SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune

In order to check for a valid configuration and start enrolling certificates using ConfigMgr 2012 and Windows Intune, please validate your setup using the steps below.

Update: please consult the newer and more complete blog post:

PART 2 - SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune

Tasks to check on the NDES Server

Use the registry editor to increase the IIS default URL size limit by setting the following registry keys:

Location: HKEY_LOCAL_MACHINE\ CurrentControlSet\Services\HTTP\Parameters
Set the MaxFieldLength DWORD key to 65534 (Decimal)
Set the MaxRequestBytes DWORD key to 65534 (Decimal)

You can also download the registry file from this location or compressed from here.
image

On the same server, in Internet Information Services (IIS) Manager, modify the request-filtering settings for the /certsrv/mscep application, and then restart the server. In the Edit Request Filtering Settings dialog box, the Request Limits settings should be as follows:

  • Maximum allowed content length (Bytes): 30000000
  • Maximum URL length (Bytes): 65534
  • Maximum query string (Bytes): 65534

For more information about these settings and how to configure them, see Requests Limits in the IIS Reference Library.

clip_image002

clip_image003

Make sure to reboot the server after these changes, an IIS reset is not sufficient.

Assign the Certificate which will be used for NDES Server on Port 443 of the Default Website

clip_image004

If the port 443 does not exist, click “Add Port” instead of “Edit”

clip_image005

In case you pressed “Edit”

clip_image006

In case you pressed “Add”

clip_image007

Now open Internet Explorer and check access to

https://localhost/

clip_image008

In this case you receive a Certificate error, this is expected (remember that in the Certificate Request we have provided Netbios, FQDN and not localhost)

https://<NetbiosName>

clip_image009

">https://<FQDN>

clip_image010

On your ConfigMgr 2012 R2 server:

Create a new Site System Server if not yet part of your ConfigMgr environment

clip_image011

Provide Server name

clip_image012

You might want to provide a “Site Installation Account” if your Site Server does not have local admin rights on the target system

Select Certificate registration point as Site System Role

clip_image013

clip_image014

Add URL and Root CA Certificate. (This would be the Root CA Cert for the CA that signed the certificate that will be used for the NDES server policymodule client auth certificate)

Test if you can access the link using IE before https://<hostname>/certsrv/mscep/mscep.dll

clip_image015

clip_image016

Monitor Sitecomp.log file if the site system role installation has been started

clip_image017

On the Site Server which has been selected to be Certificate Registration Point check CRPSetup.log

clip_image018

Change the Template Name used by MSCEP to the one we have created for NDES Server.
You need to run iisreset on the NDES server for changes to be processed.

clip_image019

NDES can use 3 different templates if you want to issue different certs for different reasons.  Each registry key maps to the “Purpose:” specified on the Request Handling tab of the Certificate template:

  • “Signature and Encryption” purpose maps to the registry key GeneralPurposeTemplate
  • “Signature” purpose maps to the registry key SignatureTemplate
  • “Encryption” purpose maps to the registry key EncryptionTemplate

Note: Make sure to restart IIS (the command is “iisreset”) after changing these registry keys.

Restart the Certificate Registration Point component. Verify crpctrl.log to see if the component is running correctly

clip_image020

On the ConfigMgr Site Server check your CertMgr.log file

clip_image021

Note the entry updated CRP database user account() on … which will have caused the creation of the CRP*.cer file in Program Files\Microsoft Configuration Manager\inboxes\certmgr.box

clip_image022

This Certificate is required for Configuration Manager Policy Module installer. Copy this certificate to your NDES Server.

On the CRP server, in IIS you will now have ConfigMgr CRP Service Pool with CMCertificateRegistration application

clip_image023

Depending on what you’ve changed, do an IISReset

clip_image025

Test NDES related Weblinks which should have following results now:

https://<fqdn>/certsrv/mscep/mscep.dll
Note this 403 error is expected!

clip_image026

/CMCertificateRegistration">https://<fqdn>/CMCertificateRegistration 

If you are testing this on the local server you should get a 403.7
If you are testing this from a remote PC/server you should get a 403 (access denied)

image

Please consider leaving a reply if this post helped you.

Update: please consult the newer and more complete blog post:

PART 2 - SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune

Comments

  • Anonymous
    January 01, 2003
    Jop: Only the NDES server needs to be internet facing.You do not need a public certificate. You will deploy the root CA certificate first using ConfigMgr, afterwards the devices use SCEP to obtain certificates. Hope this clarifies!
  • Anonymous
    January 01, 2003
    Thanks for the feedback Kevin, I've changed the post according to your comment.
  • Anonymous
    March 11, 2014
    FYI, regarding the beginning of this article, where it has you fix the MaxRequestBytes and MaxFieldLength in the registry, and the equivalent in IIS. This needs to be done on the NDES server, NOT on the Certificate Registration Point (CRP) server.
  • Anonymous
    April 09, 2014
    First of all, great article! We are setting up an environment where we want to do this.
    One question though: the SCEP server should be available online (on the internet) in order for clients to be able to complete a certificate request? And the SCCM CRP need not be, am I correct in assuming that?
    If so, a public certificate is required for the SCEP service (IIS) right?

    Thanks in advance for your reply!
  • Anonymous
    April 11, 2014
    Just a double check while creating the registry keys : HKEY_LOCAL_MACHINE CurrentControlSetServicesHTTPParameters . Make sure you do not have copy/paste error in key names. Otherwise the keys wont be read.
  • Anonymous
    April 25, 2014
    I see part 2 to this blog is out now: http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune.aspx
  • Anonymous
    June 12, 2017
    Hello Pieter.Thanks for the great article.As far as I understood InTune connector modifies permissions in IIS so it throws 403 error when you try to go to https:///certsrv/mscep/mscep.dll Does this mean that it is not possible to use this NDES server for network/Linux devices with dynamic key?Thank you.