Troubleshooting SCEP certificate profile deployment to Android devices in Microsoft Intune

Introduction

---

This guide provides an architectural overview of SCEP certificate profile deployment to Android devices in Microsoft Intune, including how to verify that each step is successful. It also provides troubleshooting suggestions for some of the most common issues that you may encounter during the deployment process.

It's assumed that you have configured the NDES server, the Trusted Root profile and SCEP profile. In the example in this guide, the Trusted Root and SCEP profiles are named as follows:

• Trusted Root Profile: AndroidNorthEndRootCert
• SCEP profile: AndroidSCEP

Overview of SCEP communication flow

---

NDES and SCEP issues are some of the most challenging problems that may be encountered when you use Microsoft Intune. Having a basic understanding of the architecture and the communication flow of the SCEP process helps you identify or narrow the scope of the issue. It's important to understand how to collect logs, what logs to collect and what entries are important in each log during each step of the communication flow.

Before you move into SCEP certificate deployment, let’s look at the log files that log the various activities. These log files provide important insight to problems that might occur and help you understand the overall flow.

Log files on server side:

• Microsoft Intune Connector log files

  Files	Location	Description	Note
  NDESConnector__.svclog (Example: NDESConnector_2018-06-17_010344.svclog)	%programfiles%\Microsoft Intune\NDESConnectorSvc\Logs\Logs	Logs communications between the NDES Intune connector and Intune cloud service. The related registry entry: HKLM\SOFTWARE\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus.	We recommend that you use Service Trace Viewer Tool to view the log files.
  CertificateRegistrationPoint__.svclog (Example: CertificateRegistrationPoint_2018-03-07_214704.svclog)	%programfiles%\Microsoft Intune\NDESConnectorSvc\Logs\Logs	Logs NDES receiving and verifying certificate requests.	We recommend that you use Service Trace Viewer Tool to view the log files.
  NDESPlugin.log	%programfiles%\Microsoft Intune\NDESPolicyModule\Logs\	Logs passing and the results of verifying certificate requests to the Certificate Registration Point.

• IIS log files
  Files: u_ex.log (Example: u_ex180629.log)
  Location: %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\ 
  Description: Logs mobile devices' certificate requests to NDES.

Log files on Android devices:

The OMA DM log from the Android Company Portal logs contain all the necessary information to troubleshoot SCEP deployment issues on the devices. To get Company Portal logs from an Android device, follow these steps:

1. Open the Company Portal app.
2. Tap Menu > Help > Email Support.
3. Tap Send Email & Upload Logs.

The SCEP certificate deployment process

The following graphic demonstrates a basic overview of the SCEP communication process:

This six-step communication process forms the outline of the troubleshooting process. If you know which step that you’re experiencing a problem, select it from the following list. Otherwise, start with step 1 and review each step in order:

• Step 1: Deploy the SCEP certificate profile
• Step 2: The device gets the SCEP profile and contacts the NDES server
• Step 3: NDES forwards the request to the NDES Connector policy module
• Step 4: NDES passes the request to issue the certificate
• Step 5: The certificate is delivered to the device
• Step 6: The NDES connector reports back to Intune

Step 1: Deploy the SCEP certificate profile

---

Note As a prerequisite for SCEP certificate, you must have already deployed the root certificate through a trusted certificate profile.

In the first step, an Intune SCEP profile is deployed to a group of users.

The profile comes down as SyncML and resemble the following in the OMA DM log from the Android Company Portal Logs:

Sample OMA DM log

Troubleshooting

To verify that the SCEP profile is deployed to the device, follow these steps:

1. Go to the Intune Troubleshooting Blade in the Azure Portal, then verify the following:
   • The profile is assigned to the correct security group.
   • The user is in the targeted security group.
   • The device has successfully checked into Intune.
   The following is an example:
   
   
   
2. Get the SCEP policy ID from Azure Portal.
   
   
   
3. Search the OMA DM log for the policy ID of the SCEP profile. In the example, you can see the SCEP policy ID 39907… is found in the OMA DM log.
   ModelName=AC_51…%2FLogicalName_39907…%3BHash=-1518303401

Back to top

Step 2: The device gets the SCEP profile and contacts the NDES server

---

In the second step, the device uses the URI in the SCEP profile and contacts the IIS/NDES server. When this happens, you can find entries that resemble the following in the OMA DM log from the Android device:

