Troubleshooting SCEP certificate profile deployment to Android devices in Microsoft Intune
Introduction
This guide provides an architectural overview of SCEP certificate profile deployment to Android devices in Microsoft Intune, including how to verify that each step is successful. It also provides troubleshooting suggestions for some of the most common issues that you may encounter during the deployment process.
It's assumed that you have configured the NDES server, the Trusted Root profile and SCEP profile. In the example in this guide, the Trusted Root and SCEP profiles are named as follows:
- Trusted Root Profile: AndroidNorthEndRootCert
- SCEP profile: AndroidSCEP
Overview of SCEP communication flow
NDES and SCEP issues are some of the most challenging problems that may be encountered when you use Microsoft Intune. Having a basic understanding of the architecture and the communication flow of the SCEP process helps you identify or narrow the scope of the issue. It's important to understand how to collect logs, what logs to collect and what entries are important in each log during each step of the communication flow.
Before you move into SCEP certificate deployment, let’s look at the log files that log the various activities. These log files provide important insight to problems that might occur and help you understand the overall flow.
Log files on server side:
- Microsoft Intune Connector log files
Files Location Description Note NDESConnector__ (Example: NDESConnector_2018-06-17_010344.svclog)%programfiles%\Microsoft Intune\NDESConnectorSvc\Logs\Logs
Logs communications between the NDES Intune connector and Intune cloud service. The related registry entry: HKLM\SOFTWARE\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus
.We recommend that you use Service Trace Viewer Tool to view the log files. CertificateRegistrationPoint__ (Example: CertificateRegistrationPoint_2018-03-07_214704.svclog)%programfiles%\Microsoft Intune\NDESConnectorSvc\Logs\Logs
Logs NDES receiving and verifying certificate requests. We recommend that you use Service Trace Viewer Tool to view the log files. NDESPlugin.log %programfiles%\Microsoft Intune\NDESPolicyModule\Logs\
Logs passing and the results of verifying certificate requests to the Certificate Registration Point. - IIS log files
Files: u_ex
Log files on Android devices:
The OMA DM log from the Android Company Portal logs contain all the necessary information to troubleshoot SCEP deployment issues on the devices. To get Company Portal logs from an Android device, follow these steps:
- Open the Company Portal app.
- Tap Menu > Help > Email Support.
- Tap Send Email & Upload Logs.
The SCEP certificate deployment process
The following graphic demonstrates a basic overview of the SCEP communication process:
This six-step communication process forms the outline of the troubleshooting process. If you know which step that you’re experiencing a problem, select it from the following list. Otherwise, start with step 1 and review each step in order:
- Step 1: Deploy the SCEP certificate profile
- Step 2: The device gets the SCEP profile and contacts the NDES server
- Step 3: NDES forwards the request to the NDES Connector policy module
- Step 4: NDES passes the request to issue the certificate
- Step 5: The certificate is delivered to the device
- Step 6: The NDES connector reports back to Intune
Step 1: Deploy the SCEP certificate profile
Note As a prerequisite for SCEP certificate, you must have already deployed the root certificate through a trusted certificate profile.
In the first step, an Intune SCEP profile is deployed to a group of users.
The profile comes down as SyncML and resemble the following in the OMA DM log from the Android Company Portal Logs:
Troubleshooting
To verify that the SCEP profile is deployed to the device, follow these steps:
- Go to the Intune Troubleshooting Blade in the Azure Portal, then verify the following:
- The profile is assigned to the correct security group.
- The user is in the targeted security group.
- The device has successfully checked into Intune.
- Get the SCEP policy ID from Azure Portal.
