排查将 SCEP 预配的证书传送到 Microsoft Intune 中的设备的问题
本文提供故障排除指南,帮助你调查使用简单证书注册协议(SCEP)在 Intune 中预配证书时将证书传送到设备。 网络设备注册服务(NDES)服务器从证书颁发机构(CA)接收设备请求的证书后,它会将该证书传回设备。
本文适用于 SCEP 通信工作流的步骤 5;将证书传送到提交证书请求的设备。
查看证书颁发机构
CA 颁发证书后,会看到类似于 CA 上以下示例的条目:
查看设备
Android
对于设备管理员注册的设备,你将看到类似于下图的通知,这提示你安装证书:
对于 Android Enterprise 或 Samsung Knox,证书安装是自动且无提示的。
若要查看 Android 上安装的证书,请使用第三方证书查看应用。
还可以查看 设备 OMADM 日志。 查找类似于以下示例的条目,这些条目在证书安装时记录:
根证书:
2018-02-27T04:50:52.1890000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 9 Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALL_REQUESTED
2018-02-27T04:53:31.1300000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 0 Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING
2018-02-27T04:53:32.0390000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 14 Root cert '17…' state changed from CERT_INSTALLING to CERT_INSTALL_SUCCESS
通过 SCEP 预配的证书
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 There are 1 requests
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 Trying to enroll certificate request: ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787
2018-02-27T05:16:20.6150000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACert(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca
2018-02-27T05:16:20.6530000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACert(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca
2018-02-27T05:16:21.7460000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACaps(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:21.7890000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACaps(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:28.0340000 VERB Event org.jscep.transaction.EnrollmentTransaction 18327 10 Response: org.jscep.message.CertRep@3150777b[failInfo=<null>,pkiStatus=SUCCESS,recipientNonce=Nonce [GUID],messageData=org.spongycastle.cms.CMSSignedData@27cc8998,messageType=CERT_REP,senderNonce=Nonce [GUID],transId=TRANSID]
2018-02-27T05:16:28.2440000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 10 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ENROLLED to CERT_INSTALL_REQUESTED
2018-02-27T05:18:44.9820000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 0 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING
2018-02-27T05:18:45.3460000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 14 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALLING to CERT_ACCESS_REQUESTED
2018-02-27T05:20:15.3520000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 21 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ACCESS_REQUESTED to CERT_ACCESS_GRANTED
iOS/iPadOS
在 iOS/iPadOS 或 iPadOS 设备上,可以在设备管理配置文件下查看证书。 向下钻取以查看已安装证书的详细信息。
还可以在 iOS 调试日志中找到类似于以下内容的条目:
Debug 18:30:53.691033 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=SCEP%20Authority\
Debug 18:30:54.640644 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=SCEP%20Authority\
Debug 18:30:55.487908 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwGggCSABIIZfzCABgkqhkiG9w0BBwOggDCAAgEAMYIBgjCCAX4CAQAwZjBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxHDAaBgoJkiaJk/IsZAEZFgxmb3VydGhjb2ZmZWUxGDAWBgNVBAMTD0ZvdXJ0aENvZmZlZSBDQQITaAAAAAmaneVjEPlcTwAAAAAACTANBgkqhkiG9w0BAQEFAASCAQCqfsOYpuBToerQLkw/tl4tH9E+97TBTjGQN9NCjSgb78fF6edY0pNDU+PH4RB356wv3rfZi5IiNrVu5Od4k6uK4w0582ZM2n8NJFRY7KWSNHsmTIWlo/Vcr4laAtq5rw+CygaYcefptcaamkjdLj07e/Uk4KsetGo7ztPVjSEFwfRIfKv474dLDmPqp0ZwEWRQG
Debug 18:30:57.285730 -0500 profiled Adding dependent Microsoft.Profiles.MDM to parent www.windowsintune.com.SCEP.ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295 in domain ManagedProfileToManagingProfile to system\
Default 18:30:57.320616 -0500 profiled Profile \'93www.windowsintune.com.SCEP.ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295\'94 installed.\
Windows
在 Windows 设备上,验证证书是否已传递:
运行 eventvwr.msc 以打开事件查看器。 转到应用程序和服务日志>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostic-Provider>管理员并查找事件 39。 此事件应具有一般说明:SCEP: 已成功安装证书。
若要查看设备上的证书,请运行 certmgr.msc 打开证书 MMC,并验证是否已在个人存储中的设备上正确安装根证书和 SCEP 证书:
- 转到证书(本地计算机)>受信任的根证书颁发机构>证书,并验证 CA 中的根证书是否存在。 “颁发给”和“颁发者”的值将相同。
- 在证书 MMC 中,转到“证书 – 当前用户>个人>证书”,并验证请求的证书是否存在,颁发者等于 CA 的名称。
排查失败
Android
若要排查证书传送问题,请查看 OMA DM 日志中记录的错误。
iOS/iPadOS
若要排查证书传送问题,请查看设备调试日志中记录的错误。
Windows
若要排查设备上未安装证书的问题,请在 Windows 事件日志中查找建议问题的错误:
- 在设备上,运行 eventvwr.msc 以打开事件查看器,然后转到应用程序和服务日志>Microsoft>Windows>DeviceManagement-Enterprise-Diagnostic-Provider>Admin。
将证书传送和安装到设备的错误通常与 Windows 操作相关,而不是与 Intune 相关。
后续步骤
如果证书成功部署到设备,但 Intune 未报告成功,请参阅 向 Intune 报告 NDES 以排查报告问题。