2018-02-27T05:16:08.2500000    VERB    Event     com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager    18327       10    There are 1 requests
2018-02-27T05:16:08.2500000    VERB    Event     com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager    18327       10    Trying to enroll certificate request: ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787
2018-02-27T05:16:09.5530000    VERB    Event     org.jscep.transport.UrlConnectionGetTransport    18327       10    Sending GetCACaps(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:14.6440000    VERB    Event     org.jscep.transport.UrlConnectionGetTransport    18327       10    Received '200 OK' when sending GetCACaps(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:21.8220000    VERB    Event     org.jscep.message.PkiMessageEncoder    18327       10    Encoding message: org.jscep.message.PkcsReq@2b06f45f[messageData=org.spongycastle.pkcs.PKCS10CertificationRequest@699b3cd,messageType=PKCS_REQ,senderNonce=Nonce [D447AE9955E624A56A09D64E2B3AE76E],transId=251E592A777C82996C7CF96F3AAADCF996FC31FF]
2018-02-27T05:16:21.8790000    VERB    Event     org.jscep.message.PkiMessageEncoder    18327       10    Signing pkiMessage using key belonging to [dn=CN=; serial=1]
2018-02-27T05:16:21.9580000    VERB    Event     org.jscep.transaction.EnrollmentTransaction    18327       10    Sending org.spongycastle.cms.CMSSignedData@ad57775

The connection is also logged by IIS in the %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\ folder. The following is an example:

fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=ca 443 - fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 3909 0
fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 421 0

Troubleshooting

To verify that step 2 is completed successfully, open the most current log file in the %SystemDrive%\inetpub\logs\logfiles\w3svc1\ folder, then look for entries that resemble the following:

fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 3567 0

If the status code for the GET request for mscep.dll is 200, the connection with the NDES server is successful. For more information about the HTTP status code, see The HTTP status code in IIS 7 and later versions.

If the status code is 500, for example:

2017-08-08 20:22:16 IP_address GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - 10.5.14.22 profiled/1.0+CFNetwork/811.5.4+Darwin/16.6.0 - 500 0 1346 31

The issue occurs if the Impersonate a client after authentication user right isn’t assigned to the IIS_IURS group.

To fix this issue, follow these steps:

1. Open Local Security Policy by typing secpol.msc in the Run dialog box, and then press ENTER.
2. Expand Local Policies, and then click User Rights Assignment.
3. Double-click Impersonate a client after authentication in the right pane.
4. Click Add User or Group…, enter IIS_IURS in the Enter the object names to select box, and then click OK.
5. Click OK.
6. Restart the IIS/NDES server, and then try again.

If the status code is neither 200 nor 500, follow these steps:

1. Find the SCEP server URL from the SCEP certificate profile.
   
   
   
2. Open a web browser, and then browse to the SCEP server URL. The expected result is the HTTP Error 403.0 – Forbidden error.
   
   
   

If you don't receive the HTTP Error 403.0 – Forbidden error, select the error message that you receive:

Show all

I receive a general Network Device Enrollment Service message

I receive "HTTP Error 503. The service is unavailable"

I receive the "GatewayTimeout" error

I receive "HTTP 414 Request-URI Too Long"

I receive "This page can't be displayed"

I receive "500 - Internal server error"

Important Before the SCEP certificate can be successfully installed on the Android device, you must have root CA and intermediate CA certificates deployed to the device. For more information, see Missing intermediate certificate authority.

If there is a missing intermediate certificate, you receive the following errors in the OMA DM log:

org.jscep.transport.TransportException: Error connecting to server
The exception of interest was: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Back to top

Step 3: NDES forwards the request to the NDES Connector policy module

---

In step 3, NDES forwards the request to the NDES Connector policy module which validates the request.

To verify that this step is successful, check the following:

1. On the IIS/NDES server, look for entries that resemble the following in NDESPlugin.log:
    
   Calling VerifyRequest ...    NDESPlugin
   Sending request to certificate registration point.    NDESPlugin
2. Look for entries that resemble the following in CertificateRegistrationPoint.svclog:
   
   
   
3. Look for an entry that resembles the following in the IIS log:
    
   fe80::f53d:89b8:c3e8:5fec%13 POST /CertificateRegistrationSvc/Certificate/VerifyRequest - 443 - fe80::f53d:89b8:c3e8:5fec%13 NDES_Plugin - 201 0 0 341 875

Troubleshooting

• If you don’t see the expected entries in NDESPlugin.log, verify that you have performed all troubleshooting steps in Step 2: The device gets the SCEP profile and contacts the NDES server.
• Check whether you receive error 12175 in NDESplugin.log:
  WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID
  Failed to send http request /CertificateRegistrationSvc/Certificate/VerifyRequest. Error 12175
  Modern browsers and browsers on mobile devices ignore the Common Name on an SSL certificate if there are Subject Alternative Names present.
  