- Search the OMA DM log for the policy ID of the SCEP profile. In the example, you can see the SCEP policy ID 39907… is found in the OMA DM log.ModelName=AC_51…%2FLogicalName_39907…%3BHash=-1518303401
Step 2: The device gets the SCEP profile and contacts the NDES server
In the second step, the device uses the URI in the SCEP profile and contacts the IIS/NDES server. When this happens, you can find entries that resemble the following in the OMA DM log from the Android device:
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 There are 1 requests
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 Trying to enroll certificate request: ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787
2018-02-27T05:16:09.5530000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACaps(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:14.6440000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACaps(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:21.8220000 VERB Event org.jscep.message.PkiMessageEncoder 18327 10 Encoding message: org.jscep.message.PkcsReq@2b06f45f[messageData=org.spongycastle.pkcs.PKCS10CertificationRequest@699b3cd,messageType=PKCS_REQ,senderNonce=Nonce [D447AE9955E624A56A09D64E2B3AE76E],transId=251E592A777C82996C7CF96F3AAADCF996FC31FF]
2018-02-27T05:16:21.8790000 VERB Event org.jscep.message.PkiMessageEncoder 18327 10 Signing pkiMessage using key belonging to [dn=CN=; serial=1]
2018-02-27T05:16:21.9580000 VERB Event org.jscep.transaction.EnrollmentTransaction 18327 10 Sending org.spongycastle.cms.CMSSignedData@ad57775
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 Trying to enroll certificate request: ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787
2018-02-27T05:16:09.5530000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACaps(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:14.6440000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACaps(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:21.8220000 VERB Event org.jscep.message.PkiMessageEncoder 18327 10 Encoding message: org.jscep.message.PkcsReq@2b06f45f[messageData=org.spongycastle.pkcs.PKCS10CertificationRequest@699b3cd,messageType=PKCS_REQ,senderNonce=Nonce [D447AE9955E624A56A09D64E2B3AE76E],transId=251E592A777C82996C7CF96F3AAADCF996FC31FF]
2018-02-27T05:16:21.8790000 VERB Event org.jscep.message.PkiMessageEncoder 18327 10 Signing pkiMessage using key belonging to [dn=CN=
2018-02-27T05:16:21.9580000 VERB Event org.jscep.transaction.EnrollmentTransaction 18327 10 Sending org.spongycastle.cms.CMSSignedData@ad57775
The connection is also logged by IIS in the %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\ folder. The following is an example:
fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=ca 443 - fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 3909 0
fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 421 0
fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 421 0
Troubleshooting
To verify that step 2 is completed successfully, open the most current log file in the %SystemDrive%\inetpub\logs\logfiles\w3svc1\ folder, then look for entries that resemble the following:
fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 3567 0
If the status code for the GET request for mscep.dll is 200, the connection with the NDES server is successful. For more information about the HTTP status code, see The HTTP status code in IIS 7 and later versions.
If the status code is 500, for example:
2017-08-08 20:22:16 IP_address GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - 10.5.14.22 profiled/1.0+CFNetwork/811.5.4+Darwin/16.6.0 - 500 0 1346 31
The issue occurs if the Impersonate a client after authentication user right isn’t assigned to the IIS_IURS group.
To fix this issue, follow these steps:
- Open Local Security Policy by typing secpol.msc in the Run dialog box, and then press ENTER.
- Expand Local Policies, and then click User Rights Assignment.
- Double-click Impersonate a client after authentication in the right pane.
- Click Add User or Group…, enter IIS_IURS in the Enter the object names to select box, and then click OK.
- Click OK.
- Restart the IIS/NDES server, and then try again.
If the status code is neither 200 nor 500, follow these steps:
- Find the SCEP server URL from the SCEP certificate profile.
- Open a web browser, and then browse to the SCEP server URL. The expected result is the HTTP Error 403.0 – Forbidden error.
If you don't receive the HTTP Error 403.0 – Forbidden error, select the error message that you receive:
Important Before the SCEP certificate can be successfully installed on the Android device, you must have root CA and intermediate CA certificates deployed to the device. For more information, see Missing intermediate certificate authority.
If there is a missing intermediate certificate, you receive the following errors in the OMA DM log:
org.jscep.transport.TransportException: Error connecting to server
The exception of interest was: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
The exception of interest was: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
Step 3: NDES forwards the request to the NDES Connector policy module
In step 3, NDES forwards the request to the NDES Connector policy module which validates the request.
