log files (locations might differ depending on the ConfigMgr installation path):

  • C:\Program Files\Microsoft Configuration Manager\Logs\CRPMSI.log
    • This log must read “Installation success or error status: 0”.
  • C:\Program Files\Microsoft Configuration Manager\Logs\crpsetup.log
    • This log must read “CRP.msi exited with return code: 0”.
    • If errors like “GetIISWebServiceStringProperty failed” are listed, make sure the correct SSL certificate is bound and no host name is specified in “Edit Site Bindings”.
  • C:\Program Files\Microsoft Configuration Manager\Logs\crpctrl.log
    • It should show that CRP status is 0 (online) like this line:

    “CRP's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)                SMS_CERTIFICATE_REGISTRATION_POINT          4/25/2014 9:50:21 PM    6496 (0x1960)”

    However, right after installation of the CRP it might not show that yet. The self-health check runs every 10 minutes, so after 10 minutes it should change from 4 to 0 (online). This can be sped up by restarting the SMS_CERTIFICATE_REGISTRATION_POINT thread if desired.

  • C:\Program Files\SMS_CCM\CRP\Logs\CRP.log
    • This log should not contain any errors.
    • If you see a "Security Exception is thrown in reading inbox path" error, grant the "Network Service" account read permissions to the HKLM\SOFTWARE\Microsoft\SMS\MPFDM\Inboxes registry key.

  • Open a browser on the CRP server and browse to https://FQDN/CMCertificateRegistration
  • You should get a 403 Forbidden error. If you get anything else (e.g. a 404 or 500), stop right there and check all log files and/or reboot the server.
    • If you receive a 404, open IIS Manager and navigate to CMCertificateRegistration below the Default Website. Change the SSL settings to "Require SSL" and "Require Client Certificates". Restart the SMS_EXEC service.

  • After the CRP is installed, the system will automatically export the certificate that the NDES policy module will use (this can take up to an hour or so) to the certmgr.box folder under inboxes on the site server. Be patient; it will be generated automatically.

image

  • Copy this certificate to the NDES server; we will need it soon.
  • Copy the PolicyModule directory containing the installation files (found in the ConfigMgr installation files under SMSSETUP\PolicyModule\X64) to the NDES server. We will need it in the next step.

image

Back to the NDES Server

  • On the NDES server, start “PolicyModuleSetup.exe” (copied earlier from the ConfigMgr installation files)
  • Specify the URL for the CRP, e.g. https://crp.contoso.local/CMCertificateRegistration
  • Specify the CRP port (if using something other than 443 on CRP).
  • Select a PKI certificate that supports client authentication. You might already have a suitable certificate installed on the computer that you can use, or you might have to (or prefer to) deploy a certificate specifically for this purpose. Hit next.
  • Select the certificate that was copied from the CRP’s certmgr.box directory earlier.
  • Open the registry editor and browse to HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP
  • Make sure that the values of “EncryptionTemplate”, “GeneralPurposeTemplate” and “SignatureTemplate” match the names of the templates on your CA. Triple check this!

image

Update 16/3/2016:

They should not all be set to the same thing. Most configurations will simply use GeneralPurposeTemplate, but they could also use SignatureTemplate and/or EncryptionTemplate. If they do, those should be set to a different template name. The mapping of key usage to registry value is as follows:

Encryption -> EncryptionTemplate
Signature and Encryption -> GeneralPurposeTemplate
Signature -> SignatureTemplate

  • Open an elevated command prompt and run “iisreset”.
  • Now open Internet Explorer on the NDES server and browse to https://ndesfqdn.com/certsrv/mscep/mscep.dll. You should no longer see the web page; instead you should get an HTTP 403 Forbidden error. This is expected.
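Both checks in this step, the MSCEP template names and the 403 on the hardened URL, can be done from a PowerShell prompt on the NDES server. This is an added example, not code from the original post or from the policy module. It assumes the CA config string ca01.internaldomain.local\pcitdemo-CA01-CA (the CA from the NDESPlugin.log excerpt further down), the public NDES URL https://ndes.contoso.com/certsrv/mscep/mscep.dll, and that certutil -CATemplates prints one "TemplateName: Display Name ..." line per enabled template:

```powershell
# Added example (not from the original post). Run on the NDES server after the
# iisreset, as a domain user with read access to the CA. Assumed values follow.
$caConfig = 'ca01.internaldomain.local\pcitdemo-CA01-CA'   # <CA computer>\<CA name>
$ndesUrl  = 'https://ndes.contoso.com/certsrv/mscep/mscep.dll'

# Key usage of the SCEP profile -> MSCEP registry value the policy module reads.
$usageToValue = [ordered]@{
    'Signature'                = 'SignatureTemplate'
    'Encryption'               = 'EncryptionTemplate'
    'Signature and Encryption' = 'GeneralPurposeTemplate'
}

# Template names enabled on the issuing CA. certutil prints
# "TemplateName: Display Name -- ..." per template (assumed format); keep the
# token before the first colon, which is the name the registry must contain.
$caTemplates = certutil -CATemplates -config $caConfig |
    ForEach-Object { if ($_ -match '^(\S+):') { $Matches[1] } }
if (-not $caTemplates) {
    throw "No templates returned from $caConfig; check the CA config string and your permissions."
}

# Compare each MSCEP value against the CA. A name that is not found here is the
# classic cause of enrollment failures once the policy module is installed.
$mscep = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
foreach ($usage in $usageToValue.Keys) {
    $valueName = $usageToValue[$usage]
    $template  = $mscep.$valueName
    $state = if ($caTemplates -contains $template) { 'OK' } else { 'NOT FOUND ON CA' }
    '{0,-26} {1,-24} {2,-32} {3}' -f $usage, $valueName, $template, $state
}

# With the policy module installed the NDES URL must answer 403 Forbidden.
try {
    $r = Invoke-WebRequest -Uri $ndesUrl -UseBasicParsing
    Write-Warning "NDES URL returned HTTP $($r.StatusCode); expected 403 once the policy module is installed."
} catch {
    $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    if ($code -eq 403) { "NDES URL returns 403 Forbidden as expected." }
    else { Write-Warning "NDES URL check failed with HTTP $code ($($_.Exception.Message))" }
}
```

Every line of the table should end in OK; a template that reads NOT FOUND ON CA is either misspelled in the registry (the registry wants the template name, not its display name) or not yet enabled for issuing on the CA.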

Configure the Certificate Profile on ConfigMgr

  • Log on to your ConfigMgr server and open the console.
  • Open the Assets and Compliance workspace -> Compliance Settings -> Company Resource Access -> Certificate Profiles
  • Create a new profile, choose Trusted CA Certificate and hit next. Import your root CA certificate and hit next. Select which platforms you will be deploying this against. Hit finish at the end.

image

  • Now deploy this profile to your choice of users or devices.

image

  • Create a new Certificate Profile, this time a SCEP profile.
  • Change the desired options in the “Enrollment Parameters” window; I would go for the defaults.
  • Click Browse next to “Certificate template name”. Remember that this name must match whatever you entered in the registry on the NDES server!
  • If the template you created on the CA doesn’t show up when browsing from this wizard, it is likely due to one of two causes:
    • The ConfigMgr administrator does not have “Read” permissions on the template in AD (configure this on the template object from the Certificate Templates MMC on the CA).
    • The template has been created but not published for issuing on the CA (this is done in the “Certification Authority” MMC snap-in: right-click the “Certificate Templates” folder and choose New -> Certificate Template to Issue).

image

  • At this point, be aware that:
    • iOS doesn’t support a fully distinguished name as the subject name format, nor including the e-mail address in the subject name.
    • You configure the settings according to what you have specified in the template (e.g. SHA-1/SHA-2/SHA-3 and the key length).
    • If the template name contains non-ASCII characters the certificate will not be deployed.

image

  • Select the Root CA certificate and you should be good to go!
  • Hit next, select the destination platforms and finish the wizard.
  • Deploy the profile to the desired user or device collection(s).

Communication workflow

  1. The administrator configures the policy in SCCM.
  2. The policy is sent to the Intune service, where details about the certificate policy are used to create the challenge for the device(s).
  3. The policy is pushed to the mobile device by the Intune service during the next check-in. This policy contains the URL of the NDES server as well as the challenge generated by Intune.
  4. The device contacts the NDES server using the URL from step 3 and provides the challenge response. (This is why your NDES server needs to be reachable externally in some way.)
  5. The NDES server (using our SCCM policy module) talks to the SCCM Certificate Registration Point (CRP) to validate the challenge. You’ll need to make sure that 443 (SSL) is open between the NDES server and the CRP for this validation to happen.
  6. The CRP responds to the NDES server with “true” or “false” for the challenge verification. (Again, over 443 SSL.)
  7. If the challenge is OK, the NDES server communicates with the CA to get a certificate for the device. You’ll need to make sure that the appropriate ports are open between NDES and the CA for this to happen.
  8. NDES delivers the certificate to the mobile device.

Thanks Bob Roudebush for sharing.

Now what if it doesn’t work? Check these things first:

  1. The device time should be accurate. If it’s off by 5 minutes or more, you will not get a SCEP certificate.
  2. Did the root CA certificate (of the issuing CA) that you deployed via ConfigMgr get pushed to the device?
  3. Can you access the NDES URL from the internet using a browser?
    1. Are you getting any certificate errors?
    2. Make sure the URL corresponds with what is listed on the certificate (https://ndes.yourdomain.com and not https://ndes.yourinternaldomain.local).
  4. Visit https://ndes.externalfqdn.com/certsrv/mscep?operation=GetCACert&message=MyDeviceID. You should get a response and the option to download a file.
  5. Push a certificate profile to a Windows device and check in the registry whether the request arrived.
    1. Open the registry editor and locate the following key: HKCU\Software\Microsoft\Windows\CurrentVersion\MDM
    2. The request will be visible as a subkey, as shown in the screenshot below.
  6. The certificate thumbprint will be populated when the actual certificate is received.

  7. Open the CRPCTRL.LOG on the ConfigMgr server. The "previous status" should be 0.

    Check the file C:\Program Files\Microsoft Configuration Manager\Logs\crpctrl.log (could also be in the x86 Program Files folder).

    There should be an entry as follows:
    CRP's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)

  8. Do you get any requests logged on the IIS server of the NDES? What is the status code? It should be 200 in most cases!
    Check the most recently modified log in C:\inetpub\logs\LogFiles\W3SVC1

    Entries should look similar to this (notice the port number 443):
    2014-07-07 13:45:27 10.0.0.6 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=MDM 443 - 80.81.82.83 - - 200 0 0 0

  9. Do you see any requests logged in the NDES plugin log?
    Check the log at C:\Program Files\Microsoft Configuration Manager\Logs\NDESPlugin.log

    Entries should look similar to this:

    <![LOG[==========[ NDES policy module started in process 2332 ]==========]LOG]!><time="22:37:15.204+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:195">
    <![LOG[Calling Initialize…]LOG]!><time="22:37:15.204+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:226">
    <![LOG[certificate registration point web server is sccm.internaldomain.local]LOG]!><time="22:37:15.204+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:250">
    <![LOG[NDES thumbprint is 874b8e5864139ad337be36fdd86937fbce1aff9f.]LOG]!><time="22:37:15.204+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:272">
    <![LOG[certificate registration point webservice URL is CMCertificateRegistration]LOG]!><time="22:37:15.204+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:314">
    <![LOG[CA Issuer Name is ca01.internaldomain.local\\pcitdemo-CA01-CA]LOG]!><time="22:37:15.204+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:356">
    <![LOG[Certificate registration port number is 443]LOG]!><time="22:37:15.204+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:387">
    <![LOG[Exiting Initialize with 0x0]LOG]!><time="22:37:15.204+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:396">
    <![LOG[Calling VerifyRequest …]LOG]!><time="22:37:19.978+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:646">
    <![LOG[Sending request to certificate registration point.]LOG]!><time="22:37:19.978+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="httprequest.cpp:114">
    <![LOG[Verify challenge returns false]LOG]!><time="22:37:20.563+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:834">
    <![LOG[Exiting VerifyRequest with 0x0]LOG]!><time="22:37:20.563+00" date="03-18-2014" component="NDESPlugin" context="" type="1" thread="1356" file="ndesplugin.cpp:874">


  10. Do you see any requests logged on the IIS server of the CRP? What is the status code? It should be 200 in most cases!
    Check out the last modified log in C:\inetpub\logs\LogFiles\W3SVC1
  11. Do you see any request logged in the CRP log on the CRP server?
    C:\Program Files\SMS_CCM\CRP\Logs\crp.log
  12. Are you getting this error: 

    CRP's previous status was 1 (0 = Online, 1 = Failed, 4 = Undefined)
    Health check request failed, status code is 403, 'Forbidden'.

    Make sure you change the SSL Settings of CMCertificateRegistration in IIS on your ConfigMgr server to Ignore Client Certificates.

  13. Do you see a certificate being issued on the issuing CA?

image

  14. Are you getting this output in the NDES log file?

<![LOG[Failed to retrieve client certificate. Error -2147467259]LOG]!><time="20:48:44.215+00" date="08-17-2015" component="NDESPlugin" context="" type="3" thread="4064" file="httprequest.cpp:240">
<![LOG[Exiting VerifyRequest with 0x80004005]LOG]!><time="20:48:44.215+00" date="08-17-2015" component="NDESPlugin" context="" type="1" thread="4064" file="ndesplugin.cpp:874">

    The client auth certificate needs to carry the internal DNS name to present to the CRP. The easiest way to do this is to put both DNS names in the SAN of the certificate. See this TechNet post for more info.

  15. Are you getting Event ID 29 from the Network Device Enrollment Service? The event log might show this entry:

Event ID: 29
The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.
Internal Name: EVENT_MSCEP_INVALID_PASSWORD
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Description: The Network Device Enrollment Service failed to process a client device's request because the submitted password is invalid.
Diagnose: Check the IIS log to find out what query string was submitted.
Check the device configuration to ensure that the correct password is being submitted as part of the request.
Use certutil to check whether the PKCS7 package from the client is valid (certutil -v p7request.txt, where p7request.txt is a file in which the query string is captured).
Otherwise, enable CAPI2 diagnostics and, if possible, reproduce the error.
Resolve: If necessary, contact the vendor of the SCEP client and ensure that the request is being submitted correctly.

So what’s up with that? Your service certificate (e.g. the one for Client Authentication) has expired or was revoked.
Note: the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint needs to be MANUALLY updated with the thumbprint of the new service certificate, replacing the old certificate’s thumbprint, or NDES will continue trying to use the old certificate even if it’s archived. Thanks Mr. Hammami for getting to this solution.
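Items 8 and 14 above lend themselves to a script. The following is an added PowerShell example, not code from the original post: Get-ScepRequest reads IIS W3C log lines and maps the status codes of the mscep.dll requests to the causes discussed in this list (200 OK, 403 from the policy module, 404 wrong path, and the 404.14/404.15 substatus codes IIS request filtering uses when the URL or query string exceeds the limits set earlier); Test-NdesClientCertificate reads NDESCertThumbprint from the policy module's registry key and checks that the matching certificate is in the machine store, not expired, and carries the Client Authentication EKU. The three log lines are constructed samples in the format of the entry under item 8; the GetCACaps and PKIOperation requests that follow GetCACert are the standard SCEP operations a device issues.

```powershell
# Added example (not from the original post). Sample log lines are constructed.

function Get-ScepRequest {
    # Parse IIS W3C log lines and summarise every request that hit mscep.dll.
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = @()
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {           # header row names the columns
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $values = $line -split ' '
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-uri-stem'] -notlike '*mscep*') { continue }

        $op = if ($row['cs-uri-query'] -match 'operation=([A-Za-z]+)') { $Matches[1] } else { '-' }
        $status = [int]$row['sc-status']
        $sub    = [int]$row['sc-substatus']
        $hint = switch ($status) {
            200 { 'OK' }
            403 { 'policy module installed and challenge rejected (expected for a browser test)' }
            404 {
                if ($sub -in 14, 15) { 'URL or query string too long: check the HTTP.sys registry values and IIS request filtering limits' }
                else { 'wrong path: check the NDES URL configured on the CRP' }
            }
            default { 'unexpected: check the NDES event log and NDESPlugin.log' }
        }
        [pscustomobject]@{
            Time      = "$($row['date']) $($row['time'])"
            Client    = $row['c-ip']
            Operation = $op
            Status    = "$status.$sub"
            Hint      = $hint
        }
    }
}

function Test-NdesClientCertificate {
    # Compare NDESCertThumbprint with the certificate actually present in LocalMachine\My.
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy'
    if (-not (Test-Path $key)) { Write-Warning 'Policy module key not found; run this on the NDES server.'; return $false }
    $thumb = ((Get-ItemProperty -Path $key).NDESCertThumbprint -replace '\s', '').ToUpper()
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { Write-Warning "No certificate $thumb in LocalMachine\My; renew it and update NDESCertThumbprint."; return $false }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate $thumb expired $($cert.NotAfter); renew it and update NDESCertThumbprint."; return $false }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.2') { Write-Warning "Certificate $thumb lacks the Client Authentication EKU."; return $false }
    "Client auth certificate $thumb is valid until $($cert.NotAfter)."
    return $true
}

# Constructed sample: the GETs a device makes, the third rejected by request filtering.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-07-07 13:45:27 10.0.0.6 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=MDM 443 - 80.81.82.83 - - 200 0 0 0
2014-07-07 13:45:27 10.0.0.6 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=MDM 443 - 80.81.82.83 - - 200 0 0 0
2014-07-07 13:45:29 10.0.0.6 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=PKIOperation&message=MIIKxAYJKoZI 443 - 80.81.82.83 - - 404 15 0 0
'@ -split "`r?`n"

Get-ScepRequest -LogLines $sampleLog | Format-Table -AutoSize
# On a real NDES server, feed it the newest live log instead:
# Get-ScepRequest -LogLines (Get-Content (Get-ChildItem C:\inetpub\logs\LogFiles\W3SVC1 | Sort-Object LastWriteTime | Select-Object -Last 1).FullName)
Test-NdesClientCertificate
```

If the first two operations show 200 and the PKIOperation line is missing entirely rather than 404.15, the large request is being dropped before it reaches IIS (a reverse proxy, firewall, or the HTTP.sys limits), which is the case discussed in the comments below.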

————–

Hope this post helped you implement NDES with Microsoft Intune, please consider leaving a reply if it did!


Comments (57)

  1. Tom_Floor says:

    Thanks, great guide. Got the infrastructure working to push certificates to iOS devices 🙂

  2. Great interesting posts about different servers

  3. Hi Joel, the 200 is expected (success). This means the device will reach out to the correct NDES server and perform 3 GET requests. You should be able to see at least two of them. The third request is huge in size, about 31 KB, and could be blocked for many reasons (do you have a reverse proxy in front of the NDES? Did you change the registry and IIS 65534 entries correctly?). If you see the first two 200 success messages but the third one is not shown in the IIS logs, the request is blocked, either by the NDES server itself or by something in front of it (reverse proxy/firewall etc.).

  4. If the IIS log doesn’t show any request at all, it means that 1) the URL to your NDES server in the configuration of the CRP (https://ndes.contoso.com/) is incorrect/not resolvable, or 2) something in between, like a proxy or firewall, is blocking the requests.
    Enroll a Windows 8.1 tablet and look in the registry for what the NDES URL is, paste that in your browser and check the IIS logs on the NDES server. Something is preventing that part of the communication.

  5. Q: Must my NDES web server certificate be publicly trusted?
    A: No, but you must deploy the root certificate via Intune/ConfigMgr to the device. The 403 Forbidden error is expected; the test device (Windows 8.1 in this case) should trust the certificate in Internet Explorer. If it’s not trusted, the issuing root CA certificate has not arrived yet, which is very unlikely.

  6. Hi Phil S, there are a few locations to troubleshoot that. First of all the event log (to see if the CRP is running without issues). Then open NDESConnector_2015-04-29_XXXXX.svclog with svctraceviewer.exe (separate download) to decode the contents. Also check the ndesplugin.log. If you see any major errors in those logs, that’s where to investigate.

  7. Anonymous says:

    In order to check for a valid configuration and start enrolling certificates using ConfigMgr 2012 and

  8. Rob says:

    Hello! Thanks for the great article. Hoping you can help with a problem I’m seeing: SCCM 2012 R2 (single site/primary). When attempting to choose my enterprise CA, I can select it from the list and also select the template name, but the wizard gives me a red exclamation point saying I need to select an enterprise CA. The CA is published in AD. The only difference I see is that other CAs we’ve created are published with the FQDN while this particular CA is published as the short name. Thoughts? Thanks for your time!!

  9. Matt W says:

    Thank you for this very timely article! I’m not sure how it would be possible to setup NDES without it.
    Regarding the two certificates needed for NDES (1 client, 1 server, or 1 client and server), it is not very clear how those certificates are meant to be obtained. I’m not sure if what I did is correct, but here are my steps:
    -On the CA, duplicate the Web Server certificate, name the new template NDES Server.
    -Extension Tab, Application Policies: Add Client Authentication (Server is already part of the Web Server template).
    -Security: Add NDES server with Read and Enroll.
    -Subject Name: Supply in the request.
    Publish the new certificate template.
    Then on the NDES server, I manually requested a new certificate using the MMC Snapin, Local computer.
    -Personal, Request new certificate
    -Choose NDES Server template, expand Details, Properties
    -Subject Name: Common Name, Value: Public-facing FQDN

    These steps seemed to work for me, but I’m not sure if they are all needed or even if they are the correct steps. I’d appreciate any comments. Thank you!

  10. Miha Pecnik says:

    I’d just like to extend my thank you for this excellent guide.

  11. christoph says:

    Thanks for the great guide! I get the following error in the IIS log: 2014-07-30 22:07:26 112.14.0.1 GET /certsrv/mscep/mscep.dllhttps:/externalFQDN.cloudapp.net/certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=MDM 443 – 158.12.123.185 – – 404 0 2 73
    All other logs OK, but CRP.log shows only "Perf Test Hook, Challenge is read from registry"

    Test lab: SCCM 2012 R2 /CU2; CA; NDES with SCEP and Policy Module

    Can anyone help?

  12. Pwigle says:

    Hi Christoph, It sounds like the device is not going to the correct URL (error 404). Check the URL you provided during the CRP configuration.

  13. christoph says:

    Hi Pwigle! Thanks for the reply. Yes, it was a wrong URL 🙁 copy paste…. Now I have no errors in the log
    2014-08-02 18:57:41 fe80::10b7:f62:ec3c:605d%12 POST /CMCertificateRegistration/certificate/generatechallenge – 443 – fe80::10b7:f62:ec3c:605d%12 SMS_CERTIFICATE_REGISTRATION_POINT – 201 0 0 3502

    2014-08-02 14:07:40 172.16.0.8 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=MDM 443 – 144.11.115.119 – – 200 0 0 68

    But in SCCM i have following error: 0X87D1FDE8 Remediation failed (Certificate Profile – Deployment)

    I copied the IPSec (offline request) certificate template and edited the 3 registry entries to the template name (CustomIPSecV2). In the Security tab I added the NDES service account for Read and Enroll.

    I deployed the Certificate Profile in SCCM.

  14. Roy W says:

    Hi Pieter,

    Very good article. I was curious if you could elaborate (perhaps a link to an article/KB) on why the NDES service should be separated from the CA issuing server as the policy module would behave unexpectedly? I was not able to find any references about that.

    Cheers,
    Roy

  15. Pwigle says:

    Hi Roy, as far as I know the reason has not been published anywhere; however I do know it simply won’t work. There are a few registry keys missing when you combine the CA and NDES on the same box. It’s not tested, not supported and therefore definitely not recommended. They should be on separate servers and joined to the same domain.

  16. Jens Mander says:

    Fantastic article – thx alot!!!!

  17. S.Mason says:

    Thanks for the article, perhaps the fullest I’ve seen for this type of deployment. I do have a question. I have an error in the CRPMSI log file as follows: ERROR: Certificate is not configured on the website for SSL. The MSI fails to run. I think this is because of SSL not being enabled on the CM server? You mention a CRP certificate, does this need to have any specific EKU?

  18. Pwigle says:

    Hi S. Mason, I’ve seen that error. If I remember correctly you have to make sure a normal web server certificate is imported on the ConfigMgr server. Try adding an HTTPS binding in IIS with that cert if it isn’t there already.

  19. S.Mason says:

    Quick note of thanks. Your comment against my last post sorted the issue I had, CRP certificate created and policy module installed. Fingers crossed the testing goes without further issue.

  20. Björn says:

    Hi, I did have some serious issues to generate certificates to my devices (iOS8, Android 4.4). Then I changed the policy to "include email address in subject name" and then it all started to work just fine.

  21. Björn says:

    Hi again, as I wrote on 2nd October, the certificate enrollment works just fine. But there seem to be issues with iDevices and re-enrolling certificates. So basically I have got my certs for two different accounts towards my iPad. But when I try to remove the Intune account and then re-enroll the device to Intune, it doesn’t generate any certificate.

    When looking in the logfiles it seems good.

    When an already enrolled device with an already enrolled user re-enrolls the device (after selective wipe or removal inside the Intune app) the crp.log file says:

    VerifyRequest Started. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
    Reading Template Permission Check from registry. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
    Validation Phase 1 started. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
    Validation Phase 1 finised with status True. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
    Validation Phase 2 started for device and user . CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
    Validation Phase 2 finished. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
    Validation Phase 3 started for device 9830942a-60e8-432f-bbee-2e68019d9734 and user 8990afa9-9690-4830-9438-fcba63e87691. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
    Get Challenge Parameters from DB using query: Execute CRP_VerifyRequestParameters @vchCertificateRequestID = ‘ModelName=ScopeId_96A5566A-0E75-4EFB-8670-3B4266DDD18C/ConfigurationPolicy_8e3a6dfd-ab68-4eb5-8bb6-79af10623f1e;Version=5;Hash=-850744603’, @vchDeviceID
    = ‘9830942a-60e8-432f-bbee-2e68019d9734’, @vchUserID = ‘8990afa9-9690-4830-9438-fcba63e87691’, @DeviceType = 9 CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
    Validation Phase 3 finished with status True. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
    VerifyRequest Finished with status True CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)

  22. Björn says:

    When the CRP is able to generate the certificate the logfile looks like this:
    VerifyRequest Started. CertificateRegistrationPoint 10/4/2014 11:29:49 AM 28 (0x001C)
    Reading Template Permission Check from registry. CertificateRegistrationPoint 10/4/2014 11:29:49 AM 28 (0x001C)
    Validation Phase 1 started. CertificateRegistrationPoint 10/4/2014 11:29:49 AM 28 (0x001C)
    Validation Phase 1 finised with status True. CertificateRegistrationPoint 10/4/2014 11:29:49 AM 28 (0x001C)
    Validation Phase 2 started for device and user . CertificateRegistrationPoint 10/4/2014 11:29:49 AM 28 (0x001C)
    Validation Phase 2 finished. CertificateRegistrationPoint 10/4/2014 11:29:49 AM 28 (0x001C)
    Validation Phase 3 started for device 9830942a-60e8-432f-bbee-2e68019d9734 and user 8990afa9-9690-4830-9438-fcba63e87691. CertificateRegistrationPoint 10/4/2014 11:29:49 AM 28 (0x001C)
    Get Challenge Parameters from DB using query: Execute CRP_VerifyRequestParameters @vchCertificateRequestID = ‘ModelName=ScopeId_96A5566A-0E75-4EFB-8670-3B4266DDD18C/ConfigurationPolicy_8e3a6dfd-ab68-4eb5-8bb6-79af10623f1e;Version=5;Hash=-850744603’, @vchDeviceID
    = ‘9830942a-60e8-432f-bbee-2e68019d9734’, @vchUserID = ‘8990afa9-9690-4830-9438-fcba63e87691’, @DeviceType = 9 CertificateRegistrationPoint 10/4/2014 11:29:49 AM 28 (0x001C)
    Validation Phase 3 finished with status True. CertificateRegistrationPoint 10/4/2014 11:29:49 AM 28 (0x001C)
    VerifyRequest Finished with status True CertificateRegistrationPoint 10/4/2014 11:29:49 AM 28 (0x001C)
    Notify Started. CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
    Creating state message CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
    Retrieveing the CRP certificate CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
    Retrieving the GWP or MP certificate. CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
    Success state message CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
    StateMessage D:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\eld033fqrfb.SMX is dropped. CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
    Successfully sent state message CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
    Notify Finished. CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)

    On the NDES server I seem to get these kinds of logs when it doesn’t manage to enroll certificates.
    – System
    – Provider
    [ Name] Microsoft-Windows-NetworkDeviceEnrollmentService
    ErrorCode 0x80010108
    ErrorMessage The object invoked has disconnected from its clients.

    And before this happens I get the schannel 36887 as stated in this KB
    http://support2.microsoft.com/kb/2801679/en-us

    The servers are all 2012 R2. NDES is in Windows Azure, the CRP is in my LAN and I have a LAN-to-LAN VPN tunnel with allow all all 10.0.0.0/24 <-> 192.168.1.0/24

    I would be glad if you can shed some light over this issue.

    BR.
    Björn
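
The two crp.log excerpts above differ only in whether a Notify block follows the successful VerifyRequest. Below is an added example (not code from this post or from ConfigMgr) that parses crp.log lines in the layout shown, `<message> CertificateRegistrationPoint <date> <time> <thread> (0x<hex>)`, and classifies an excerpt into "never reached the CRP", "challenge denied", "verified but nothing issued" or "issued and reported". The sample excerpts are constructed from the lines posted in the comment (query line joined, straight quotes); the denied excerpt is a constructed assumption, since no denied log was posted here. The stage names and the Event ID 29 association are taken from the comments on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# crp.log line layout as posted above:
#   <message> CertificateRegistrationPoint <date> <time> <AM|PM> <thread> (0x<hex>)
LINE_RE = re.compile(
    r"^(?P<msg>.*?)\s+CertificateRegistrationPoint\s+"
    r"\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2} [AP]M\s+\d+\s+\(0x[0-9A-Fa-f]+\)$"
)
VERIFY_DONE_RE = re.compile(r"^VerifyRequest Finished with status (True|False)")
# the log itself spells it "finised"; accept either spelling
PHASE_DONE_RE = re.compile(r"^Validation Phase (\d) fini\w+ with status (True|False)")
PHASE3_RE = re.compile(
    r"^Validation Phase 3 started for device ([0-9a-f-]{36}) and user ([0-9a-f-]{36})"
)


@dataclass
class CrpSummary:
    verify_status: Optional[bool] = None   # None: no VerifyRequest result in the excerpt
    failed_phases: List[int] = field(default_factory=list)
    device_id: Optional[str] = None
    user_id: Optional[str] = None
    notify_finished: bool = False
    state_message_sent: bool = False
    diagnosis: str = ""


def parse_messages(text: str) -> List[str]:
    """Return the message part of every well-formed crp.log line; other lines are skipped."""
    msgs = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            msgs.append(m.group("msg"))
    return msgs


def summarize(text: str) -> CrpSummary:
    """Walk the excerpt once and decide how far the SCEP request got on the CRP side."""
    s = CrpSummary()
    for msg in parse_messages(text):
        if (m := VERIFY_DONE_RE.match(msg)):
            s.verify_status = m.group(1) == "True"
        elif (m := PHASE_DONE_RE.match(msg)):
            if m.group(2) != "True":
                s.failed_phases.append(int(m.group(1)))
        elif (m := PHASE3_RE.match(msg)):
            s.device_id, s.user_id = m.group(1), m.group(2)
        elif msg.startswith("Successfully sent state message"):
            s.state_message_sent = True
        elif msg.startswith("Notify Finished"):
            s.notify_finished = True

    if s.verify_status is None:
        s.diagnosis = "no VerifyRequest result: the NDES policy module never reached the CRP"
    elif s.verify_status is False:
        s.diagnosis = f"CRP denied the challenge (failed phases {s.failed_phases}); expect Event ID 29 on NDES"
    elif not s.notify_finished:
        s.diagnosis = "challenge accepted but no Notify: no issued certificate was reported back; check the NDES server event log"
    elif not s.state_message_sent:
        s.diagnosis = "Notify ran but no state message was sent; inspect crp.log after 'Notify Started'"
    else:
        s.diagnosis = "certificate issued and state message sent to the site"
    return s


# Constructed samples, abbreviated from the two excerpts posted in the comment above.
VERIFY_ONLY = """
VerifyRequest Started. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
Validation Phase 1 finised with status True. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
Validation Phase 2 finished. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
Validation Phase 3 started for device 9830942a-60e8-432f-bbee-2e68019d9734 and user 8990afa9-9690-4830-9438-fcba63e87691. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
Validation Phase 3 finished with status True. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
VerifyRequest Finished with status True CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
"""
ISSUED = VERIFY_ONLY + r"""
Notify Started. CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
StateMessage D:\Program Files\Microsoft Configuration Manager\inboxes\auth\statesys.box\incoming\eld033fqrfb.SMX is dropped. CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
Successfully sent state message CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
Notify Finished. CertificateRegistrationPoint 10/4/2014 11:30:33 AM 28 (0x001C)
"""
# Constructed (assumed) denied excerpt: no such log was posted on this page.
DENIED = """
VerifyRequest Started. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
Validation Phase 1 finised with status False. CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
VerifyRequest Finished with status False CertificateRegistrationPoint 10/4/2014 11:19:45 AM 28 (0x001C)
"""

if __name__ == "__main__":
    for name, sample in (("verify only", VERIFY_ONLY), ("issued", ISSUED), ("denied", DENIED)):
        print(f"{name}: {summarize(sample).diagnosis}")
```

Run it against a copied block of crp.log (one request's worth, same thread id) rather than the whole file; the "verify only" verdict is the case Björn describes, where the CRP is satisfied and the remaining failure sits on the NDES-to-CA side.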

  23. ckuever says:

    I have the same problem as Christoph:

    All logs OK, but CRP.log shows only "Perf Test Hook, Challenge is read from registry"

    Any ideas?

    thanks,

    ckuever

  24. Anonymous says:

    As you might have learned from my previous blog post about certificate deployment to mobile devices via

  25. ACushen says:

    Hi,

    This hasn’t been noted anywhere that I could see but to get my NDES service to function correctly I had to give the NDES service account permission to the private keys assigned to the NDES server. Before this I was getting Windows Event Viewer Schannel errors.

    Thanks,

    Andrew

  26. Anonymous says:

    My role has previously primarily focused on Microsoft Intune, nowadays it’s more towards our whole Enterprise

  27. Anonymous says:

    There are several ways to initiate a revocation of a certificate on a mobile device, in this post we

  28. Matt D says:

    In the portion "Add CRP SSL certificate. (It should be already listed in the drop-down)" you don’t specify where this certificate comes from. Is it the one created prior with client/server authentication OIDs or one generated elsewhere? Can you please elaborate.

  29. pwigle says:

    Matt D, if I remember correctly this is a default webserver certificate, depending on previous sccm usage already configured (else do that manually). If the cert is ok for usage you will see this in the crpctrl.log as selected (thumbprint).

  30. pwigle says:

    "Perf Test Hook, Challenge is read from registry" is not an error. It’s waiting for action. Could be that the larger request doesn’t make it through IIS; check all required registry and IIS adjustments.

  31. Matt D says:

    @pwigle thanks for the reply, we have a requirement to split the CRP portion of SCCM off to a separate server so we’ll proceed with creating a certificate for that for use in section -> "Specify the URL for the CRP e.g. https://crp.contoso.local/CMCertificateRegistration"

  32. Anonymous says:

    In the past few months I published a series of posts on setting up certificate distribution to mobile

  33. Sean says:

    Hi Pieter,

    I’m stuck in a bit of a loop… Hope you can enlighten me:

    After installing the CRP, I get this error:
    CRP’s previous status was 1 (0 = Online, 1 = Failed, 4 = Undefined)
    Health check request failed, status code is 403, ‘Forbidden’

    So I followed your troubleshooting instructions – Make sure you change IIS on your ConfigMgr server – CMCertificateRegistration SSL Settings to Ignore Client Certificates

    But then when I browse https://fqdn.contoso.com/CMCertificateRegistration, I get a 404 error, which you advise to bypass by changing CMCertificateRegistration SSL Settings to Require Client Certificates.

    My second issue gets resolved, but the first one comes back.. Anyway – you see my problem

    What’s the best thing to do?

    Cheers,
    Sean

  34. Pieter says:

    Hi Sean, which OS are you using? I’ve seen that issue when using Server 2008 (not tested/supported).

  35. Sean says:

    Hi Pieter,
    Unfortunately I’m using Server 2012 R2 on all devices!

    It may be worth noting that the issue is raised by asp.net, not by iis? Although I’m not sure how to interpret this

  36. Joel says:

    Greetings

    Excellent blogpost, thank you so much for all this useful information.
    I believe I am close to the end.. I followed your instructions and it seems everything is working as per what is written here, but it seems my NDES Server never gets requests for the SCEP certificate.

    The IIS logs show no requests beside my manual test ones, and the NDESplugin.log only shows:
    Calling Initialize…
    (…)
    Exiting Initialize with 0x0

    Never calls "Verify Request", never sends anything to the CRP.

    Which other logs can I check to understand why my SCEP profile is not getting deployed? (The RootCA gets deployed correctly)

    Regards

  37. Joel says:

    Thanks for your reply.
    I pushed my SCEP profile to a Win8.1 tablet, and the registry shows the correct URL.

    When I paste it in a browser I get a cert error then a 403 Forbidden error as I believe is expected.
    The IIS logs on the NDES server show a request line with a 200.

    Must my NDES web server certificate be publicly trusted?

  38. Joel says:

    Thanks for your help! All working now.
    Turns out the CN on my NDES server certificate was faulty.

  39. Phil S says:

    Do you have a similar walkthrough for standalone Intune with NDES and Azure App Proxy? I’ve gone through essentially the same process as you detail, but the CA is not issuing device certs to the iOS devices and I’m having trouble tracking down where the process is failing. Instead of being a ConfigMgr site role, the CRP appears to be handled by the NDES server in IIS (CertificateRegistrationSvc directory, using the Microsoft Intune CRP Service Pool app pool).

    I can hit the NDES server externally via the Azure App Proxy. I can verify that the iOS device has received the root cert from our internal CA, but it doesn’t appear to be completing the SCEP process to receive a device cert. Any ideas?

  40. Phil S says:

    Thanks, Pieter. Just to update, I was actually able to resolve the issue. I had only put the public URL for the NDES server itself in the SCEP server URL field for the SCEP policy…not the full path to the mscep.dll (https:///certsrv/mscep/mscep.dll). Once I updated the policy, I saw the successful requests come through in the IIS logs and verified that the certs were issued by the CA and were installed on the device.

    Tons of great info in these posts and comments. Many thanks for your patience and support!

  45. Anonymous says:

    Bookmark this! http://aka.ms/PkiLinks
    Having taken some recent internal PKI training, I decided to

  46. Miha Pecnik says:

    Have there been any changes regarding SCEP in Windows 10, it doesn’t get deployed in our case but works for 8.x, iOS, WP, Android. We’re using SCCM 2012 R2 SP1.

    I don’t even see anything related to certificate deployment under HKCU…MDM, VPN profile gets deployed as does the root CA. I created a new Certificate Profile and made sure Windows 10 is under Supported Platforms, but nothing happens.

  47. MikeFi says:

    Hi all,
    Everything seems to be working just fine (Root CA and Wireless Profile are sent to the iOS device). However, the SCEP cert is not being issued and I see the below errors in the NDESPlugin.log file. Any idea what those errors are referencing?

  48. Bechir says:

    Hi,
    In our NDES Server we have this error:
    Event ID 29 – ‘The password in the certificate request cannot be verified’
    Can you help?
    Regards,
    Bechir

  49. DanielSt says:

    Hi all,
    I have set up our environment according to this excellent post and SCEP certs are issued to iPads, but my problem is that SCEP certificates are issued twice every time a device is enrolled or a non-compliant device is remediated according to policy. On the FW I can see that the device is hitting the NDES certificate request URL twice, and on the CA that it issued two certificates for the same user, from the same SCEP certificate template, for the same requester (SCEP service account), issued in the same minute. Has anybody encountered the same behavior with certificate issuance?

  50. Kevin Myrup says:

    Bechir-
    When the policymodule for SCCM or Intune is installed onto an NDES server, Event ID 29 usually means that the CRP has denied the request. If you are using Intune Hybrid with SCCM, check the CRP.log on the SCCM server where the CRP is installed. If you are using Intune Standalone, check the CertificateRegistrationSvc_xxx.svclog (viewable using svctraceviewer.exe – separate download) to see why it was denied.

    DanielSt-
    I believe you are hitting a known issue with iOS devices due to the way the cert profile must be embedded inside the VPN or Wi-Fi profile for which you are using it for authentication. This means the devices get the SCEP profile, plus a 2nd SCEP profile embedded inside your Wi-Fi or VPN profile. Not sure there’s much you can do about it though.

    Kevin

  51. Philipp_R says:

    Hi,
    Has someone seen these errors in NDESPlugin.log?
    Failed to retrieve client certificate. Error -2147024809
    Exiting VerifyRequest with 0x80070057
    thanks
    Phil

  52. kar.koziel says:

    Hello guys,

    I have a similar problem as Daniel… only worse. My certificates for iOS devices are also being issued multiple times, but additionally they are being constantly renewed. One device requests up to 30 certificates a day.

    NDES and CRP servers are working properly (certificates are correctly issued) – the only question is why they are requested in the first place. What is more, the "old" certificates are not revoked, thus users have multiple active certificates.

    Here is my SCEP certificate template info:
    1) Purpose – Signature and Encryption
    2) Application Policies – Client Authentication
    3) Key usage – Digital Signature, non-repudiation
    4) Key Size = 2048
    5) Windows 2003 Compatible

    I use this certificate for our company VPN (F5). Connection is possible with these certificates and the VPN works perfectly, but only until a new certificate arrives (the user has to type in his logon and password).

    Any ideas what could be the cause of the problem?

    Thanks in advance
    Karol

    PS. we also used this guide to configure our environment – thanks:)

  54. Matt says:

    Hey @kar.koziel.
    I know it’s been a while since this comment was posted (Oct 2015), however there was a bug with the F5 VPN app that caused continual SCEP certificate requests. It has been fixed in November though, so you shouldn’t be seeing multiple certs issued anymore. Please raise a free Intune support case if you’re still having issues. Matt

  55. Santhosh says:

    For the issue on MaxQueryString: setting maxQueryString and maxUrl is not enough. We need to set the httpRuntime maxUrlLength and maxQueryStringLength. The complete web.config in this case will look like below
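
The web.config Santhosh refers to did not survive on this page. As an added illustration (not the commenter's file and not a Microsoft sample), here is a web.config for the NDES site carrying the four settings the comment names: the IIS request-filtering limits (`maxUrl`, `maxQueryString`) and the ASP.NET runtime limits (`maxUrlLength`, `maxQueryStringLength`). Both layers see the SCEP request, so both must accept it; a SCEP PKIOperation sent as a GET carries the whole PKCS#7 envelope in the query string, which is why the defaults are too small. The byte values are assumptions, not values from this post; size them to your longest request.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- ASP.NET layer: the httpRuntime limits are checked after IIS has
       already accepted the request, so raising only the IIS limits below
       still leaves long query strings rejected here. Values are assumed. -->
  <system.web>
    <httpRuntime maxUrlLength="65534" maxQueryStringLength="65534" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- IIS request-filtering layer, limits in bytes (assumed values) -->
        <requestLimits maxUrl="65534" maxQueryString="65534" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

These two are the web.config side only; the HTTP.sys request-size limits that live in the registry (MaxFieldLength and MaxRequestBytes under the HTTP service parameters) are a separate, third place the same request can be cut off, and are the "registry adjustments" referred to earlier in this thread.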
