Troubleshooting NDES configuration for use with Microsoft Intune certificate profiles


What does this guide do?
Helps administrators understand how to configure Network Device Enrollment Services (NDES) correctly to assign Simple Certificate Enrollment Protocol (SCEP) certificate profiles to Intune client devices. For information about how to troubleshoot SCEP certificate profile deployment, see Troubleshooting SCEP certificate profile deployment in Microsoft Intune.

Who is it for?
Administrators who implement and oversee a Microsoft Intune environment that uses NDES for SCEP certificate assignment.

How does it work?
This guide provides best-practice guidance and examples of how to configure an NDES server so that you can avoid some common issues that might be encountered when you enroll Windows devices in Intune.

Estimated time of completion:
30-45 minutes.

Before you start to configure the NDES server, make sure that you have the following necessary components in your environment:

  • An Active Directory domain

    All servers that are listed in this guide must be joined to your Active Directory domain.
  • Access to a domain controller, a domain administrator account, and standard Active Directory tools.
  • A Windows server that has Active Directory Certificate Services (AD CS) installed. This must be an Enterprise certification authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or a later version. For more information about how to install and configure an Enterprise CA, see Install the Certification Authority.

    IMPORTANT A Stand-alone CA isn't supported. If your CA runs Windows Server 2008 R2, you must install hotfix 2483564.
  • A domain-joined computer that runs Windows Server 2012 R2 or a later version to use as the NDES server. You will install the NDES role and the Intune NDES connector on this computer.

    Note Intune doesn’t support installing the NDES connector on the same computer that runs the Enterprise CA.

For more information about these requirements, see Configure and use SCEP certificates with Intune.

To get started, work through the following sections in order: create and configure the NDES service account, configure and publish the certificate template, install the NDES role, configure IIS, verify the NDES configuration and HTTPS binding, and install the Intune NDES connector. The final section shows how to request the SSL certificate that the IIS HTTPS binding requires.


First, you must create a domain user account as the NDES service account. You will specify this account when you configure templates on the issuing CA before you install and configure NDES.

To do this, follow these steps:

  1. On a domain controller, run dsa.msc to open the Active Directory Users and Computers MMC, and then create a new domain user account to be used by the Intune NDES connector. Use a dedicated account that holds no other privileges, and make sure that the password is set to never expire. In this example, the account is named SVC-Intune-NDES.
  2. Log on to the NDES server, and then open the Computer Management console.
  3. Go to Local Users and Groups > Groups, select the IIS_IUSRS group, and then add the service account (for example, SVC-Intune-NDES) to this group.

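The same three steps as an added PowerShell example (this is not code from the original guide). It assumes the names used in this guide (domain fourthcoffee.local, account SVC-Intune-NDES, NDES server FC-CM01), the RSAT Active Directory module on the machine where it runs, and the LocalAccounts cmdlets (Windows Server 2016 or later, or WMF 5.1) on the NDES server:

```powershell
# Added example, not part of the original guide. Creates the dedicated NDES service
# account on a domain controller and adds it to the NDES server's local IIS_IUSRS group.
# Assumed values: domain fourthcoffee.local / FOURTHCOFFEE, account SVC-Intune-NDES,
# NDES server FC-CM01. Run as a domain administrator.
Import-Module ActiveDirectory

$name          = 'SVC-Intune-NDES'
$domainDns     = 'fourthcoffee.local'
$domainNetbios = 'FOURTHCOFFEE'
$ndesHost      = 'FC-CM01'
$password      = Read-Host -AsSecureString -Prompt "Password for $name"

if (-not (Get-ADUser -Filter "sAMAccountName -eq '$name'")) {
    $userParams = @{
        Name                 = $name
        SamAccountName       = $name
        UserPrincipalName    = "$name@$domainDns"
        Description          = 'Intune NDES connector / SCEP registration authority service account'
        AccountPassword      = $password
        PasswordNeverExpires = $true    # the guide requires a non-expiring password
        CannotChangePassword = $true    # nobody should rotate it outside a planned change
        Enabled              = $true
    }
    New-ADUser @userParams
}

# Deliberately no group memberships beyond Domain Users: the CA template and CA
# security settings grant the account exactly the rights NDES needs.
Get-ADUser $name -Properties PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires, MemberOf

# Add the account to the local IIS_IUSRS group on the NDES server and show the result.
Invoke-Command -ComputerName $ndesHost -ArgumentList "$domainNetbios\$name" -ScriptBlock {
    param($member)
    $already = Get-LocalGroupMember -Group 'IIS_IUSRS' -Member $member -ErrorAction SilentlyContinue
    if (-not $already) {
        Add-LocalGroupMember -Group 'IIS_IUSRS' -Member $member
    }
    Get-LocalGroupMember -Group 'IIS_IUSRS' | Select-Object Name, ObjectClass, PrincipalSource
}
```

The account is created with no extra group memberships on purpose; every right it needs (Issue and Manage Certificates on the CA, Read and Enroll on the template) is granted explicitly in the following sections, which keeps it easy to audit.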

To configure a certificate template for NDES and publish the template, follow these steps:

  1. Open the Certification Authority MMC by typing certsrv.msc in the Run dialog box, and then press Enter.
  2. In the navigation pane, right-click the name of your CA, and then click Properties.
  3. Click the Security tab, add the NDES service account, grant it the Issue and Manage Certificates permission, and then click OK.

  4. Under the name of your CA in the navigation pane, right-click Certificate Templates, and then click Manage.
  5. In the result pane, right-click User, and then click Duplicate Template.
  6. In the Properties of the New Template dialog box, on the General tab, enter a display name such as NDES General Purpose, and make sure that Publish certificate in Active Directory isn’t checked.

    Note Windows derives the Template name from the display name by removing the spaces (NDESGeneralPurpose in this example). The Template name, not the display name, is the value that you enter in the MSCEP registry values later in this guide, so note it down.
  7. Click the Request Handling tab, change Purpose to Signature and encryption, and then click Yes at the prompt.
  8. Click the Subject Name tab, select the Supply in the request option, and then click OK at the prompt.
  9. Click the Security tab, add the NDES service account, and then grant it Read and Enroll permissions.
  10. On the Security tab, select Authenticated Users, and then grant Read and Enroll permissions.

    Note Because this template uses Supply in the request and carries the Client Authentication policy, any principal that holds Enroll can request a certificate for a subject of its choosing. The NDES service account is the identity that submits SCEP requests to the CA, so after the configuration is working, review who holds Enroll on this template and keep it as narrow as your environment allows.
  11. Click the Extensions tab, select Application Policies, and then make sure that Description of Application Policies includes Client Authentication and Server Authentication. Otherwise, click Edit to add these policies.
  12. On the Extensions tab, select Key Usage. In Description of Key Usage, make sure that Signature is proof of origin isn’t listed and Digital signature is listed. Leave all other defaults as-is.
  13. Click the Compatibility tab, make sure that Certification Authority is set to Windows Server 2003, and that Certificate recipient is set to Windows XP / Server 2003.
  14. Click Apply, and then click OK.
  15. Verify that the NDES General Purpose template is listed together with the other templates.

To publish the template on the issuing CA, follow these steps:

  1. On the issuing CA, in the Certification Authority MMC, click Certificate Templates.
  2. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.
  3. In Enable Certificate Templates, click the name of the certificate template that you configured (NDES General Purpose in the example), and then click OK.
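The template settings above are easy to get subtly wrong (the display name versus the Template name, the Key Usage bits, a missing EKU). The following added PowerShell example, which is not part of the original guide, reads the template object from Active Directory and reports the settings this section requires, lists which principals hold the Enroll right on it, and checks whether it is published on an enterprise CA. It assumes the Template name NDESGeneralPurpose and the RSAT Active Directory module on a domain-joined host:

```powershell
# Added example, not from the original guide: verify the NDES certificate template
# in AD and confirm it is published (enabled for issuance) on the issuing CA.
# Assumptions: Template name NDESGeneralPurpose; RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$templateName = 'NDESGeneralPurpose'    # Template name (no spaces), not the display name
$configNC     = (Get-ADRootDSE).configurationNamingContext
$pkiBase      = "CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -Filter "cn -eq '$templateName'" `
        -Properties msPKI-Certificate-Name-Flag, pKIExtendedKeyUsage, pKIKeyUsage, displayName
if (-not $tpl) { throw "Template '$templateName' not found; check the Template name (no spaces)." }

# msPKI-Certificate-Name-Flag bit 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT ("Supply in the request")
$suppliesSubject = ($tpl.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0

# Application policies (EKUs) the guide requires
$ekus          = @($tpl.pKIExtendedKeyUsage)
$hasServerAuth = $ekus -contains '1.3.6.1.5.5.7.3.1'
$hasClientAuth = $ekus -contains '1.3.6.1.5.5.7.3.2'

# pKIKeyUsage is a byte array. First byte: 0x80 = Digital Signature,
# 0x40 = Non-Repudiation ("Signature is proof of origin", must be clear), 0x20 = Key Encipherment
$ku               = [byte]$tpl.pKIKeyUsage[0]
$digitalSignature = ($ku -band 0x80) -ne 0
$nonRepudiation   = ($ku -band 0x40) -ne 0

# Who holds the Enroll extended right (GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55)?
# Only explicit Enroll ACEs are listed; GenericAll or "all extended rights" ACEs also imply it.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$enrollers  = (Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollGuid } |
    ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

# Published on a CA? Each pKIEnrollmentService object lists its enabled templates.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates, dNSHostName
$publishedOn = $cas | Where-Object { $_.certificateTemplates -contains $templateName } |
               ForEach-Object { $_.dNSHostName }

[pscustomobject]@{
    TemplateName       = $templateName
    DisplayName        = $tpl.displayName
    SuppliesSubject    = $suppliesSubject        # must be True
    ServerAuthEKU      = $hasServerAuth          # must be True
    ClientAuthEKU      = $hasClientAuth          # must be True
    DigitalSignature   = $digitalSignature       # must be True
    NonRepudiationSet  = $nonRepudiation         # must be False
    EnrollGrantedTo    = ($enrollers -join '; ')
    PublishedOnCA      = ($publishedOn -join ', ')  # empty means the template is not published
}
```

Run it after the publishing step; an empty PublishedOnCA value is the most common reason NDES later logs that the template cannot be found, and EnrollGrantedTo is the list to revisit when you tighten the template's permissions.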

To install and configure the NDES role, follow these steps:

  1. On the NDES server, sign in as an Enterprise Administrator and use the Add Roles and Features Wizard to install NDES.
  2. On the Select server roles page, check Active Directory Certificate Services, and then click Next.
  3. On the Select role services page under AD CS, check Network Device Enrollment Service, clear Certification Authority, and then follow the wizard to finish the installation.
  4. On the Installation progress page, click Configure Active Directory Certificate Services on the destination server to open the AD CS Configuration wizard. After the AD CS Configuration wizard opens, you can close the Add Roles and Features wizard.

  5. In the AD CS Configuration wizard, on the Credentials page, accept the default credentials, and then click Next.
  6. On the Role Services page, check Network Device Enrollment Service, and then click Next.
  7. On the Service Account for NDES page, click Select… to select your NDES service account, and then click Next.

  8. On the CA for NDES page, leave the selection on the default CA Name setting, click Select… to select the issuing CA, and then click Next.
  9. On the RA Information page, accept the default values and click Next.
  10. On the Cryptography for NDES page, accept the default values and click Next.

    Note Only CryptoAPI Service Providers are supported for the registration authority keys. Cryptography API: Next Generation (CNG) providers aren't supported.
  11. On the Confirmation page, click Configure and wait until the configuration is completed, and then exit the wizard.

    IMPORTANT If any errors are encountered during the process, restart the computer and repeat the steps to configure the NDES server role again.
  12. On the NDES server, open an elevated Command Prompt, and then run the following command to set the SPN of the NDES service account:

    setspn -s http/<DNS name of the NDES server> <Domain name>\<NDES service account name>

    For example:

    setspn -s http/FC-CM01.fourthcoffee.local fourthcoffee\SVC-Intune-NDES
  13. After the installation is complete, open Registry Editor, and then set the following values of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\ registry key:
    • Name: EncryptionTemplate
      Type: REG_SZ
      Data: <Name of the NDES certificate template> (without spaces)
    • Name: GeneralPurposeTemplate
      Type: REG_SZ
      Data: <Name of the NDES certificate template> (without spaces)
    • Name: SignatureTemplate
      Type: REG_SZ
      Data: <Name of the NDES certificate template> (without spaces)
    For example, if you created the template NDES General Purpose as described earlier, set all three values to NDESGeneralPurpose.

  14. Restart the NDES server.
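Steps 1 through 14 as one added PowerShell script (this is not the guide's own code). It uses the Install-AdcsNetworkDeviceEnrollmentService cmdlet in place of the wizard and assumes the example names from this guide: domain fourthcoffee.local, service account SVC-Intune-NDES, NDES server FC-CM01, Template name NDESGeneralPurpose, and an issuing CA reachable as FC-CA01.fourthcoffee.local\FourthCoffee-CA (the CA name is an assumption; use your own CA configuration string). Run it elevated on the NDES server as an Enterprise Administrator:

```powershell
# Added example, not part of the original guide. Installs and configures the NDES
# role, registers the SPN and sets the three MSCEP template values.
# Assumed values: fourthcoffee\SVC-Intune-NDES, CA FC-CA01.fourthcoffee.local\FourthCoffee-CA,
# Template name NDESGeneralPurpose. Run elevated on the NDES server.
Install-WindowsFeature ADCS-Device-Enrollment -IncludeManagementTools

$svcAccount  = 'fourthcoffee\SVC-Intune-NDES'
$svcPassword = Read-Host -AsSecureString -Prompt "Password for $svcAccount"

# Only CryptoAPI (CSP) providers are supported for the RA keys; do not pick a CNG provider here.
$ndesParams = @{
    ServiceAccountName     = $svcAccount
    ServiceAccountPassword = $svcPassword
    CAConfig               = 'FC-CA01.fourthcoffee.local\FourthCoffee-CA'
    RAName                 = 'FC-CM01-MSCEP-RA'
    RACompany              = 'Fourth Coffee'
    SigningProviderName    = 'Microsoft Strong Cryptographic Provider'
    SigningKeyLength       = 2048
    EncryptionProviderName = 'Microsoft Strong Cryptographic Provider'
    EncryptionKeyLength    = 2048
    Force                  = $true
}
Install-AdcsNetworkDeviceEnrollmentService @ndesParams

# Kerberos SPN for the service account running the IIS application pool.
# setspn -s refuses to create a duplicate; a duplicate SPN breaks Kerberos for both accounts.
$ndesFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
setspn -s "http/$ndesFqdn" $svcAccount
setspn -l $svcAccount        # the http/ SPN should appear exactly once

# MSCEP template values: the Template name (no spaces), not the display name.
$template = 'NDESGeneralPurpose'
if ($template -match '\s') { throw 'Template name must not contain spaces' }
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
foreach ($valueName in 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate') {
    Set-ItemProperty -Path $mscep -Name $valueName -Value $template -Type String
}
Get-ItemProperty -Path $mscep |
    Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate

# The new template values are read when the MSCEP application starts.
Restart-Computer -Confirm
```

If Install-AdcsNetworkDeviceEnrollmentService fails part way through, do what the guide says for the wizard: restart the server and run the configuration again rather than trying to repair a half-configured role.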

To configure IIS on the NDES server, follow these steps:

  1. When the NDES role is added to the server, IIS is also installed. Make sure that the server has the following IIS features installed:
    • Web Server > Security > Request Filtering
    • Web Server > Application Development > ASP.NET 3.5

      Installing ASP.NET 3.5 also installs .NET Framework 3.5. When you install .NET Framework 3.5, install both the core .NET Framework 3.5 feature and HTTP Activation.
    • Web Server > Application Development > ASP.NET 4.5

      Installing ASP.NET 4.5 also installs .NET Framework 4.5. When you install .NET Framework 4.5, install the core .NET Framework 4.5 feature, ASP.NET 4.5, and the WCF Services > HTTP Activation feature.
    • Web server (IIS) > Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility
    • Web server (IIS) > Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility.
    Or, you can run the following PowerShell command to install and configure the IIS related features on the NDES server:

    Add-WindowsFeature -Name @("ADCS-Device-Enrollment","Web-Server","Web-WebServer","Web-Common-Http","Web-Default-Doc","Web-Dir-Browsing","Web-Http-Errors","Web-Static-Content","Web-Http-Redirect","Web-Health","Web-Http-Logging","Web-Log-Libraries","Web-Request-Monitor","Web-Http-Tracing","Web-Performance","Web-Stat-Compression","Web-Security","Web-Filtering","Web-Windows-Auth","Web-App-Dev","Web-Net-Ext","Web-Net-Ext45","Web-Asp-Net","Web-Asp-Net45","Web-ISAPI-Ext","Web-ISAPI-Filter","Web-Mgmt-Tools","Web-Mgmt-Console","Web-Mgmt-Compat","Web-Metabase","Web-WMI","NET-Framework-Features","NET-Framework-Core","NET-HTTP-Activation","NET-Framework-45-Features","NET-Framework-45-Core","NET-Framework-45-ASPNET","NET-WCF-Services45","NET-WCF-HTTP-Activation45","NET-WCF-TCP-PortSharing45","RSAT-ADCS-Mgmt","WAS","WAS-Process-Model","WAS-NET-Environment","WAS-Config-APIs")

  2. Open Registry Editor, locate the HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters registry key, and then add the following values:
    • Name: MaxFieldLength
      Type: DWORD
      Data: 65534 (decimal)
    • Name: MaxRequestBytes
      Type: DWORD
      Data: 65534 (decimal)
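The HTTP.sys registry values above, and the IIS request filtering limits that the verification steps later in this guide tell you to confirm, as one added PowerShell example (not the guide's own code). It assumes the NDES site is Default Web Site, as in this guide, and must run elevated on the NDES server after the IIS features are installed:

```powershell
# Added example, not part of the original guide. Applies the HTTP.sys limits and the
# IIS request filtering limits this guide specifies, then reads both back.
# Assumption: NDES is hosted on Default Web Site. Run elevated on the NDES server.
Import-Module WebAdministration

# HTTP.sys: SCEP requests from Intune devices carry long URLs and headers, so raise
# the kernel-mode limits before IIS ever sees the request.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
foreach ($valueName in 'MaxFieldLength', 'MaxRequestBytes') {
    New-ItemProperty -Path $httpParams -Name $valueName -Value 65534 -PropertyType DWord -Force | Out-Null
}

# IIS request filtering on the site hosting /certsrv/mscep. These are the values the
# guide has you confirm in Edit Request Filtering Settings.
$filter = 'system.webServer/security/requestFiltering/requestLimits'
$limits = @{
    maxAllowedContentLength = 30000000
    maxUrl                  = 65534
    maxQueryString          = 65534
}
foreach ($entry in $limits.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' `
        -Filter $filter -Name $entry.Key -Value $entry.Value
}

# Read both sets back so drift from the required values is visible at a glance.
Get-ItemProperty -Path $httpParams | Select-Object MaxFieldLength, MaxRequestBytes
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' -Filter $filter |
    Select-Object maxAllowedContentLength, maxUrl, maxQueryString

# HTTP.sys reads its parameters only at driver start, so a restart is still required.
Write-Warning 'Restart the NDES server for the HTTP.sys values to take effect.'
```

The IIS values take effect immediately; the HTTP.sys values do not, which is why the guide restarts the server after this section.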

To verify the NDES configuration and the HTTPS binding, follow these steps:

  1. On the NDES server, start Internet Explorer and browse to the following URL:

    http://<FQDN of NDES server >/certsrv/mscep/mscep.dll

    Note This URL isn’t available from an external network.
  2. Confirm that the Network Device Enrollment Service page is returned rather than an HTTP error. (After the Intune NDES connector is installed later in this guide, this URL returns HTTP 403 instead; that is expected.)
  3. Open Internet Information Services (IIS) Manager, go to Sites > Default Web Site, and then double-click Request Filtering.
  4. On the Actions pane, click Edit Feature Settings….
  5. In the Edit Request Filtering Settings dialog box, confirm the following values. If they differ, set them and then restart the NDES server:
    • Maximum allowed content length (Bytes): 30000000
    • Maximum URL length (Bytes): 65534
    • Maximum query string (Bytes): 65534
  6. Go to Sites > Default Web Site, and then click Bindings… under the Actions pane.
  7. Make sure that HTTPS is specified.
  8. Select HTTPS, click Edit, and make sure that the binding uses port 443, the only port that Intune supports, and that the SSL certificate you requested from your CA (see the SSL certificate section at the end of this guide) is selected.
  9. Browse to the following HTTPS URL:

    https://<FQDN of NDES server >/certsrv/mscep/mscep.dll

    It should return the same page as step 2.
  10. Click the padlock icon, and then click View certificates to check the certificate properties.

  11. Click the Details tab, locate and select Enhanced Key Usage. Verify that the value is set to Server Authentication and Client Authentication.


To install the Intune NDES connector, follow these steps:

  1. Before you install the connector, verify that the following roles are installed on the NDES server:
    • Web Server ASP.NET
    • IIS 6 WMI Compatibility
    • .Net Framework 3.5
  2. If you have SQL Server Reporting Services running on your NDES server, stop and disable the service before you install the NDES connector. After the installation is complete, you can enable and start the service.
  3. Open the Intune admin portal, go to Device Configuration > Certification Authority, click Add, and then click Download the certificate connector software to download NDESConnectorSetup.exe.

  4. After the download is complete, right-click NDESConnectorSetup.exe, and then select Run as administrator to start the setup.
  5. On the Installation Options page, select SCEP and PFX Profile Distribution, and then click Next.

  6. On the Client certificate for Microsoft Intune Connector page, click Select...
  7. On the Select a Certificate page, select your certificate. Select Click here to view certificate properties and make sure that Enhanced Key Usage includes at least Client Authentication.
  8. Click OK, and then click Next.
  9. On the Client Certificate for the NDES Policy Module page, review the certificate details, and then click Next.
  10. On the Ready to install Microsoft Intune NDES Connector page, click Install to start the installation process.
  11. When the installation is complete, check the Launch Intune NDES Connector check box, and then click Finish.

  12. On the NDES Connector window, click Sign In under the Enrollment tab, and then sign in with a user account that's a Global Admin for your Intune tenant and that has an Intune License.

  13. On the Sign In page, enter your Microsoft Intune credentials, and then click Sign in. If it asks you whether to remember the password, click Yes.
  14. When you are prompted with the Successfully enrolled message, click OK.
  15. On the Advanced tab, select the default SYSTEM account or specify an account that has permissions to revoke certificates on the CA, and then click Apply.


    Note The account that you specify (typically the NDES service account) must have the Issue and Manage Certificates permission on the CA; that permission is required to revoke certificates.

  16. When you are prompted with The CA account details were saved, click OK.
  17. Click Close to exit the NDES Connector window.
  18. Open a command prompt, type services.msc, and then press Enter.
  19. Right-click Intune Connector Service, and then click Restart.
  20. Restart the World Wide Web Publishing service.
  21. In Internet Explorer, browse to the following HTTPS URL:

    https://<FQDN of NDES server>/certsrv/mscep/mscep.dll

    It should return the HTTP 403 error that resembles the following:

  22. Click the padlock icon, and then click View certificates.
  23. Click the Details tab, and then check the Enhanced Key Usage field. The value should be set to Server Authentication and Client Authentication.

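The browser checks in this section and in the earlier verification section (HTTPS binding on 443, the certificate's Enhanced Key Usage, the mscep.dll response, the connector and IIS services) as one added PowerShell example, not the guide's own code. It assumes the NDES FQDN FC-CM01.fourthcoffee.local, the site name Default Web Site, and the connector's display name as it appears in services.msc; run it on the NDES server:

```powershell
# Added example, not part of the original guide. Verifies the HTTPS binding, the
# binding certificate's EKUs and names, the mscep.dll response and the services.
# Assumptions: NDES FQDN FC-CM01.fourthcoffee.local, site Default Web Site,
# service display name 'Intune Connector Service'. Run on the NDES server.
Import-Module WebAdministration

$ndesFqdn = 'FC-CM01.fourthcoffee.local'

# 1. HTTPS binding on port 443, the only port Intune supports
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https |
           Where-Object { $_.bindingInformation -like '*:443:*' } | Select-Object -First 1
if (-not $binding) { throw 'Default Web Site has no HTTPS binding on port 443.' }
if (-not $binding.certificateHash) { throw 'The HTTPS binding has no certificate assigned.' }

# 2. The bound certificate must carry Server Authentication and Client Authentication
#    and must name the FQDN that clients connect to.
$cert    = Get-Item "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"
$ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
$ekuOk   = ('1.3.6.1.5.5.7.3.1' -in $ekuOids) -and ('1.3.6.1.5.5.7.3.2' -in $ekuOids)
$nameOk  = @($cert.DnsNameList | ForEach-Object { $_.Unicode }) -contains $ndesFqdn

# 3. The NDES endpoint. Before the connector is installed it answers 200 with the NDES
#    page; once the connector's policy module is active it answers 403 to a browser.
$url = "https://$ndesFqdn/certsrv/mscep/mscep.dll"
try {
    $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -UseDefaultCredentials
    $status = [int]$resp.StatusCode
} catch {
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
}

# 4. Services the connector and NDES depend on
$connector = Get-Service -DisplayName 'Intune Connector Service' -ErrorAction SilentlyContinue
$connectorState = if ($connector) { $connector.Status } else { 'not installed' }

[pscustomobject]@{
    Binding          = $binding.bindingInformation
    CertSubject      = $cert.Subject
    CertExpires      = $cert.NotAfter
    ServerClientEKU  = $ekuOk          # must be True
    CertNamesFqdn    = $nameOk         # must be True
    MscepStatus      = $status         # 200 before the connector, 403 after; -1 = no response
    ConnectorService = $connectorState # Running once the connector is installed
    W3SVC            = (Get-Service W3SVC).Status
}
```

A MscepStatus of -1 with a valid binding usually points at the HTTP.sys or request filtering limits from the IIS section, or at a certificate the client does not trust; a 401 points at the SPN or the IIS_IUSRS membership of the service account.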

Congratulations! Your Intune NDES connector issue is resolved.

If you’re still looking for a solution to another problem, or you’re looking for more information about Intune, post a question in the Microsoft Intune forum. Many support engineers, MVPs, and members of our development team frequent the forums, so there’s a good chance that you can find someone with the information you need.

For more information about NDES and Intune, see Configure and use SCEP certificates with Intune.


If all else fails and you want to open a support request with the Microsoft Intune product support team, you can find information on how to do that here:

How to get support for Microsoft Intune

For all the latest news, information, and tech tips, visit our official Intune blogs.

An SSL certificate is required for the IIS/NDES server to help secure the connection from the Intune client or the proxy. To do this, a new certificate is requested from the PKI and bound in IIS. The steps can vary significantly, depending on the PKI that's used. In most cases, your organization’s PKI administrator is the best resource if you are unsure how to obtain the SSL certificate.

The following example creates the appropriate certificate template, and then requests and configures an SSL certificate for use with Azure AD Application Proxy:

  1. Connect to the CA server, open the Certification Authority MMC by typing certsrv.msc in the Run dialog box, and then press Enter.
  2. Under the name of your CA in the navigation pane, right-click Certificate Templates, and then click Manage.
  3. In the result pane, right-click Web Server, and then click Duplicate Template.

    Note If you are prompted to select Windows Server 2003 or Windows Server 2008 compatibility, select Windows Server 2003.
  4. In the Properties of the New Template dialog box, click the Compatibility tab, make sure that Certification Authority is set to Windows Server 2003, and that Certificate recipient is set to Windows XP / Server 2003.
  5. Click the General tab, and then enter a name for the new template, for example NDESIIS.
  6. Click the Request Handling tab, select Signature and encryption in Purpose.
  7. Click the Extensions tab, select Application Policies, and then make sure that Description of Application Policies includes Client Authentication and Server Authentication. Otherwise, click Edit to add these policies.

  8. Click the Subject Name tab, and then select the Supply in the request option.
  9. Click the Security tab, make sure that Domain Admins have Read, Write and Enroll permissions, and that Domain Computers have Read and Enroll permissions. Enrollment does not require Write; granting Write on the template to Domain Computers would let any domain-joined computer account change the template's settings, so only add it if your PKI administrator requires it.

  10. Click Apply, and then click OK to create the certificate template.

After the template is configured, use it to request the SSL certificate from the NDES/IIS server. To do this, follow these steps:

  1. From the NDES/IIS server, type certlm.msc in the Run dialog box, and then press Enter.
  2. Under Certificates - Local Computer, expand Personal, right-click Certificates, point to All Tasks, and then click Request New Certificate….
  3. In the Certificate Enrollment wizard, on the Request Certificates page, select the certificate template that you created, and then click More information is required to enroll for this certificate. Click here to configure settings.

  4. In the Certificate Properties dialog box, click the Subject tab, and do the following:
    • Under Subject name, select Common name in the Type drop-down list. In the Value box, enter the external fully qualified domain name (FQDN) that the clients connect to, such as the public interface of the proxy, and then click Add.
    • Under Alternative name, select DNS in the Type drop-down list. In the Value box, enter the external FQDN (for example ndes.contoso.com) and internal FQDN (for example ndes.contoso.local), and then click Add.
    The following is an example:

  5. Click the General tab, enter a Friendly name such as IIS NDES so that the certificate can be easily recognized as soon as it's issued, and then click OK to close the Certificate Properties dialog box.
  6. On the Request Certificates page, select the certificate from the list of displayed certificates, and then click Enroll.

  7. On the Certificate Installation Results page, wait until the certificate is installed, and then click Finish.
  8. Verify that the certificate is listed under Certificates - Local Computer > Personal > Certificates.
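The certificate request above, followed by binding the issued certificate to HTTPS on port 443, as one added PowerShell example (not the guide's own code). It assumes the template name NDESIIS and the names ndes.contoso.com (external) and ndes.contoso.local (internal) from the steps above, and that the NDES site is Default Web Site; run it elevated on the NDES/IIS server:

```powershell
# Added example, not part of the original guide. Requests the IIS certificate from the
# NDESIIS template with the external name as CN and both names as SANs, then binds it
# to HTTPS on port 443. Assumed: template NDESIIS, ndes.contoso.com, ndes.contoso.local,
# site Default Web Site. Run elevated on the NDES/IIS server.
Import-Module WebAdministration

$externalFqdn = 'ndes.contoso.com'     # name clients (or the proxy) connect to
$internalFqdn = 'ndes.contoso.local'
$templateName = 'NDESIIS'

# Enroll through the enterprise CA; the template supplies the key usage and EKUs,
# the request supplies the subject and SANs because the template uses "Supply in the request".
$result = Get-Certificate -Template $templateName `
            -SubjectName "CN=$externalFqdn" `
            -DnsName $externalFqdn, $internalFqdn `
            -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete (status: $($result.Status)); check template permissions or CA manager approval."
}
$thumbprint = $result.Certificate.Thumbprint

# Friendly name, set through the certificate provider so it is persisted in the store.
(Get-Item "Cert:\LocalMachine\My\$thumbprint").FriendlyName = 'IIS NDES'

# Create the HTTPS binding on 443 if it is missing, then attach the certificate.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
$binding.AddSslCertificate($thumbprint, 'My')

# Confirm what clients will see: subject, SANs, validity, and the hash IIS now serves.
Get-Item "Cert:\LocalMachine\My\$thumbprint" |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ n = 'SANs'; e = { ($_.DnsNameList | ForEach-Object { $_.Unicode }) -join ', ' } },
        @{ n = 'EKUs'; e = { ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', ' } }
Get-WebBinding -Name 'Default Web Site' -Protocol https |
    Select-Object protocol, bindingInformation, certificateHash
```

A Status of Pending means the CA is holding the request for manager approval; issue it on the CA and rerun Get-Certificate, or pick the pending request up with Get-Certificate -Request, before binding.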