Question
Monday, December 26, 2016 4:57 AM
Hi All,
SCCM is integrated with Intune, and an NDES server was built to have a SCEP profile deployed to mobile devices for use on the corporate WiFi network. CA, NDES and SCCM are on different servers, and the OS is Windows 2012 R2. The CRP is installed on the SCCM primary server and the Policy Module plugin is installed on the NDES server. I followed the blog "https://blogs.technet.microsoft.com/tune_in_to_windows_intune/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune/" for installing and configuring the NDES server. All outputs were as expected except for the URL below.
https://uslndesprd01.corp.usl.in/certsrv/mscep/mscep?operation=GetCACert&message=MyDeviceID
It gives a 404 error and does not download the cert file. I logged a support case with Microsoft, but they have not even been able to find the cause. I tried enabling mscep.log on the NDES server by enabling Load User Profile, but it did not create the mscep.log file. It is really disappointing and is stopping our production rollout. Please help.
*********************************crpctrl.log*********************************
Checking CRP service availability state SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:07 AM 22376 (0x5768)
Machine name is 'SCCMPMRPRD01.CORP.USL.IN'. SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
Begin validation of Certificate [Thumbprint ede92580190188371ab3416ff3ecee6362538397] issued to 'SCCMPMRPRD01.CORP.USL.IN' SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
Certificate has "SSL Client Authentication" capability. SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
Completed validation of Certificate [Thumbprint ede92580190188371ab3416ff3ecee6362538397] issued to 'SCCMPMRPRD01.CORP.USL.IN' SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
Begin validation of Certificate [Thumbprint 79231e2ba317d9d142710a5b0dda668612c6f6f8] issued to 'SCCMPMRPRD01.CORP.USL.IN' SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
Certificate doesn't have "SSL Client Authentication" capabilities. SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
Completed validation of Certificate [Thumbprint 79231e2ba317d9d142710a5b0dda668612c6f6f8] issued to 'SCCMPMRPRD01.CORP.USL.IN' SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
Skipping this certificate which is not valid for ConfigMgr usage. SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
>>> Selected Certificate [Thumbprint ede92580190188371ab3416ff3ecee6362538397] issued to 'SCCMPMRPRD01.CORP.USL.IN' for HTTPS Client Authentication SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
CRP's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined) SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
Completed the CRP availability check against local computer. SMS_CERTIFICATE_REGISTRATION_POINT 12/26/2016 10:07:08 AM 22376 (0x5768)
*********************************crpctrl.log*********************************
*********************************inetpub logs*********************************
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-12-26 02:31:18
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-12-26 02:31:18 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 02:31:20 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 02:31:21 ::1 GET /certsrv/mscep/mscep.dll ... 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 158
2016-12-26 02:31:25 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 02:31:25 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 02:31:30 ::1 GET /certsrv/mscep/mscep.dll ... 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 109
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-12-26 03:53:05
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-12-26 03:53:05 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 562
2016-12-26 03:53:08 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 03:53:11 ::1 GET /certsrv/mscep/mscep.dll ... 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 173
2016-12-26 03:53:16 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 03:53:17 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 03:53:19 ::1 GET /certsrv/mscep/mscep.dll ... 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 109
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-12-26 04:14:07
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-12-26 04:14:07 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - ::1 Dalvik/2.1.0+(Linux;+U;+Android+6.0;+Lenovo+A7020a48+Build/MRA58K) - 200 0 0 1533
2016-12-26 04:14:11 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - ::1 Dalvik/2.1.0+(Linux;+U;+Android+6.0;+Lenovo+A7020a48+Build/MRA58K) - 200 0 0 15
2016-12-26 04:14:15 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=ca 443 - ::1 Dalvik/2.1.0+(Linux;+U;+Android+6.0;+Lenovo+A7020a48+Build/MRA58K) - 200 0 0 31
2016-12-26 04:14:20 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - ::1 Dalvik/2.1.0+(Linux;+U;+Android+6.0;+Lenovo+A7020a48+Build/MRA58K) - 200 0 0 0
2016-12-26 04:14:25 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=ca 443 - ::1 Dalvik/2.1.0+(Linux;+U;+Android+6.0;+Lenovo+A7020a48+Build/MRA58K) - 200 0 0 0
2016-12-26 04:14:31 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - ::1 Dalvik/2.1.0+(Linux;+U;+Android+6.0;+Lenovo+A7020a48+Build/MRA58K) - 200 0 0 0
2016-12-26 04:14:44 ::1 GET /certsrv/mscep/mscep.dll ... 443 - ::1 Dalvik/2.1.0+(Linux;+U;+Android+6.0;+Lenovo+A7020a48+Build/MRA58K) - 200 0 0 3219
2016-12-26 04:14:49 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - ::1 Dalvik/2.1.0+(Linux;+U;+Android+6.0;+Lenovo+A7020a48+Build/MRA58K) - 200 0 0 0
2016-12-26 04:14:54 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - ::1 Dalvik/2.1.0+(Linux;+U;+Android+6.0;+Lenovo+A7020a48+Build/MRA58K) - 200 0 0 0
2016-12-26 04:15:23 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 04:15:23 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 04:15:25 ::1 GET /certsrv/mscep/mscep.dll ... 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 124
2016-12-26 04:15:35 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 04:15:35 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=SCEP%20Authority 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 0
2016-12-26 04:15:38 ::1 GET /certsrv/mscep/mscep.dll ... 443 - ::1 profiled/1.0+CFNetwork/808.2.16+Darwin/16.3.0 - 200 0 0 124
2016-12-26 04:20:29 ::1 GET /certsrv/mscep/mscep operation=GetCACert&message=MyDeviceID 443 - ::1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) - 404 0 2 2031
*********************************inetpub logs*********************************
All replies (11)
Tuesday, December 27, 2016 5:40 AM
Hi,
1. If you receive a 404, open IIS Manager and navigate to CMCertificateRegistration below the Default website. Change the SSL settings to "Require SSL" and "Require Client Certificates". Restart the SMS_EXEC service.
2. By default, IIS 7 installs with "Request Filtering" enabled, and the default maximum query string size (the length of the GET request string, it seems) is set to 2048 bytes, while the PKIOperation URL is closer to 3000 bytes. Set the maxQueryString parameter for the NDES web site to 4096.
And it seems you have already opened a case with Microsoft; please understand that we can only provide some general suggestions here.
Debugging is beyond what we can do in the forum; a support call to our product service team is needed for the debugging service. We'd like to recommend that you contact Microsoft Customer Support Service (CSS) for assistance so that this problem can be resolved efficiently. To obtain the phone numbers for a specific technology request, please take a look at the web site listed below:
https://support.microsoft.com/en-us/gp/customer-service-phone-numbers
Best Regards,
Cartman
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
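As an added illustration (not code from the thread or from Microsoft), the following Python parses IIS W3C log lines like the ones posted in the question and attributes each non-200 SCEP request to a likely cause: the posted 404 is a 404.0 with win32 status 2 (file not found) for the stem /certsrv/mscep/mscep rather than /certsrv/mscep/mscep.dll, whereas the request-filtering limit from point 2 above surfaces as a 404.15 (query string too long). The first two sample lines are shortened copies of the posted log; the 404.15 line is constructed.

```python
from collections import Counter

# Constructed sample: two shortened lines from the posted logs plus one
# constructed 404.15 line to show the request-filtering failure mode.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-12-26 04:14:15 ::1 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=ca 443 - ::1 Dalvik/2.1.0 - 200 0 0 31
2016-12-26 04:20:29 ::1 GET /certsrv/mscep/mscep operation=GetCACert&message=MyDeviceID 443 - ::1 Mozilla/4.0 - 404 0 2 2031
2016-12-26 04:21:00 ::1 GET /certsrv/mscep/mscep.dll operation=PKIOperation&message=MIIB-constructed 443 - ::1 profiled/1.0 - 404 15 0 5
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            # W3C logs encode spaces inside fields as '+', so whitespace split is safe.
            yield dict(zip(fields, line.split()))


def explain(rec):
    """Map status/substatus/win32 status to the likely cause for an NDES request."""
    status = rec["sc-status"] + "." + rec["sc-substatus"]
    if status == "404.15":
        return "request filtering: query string longer than maxQueryString"
    if status == "404.0" and rec["sc-win32-status"] == "2":
        return "path not found (win32 error 2); check the URI stem, e.g. mscep vs mscep.dll"
    return "ok" if rec["sc-status"] == "200" else "other failure"


def summarise(text):
    """Return ({(uri-stem, operation, status): count}, [(uri-stem, cause) for failures])."""
    counts = Counter()
    failures = []
    for rec in parse_w3c(text):
        operation = rec["cs-uri-query"].split("&")[0].replace("operation=", "")
        counts[(rec["cs-uri-stem"], operation, rec["sc-status"])] += 1
        if rec["sc-status"] != "200":
            failures.append((rec["cs-uri-stem"], explain(rec)))
    return counts, failures


if __name__ == "__main__":
    for key, n in summarise(SAMPLE_LOG)[0].items():
        print(n, *key)
    for stem, cause in summarise(SAMPLE_LOG)[1]:
        print("FAIL", stem, "->", cause)
```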
Tuesday, December 27, 2016 7:37 AM
Hi Cartman,
Thanks for the update.
1. If you receive a 404, open IIS Manager and navigate to CMCertificateRegistration below the Default website. Change the SSL settings to "Require SSL" and "Require Client Certificates". Restart the SMS_EXEC service. --> It is already set.
2. By default, IIS 7 installs with "Request Filtering" enabled, and the default maximum query string size (the length of the GET request string, it seems) is set to 2048 bytes, while the PKIOperation URL is closer to 3000 bytes. Setting the maxQueryString parameter for the NDES web site to 4096. --> Do you mean to set this in IIS Manager on the Default Web Site of the NDES server? We have set this to 65534 in IIS Manager on the Default Web Site of the NDES server.
We have already opened a premium ticket with Microsoft, but due to the unavailability of resources during the long holidays, they are unable to help in time.
Meena, MDM SME
Tuesday, December 27, 2016 9:53 AM
It sounds like your site server doesn't have a client certificate that it can use to connect to the MP. mpcontrol connects like a client, and it looks like the only certificate that's in the store isn't a client auth certificate. The way to work around this issue is to have a client certificate provisioned to your site server. That way it can connect using SSL to the management point. After modifying the certificate to use "Fully distinguished name" instead, the client push should work correctly.
N.B.: Test before deploying in production.
Monday, January 2, 2017 5:57 AM
Hi Sunny,
I am not an SCCM expert, so it may be silly, but I am not sure what you mean by MP. Is it the CRP? If yes, then we already have the client certificate enabled and the FQDN.
Meena, MDM SME
Thursday, January 5, 2017 1:47 AM
Hi,
I am checking to see whether the problem has been resolved.
Best Regards
Cartman
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Thursday, January 5, 2017 11:49 AM
MP is management point
Wednesday, January 11, 2017 5:05 AM
We have not used management point, used Certificate Registration Point.
Meena, MDM SME
Wednesday, January 11, 2017 5:12 AM
Hi Cartman,
Microsoft got involved and made the following changes.
1. Changed the key size from 1024 to 2048 in the SCEP profile created in SCCM. 2048 is the key size given during NDES configuration, and the same key size has to be given in the SCEP profile.
2. The issuing template had "Signature is proof of origin"
After that, we deployed two networks: A - Username & Password based authentication, and B - Cert based authentication.
A - Username & Password based authentication --> Working fine on Android devices, but not on iOS devices
B - Cert based authentication --> Working fine on iOS devices, but not on Android devices
The investigation is still going on.
Meena, MDM SME
Tuesday, January 17, 2017 2:00 AM
Hi,
Thank you for sharing this with us. Please update us if you find something new. Thank you.
Best Regards
Cartman
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected]
Tuesday, January 17, 2017 5:05 PM
While investigating this, the client made a mistake and issued a new root certificate. Instead of renewing the existing root certificate, they issued a new root certificate. This is now completely messed up, and no WiFi & VPN profiles are applying to any devices. Is there any possibility of uploading the new root cert in NDES and CRP and anywhere else required? I don't think the new root cert can be uploaded. I guess we need to do the NDES & CRP configuration from the beginning. Any idea?
Meena, MDM SME