Issue with Windows device reaching SCEP server #238

Open
alamr-JNPR opened this issue Nov 20, 2024 · 11 comments

Comments

@alamr-JNPR

Hello everyone,

I want to push a SCEP profile created through Microsoft Intune to a Windows device. The URL that I want to use in the SCEP profile is of a public endpoint of our cloud hosted SCEP Service. It does not have the NDES server role.
Currently, I am seeing this error log in the Event Viewer where it seems like the device is not being able to send a request to the public endpoint of our SCEP service:

SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server '{public url of our SCEP server}', CA cert thumbprint '{some_id}' and server certs".LogError 0x80190194

Given that our SCEP server is not an NDES server, are you aware how I can tackle this issue and successfully have the Windows device send a request to the server?

Any help/tip is appreciated.

@jessepeterson (Member)

What are the server side logs showing? In a Google search result it seems like 0x80190194 might possibly be the error code for an HTTP 404 error? Perhaps it's not reaching the SCEP server?

@alamr-JNPR (Author)

> What are the server side logs showing? In a Google search result it seems like 0x80190194 might possibly be the error code for an HTTP 404 error? Perhaps it's not reaching the SCEP server?

Yep, it's not reaching out to the server even though the URL I provided when creating the SCEP profile is public and reachable otherwise. "Failed to Initialize SCEP enrollment with NDES Server" and a bunch of Microsoft Intune related articles make me think it's not able to reach the URL because my SCEP server is not an NDES server.

@nchinnannava-JNPR

Intune managed devices can get certificates only via an NDES server? How to integrate it with any third-party CA that has its own SCEP server (say the micromdm server itself) and can do CSR validations with Intune before signing the certificate. Can't we do this?

@hslatman (Contributor)

hslatman commented Nov 26, 2024

@nchinnannava-JNPR it is possible to integrate with third party CAs, and it doesn't require the NDES (admin). The third party CA has to call Intune APIs to verify the incoming SCEP certificate request. Microsoft has this documented here: https://learn.microsoft.com/en-us/mem/intune/protect/certificate-authority-add-scep-overview. This is how we do it at Smallstep, and there are quite a few other CAs supporting it. But that flow only works if the SCEP client manages to connect to the SCEP server, which I think @alamr-JNPR is saying doesn't happen. The error message may be a red herring, as NDES is generally "just SCEP", but with a password obtained through an NDES administrator, which isn't how the flow works with Intune as the MDM in the picture.

@nchinnannava-JNPR

@hslatman Thanks for the information. I understand this point. When you say it is integrated with Smallstep: does Smallstep have the same SCEP server as micromdm ( http://127.0.0.1:2016/scep ) and does the integration work with Intune-managed devices? Or do we need to enhance or add an extra capability (such as NDES) to make this server handle managed devices? I think @alamr-JNPR is facing this profile installation issue where we used https://127.0.0.1:2016/scep (the micromdm server URL).

SCEPInstallCertificateWithScepHelper:Failed to Initialize SCEP enrollment with NDES Server 'https://8acb-165-225-242-190.ngrok-free.app/pkiclient.exe', CA cert thumbprint '7646132FDAC7F9BD6AE6DAEBA5CA236AC84ED16E' and server certs".LogError 0x80190194

@alamr-JNPR Can you please confirm the above error when you try to install the profile?

The server URL is something like https://8acb-165-225-242-190.ngrok-free.app/scep

But in the error, it is showing as NDES Server 'https://8acb-165-225-242-190.ngrok-free.app/pkiclient.exe'.

@hslatman (Contributor)

hslatman commented Nov 26, 2024

@nchinnannava-JNPR the MicroMDM SCEP server doesn't integrate with Intune itself. That requires customization, and would have to follow the description on the Microsoft documentation. Our implementation is a custom SCEP server that does have support for that Intune integration, and it works with devices managed by Intune.

You generally don't need to add NDES support, which is more of a Microsoft ADCS specific functionality and generally only needed for semi-automated requests. With Intune as the MDM, SCEP requests will be fully automated, and will have to use the Intune integration to verify the incoming request.

@nchinnannava-JNPR

Yes. My question was more on whether we needed to have NDES support, and I got the answer. Thank you so much.

I understand that we need to have the backend logic at the SCEP server to verify the CSR with Intune (account linking with the tenant ID with the SCEP Challenge Provider access) and we have kind of figured out these flows.

As a first step, to try out something, we wanted to get the requests from Intune-managed client devices to the micromdm server (running locally, but reachable using ngrok). We installed the SCEP profile from Intune. But we got stuck with the above-mentioned error during profile installation. Maybe we are using Windows and some settings we are missing? And we need to try with macOS?

As you mentioned, the micromdm server (URL of type https://8acb-165-225-242-190.ngrok-free.app/scep) as it is now and without NDES support, should get the request from Intune managed devices provided we install the profile correctly, right?

@hslatman (Contributor)

There are a few possibilities for the Windows SCEP client to not be able to reach your server. It's possible that it doesn't trust the server certificate, but I believe ngrok will provide you with a TLS certificate from Let's Encrypt, so I doubt it's that. It's also possible your SCEP server returns an unexpected CA certificate, and the Windows client reports a mismatch between what it receives and the CA fingerprint configured in the profile. Another option could be that the Windows client sets a path (i.e. pkiclient.exe) that isn't captured by your SCEP server's route handler. You should be able to debug that using some request/response handler middleware with logging capabilities.
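As an added example (not code from MicroMDM, Smallstep or anyone in this thread), the following Go program shows the two checks suggested above: a logging wrapper around the SCEP handler that records the exact path and `operation` each device requests, with a route check that accepts both the configured base path and an assumed `<base>/pkiclient.exe` form, plus a helper that computes the SHA-1 thumbprint of a DER-encoded CA certificate in the upper-case form Windows displays, for comparison with the thumbprint in the Intune profile. The listen address, the placeholder backend and the `pkiclient.exe` suffix rule are assumptions for this example.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"log"
	"net/http"
	"strings"
)

// caThumbprint returns the SHA-1 fingerprint of a DER-encoded certificate as
// upper-case hex, the form Windows shows as a "thumbprint" in the SCEP profile.
func caThumbprint(der []byte) string {
	sum := sha1.Sum(der)
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// isSCEPPath accepts the bare base path and, assumed from the error text in
// this thread, the NDES-style "<base>/pkiclient.exe" form a Windows client sends.
func isSCEPPath(base, path string) bool {
	base = strings.TrimSuffix(base, "/")
	p := strings.TrimSuffix(path, "/")
	return p == base || p == base+"/pkiclient.exe"
}

// scepRouter logs every request (method, path, SCEP operation, client) so the
// URL the device really calls is visible, then forwards recognised paths to
// backend and answers 404 for anything else.
func scepRouter(base string, backend http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		log.Printf("scep: %s %s operation=%q from=%s",
			r.Method, r.URL.Path, r.URL.Query().Get("operation"), r.RemoteAddr)
		if !isSCEPPath(base, r.URL.Path) {
			http.NotFound(w, r)
			return
		}
		backend.ServeHTTP(w, r)
	})
}

func main() {
	// Placeholder backend for this example; a real deployment mounts the SCEP
	// server's own handler here (e.g. the MicroMDM SCEP handler on /scep).
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, "SCEP backend not configured", http.StatusNotImplemented)
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:2016", scepRouter("/scep", backend)))
}
```

If the logged path differs from the assumed form, adjust `isSCEPPath` to what the log shows; a request that never appears in the log did not reach the server at all, which points at TLS trust or connectivity rather than routing.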

@nchinnannava-JNPR

Thank you for the suggestions. It could be something related to the CA certificate and their fingerprints. We will try to debug on that front and involve the Microsoft Intune team. Hopefully, we will get some help. Also, I doubt the other two possible scenarios, as for any request sent to the ngrok URL we will see the packet received information. However, we did not see any packet being sent from the device.

@nchinnannava-JNPR

Also, I wanted to ask whether Smallstep uses Microsoft-provided resource access packages to validate the CSR, or has its own implementation in Golang? The one below provides client packages in C# and Java.

https://github.com/Microsoft/Intune-Resource-Access/tree/develop/src/CsrValidation

@hslatman (Contributor)

> Also, I wanted to ask whether Smallstep uses Microsoft-provided resource access packages to validate the CSR, or has its own implementation in Golang? The one below provides client packages in C# and Java.
>
> https://github.com/Microsoft/Intune-Resource-Access/tree/develop/src/CsrValidation

Yes, in our product the CSR is validated against the Intune API (using Golang), similar to what's available in the code/examples at that link.
