SCEP certificate enrolling using ConfigMgr 2016, CRP, NDES and Intune

janegilring posted this 14 February 2017

Hi,

We have set up SCEP certificate enrolling using ConfigMgr 2016, CRP, NDES and Intune according to: https://blogs.technet.microsoft.com/tuneintowindowsintune/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune/

This is set up in two environments (test and prod). It's working as intended in one environment, but not the other.

The log file in the working environment shows the following when a certificate request is triggered and succeeds on a mobile device:

In the non-working environment, the GetCACaps operation is never triggered:

Does anyone have any input on how to troubleshoot this?

Jan Egil Ring
Cloud and Datacenter Management MVP
Blog: http://www.powershell.no
Twitter: http://twitter.com/janegilring
LinkedIn: http://www.linkedin.com/in/janegilring
pradeeprawat85 posted this 14 February 2017

Hi Jan,

What do you get when you try to access this URL in the non-working vs. the working environment?

https://<your scep server>/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca

janegilring posted this 14 February 2017

Hi,

I get this response in both environments:

Renewal
SHA-512
SHA-256
SHA-1
DES3

Jan
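The GetCACaps check suggested above, and the capability list Jan pasted back, can be scripted so the two environments are compared the same way every time. This is an added example, not code from the thread; the server URL is a placeholder and the sample response is constructed from Jan's reply. It parses the plain-text capability list in the preference order RFC 8894 gives (strongest hash and cipher first) and flags a CA that advertises only legacy algorithms, and a 401 from the endpoint is reported the same way the later manual-enrollment error shows it.

```python
"""Query an NDES/SCEP GetCACaps endpoint and pick the strongest advertised
algorithms. Added example; the SCEP server URL is a placeholder."""
import urllib.error
import urllib.request

# Preference order per RFC 8894 (SCEP): strongest first.
HASH_PREFERENCE = ("SHA-512", "SHA-256", "SHA-1")
CIPHER_PREFERENCE = ("AES", "DES3")


def parse_cacaps(body: str) -> dict:
    """Parse the plain-text GetCACaps response (one capability per line)."""
    caps = {line.strip() for line in body.splitlines() if line.strip()}
    hash_alg = next((h for h in HASH_PREFERENCE if h in caps), None)
    cipher = next((c for c in CIPHER_PREFERENCE if c in caps), None)
    return {
        "caps": sorted(caps),
        "hash": hash_alg,
        "cipher": cipher,
        "renewal": "Renewal" in caps,
        # Worth raising with the PKI team: only a legacy algorithm is offered.
        "legacy_hash_only": hash_alg == "SHA-1",
        "legacy_cipher_only": cipher == "DES3",
    }


def fetch_cacaps(base_url: str, timeout: float = 10.0) -> dict:
    """GET .../mscep.dll?operation=GetCACaps&message=ca and return a result dict.
    An HTTP 401 here is the same 'Access denied 0x191' seen on manual enrollment."""
    url = (base_url.rstrip("/")
           + "/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca")
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace")
            return {"status": resp.status, **parse_cacaps(body)}
    except urllib.error.HTTPError as e:
        return {"status": e.code, "error": str(e.reason)}
    except urllib.error.URLError as e:
        return {"status": None, "error": str(e.reason)}


# Constructed sample: the capability list reported in both environments above.
SAMPLE_RESPONSE = "Renewal\nSHA-512\nSHA-256\nSHA-1\nDES3\n"

if __name__ == "__main__":
    print(parse_cacaps(SAMPLE_RESPONSE))
    # Live check against a real server (placeholder host, assumed):
    # print(fetch_cacaps("https://<your scep server>"))
```

Run the live check from a host that can reach both NDES servers and diff the two dicts; a differing "status" or capability set points at the environment to investigate first.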

pradeeprawat85 posted this 14 February 2017

Do you see the Root or Issuing CAs pushed to devices? Also, if you try to enroll the certificate manually, does that work?
https://blogs.technet.microsoft.com/configmgrdogs/2015/08/24/so-you-want-to-test-your-ndesscep-certificate-enrollment/

janegilring posted this 18 February 2017

Yes, the CA certs are pushed to the devices.

My initial attempt to manually enroll failed:

SCEP: fd00 -> fd00

Network Device Enrollment Service
Network Device Enrollment Service
Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP).
You do not have sufficient permission to enroll with SCEP.
Please contact your system administrator.
For more information see http://go.microsoft.com/fwlink/?LinkId=67852
Using Network Device Enrollment Service
Certificate Request Processor: Access denied 0x191 (HTTP: 401 HTTPSTATUSDENIED)

C:\Temp>

Where should permissions be added? The cert template for NDES?

Jan

pradeeprawat85 posted this 21 February 2017

Yes, ensure that the NDES service account, or whatever account you are using to enroll certificates, has both Read and Enroll permissions on the NDES certificate templates.