This article gives two methods to help resolve when a Simple Certificate Enrollment Protocol (SCEP) certificate request fails during verification.
Symptoms
The SCEP certificate request fails during the verification phase on the certificate registration point (CRP). Therefore, Android and iOS devices do not receive SCEP certificates even though NDES is configured.
Additionally, you see error entries in CRP logs.
The default log file location is:
C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs\CertificateRegistrationPoint_xx_xx.svclog
Three log entries report a Cryptography Exception error. The entries are reproduced below.
First error entry
<Source Name="CertificateRegistrationPoint" />
Cryptography Exception: System.Security.Cryptography.CryptographicException: m_safeCertContext is an invalid handle.
at System.Security.Cryptography.X509Certificates.X509Certificate.ThrowIfContextInvalid()
at System.Security.Cryptography.X509Certificates.X509Certificate.SetThumbprint()
at System.Security.Cryptography.X509Certificates.X509Certificate.GetCertHashString()
at Microsoft.ConfigurationManager.CertRegPoint.Helper.ValidateChallenge(String base64Encodedtoken, X509Certificate2Collection encryptedCerts, X509Certificate2 SigningCert, String& decodedChallengePassword)
Second error entry
Cryptography Exception: System.Security.Cryptography.CryptographicException: m_safeCertContext is an invalid handle.
at System.Security.Cryptography.X509Certificates.X509Certificate.ThrowIfContextInvalid()
at System.Security.Cryptography.X509Certificates.X509Certificate.SetThumbprint()
at System.Security.Cryptography.X509Certificates.X509Certificate.GetCertHashString()
at Microsoft.ConfigurationManager.CertRegPoint.Helper.ValidateChallenge(String base64Encodedtoken, X509Certificate2Collection encryptedCerts, X509Certificate2 SigningCert, String& decodedChallengePassword)
at Microsoft.ConfigurationManager.CertRegPoint.ChallengeValidation.ValidationPhase1(VerifyChallengeParams value, String& decodedChallenge, PKCSDecodedObject& pkcsObj)
Third error entry
Cryptography Exception: System.Security.Cryptography.CryptographicException: m_safeCertContext is an invalid handle.
at System.Security.Cryptography.X509Certificates.X509Certificate.ThrowIfContextInvalid()
at System.Security.Cryptography.X509Certificates.X509Certificate.SetThumbprint()
at System.Security.Cryptography.X509Certificates.X509Certificate.GetCertHashString()
at Microsoft.ConfigurationManager.CertRegPoint.Helper.ValidateChallenge(String base64Encodedtoken, X509Certificate2Collection encryptedCerts, X509Certificate2 SigningCert, String& decodedChallengePassword)
at Microsoft.ConfigurationManager.CertRegPoint.ChallengeValidation.ValidationPhase1(VerifyChallengeParams value, String& decodedChallenge, PKCSDecodedObject& pkcsObj)
at Microsoft.ConfigurationManager.CertRegPoint.Controllers.CertificateController.VerifyRequest(VerifyChallengeParams value)
Cause
This issue occurs because the registry keys that are responsible for verification of the certificate request are missing from the NDES connector registry settings.
Solution 1
Complete these steps to restart the Intune Connector Service:
1. On the server where the connector is installed, open the Services snap-in. To do this, open the Start menu, enter services.msc, and then select Services from the results list.
2. In the Services snap-in, restart the Intune Connector Service.
3. Check the HKLM\Software\Microsoft\MicrosoftIntune\NDESConnector registry subkey to verify that the registry keys were created.
If restarting the service or the computer does not fix the issue, continue to Solution 2.
Solution 2
Complete these steps to clear and reset the template name:
1. On the NDES computer, open the registry and locate the following subkey:
HKEY_LOCAL_Machine\Software\Microsoft\Cryptography\MSCEP
2. Change the template values to the default (IPSECIntermediateOffline), and restart the server.
3. After the server restarts, check the HKEY_LOCAL_Machine\Software\Microsoft\MicrosoftIntune\NDESConnector subkey. You should now see the signing certificates.
4. After the keys are created, change the template name under HKEY_LOCAL_Machine\Software\Microsoft\Cryptography\MSCEP back to the custom template name that was created for SCEP and NDES.
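The following PowerShell helpers are an added example, not part of this article, that script the checks and registry changes in Solution 1 and Solution 2: restart the connector service, list what the NDESConnector subkey currently contains, back up the three NDES template values, reset them to IPSECIntermediateOffline, and restore the custom template names afterwards. It assumes the standard NDES value names EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate under the MSCEP subkey, a backup file path of your choosing, and an elevated session on the NDES server; the server restart between the reset and the restore is left to you.

```powershell
# Added example (not from the original article). Run elevated on the NDES server.
$MscepKey     = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$ConnectorKey = 'HKLM:\SOFTWARE\Microsoft\MicrosoftIntune\NDESConnector'
# Standard NDES template value names (assumed; they are not named in the article).
$TemplateValues  = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'
$DefaultTemplate = 'IPSECIntermediateOffline'
$BackupFile      = Join-Path $env:TEMP 'mscep-templates.json'   # chosen path

# Solution 1, step 2: restart the connector service by its display name.
function Restart-IntuneConnector {
    Restart-Service -DisplayName 'Intune Connector Service' -ErrorAction Stop
}

# Solution 1, step 3 / Solution 2, step 3: show whether the NDESConnector
# subkey exists and list every value it holds (excluding PowerShell's PS* noise).
function Test-NdesConnectorKey {
    if (-not (Test-Path $ConnectorKey)) { Write-Warning "$ConnectorKey is missing"; return $false }
    $props = Get-ItemProperty -Path $ConnectorKey
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '{0} = {1}' -f $_.Name, $_.Value }
    return $true
}

# Read the three MSCEP template values into a hashtable.
function Get-NdesTemplateNames {
    $props = Get-ItemProperty -Path $MscepKey -ErrorAction Stop
    $result = @{}
    foreach ($name in $TemplateValues) { $result[$name] = $props.$name }
    return $result
}

function Set-NdesTemplateNames { param([hashtable]$Names)
    foreach ($name in $TemplateValues) {
        Set-ItemProperty -Path $MscepKey -Name $name -Value $Names[$name] -Type String
    }
}

# Solution 2, step 2: save the custom names, then reset all three to the default.
function Reset-NdesTemplateNames {
    Get-NdesTemplateNames | ConvertTo-Json | Set-Content -Path $BackupFile
    $defaults = @{}
    foreach ($name in $TemplateValues) { $defaults[$name] = $DefaultTemplate }
    Set-NdesTemplateNames -Names $defaults
}

# Solution 2, step 4: put the custom template names back from the backup file.
function Restore-NdesTemplateNames {
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    $names = @{}
    foreach ($name in $TemplateValues) { $names[$name] = $saved.$name }
    Set-NdesTemplateNames -Names $names
}
```

Dot-source the file, run Reset-NdesTemplateNames, restart the server, confirm with Test-NdesConnectorKey that the connector values now appear, and only then run Restore-NdesTemplateNames.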