排查 SCEP 向 Microsoft Intune 中的设备传递 SCEP 预配的证书的问题
本文提供了故障排除指南,帮助你调查使用简单证书注册协议 (SCEP) 在 Intune 中预配证书时向设备传递证书的问题。 网络设备注册服务 (NDES) 服务器从证书颁发机构 (CA) 收到请求的设备证书后,它会将该证书传回设备。
本文适用于 SCEP 通信工作流的步骤 5;将证书传送到提交证书请求的设备。
查看证书颁发机构
CA 颁发证书后,你将在 CA 上看到类似于以下示例的条目:
查看设备
Android
对于设备管理员注册的设备,你将看到类似于下图的通知,提示你安装证书:
对于 Android Enterprise 或 Samsung Knox,证书安装是自动且无提示的。
若要在 Android 上查看已安装的证书,请使用第三方证书查看应用。
还可以查看 设备 OMADM 日志。 查找类似于以下示例的条目,这些条目在安装证书时记录:
根证书:
2018-02-27T04:50:52.1890000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 9 Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALL_REQUESTED
2018-02-27T04:53:31.1300000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 0 Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING
2018-02-27T04:53:32.0390000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 14 Root cert '17…' state changed from CERT_INSTALLING to CERT_INSTALL_SUCCESS
通过 SCEP 预配的证书
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 There are 1 requests
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 Trying to enroll certificate request: ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787
2018-02-27T05:16:20.6150000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACert(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca
2018-02-27T05:16:20.6530000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACert(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca
2018-02-27T05:16:21.7460000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACaps(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:21.7890000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACaps(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:28.0340000 VERB Event org.jscep.transaction.EnrollmentTransaction 18327 10 Response: org.jscep.message.CertRep@3150777b[failInfo=<null>,pkiStatus=SUCCESS,recipientNonce=Nonce [GUID],messageData=org.spongycastle.cms.CMSSignedData@27cc8998,messageType=CERT_REP,senderNonce=Nonce [GUID],transId=TRANSID]
2018-02-27T05:16:28.2440000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 10 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ENROLLED to CERT_INSTALL_REQUESTED
2018-02-27T05:18:44.9820000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 0 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING
2018-02-27T05:18:45.3460000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 14 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALLING to CERT_ACCESS_REQUESTED
2018-02-27T05:20:15.3520000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 21 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ACCESS_REQUESTED to CERT_ACCESS_GRANTED
iOS/iPadOS
在 iOS/iPadOS 或 iPadOS 设备上,可以在“设备管理配置文件”下查看证书。 向下钻取以查看已安装证书的详细信息。
还可以在 iOS 调试日志中找到类似于以下内容的条目:
Debug 18:30:53.691033 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=SCEP%20Authority\
Debug 18:30:54.640644 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=SCEP%20Authority\
Debug 18:30:55.487908 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwGggCSABIIZfzCABgkqhkiG9w0BBwOggDCAAgEAMYIBgjCCAX4CAQAwZjBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxHDAaBgoJkiaJk/IsZAEZFgxmb3VydGhjb2ZmZWUxGDAWBgNVBAMTD0ZvdXJ0aENvZmZlZSBDQQITaAAAAAmaneVjEPlcTwAAAAAACTANBgkqhkiG9w0BAQEFAASCAQCqfsOYpuBToerQLkw/tl4tH9E+97TBTjGQN9NCjSgb78fF6edY0pNDU+PH4RB356wv3rfZi5IiNrVu5Od4k6uK4w0582ZM2n8NJFRY7KWSNHsmTIWlo/Vcr4laAtq5rw+CygaYcefptcaamkjdLj07e/Uk4KsetGo7ztPVjSEFwfRIfKv474dLDmPqp0ZwEWRQG
Debug 18:30:57.285730 -0500 profiled Adding dependent Microsoft.Profiles.MDM to parent www.windowsintune.com.SCEP.ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295 in domain ManagedProfileToManagingProfile to system\
Default 18:30:57.320616 -0500 profiled Profile \'93www.windowsintune.com.SCEP.ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295\'94 installed.\
Windows
在 Windows 设备上,验证证书是否已送达:
运行 eventvwr.msc 以打开事件查看器。 转到应用程序和服务日志>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostic-Provider>管理员并查找事件 39。 此事件的一般说明应为: SCEP:证书安装成功。
若要查看设备上的证书,请运行 certmgr.msc 以打开证书 MMC,并验证是否已在个人存储中的设备上正确安装根证书和 SCEP 证书:
- 转到 “证书 (本地计算机) >受信任的根证书颁发机构>证书”,并验证 CA 中的根证书是否存在。 “颁发给”和“颁发者”的值将相同。
- 在“证书”MMC 中,转到 “证书 - 当前用户>个人>证书”,并验证请求的证书是否存在,并且 颁发者 等于 CA 的名称。
排查失败问题
Android
若要排查证书传递问题,请查看 OMA DM 日志中记录的错误。
iOS/iPadOS
若要排查证书传递问题,请查看设备调试日志中记录的错误。
Windows
若要排查设备上未安装证书的问题,请在 Windows 事件日志中查找建议问题的错误:
- 在设备上,运行 eventvwr.msc 打开事件查看器,然后转到“应用程序和服务日志>”“Microsoft>Windows>DeviceManagement-Enterprise-Diagnostic-Provider>管理员”。
向设备传递和安装证书的错误通常与 Windows 操作有关,而不是Intune。
后续步骤
如果证书成功部署到设备,但Intune未报告成功,请参阅 NDES 报告给Intune以排查报告问题。