Troubleshooting SCEP certificate profile deployment in Microsoft Intune


What does this guide do?
Helps administrators understand the deployment process for Simple Certificate Enrollment Protocol (SCEP) certificates in Microsoft Intune, including how to verify that each step is successful. It also helps administrators troubleshoot problems during the deployment process.

This guide doesn’t provide instructions for implementing the Network Device Enrollment Service (NDES) infrastructure that's required to deploy SCEP certificates to client devices. For information about how to configure your NDES infrastructure, see Configure and use SCEP certificates with Intune.

Who is it for?
Administrators who implement and oversee a Microsoft Intune environment.

How does it work?
This guide describes the details of each step of the SCEP certificate profile deployment process. It includes methods to identify that each step is successful, and provides suggestions for troubleshooting each step when problems are encountered.

Estimated time of completion
30-45 minutes.

NDES and SCEP issues are some of the most challenging problems that may be encountered when you use Microsoft Intune. Having a basic understanding of the architecture and the communication flow of the SCEP process helps you identify or narrow the scope of the issue. This guide describes how to collect logs, what logs to collect and what entries are important in each log during each step of the communication flow.

Before you start, make sure that your NDES infrastructure is already configured as described in Configure your infrastructure. If certificates aren’t delivered to client devices, we recommend that you first validate the NDES server configuration by using the Validate-NDESConfig.ps1 PowerShell script to identify common problems. For more information about the script and instructions, see Certificate Authority script samples.

The troubleshooting processes vary depending on the kind of devices. Select your device to continue:


The following graphic demonstrates a basic overview of the SCEP communication process:

SCEP process

This six-step communication process forms the outline of the troubleshooting process. If you know at which step you're experiencing a problem, select it from the following list. Otherwise, start with step 1 and review each step in order.

step 1

In the first step, an Intune SCEP profile is deployed to a group of users. Intune generates a challenge string for the profile; the device then checks in and receives the profile.

To verify that the SCEP profile is deployed to the device, go to the Intune Troubleshooting Blade in the Azure Portal, and then verify the following:

  • The profile is assigned to the correct security group.
  • The user is in the targeted security group.
  • The device has successfully checked into Intune.

Here’s an example:

Troubleshooting blade

step 2

In the second step, the device uses the URI in the SCEP profile and contacts the IIS/NDES server. When this happens, the connection is logged by IIS in the %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\ folder.

To verify that step 2 is completed successfully, follow these steps:

  1. Open the most current log file in the %SystemDrive%\inetpub\logs\logfiles\w3svc1\ folder.
  2. Look for entries that resemble the following:
     
  3. If the request from the device reaches the IIS/NDES server, you will see an HTTP GET request for mscep.dll. If you can’t find the GET request, the device’s request may be blocked by some network devices somewhere between the device and the IIS/NDES server.
  4. Check the status code for the GET request. If the status code is 200, the connection with the NDES server is successful.
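The following script, an added example that is not part of the original guide, reads the newest W3SVC1 log, parses the W3C #Fields header and summarizes every GET request for mscep.dll by status code, so you can see at a glance whether the device's requests arrive and whether they return 200. It assumes the default IIS log location.

```powershell
# Added example (not from the original guide): summarize mscep.dll requests in the
# most recent IIS W3SVC1 log. Assumes the default log location and W3C log format.
$logDir = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles\W3SVC1'
$latest = Get-ChildItem -Path $logDir -Filter '*.log' |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $latest) { throw "No IIS log files found in $logDir" }

$fields = $null
$hits   = foreach ($line in Get-Content -Path $latest.FullName) {
    if ($line.StartsWith('#Fields:')) {
        # W3C logs declare their column layout in a header line; the layout can
        # change inside one file, so re-read it whenever a new header appears.
        $fields = ($line -replace '^#Fields:\s*', '') -split ' '
        continue
    }
    if ($line.StartsWith('#') -or -not $fields) { continue }
    $values = $line -split ' '
    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
    if ($row['cs-uri-stem'] -match 'mscep\.dll$' -and $row['cs-method'] -eq 'GET') {
        [pscustomobject]@{
            Time      = "$($row['date']) $($row['time'])"
            ClientIP  = $row['c-ip']
            Status    = $row['sc-status']
            SubStatus = $row['sc-substatus']
            Query     = $row['cs-uri-query']   # SCEP operation, e.g. operation=GetCACaps
        }
    }
}

if (-not $hits) {
    Write-Warning "No GET requests for mscep.dll in $($latest.Name): the device's request may not be reaching IIS/NDES."
} else {
    # Step 2 is successful on status 200; any other status points to one of the branches below.
    $hits | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
    $hits | Sort-Object Time | Select-Object -Last 5 | Format-Table -AutoSize
}
```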

Select one of the following to continue:

If you receive a status code that's neither 200 nor 500, follow these steps:

  1. Find the SCEP server URL from the SCEP certificate profile.

    SCEP server URL
  2. Open a web browser, and then browse to the SCEP server URL. The expected result is the HTTP Error 403.0 – Forbidden error.

    403 error

Select one of the following to continue:

When you browse to the SCEP server URL, you receive the following Network Device Enrollment Service message:

NDES message

This problem is usually caused by an issue with the Microsoft Intune Connector installation.

Mscep.dll is an ISAPI extension that intercepts incoming requests; the HTTP 403 error shows that it's installed correctly. Examine the SetupMsi.log file to determine whether Microsoft Intune Connector is successfully installed. Entries that resemble the following indicate a successful installation:

If the installation fails, remove the Microsoft Intune Connector and then reinstall it.

When you browse to the SCEP server URL, you receive the following error:

503 error

This issue is usually because the SCEP application pool in IIS isn’t started.

To fix the issue, follow these steps:

  1. Open IIS Manager, and then make sure that the SCEP application pool is started:

    application pool
  2. If the SCEP application pool isn’t started, check the application event log on the IIS/NDES server and look for an event that resembles the following:
  3. If you see the event, it means that the application pool crashes when a request is received. This error occurs if Windows Authentication is enabled on the CertificateRegistrationSvc application in IIS.

    IIS permissions


    To fix this issue, enable Anonymous Authentication and disable Windows Authentication, and then restart the IIS/NDES server and try again.
     

 

When you browse to the SCEP server URL, you receive the following error:

gatewaytimeout error

This issue is usually because the Microsoft AAD Application Proxy Connector service isn’t started.

To fix the issue, start services.msc, and then make sure that the Microsoft AAD Application Proxy Connector service is running and Startup Type is set to Automatic.

AAD application proxy connector service

When you browse to the SCEP server URL, you receive the following error:

To fix the issue, follow these steps:

  1. On the IIS/NDES server, open Registry Editor, locate the HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters key, and then make sure that the following values exist:
     

    Name: MaxFieldLength
    Type: DWORD
    Data: 65534 (decimal)

    Name: MaxRequestBytes
    Type: DWORD
    Data: 65534 (decimal)

    Registry

  2. Open IIS manager, locate Default Web Site, and then double-click Request Filtering.
  3. Click Edit Feature Setting… in the Actions pane, and then change the Maximum URL length and Maximum query string values to 65534.
  4. Restart the IIS/NDES server, and then try again.

Note You can validate these IIS settings by using the Validate-NDESUrl.ps1 PowerShell script at Certificate Authority script samples.
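As an added example (not the guide's own Validate-NDESUrl.ps1 script), the following PowerShell checks the two HTTP.sys registry values and the Default Web Site request filtering limits against the 65534 value the guide requires. It assumes the WebAdministration module that ships with IIS Manager is installed on the IIS/NDES server.

```powershell
# Added example (not from the original guide): verify the HTTP.sys header limits and
# the IIS request filtering limits that long SCEP requests depend on.
Import-Module WebAdministration

$expected = 65534
$regKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$problems = @()

# Registry values read by HTTP.sys (require a restart to take effect)
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    $actual = (Get-ItemProperty -Path $regKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $actual) {
        $problems += "$name is missing under $regKey (expected DWORD $expected)"
    } elseif ($actual -ne $expected) {
        $problems += "$name is $actual, expected $expected"
    }
}

# Request filtering limits on Default Web Site (Maximum URL length / Maximum query string)
foreach ($name in 'maxUrl', 'maxQueryString') {
    $raw = Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
        -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name $name
    # Depending on the IIS version this returns either the bare number or an attribute object
    $actual = if ($raw -is [System.ValueType]) { $raw } else { $raw.Value }
    if ($actual -ne $expected) {
        $problems += "requestLimits/$name is $actual, expected $expected"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'HTTP.sys and request filtering limits match the values this guide requires.'
}
```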

A status code 500 is returned for the HTTP GET request for mscep.dll. The following is an example:

This issue occurs if the Impersonate a client after authentication user right isn’t assigned to the IIS_IUSRS group.

To fix this issue, follow these steps:

  1. Open Local Security Policy by typing secpol.msc in the Run dialog box, and then press ENTER.
  2. Expand Local Policies, and then click User Rights Assignment.
  3. Double-click Impersonate a client after authentication in the right pane.
  4. Click Add User or Group…, enter IIS_IUSRS in the Enter the object names to select box, and then click OK.
  5. Click OK.
  6. Restart the IIS/NDES server, and then try again.
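To confirm the user right without clicking through secpol.msc, the following added example (not from the original guide) exports the effective local policy with secedit and checks whether the IIS_IUSRS group holds SeImpersonatePrivilege. It must run in an elevated session on the IIS/NDES server.

```powershell
# Added example (not from the original guide): check whether BUILTIN\IIS_IUSRS holds the
# "Impersonate a client after authentication" right (SeImpersonatePrivilege).
# Run in an elevated PowerShell session on the IIS/NDES server.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
# secedit writes the effective local security policy to an INI-style file
$null = secedit /export /cfg $cfg /areas USER_RIGHTS
if (-not (Test-Path $cfg)) { throw 'secedit export failed; is the session elevated?' }

$match = Select-String -Path $cfg -Pattern '^SeImpersonatePrivilege\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# Holders are comma separated and written as *SID, for example *S-1-5-32-568
$holders = if ($match) {
    ($match.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
} else { @() }

$iisUsrsSid = '*S-1-5-32-568'   # well-known SID of BUILTIN\IIS_IUSRS
"Current holders of SeImpersonatePrivilege: $($holders -join ', ')"
if ($holders -contains $iisUsrsSid -or $holders -contains 'IIS_IUSRS') {
    Write-Output 'IIS_IUSRS has the Impersonate a client after authentication right.'
} else {
    # A domain GPO that defines this right overrides the local setting, so fix it
    # there if the local assignment keeps disappearing.
    Write-Warning 'IIS_IUSRS is missing SeImpersonatePrivilege; assign it and restart the server.'
}
```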

step 3

In step 3, NDES forwards the request to the NDES Connector policy module, which validates the request.

To verify that this step is successful, check the following:

  1. On the IIS/NDES server, look for entries that resemble the following in NDESPlugin.log:
     
  2. Look for entries that resemble the following in CertificateRegistrationPoint.svclog:

    CertificateRegistrationPoint.svclog
  3. Look for an entry that resembles the following in the IIS log:
     

If you don’t see the entries that are listed above, follow these steps:

  1. Check whether you receive error 12175 in NDESplugin.log:
     

    Modern browsers and browsers on mobile devices ignore the Common Name on an SSL certificate if there are Subject Alternative Names present.

    In this case, issue the web server SSL certificate with the following attributes for Common Name and Subject Alternative Name, and then bind it to port 443 in IIS:

    • Subject name
      CN = external server name
    • Subject Alternative name
      DNS Name= external server name
      DNS Name= internal server name
  2. If the problem persists, check CertificateRegistrationPoint.svclog for errors. For example, you may see a "Signing certificate could not be retrieved" error that resembles the following:
     

    If you receive this error, open Registry Editor, locate the HKLM\SOFTWARE\Microsoft\MicrosoftIntune\NDESConnector registry key, and then check whether the SigningCertificate value exists. If this value doesn’t exist, restart the Intune Connector Service in services.msc, and then check whether the value appears in registry. If the value is still missing, it’s usually because of a network connectivity issue between the IIS/NDES server and the Intune service.
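For the error 12175 case above, the following added example (not from the original guide) looks up the certificate bound to port 443 in IIS and checks that both the external and the internal server name appear as DNS entries in its Subject Alternative Name extension. The two host names are placeholders to replace with your own, and the SAN text parsing assumes the English "DNS Name=" label that Windows uses when formatting the extension.

```powershell
# Added example (not from the original guide): confirm that the certificate bound to
# port 443 in IIS carries both the external and internal server names as SAN DNS entries.
Import-Module WebAdministration
$externalName = 'ndes.example.com'      # placeholder: the host name in the SCEP server URL
$internalName = 'ndes01.corp.example'   # placeholder: the server's internal FQDN

$binding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
if (-not $binding) { throw 'No HTTPS (port 443) binding found in IIS.' }

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.Thumbprint }
if (-not $cert) { throw "Certificate $($binding.Thumbprint) is bound but not in LocalMachine\My." }

# Pull the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17)
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = if ($sanExt) {
    [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
} else { @() }

"Subject : $($cert.Subject)"
"SAN DNS : $($dnsNames -join ', ')"
"Expires : $($cert.NotAfter)"

if (-not $sanExt) {
    Write-Warning 'The certificate has no Subject Alternative Name extension.'
}
foreach ($name in $externalName, $internalName) {
    if ($dnsNames -notcontains $name) {
        Write-Warning "'$name' is not in the SAN list; clients that ignore the Common Name will reject the certificate (error 12175 in NDESPlugin.log)."
    }
}
```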

step 4

In this step, NDES passes the certificate request to the certification authority (CA) and requests the certificate on behalf of the client.

To verify that this step is successful, check the following on the IIS/NDES server:

  1. Look for an entry that resembles the following in NDESPlugin.log:
     
  2. Look for entries that resemble the following in CertificateRegistrationPoint.svclog:

    CertificateRegistrationPoint.svclog

If you don’t see the entries that are listed above, follow these steps:

  1. Open the Certification Authority MMC on the CA, and then select Failed Requests to see whether there are any errors. The following is an example:

    Failed requests
  2. Check the application event log on the CA for errors. Usually you can see errors that match those that you see in the Failed Requests. The following is an example:

    Event log


     

step 5

In this step, the certificate is delivered back to the device.

If this step is successful, you will see the issued certificate on the Certification Authority as shown in the following example:

Issued certificate

You will also see the certificate on the user’s device as shown in the following example:

certificate on device


certificate on device

 

step 6

In this last step, the NDES Connector reports back to Intune that the certificate has been delivered to the user’s device.

If this step is successful, you will see the following on the IIS/NDES server:

  1. In NDESPlugin.log, you can see entries that resemble the following:
     
  2. In CertificateRegistrationPoint.svclog, you can see entries that resemble the following:

    successful log
  3. In IIS log, you can see an entry that resembles the following for the SCEP process:
     
  4. In the %ProgramFiles%\Microsoft Intune\CertificateRequestStatus folder, you can see the Failed, Processing and Succeed folders that contain certificate request status files.
  5. If the certificate request is successfully processed, you will see new files in the Succeed folder as shown in the following example:

    succeed folder


    You can open one of the files to see the type of data that's uploaded to the Intune Service by the NDES Connector, such as CertificateSerialNumber, UserID, DeviceID, and Thumbprint. The following is an example:

    CRS file

  6. If you don’t see any new files being created in the Succeed folder, check whether there are any files stuck in the Processing folder. If this is the case, verify that the Intune Connector Service is started on the IIS/NDES server, and there are no errors in Ndesconnector.svclog.
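The following added example (not from the original guide) counts the files in the Failed, Processing and Succeed folders, flags requests that have sat in Processing for longer than a threshold, and checks the state of the Intune Connector Service. The 30-minute threshold and the service display-name pattern are assumptions.

```powershell
# Added example (not from the original guide): summarize the NDES Connector's
# certificate request status folders and flag requests stuck in Processing.
$base = Join-Path $env:ProgramFiles 'Microsoft Intune\CertificateRequestStatus'
if (-not (Test-Path $base)) { throw "Folder not found: $base" }

foreach ($folder in 'Succeed', 'Processing', 'Failed') {
    $files  = @(Get-ChildItem -Path (Join-Path $base $folder) -File -ErrorAction SilentlyContinue)
    $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        Folder = $folder
        Files  = $files.Count
        Newest = if ($newest) { $newest.LastWriteTime } else { $null }
    }
}

# Files that stay in Processing usually mean the connector service is not running
# or cannot reach the Intune service. The 30-minute threshold is an assumption.
$stuck = @(Get-ChildItem -Path (Join-Path $base 'Processing') -File -ErrorAction SilentlyContinue |
           Where-Object { $_.LastWriteTime -lt (Get-Date).AddMinutes(-30) })
if ($stuck.Count -gt 0) {
    Write-Warning "$($stuck.Count) request(s) have been in Processing for over 30 minutes."
    # Display name pattern is an assumption; adjust if services.msc shows a different name
    $svc = Get-Service -DisplayName 'Intune Connector*' -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $svc) {
        Write-Warning 'Intune Connector Service was not found on this server.'
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "Intune Connector Service is $($svc.Status); start it and check again."
    } else {
        Write-Output 'Intune Connector Service is running; check Ndesconnector.svclog for errors.'
    }
}
```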

Congratulations! Your SCEP certificate profile deployment problem is resolved. For more information about certificate profiles and Microsoft Intune, see the following:

You can also post a question in our Microsoft Intune forum here.

For all the latest news, information and tech tips, visit our official Intune blogs:


Android devices

The same six-step communication process applies to Android devices. The following steps describe where to look in the Android Company Portal logs, in addition to the IIS/NDES server logs, for each step.

step1

In the first step, an Intune SCEP profile is deployed to a group of users. The profile comes down as SyncML and resembles the following in the OMA DM log from the Android Company Portal logs:

To get Company Portal logs from an Android device, follow these steps:

  1. Open the Company Portal app.
  2. Tap Menu > Help > Email Support.
  3. Tap Send Email & Upload Logs.

After you have the OMA DM log from the Android Company Portal Logs, verify that the SCEP profile is deployed to the device. To do this, follow these steps:

  1. Go to the Intune Troubleshooting Blade in the Azure Portal, and then verify the following:
    • The profile is assigned to the correct security group.
    • The user is in the targeted security group.
    • The device has successfully checked into Intune.
    The following is an example:

    Troubleshooting Blade
  2. Get the SCEP policy ID from Azure Portal.

    Policy ID
  3. Search the OMA DM log for the policy ID of the SCEP profile. In the example, you can see the SCEP policy ID 39907… is found in the OMA DM log.

step 2

In the second step, the device uses the URI in the SCEP profile and contacts the IIS/NDES server. When this happens, you can find entries that resemble the following in the OMA DM log from the Android device:
 

The connection is also logged by IIS in the %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\ folder.

To verify that the request reaches the IIS/NDES server, and to troubleshoot the status codes it returns, follow the step 2 instructions given earlier in this guide. Steps 3 and 4 take place on the IIS/NDES server and the CA, and are verified in the same way as described earlier for those steps.


step 5

In this step, the certificate is delivered back to the device.

If this step is successful, you will see the issued certificate on the Certification Authority as shown in the following example:

Issued certificate

You will also see the certificate on the user’s device as shown in the following example:

  • Here is the notification:
     

    Notification


    Note If you use Samsung KNOX devices, you won’t be prompted to install certificates.

  • Here is the ROOT certificate that comes down before the SCEP certificate.

    Root CA

    When you check the OMA DM log from the Android device, you can see entries that resemble the following for the installation of the root certificate:
     

  • Here is the SCEP certificate that comes down to the device:

    SCEP certificate


    SCEP certificate


    When you check the OMA DM log from the Android device, you can see entries that resemble the following for the installation of the SCEP certificate:
     