  To fix the issue, issue the web server SSL certificate with the following attributes for Common Name and Subject Alternative Name, and then bind it to port 443 in IIS:
  • Subject name
    CN = external server name
  • Subject Alternative name
    DNS Name= external server name
    DNS Name= internal server name
• Check whether you receive error "403.16 – Forbidden: Access is denied" in NDESPlugin.log:
  Sending request to certificate registration point.
  Verify challenge returns  
  
  The following is logged in IIS log:
  POST /CertificateRegistrationSvc/Certificate/VerifyRequest - 443 - NDES_Plugin - 403 16 2148204809 453  
  Error 403.16 means that client certificate is untrusted or invalid.
  
  This issue occurs if there are intermediate CA certificates in the NDES server's Trusted Root Certification Authorities certificate store.
  
  If a certificate has the same Issued to and Issued by values, it's a root certificate. Otherwise, it's an intermediate certificate.
  
  To fix the issue, identify and remove the intermediate CA certificates from the Trusted Root Certification Authorities certificate store.
• If you see "Verify challenge returns false" in NDESPlugin.log, check CertificateRegistrationPoint.svclog for errors. For example, you may see a "Signing certificate could not be retrieved" error that resemble the following:
   
  Signing certificate could not be retrieved. System.Security.Cryptography.CryptographicException: m_safeCertContext is an invalid handle. at System.Security.Cryptography.X509Certificates.X509Certificate.ThrowIfContextInvalid() at System.Security.Cryptography.X509Certificates.X509Certificate.GetCertHashString() at Microsoft.ConfigurationManager.CertRegPoint.CRPCertificate.RetrieveSigningCert(String certThumbprint
  To fix the issue, open Registry Editor, locate the HKLM\SOFTWARE\Microsoft\MicrosoftIntune\NDESConnector registry key, and then check whether the SigningCertificate value exists. 
  
  If this value doesn’t exist, restart the Intune Connector Service in services.msc, and then check whether the value appears in registry. If the value is still missing, it’s usually because of a network connectivity issue between the IIS/NDES server and the Intune service.

Back to top

Step 4: NDES passes the request to issue the certificate

---

In this step, NDES passes the certificate request to the certification authority (CA) and requests the certificate on behalf of the client.

To verify that this step is successful, check the following on the IIS/NDES server:

1. Look for entries that resemble the following in NDESPlugin.log:
   Verify challenge returns true
   Exiting VerifyRequest with 0x0
2. Look for entries that resemble the following in CertificateRegistrationPoint.svclog:
   
   
   

Troubleshooting

If you don’t see the entries that are listed above, follow these steps:

1. Look for problems that are logged in CertificateRegistrationPoint.svclog when the certificate registration point verifies the challenge. To do this, check the entries between the following lines:
   • VerifyRequest Started.
   • VerifyRequest Finished with status False
2. Open the Certification Authority MMC on the CA, and then select Failed Requests to see whether there are any errors. The following is an example:
   
   
   
3. Check the application event log on the CA for errors. Usually you can see errors that match those that you see in the Failed Requests in step 2. The following is an example:
   
   
   

Back to top

Step 5: The certificate is delivered to the device

---

In this step, the certificate is delivered back to the device.

If this step is successful, you will see the issued certificate on the Certification Authority as shown in the following example:

You will also see the certificate on the user’s device as shown in the following example:

• Here is the notification:
   
  
  
  
  Note If you use Samsung KNOX devices, you won’t be prompted to install certificates.
• Here is the ROOT certificate that comes down before the SCEP certificate.
  
  
  
  When you check the OMA DM log from the Android device, you can see entries that resemble the following for the installation of the root certificate:
  2018-02-27T04:50:52.1890000    INFO    Event     com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine     9595        9    Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALL_REQUESTED
  2018-02-27T04:53:31.1300000    INFO    Event     com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine     9595        0    Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING
  2018-02-27T04:53:32.0390000    INFO    Event     com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine     9595       14    Root cert '17…' state changed from CERT_INSTALLING to CERT_INSTALL_SUCCESS
• Here is the SCEP certificate that comes down to the device:
  
  
  
  
  
  
  
  
  
  When you check the OMADM log from the Android device, you can see entries that resemble the following for the installation of the SCEP certificate:
   
