pradeeprawat85
posted this
21 February 2017
Yes, ensure that the NDES service account, or whatever account you are using to enroll certificates, has both read/enroll permissions on the NDES certificate templates.

Yes, the CA certs are pushed to the devices.
My initial attempt to manually enroll failed:
SCEP: fd00 -> fd00
Network Device Enrollment Service
Network Device Enrollment Service
Network Device Enrollment Service allows you to obtain certificates for routers
or other network devices using the Simple Certificate Enrollment Protocol (SCEP)
.
You do not have sufficient permission to enroll with SCEP.
Please contact your system administrator.
For more information see
http://go.microsoft.com/fwlink/?LinkId=67852
Using Network Device Enrollment Service
Certificate Request Processor: Access denied 0x191 (HTTP: 401 HTTPSTATUSDENIED
)
C:\Temp>
Where should permissions be added? The cert template for NDES?
Jan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Pradeep Rawat
Sent: Tuesday 14 February 2017 19.27
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] SCEP certificate enrolling using ConfigMgr 2016, CRP, NDES and Intune
Do you see the Root or Issuing CAs pushed to devices?
Also, if you try to enroll the certificate manually, does that work?
https://blogs.technet.microsoft.com/configmgrdogs/2015/08/24/so-you-want-to-test-your-ndesscep-certificate-enrollment/
On Tue, Feb 14, 2017 at 10:25 PM, Jan Egil Ring <jan.egil.ring@xxxxxxxxxxxxxxxx> wrote:
Hi,
I get this response in both environments:
Renewal
SHA-512
SHA-256
SHA-1
DES3
Jan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org]
On Behalf Of Pradeep Rawat
Sent: Tuesday 14 February 2017 17.25
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] SCEP certificate enrolling using ConfigMgr 2016, CRP, NDES and Intune
Hi Jan,
What do you get when you try to access this URL in the non-working vs. working environment?
https://<your scep server>/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
On Tue, Feb 14, 2017 at 4:06 PM, Jan Egil Ring <jan.egil.ring@xxxxxxxxxxxxxxxx> wrote:
Hi,
We have set up SCEP certificate enrolling using ConfigMgr 2016, CRP, NDES and Intune according to:
https://blogs.technet.microsoft.com/tuneintowindowsintune/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune/
This is set up in environments (test and prod). It's working as intended in one environment, but not the other.
The log-file in the working environment is showing the following when a certificate request is triggered and succeeds on a mobile device:

In the non-working environment, the GetCACaps operation is never triggered:

Does anyone have any input on how to troubleshoot this?
Jan Egil Ring
Cloud and Datacenter Management MVP
Blog: http://www.powershell.no
Twitter: http://twitter.com/janegilring
LinkedIn: http://www.linkedin.com/in/janegilring
--
Thanks,
Pradeep Rawat