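Troubleshoot delivery of SCEP-provisioned certificates to devices in Microsoft Intune
This article provides troubleshooting guidance to help you investigate the delivery of certificates to devices when you use Simple Certificate Enrollment Protocol (SCEP) to provision certificates in Intune. After the Network Device Enrollment Service (NDES) server receives the certificate requested for a device from the certification authority (CA), it passes that certificate back to the device.
This article applies to step 5 of the SCEP communication workflow: delivery of the certificate to the device that submitted the certificate request.
Review the certification authority
When the CA issues the certificate, you see an entry on the CA similar to the following example:
Review the device
Android
For devices enrolled as device administrator, you see a notification similar to the following image, which prompts you to install the certificate:
For Android Enterprise or Samsung Knox, certificate installation is automatic and silent.
To view an installed certificate on Android, use a third-party certificate viewing app.
You can also review the device's OMADM log. Look for entries similar to the following examples, which are logged when certificates install:
Root certificate: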
2018-02-27T04:50:52.1890000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 9 Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALL_REQUESTED
2018-02-27T04:53:31.1300000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 0 Root cert '17…' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING
2018-02-27T04:53:32.0390000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeRootCertInstallStateMachine 9595 14 Root cert '17…' state changed from CERT_INSTALLING to CERT_INSTALL_SUCCESS
Certificate provisioned through SCEP:
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 There are 1 requests
2018-02-27T05:16:08.2500000 VERB Event com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager 18327 10 Trying to enroll certificate request: ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787
2018-02-27T05:16:20.6150000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACert(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca
2018-02-27T05:16:20.6530000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACert(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca
2018-02-27T05:16:21.7460000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Sending GetCACaps(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:21.7890000 VERB Event org.jscep.transport.UrlConnectionGetTransport 18327 10 Received '200 OK' when sending GetCACaps(ca) to https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:28.0340000 VERB Event org.jscep.transaction.EnrollmentTransaction 18327 10 Response: org.jscep.message.CertRep@3150777b[failInfo=<null>,pkiStatus=SUCCESS,recipientNonce=Nonce [GUID],messageData=org.spongycastle.cms.CMSSignedData@27cc8998,messageType=CERT_REP,senderNonce=Nonce [GUID],transId=TRANSID]
2018-02-27T05:16:28.2440000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 10 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ENROLLED to CERT_INSTALL_REQUESTED
2018-02-27T05:18:44.9820000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 0 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALL_REQUESTED to CERT_INSTALLING
2018-02-27T05:18:45.3460000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 14 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_INSTALLING to CERT_ACCESS_REQUESTED
2018-02-27T05:20:15.3520000 INFO Event com.microsoft.omadm.platforms.android.certmgr.state.NativeScepCertInstallStateMachine 18327 21 SCEP cert 'ModelName=AC_51…%2FLogicalName_39907…;Hash=1677525787' state changed from CERT_ACCESS_REQUESTED to CERT_ACCESS_GRANTED
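The state transitions in the OMADM excerpts above can be checked mechanically. This added example (not part of the original article or of Intune) rebuilds each certificate's state path from the log and lists certificates that never reached the last state shown in the article's successful samples. Treating CERT_INSTALL_SUCCESS and CERT_ACCESS_GRANTED as terminal is an assumption, and the sample log and certificate names are constructed.

```python
import re

# One transition line as written by the Root/SCEP cert install state machines.
TRANSITION = re.compile(
    r"^\S+\s+\w+\s+Event\s+\S+StateMachine\s+\d+\s+\d+\s+"
    r"(?P<kind>Root|SCEP) cert '(?P<cert>[^']*)' state changed "
    r"from (?P<src>\w+) to (?P<dst>\w+)"
)
# Assumption: the last state in the article's successful samples is terminal.
DONE = {"Root": "CERT_INSTALL_SUCCESS", "SCEP": "CERT_ACCESS_GRANTED"}

def summarize(lines):
    """Map (kind, cert) -> {"path": [states...], "delivered": bool}."""
    certs = {}
    # Transport and enrollment lines carry no state change and do not match.
    for m in filter(None, map(TRANSITION.match, lines)):
        entry = certs.setdefault((m["kind"], m["cert"]), {"path": [m["src"]]})
        if m["dst"] != entry["path"][-1]:  # ignore re-logged, unchanged state
            entry["path"].append(m["dst"])
    for (kind, _), entry in certs.items():
        entry["delivered"] = entry["path"][-1] == DONE[kind]
    return certs

def undelivered(lines):
    """Return {cert: last state} for certificates that stalled before DONE."""
    return {cert: e["path"][-1]
            for (_, cert), e in summarize(lines).items() if not e["delivered"]}

def sample_log():
    """Constructed log in the article's format; cert names are placeholders."""
    pkg = "com.microsoft.omadm.platforms.android.certmgr.state.Native"
    steps = [
        ("Root", "ROOT-A", "CERT_INSTALL_REQUESTED", "CERT_INSTALLING"),
        ("Root", "ROOT-A", "CERT_INSTALLING", "CERT_INSTALL_SUCCESS"),
        ("SCEP", "SCEP-A", "CERT_ENROLLED", "CERT_INSTALL_REQUESTED"),
        ("SCEP", "SCEP-A", "CERT_INSTALL_REQUESTED", "CERT_INSTALLING"),
        ("SCEP", "SCEP-A", "CERT_INSTALLING", "CERT_ACCESS_REQUESTED"),
        ("SCEP", "SCEP-A", "CERT_ACCESS_REQUESTED", "CERT_ACCESS_GRANTED"),
        ("SCEP", "SCEP-B", "CERT_ENROLLED", "CERT_INSTALL_REQUESTED"),  # stalls
    ]
    return [
        f"2018-02-27T05:1{i}:00.0000000 INFO Event {pkg}{k.title()}CertInstallStateMachine "
        f"18327 10 {k} cert '{c}' state changed from {s} to {d}"
        for i, (k, c, s, d) in enumerate(steps)
    ]

if __name__ == "__main__":
    print(undelivered(sample_log()))
```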
iOS/iPadOS
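On an iOS/iPadOS device, you can view the certificate under the Device Management profile. Drill down to see details for installed certificates.
You can also find entries similar to the following in the iOS debug log: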
Debug 18:30:53.691033 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=SCEP%20Authority
Debug 18:30:54.640644 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=SCEP%20Authority
Debug 18:30:55.487908 -0500 profiled Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgMFADCABgkqhkiG9w0BBwGggCSABIIZfzCABgkqhkiG9w0BBwOggDCAAgEAMYIBgjCCAX4CAQAwZjBPMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxHDAaBgoJkiaJk/IsZAEZFgxmb3VydGhjb2ZmZWUxGDAWBgNVBAMTD0ZvdXJ0aENvZmZlZSBDQQITaAAAAAmaneVjEPlcTwAAAAAACTANBgkqhkiG9w0BAQEFAASCAQCqfsOYpuBToerQLkw/tl4tH9E+97TBTjGQN9NCjSgb78fF6edY0pNDU+PH4RB356wv3rfZi5IiNrVu5Od4k6uK4w0582ZM2n8NJFRY7KWSNHsmTIWlo/Vcr4laAtq5rw+CygaYcefptcaamkjdLj07e/Uk4KsetGo7ztPVjSEFwfRIfKv474dLDmPqp0ZwEWRQG
Debug 18:30:57.285730 -0500 profiled Adding dependent Microsoft.Profiles.MDM to parent www.windowsintune.com.SCEP.ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295 in domain ManagedProfileToManagingProfile to system
Default 18:30:57.320616 -0500 profiled Profile “www.windowsintune.com.SCEP.ModelName=AC_51bad41f.../LogicalName_1892fe4c...;Hash=-912418295” installed.
Windows
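On a Windows device, verify that the certificate was delivered:
Run eventvwr.msc to open Event Viewer. Go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin and look for Event 39. This event should have the general description: SCEP: Certificate installed successfully.
To view the certificate on the device, run certmgr.msc to open the Certificates MMC, and verify that the root and SCEP certificates are installed correctly on the device in the personal store:
- Go to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates, and verify that the root certificate from your CA is present. The values for Issued To and Issued By will be the same.
- In the Certificates MMC, go to Certificates – Current User > Personal > Certificates, and verify that the requested certificate is present and that Issued By equals the name of the CA.
Troubleshoot failures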
Android
To troubleshoot certificate delivery, review the errors logged in the OMA DM log.
iOS/iPadOS
To troubleshoot certificate delivery, review the errors logged in the device's debug log.
Windows
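To troubleshoot problems where the certificate isn't installed on the device, look in the Windows event log for errors that suggest a problem:
- On the device, run eventvwr.msc to open Event Viewer, and then go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.
Errors in delivering the certificate to the device and installing it are typically related to Windows operations, not to Intune.
Next steps
If the certificate deploys successfully to the device but Intune doesn't report success, see NDES reporting to Intune to troubleshoot reporting.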