  2018-02-27T05:16:08.2500000    VERB    Event     com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager    18327       10    There are 1 requests
  2018-02-27T05:16:08.2500000    VERB    Event     com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager    18327       10    Trying to enroll certificate request: ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787
  2018-02-27T05:16:20.6150000    VERB    Event     org.jscep.transport.UrlConnectionGetTransport    18327       10    Sending GetCACert(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca
  2018-02-27T05:16:20.6530000    VERB    Event     org.jscep.transport.UrlConnectionGetTransport    18327       10    Received '200 OK' when sending GetCACert(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca
  2018-02-27T05:16:21.7460000    VERB    Event     org.jscep.transport.UrlConnectionGetTransport    18327       10    Sending GetCACaps(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
  2018-02-27T05:16:21.7890000    VERB    Event     org.jscep.transport.UrlConnectionGetTransport    18327       10    Received '200 OK' when sending GetCACaps(ca) to https://breezeappproxy-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
  2018-02-27T05:16:28.0340000    VERB    Event     org.jscep.transaction.EnrollmentTransaction    18327       10    Response: org.jscep.message.CertRep@3150777b[failInfo=,pkiStatus=SUCCESS,recipientNonce=Nonce [GUID],messageData=org.spongycastle.cms.CMSSignedData@27cc8998,messageType=CERT_REP,senderNonce=Nonce [GUID],transId=TRANSID]
  2018-02-27T05:16:28.2440000    INFO    Event     com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine    18327       10    SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ENROLLED to CERT_INSTALL_REQUESTED
  2018-02-27T05:18:44.9820000    INFO    Event     com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine    18327        0    SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING
  2018-02-27T05:18:45.3460000    INFO    Event     com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine    18327       14    SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALLING to CERT_ACCESS_REQUESTED
  2018-02-27T05:20:15.3520000    INFO    Event     com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine    18327       21    SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ACCESS_REQUESTED to CERT_ACCESS_GRANTED

Troubleshooting

The key to troubleshoot this step is identifying and understanding errors that are logged in the OMA DM log. Sometimes the errors are caused by an incorrect configuration.

Back to top

Step 6: The NDES connector reports back to Intune

---

In this last step, the NDES Connector reports back to Intune that the certificate has been delivered to the user’s device.

If this step is successful, you will see the following on the IIS/NDES server:

1. In NDESPlugin.log, you can see entries that resemble the following:
    
   Calling Notifyrequest ... 
   Sending request to certificate registration point. 
   Exiting Notify with 0x0
2. In CertificateRegistrationPoint.svclog, you can see entries that resemble the following:
   
   
   
3. In IIS log, you can see an entry that resembles the following for the SCEP process:
    
   fe80::f53d:89b8:c3e8:5fec%13 POST /CertificateRegistrationSvc/Certificate/Notify - 443 - fe80::f53d:89b8:c3e8:5fec%13 NDES_Plugin - 204 0 0 277 15
4. In NDESConnector.svclog, you can see entries that resemble the following:
   
5. In the %ProgramFiles%\Microsoft Intune\CertificateRequestStatus folder, you can see the Failed, Processing and Succeed folders that contain certificate request status files.
6. If the certificate request is successfully processed, you can see new files in the Succeed folder as shown in the following example:
   
   
   
   
   
   You can open one of the files to see the type of data that's uploaded to the Intune Service by the NDES Connector, such as CertificateSerialNumber, UserID, DeviceID, and Thumbprint. The following is an example:
   
   
   

In Intune in the Azure portal, you can see that the SCEP certificate profile is successfully deployed to the device.

Troubleshooting

If you don’t see any new files being created in the Succeed folder, check whether there are any files stuck in the Processing folder. 

If this is the case, verify that the Intune Connector Service is started on the IIS/NDES server, and there are no errors in Ndesconnector.svclog.

Back to top

More Information

---

If you’re still looking for a solution to a related problem, or you’re looking for more information about Intune, post a question in our Microsoft Intune forum here. Many support engineers, MVPs and members of our development team frequent the forums. So, there’s a good chance that you can find someone with the information you need.

If you want to open a support request with the Microsoft Intune product support team, you can find information on how to do that here:

How to get support for Microsoft Intune

For more information about SCEP certificate profiles in Microsoft Intune, see the following:

• Configure and use SCEP certificates with Intune
• Support Tip - How to configure NDES for SCEP certificate deployments in Intune
• Troubleshooting NDES configuration for use with Microsoft Intune certificate profiles

For all the latest news, information and tech tips, visit our official Intune blogs:

• The Microsoft Intune Support Team Blog
• The Microsoft Enterprise Mobility and Security Blog