System Center Mobile Device Manager 2008 SP1 device certificate renewal request fails after 12 months

Article ID: 2273458

SYMPTOMS

After being enrolled for a year, a System Center Mobile Device Manager (SCMDM) managed device may fail to renew its client certificate. As a result, it can no longer connect to the SCMDM VPN.

Additionally, the Application Event Log on the issuing Certificate Authority contains a warning similar to the following:

Event Type: Warning
Event Source: CertSvc
Event ID: 53
Description:
Certificate Services denied request 97 because The request contains conflicting template information. 0x80094802 (-2146875390).  The request was for CN=device.contoso.com.  Additional information: Denied by Policy Module  0x80094802, The request specifies conflicting certificate templates: 1.3.6.1.4.1.311.21.8.13101452.6590778.3820446.1524682.2069567.226.1027488195.1669196290/SCMDMMobileDevice(MDM1).

CAUSE

When the SCMDM managed device requests renewal of its client certificate, the space character in the template name is dropped. As a result, the certification authority cannot process the request and logs the error shown above.

RESOLUTION

1, Open up the ‘Certificate Authority’ console for the machine which is the issuing CA for SCMDM.

2, Right Click ‘Certificate Templates’ and click ‘Manage’.

3, In the ‘certtmpl’ window, locate the template with the Template Display Name of “SCMDMMobileDevice (instance)”.  The instance name in brackets will be the name of the SCMDM instance. Right Click this template and click ‘Duplicate Template’.

4, In the ‘Properties of New Template’ window, make the following changes to the Template display name:
-          Remove ‘Copy of’
-          Delete the space in between the name and the opening bracket.
For example, change “Copy of SCMDMMobileDevice (MDM1)” to “SCMDMMobileDevice(MDM1)”.

- If you are using a Windows Server 2008 Certificate Authority, please ensure that you set the ‘Minimum key size’ of the new certificate template to 1024, rather than 2048.
- On the 'Subject Name' tab, please ensure that on the new certificate template (without the space), the “Subject name format” is set to "Common Name".

Once you have made these changes, click OK then close the ‘certtmpl’ window.

5, In the same domain as the CA, open up ADSIEdit.msc.
Please follow these steps, adapting the domain name contoso.local to your domain:
-          Expand ‘Configuration [dc.contoso.local]’
-          Expand ‘CN=Configuration,DC=CONTOSO,DC=local’
-          Expand ‘CN=Services’
-          Expand ‘CN=Public Key Services’
-          Click ‘CN=Certificate Templates’

6, In the list under ‘CN=Certificate Templates’, locate the original template, which has the space in its name.
For example ‘CN=SCMDMMobileDevice (MDM1)’
-          Right click this and click Properties
-          Tick the ‘Show only attributes that have values’ check box.
-          In the list of attributes, locate ‘msPKI-Cert-Template-OID’ and click Edit
-          Copy this value into notepad.
-          Click Cancel in the ‘String Attribute Editor’ window and click Cancel in the template properties.

7, Now, locate the new template in the ‘CN=Certificate Templates’ list.
For example ‘CN=SCMDMMobileDevice(MDM1)’
-          Right click this and click Properties
-          Tick the ‘Show only attributes that have values’ check box.
-          In the list of attributes, locate ‘msPKI-Cert-Template-OID’ and click Edit
-          Delete the existing value, then paste in the value that you copied in step 6.  Click OK.
-          Click OK in the template properties window

8, Open up the ‘Certificate Authority’ console for the machine which is the issuing CA for SCMDM, as you did in step 1.
-          Right Click ‘Certificate Templates’ and click ‘New’ > ‘Certificate Template to Issue’
-          In the list, select the new template without the space, for example “SCMDMMobileDevice(MDM1)” and click OK.
-          The new certificate is now ready for issuing when requested by a device.
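
The following read-only PowerShell check for steps 5 to 8 is an added example, not part of the original Microsoft article. It assumes the article's example template names for instance MDM1 and a domain-joined session with read access to the Configuration partition.

```powershell
# Added example: verifies the result of steps 5-8 without changing anything.
# Template names are the article's MDM1 example; adjust to your SCMDM instance.
$original = 'SCMDMMobileDevice (MDM1)'   # original template, with the space
$copy     = 'SCMDMMobileDevice(MDM1)'    # duplicated template, without the space

# Locate CN=Public Key Services in the forest's Configuration partition.
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNc"

function Get-TemplateSummary([string]$Name) {
    $path = "LDAP://CN=$Name,CN=Certificate Templates,$pks"
    if (-not [ADSI]::Exists($path)) { throw "Template object not found: CN=$Name" }
    $entry = [ADSI]$path
    New-Object PSObject -Property @{
        Name       = $Name
        Oid        = [string]$entry.Properties['msPKI-Cert-Template-OID'].Value
        MinKeySize = [int]$entry.Properties['msPKI-Minimal-Key-Size'].Value
    }
}

$old = Get-TemplateSummary $original
$new = Get-TemplateSummary $copy
$old, $new | Format-Table Name, Oid, MinKeySize -AutoSize

# Steps 6-7: the duplicate must carry the original template's OID.
if ($old.Oid -ne $new.Oid) {
    Write-Warning 'msPKI-Cert-Template-OID differs; repeat steps 6 and 7.'
} else {
    'OID matches on both templates.'
}

# Step 8: each issuing CA lists its published templates in the
# certificateTemplates attribute of its pKIEnrollmentService object.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pks"
$searcher.Filter     = '(objectClass=pKIEnrollmentService)'
foreach ($ca in $searcher.FindAll()) {
    $published = $ca.Properties['certificatetemplates'] -contains $copy
    '{0}: {1} published = {2}' -f $ca.Properties['cn'][0], $copy, $published
}
```

The MinKeySize column also shows whether the key size setting from step 4 was applied to the new template.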


Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2273458 - Last Review: July 12, 2010 - Revision: 2.0
Keywords: 
KB2273458
