Troubleshooting NDES configuration for use with Microsoft Intune certificate profiles

-
Before you start to configure the NDES server, make sure that you have the following necessary components in your environment:
  • An Active Directory domain

    All servers that are listed in guide must be joined to your Active Directory domain.
  • Access to a domain controller, a domain administrator account, and standard Active Directory tools.
  • A Windows server that has Active Directory Certificate Services (AD CS) installed. This must be an Enterprise certification authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or a later version. For more information about how to install and configure an Enterprise CA, see Install the Certification Authority.

    IMPORTANT A Stand-alone CA isn't supported. If your CA runs Windows Server 2008 R2, you must install hotfix 2483564.
  • A domain-joined computer that runs Windows Server 2012 R2 or a later version to use as the NDES server. You will install the NDES role and the Intune NDES connector on this computer.

    Note Intune doesn’t support installing the NDES connector on the same computer that runs the Enterprise CA.
For more information about these requirements, see Configure and use SCEP certificates with Intune.
To get started, select one of the following, or start with Create and configure an NDES service account and follow each step in order:
To do this, follow these steps:
  1. On the NDES server, start Internet Explorer and browse to the following URL:

    http:///certsrv/mscep/mscep.dll

    Note This URL isn’t available from an external network.
  2. Confirm that the result resembles the following:

    NDES message
  3. Open Internet Information Services (IIS) Manager, go to Sites > Default Web Site, and then double-click Request Filtering.
  4. On the Actions pane, click Edit Feature Settings….
  5. Confirm the following settings in the Edit Request Filtering Settings dialog box:

    Request filtering setting


    If these values aren't set, set the following values and restart the NDES server:
    • Maximum allowed content length (Bytes): 30000000
    • Maximum URL length (Bytes): 65534
    • Maximum query string (Bytes): 65534
  6. Go to Sites > Default Web Site, and then click Bindings… under the Actions pane.
  7. Make sure that HTTPS is specified.
  8. Select HTTPS, click Edit and make sure that HTTPS is set to port 443 which is the only supported port for Intune. Also make sure that the SSL certificate that's requested from your CA is specified.

    Site bindings
  9. Browse to the following HTTPS URL:

    https:///certsrv/mscep/mscep.dll

    It should return the same page as step 2.
  10. Click the padlock icon, and then click View certificates to check the certificate properties.

    View certificate
  11. Click the Details tab, locate and select Enhanced Key Usage. Verify that the value is set to Server Authentication and Client Authentication.

    certificate

Comments

Post a Comment

Popular posts from this blog

Troubleshooting Netlogon Error Codes

-
Image
Quick Reference: Troubleshooting Netlogon Error Codes ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ January 28, 2013   by  Mark Morowczynski [MSFT]   //   24 Comments 0 0 Hi this is Brandon Wilson and today I will be providing you with a quick reference for troubleshooting Netlogon error codes. I say “quick reference” very loosely here, because this is one of those sticky subjects that can easily expand into many more areas and become a very long discussion. So, I’m going to do my best to focus on just the codes and possible solutions for the error codes that are more common to see. Anyone who has dealt with some of these issues knows that some of these outlined areas can lead to huge revenue loss for a business, or at the very least an annoying authentication prompt J I welcome you to leave comments and questions, or suggestions for articles that you as the reader would be interested in seeing us do on AskPFE Platforms ( http://blogs.tech...
Read more

Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe)

-
Image
Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe) Table of Contents SPN Purpose SPN Format SetSPN Viewing or Checking SPN Registrations SPN Registration Errors Related to SPN Registration or Configuration Manually Registering SPNs Troubleshooting SPN Issues Resolving SPN Registration Issues SPN Lookup Errors Delegation External Articles SPN Purpose A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. ↑  Return to T...
Read more

Troubleshooting AD Active Directory Replication Error 8456 or 8457: "The source | destination server is currently rejecting replication requests"

-
Symptoms  This article describes the symptoms, cause, and resolution steps for situations where Active Directory operations fail with error 8456 or 8457: "The source | destination server is currently rejecting replication requests" The DCPROMO promotion of a new domain controller in an existing forest fails with the error "The source server is currently rejecting replication requests."  Dialog title text:    Active Directory Installation Wizard   Dialog message text:   The operation failed because:   Active Directory could not transfer the remaining data in directory partition   to domain controller .  "The source server is currently rejecting replication requests." DCDIAG reports the error "The source server is currently rejecting replication requests" or "The destination server is currently rejecting replication requests." Testing server: Default-First-Site-Name\     ...
Read more