To verify that this step is successful, check the following:
- On the IIS/NDES server, look for entries that resemble the following in NDESPlugin.log:
Calling VerifyRequest ... NDESPlugin
Sending request to certificate registration point. NDESPlugin - Look for entries that resemble the following in CertificateRegistrationPoint.svclog:
- Look for an entry that resembles the following in the IIS log:
fe80::f53d:89b8:c3e8:5fec%13 POST /CertificateRegistrationSvc/Certificate/VerifyRequest - 443 - fe80::f53d:89b8:c3e8:5fec%13 NDES_Plugin - 201 0 0 341 875
Troubleshooting
- If you don’t see the expected entries in NDESPlugin.log, verify that you have performed all troubleshooting steps in Step 2: The device gets the SCEP profile and contacts the NDES server.
- Check whether you receive error 12175 in NDESplugin.log:WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID
Failed to send http request /CertificateRegistrationSvc/Certificate/VerifyRequest. Error 12175Modern browsers and browsers on mobile devices ignore the Common Name on an SSL certificate if there are Subject Alternative Names present.
To fix the issue, issue the web server SSL certificate with the following attributes for Common Name and Subject Alternative Name, and then bind it to port 443 in IIS:- Subject name
CN = external server name - Subject Alternative name
DNS Name= external server name
DNS Name= internal server name
- Subject name
- Check whether you receive error "403.16 – Forbidden: Access is denied" in NDESPlugin.log:Sending request to certificate registration point.
Verify challenge returns403 - Forbidden: Access is denied. The following is logged in IIS log:POST /CertificateRegistrationSvc/Certificate/VerifyRequest - 443 -NDES_Plugin - 403 16 2148204809 453 Error 403.16 means that client certificate is untrusted or invalid.
This issue occurs if there are intermediate CA certificates in the NDES server's Trusted Root Certification Authorities certificate store.
If a certificate has the same Issued to and Issued by values, it's a root certificate. Otherwise, it's an intermediate certificate.
To fix the issue, identify and remove the intermediate CA certificates from the Trusted Root Certification Authorities certificate store. - If you see "Verify challenge returns false" in NDESPlugin.log, check CertificateRegistrationPoint.svclog for errors. For example, you may see a "Signing certificate could not be retrieved" error that resemble the following:
Signing certificate could not be retrieved. System.Security.Cryptography.CryptographicException: m_safeCertContext is an invalid handle. at System.Security.Cryptography.X509Certificates.X509Certificate.ThrowIfContextInvalid() at System.Security.Cryptography.X509Certificates.X509Certificate.GetCertHashString() at Microsoft.ConfigurationManager.CertRegPoint.CRPCertificate.RetrieveSigningCert(String certThumbprintTo fix the issue, open Registry Editor, locate theHKLM\SOFTWARE\Microsoft\MicrosoftIntune\NDESConnector
registry key, and then check whether the SigningCertificate value exists.
If this value doesn’t exist, restart the Intune Connector Service in services.msc, and then check whether the value appears in registry. If the value is still missing, it’s usually because of a network connectivity issue between the IIS/NDES server and the Intune service.
Step 4: NDES passes the request to issue the certificate
In this step, NDES passes the certificate request to the certification authority (CA) and requests the certificate on behalf of the client.
To verify that this step is successful, check the following on the IIS/NDES server:
- Look for entries that resemble the following in NDESPlugin.log:Verify challenge returns true
Exiting VerifyRequest with 0x0 - Look for entries that resemble the following in CertificateRegistrationPoint.svclog:
Troubleshooting
If you don’t see the entries that are listed above, follow these steps:
- Look for problems that are logged in CertificateRegistrationPoint.svclog when the certificate registration point verifies the challenge. To do this, check the entries between the following lines:
- VerifyRequest Started.
- VerifyRequest Finished with status False
- Open the Certification Authority MMC on the CA, and then select Failed Requests to see whether there are any errors. The following is an example:
- Check the application event log on the CA for errors. Usually you can see errors that match those that you see in the Failed Requests in step 2. The following is an example:
Step 5: The certificate is delivered to the device
In this step, the certificate is delivered back to the device.
If this step is successful, you will see the issued certificate on the Certification Authority as shown in the following example:
You will also see the certificate on the user’s device as shown in the following example:
- Here is the notification:
Note If you use Samsung KNOX devices, you won’t be prompted to install certificates. - Here is the ROOT certificate that comes down before the SCEP certificate.
