This article has been archived. It is offered "as is" and will no longer be updated.
Roughly a year after enrollment, when its client certificate comes up for renewal, a System Center Mobile Device Manager (SCMDM) managed device may fail to renew the certificate. As a result it can no longer connect to the SCMDM VPN.
Additionally, the Application event log on the issuing certification authority (CA) contains a warning similar to the following:
Event Type: Warning
Event Source: CertSvc
Event ID: 53
Description: Certificate Services denied request 97 because The request contains conflicting template information. 0x80094802 (-2146875390). The request was for CN=device.contoso.com. Additional information: Denied by Policy Module 0x80094802, The request specifies conflicting certificate templates: 22.214.171.124.4.1.3126.96.36.19901452.6590778.3820446.1524682.2069567.226.1027488195.1669196290/SCMDMMobileDevice(MDM1).
When the SCMDM managed device submits its renewal request, the space character is dropped from the template name it sends: the request names "SCMDMMobileDevice(MDM1)", while the template OID that the request also carries still identifies the original "SCMDMMobileDevice (MDM1)" template. The CA resolves the OID and the name to two different templates and rejects the request with the "conflicting certificate templates" error shown above. The workaround below creates a template whose display name has no space and gives it the same msPKI-Cert-Template-OID as the original, so that both identifiers in the renewal request resolve to the same template.
1. On the machine that is the issuing CA for SCMDM, open the 'Certification Authority' console.
2. Right-click 'Certificate Templates' and click 'Manage'.
3. In the 'certtmpl' window, locate the template whose Template Display Name is "SCMDMMobileDevice (instance)", where the instance name in brackets is the name of your SCMDM instance. Right-click this template and click 'Duplicate Template'.
4. In the 'Properties of New Template' window, change the Template display name as follows:
 - Remove 'Copy of'.
 - Delete the space between the name and the opening bracket. For example, change "Copy of SCMDMMobileDevice (MDM1)" to "SCMDMMobileDevice(MDM1)".
 - If the CA runs Windows Server 2008, set the 'Minimum key size' of the new template to 1024 rather than 2048. Be aware that 1024-bit RSA is below current minimum key-length recommendations; apply this setting only to this template.
 - On the 'Subject Name' tab of the new template (the one without the space), make sure the "Subject name format" is set to "Common Name".
 Once you have made these changes, click OK, then close the 'certtmpl' window.
5. On a machine in the same domain as the CA, open ADSIEdit.msc and navigate as follows, substituting your own domain for contoso.local:
 - Expand 'Configuration [dc.contoso.local]'
 - Expand 'CN=Configuration,DC=CONTOSO,DC=local'
 - Expand 'CN=Services'
 - Expand 'CN=Public Key Services'
 - Click 'CN=Certificate Templates'
6. In the list under 'CN=Certificate Templates', locate the original template, the one whose name contains the space, for example 'CN=SCMDMMobileDevice (MDM1)'.
 - Right-click it and click Properties.
 - Tick the 'Show only attributes that have values' check box.
 - In the list of attributes, locate 'msPKI-Cert-Template-OID' and click Edit.
 - Copy this value into Notepad.
 - Click Cancel in the 'String Attribute Editor' window, then click Cancel in the template properties window.
7. Now locate the new template in the 'CN=Certificate Templates' list, for example 'CN=SCMDMMobileDevice(MDM1)'.
 - Right-click it and click Properties.
 - Tick the 'Show only attributes that have values' check box.
 - In the list of attributes, locate 'msPKI-Cert-Template-OID' and click Edit.
 - Delete the existing value, paste in the value you copied in step 6, and click OK.
 - Click OK in the template properties window.
 Note that the CA reads template information from Active Directory, so the change must replicate to the domain controller the CA uses before it takes effect.
8. Open the 'Certification Authority' console on the issuing CA again, as in step 1.
 - Right-click 'Certificate Templates' and click 'New' > 'Certificate Template to Issue'.
 - In the list, select the new template without the space, for example "SCMDMMobileDevice(MDM1)", and click OK.
 - The new template is now ready to be issued when a device requests renewal.
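The following PowerShell script is an added example and is not part of the original article. It automates steps 5 to 8 (reading msPKI-Cert-Template-OID from the original template, writing it onto the duplicate, checking the key-size and subject-name settings from step 4, and publishing the template on the CA) and includes a query for the Event ID 53 denials described above. It assumes the duplicate template has already been created in the Certificate Templates console (steps 1 to 4), that it runs on a domain-joined machine with rights to edit the Configuration partition and to administer the CA, and that the instance name 'MDM1' and the CA configuration string 'ca01.contoso.local\Contoso Issuing CA' are placeholders for your own values. The attribute names msPKI-Minimal-Key-Size and msPKI-Certificate-Name-Flag, and the CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME bit (0x40000000), are taken from the MS-CRTD certificate template schema; the script treats them as the stored form of the step 4 settings.

```powershell
# Added example, not from the original article. Automates steps 5-8 of the
# workaround once the duplicate template exists. Placeholders: instance name
# 'MDM1' and CA config string 'ca01.contoso.local\Contoso Issuing CA'.
$Instance = 'MDM1'
$CAConfig = 'ca01.contoso.local\Contoso Issuing CA'

$oldName = "SCMDMMobileDevice ($Instance)"   # original template, with the space
$newName = "SCMDMMobileDevice($Instance)"    # duplicate created in step 4, space removed

# The container ADSIEdit shows as CN=Certificate Templates (step 5).
$configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

function Get-CertTemplate([string]$Name) {
    # Bind directly to the template object by DN; parentheses and the embedded
    # space are legal in a DN value, so no LDAP filter escaping is needed.
    $path = "LDAP://CN=$Name,$container"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "Template '$Name' not found under $container"
    }
    [ADSI]$path
}

function Find-TemplateConflictDenials {
    # Run on the CA: Event ID 53 warnings in the Application log whose text
    # matches the symptom in this article.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 53 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'conflicting certificate templates' } |
        Select-Object TimeCreated, Id, Message
}

$old = Get-CertTemplate $oldName
$new = Get-CertTemplate $newName

$oldOid = [string]$old.'msPKI-Cert-Template-OID'
$newOid = [string]$new.'msPKI-Cert-Template-OID'
Write-Host "Original  '$oldName': $oldOid"
Write-Host "Duplicate '$newName': $newOid"

# Steps 6-7: give the duplicate the original template's OID so that the OID and
# the space-less name in the device's renewal request resolve to the same template.
if ($newOid -ne $oldOid) {
    $new.Put('msPKI-Cert-Template-OID', $oldOid)
    $new.SetInfo()
    $new.RefreshCache()
    Write-Host "msPKI-Cert-Template-OID on '$newName' is now $([string]$new.'msPKI-Cert-Template-OID')"
}

# Step 4 settings check: 1024-bit minimum key size and 'Common name' subject format.
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000   # MS-CRTD msPKI-Certificate-Name-Flag bit
$keySize  = [int]$new.'msPKI-Minimal-Key-Size'
$nameFlag = [int]$new.'msPKI-Certificate-Name-Flag'
if ($keySize -ne 1024) {
    Write-Warning "Minimum key size on '$newName' is $keySize; the article requires 1024 on a Windows Server 2008 CA"
}
if (-not ($nameFlag -band $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME)) {
    Write-Warning "'$newName' does not build its subject name from the common name"
}

# Step 8: publish the new template on the issuing CA and confirm it is listed.
& certutil.exe -config $CAConfig -SetCATemplates "+$newName"
& certutil.exe -config $CAConfig -CATemplates | Select-String -SimpleMatch $newName

# Before and after the change, this shows whether devices are still being denied.
Find-TemplateConflictDenials | Format-List
```

Run the script from an elevated PowerShell session as a user who is both a member of the forest's Enterprise Admins (or otherwise delegated write access to CN=Certificate Templates) and a CA administrator. Because the CA loads template definitions from Active Directory, allow the edited attribute to replicate to the domain controller the CA uses before testing a device renewal; re-running Find-TemplateConflictDenials afterwards should show no new Event ID 53 entries for the SCMDM template.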