When you check the OMA DM log from the Android device, you can see entries that resemble the following for the installation of the root certificate:2018-02-27T04:50:52.1890000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 9 Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALL_REQUESTED
2018-02-27T04:53:31.1300000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 0 Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING
2018-02-27T04:53:32.0390000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 14 Root cert '17…' state changed from CERT_INSTALLING to CERT_INSTALL_SUCCESS - Here is the SCEP certificate that comes down to the device:
When you check the OMADM log from the Android device, you can see entries that resemble the following for the installation of the SCEP certificate:
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 There are 1 requests
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 Trying to enroll certificate request: ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787
2018-02-27T05:16:20.6150000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACert(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca
2018-02-27T05:16:20.6530000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACert(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca
2018-02-27T05:16:21.7460000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACaps(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:21.7890000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACaps(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:28.0340000 VERB Event org.jscep.transaction.EnrollmentTransaction 18327 10 Response: org.jscep.message.CertRep@3150777b[failInfo=,pkiStatus=SUCCESS,recipientNonce=Nonce [GUID],messageData=org.spongycastle.cms.CMSSignedData@27cc8998,messageType=CERT_REP,senderNonce=Nonce [GUID],transId=TRANSID]
2018-02-27T05:16:28.2440000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 10 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ENROLLED to CERT_INSTALL_REQUESTED
2018-02-27T05:18:44.9820000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 0 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING
2018-02-27T05:18:45.3460000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 14 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALLING to CERT_ACCESS_REQUESTED
2018-02-27T05:20:15.3520000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 21 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ACCESS_REQUESTED to CERT_ACCESS_GRANTED
Troubleshooting
The key to troubleshoot this step is identifying and understanding errors that are logged in the OMA DM log. Sometimes the errors are caused by an incorrect configuration.
Step 6: The NDES connector reports back to Intune
In this last step, the NDES Connector reports back to Intune that the certificate has been delivered to the user’s device.
If this step is successful, you will see the following on the IIS/NDES server:
- In NDESPlugin.log, you can see entries that resemble the following:
Calling Notifyrequest ...
Sending request to certificate registration point.
Exiting Notify with 0x0 - In CertificateRegistrationPoint.svclog, you can see entries that resemble the following:
- In IIS log, you can see an entry that resembles the following for the SCEP process:
fe80::f53d:89b8:c3e8:5fec%13 POST /CertificateRegistrationSvc/Certificate/Notify - 443 - fe80::f53d:89b8:c3e8:5fec%13 NDES_Plugin - 204 0 0 277 15 - In NDESConnector.svclog, you can see entries that resemble the following:
- In the %ProgramFiles%\Microsoft Intune\CertificateRequestStatus folder, you can see the Failed, Processing and Succeed folders that contain certificate request status files.
- If the certificate request is successfully processed, you can see new files in the Succeed folder as shown in the following example:
You can open one of the files to see the type of data that's uploaded to the Intune Service by the NDES Connector, such as CertificateSerialNumber, UserID, DeviceID, and Thumbprint. The following is an example:
In Intune in the Azure portal, you can see that the SCEP certificate profile is successfully deployed to the device.
Troubleshooting
If you don’t see any new files being created in the Succeed folder, check whether there are any files stuck in the Processing folder.
If this is the case, verify that the Intune Connector Service is started on the IIS/NDES server, and there are no errors in Ndesconnector.svclog.
More Information
If you’re still looking for a solution to a related problem, or you’re looking for more information about Intune, post a question in our Microsoft Intune forum here. Many support engineers, MVPs and members of our development team frequent the forums. So, there’s a good chance that you can find someone with the information you need.
If you want to open a support request with the Microsoft Intune product support team, you can find information on how to do that here:
For more information about SCEP certificate profiles in Microsoft Intune, see the following:
- Configure and use SCEP certificates with Intune
- Support Tip - How to configure NDES for SCEP certificate deployments in Intune
- Troubleshooting NDES configuration for use with Microsoft Intune certificate profiles
For all the latest news, information and tech tips, visit our official Intune blogs:
Comments
Post a Comment