Troubleshooting Intune HTTP SCEP errors just got easier with Joy - #5 (2023)

Welcome to part 5 of the series Intune PKI made easy with Joy.

Today's post is about the various Intune SCEP HTTP errors you may encounter when working with Intune SCEP certificate deployments - how to identify their likely causes to help troubleshoot faster and ensure less downtime.

Disclaimer: The Intune SCEP HTTP root causes listed in this article are based solely on experience dealing with production environments and may not match the order in which MS lists them in their Troubleshooting document.

Previous articles in this series, Intune PKI made easy with Joy:

  • Part 1 - Learn the basics of PKI
  • Part 2 - Getting to know SCEP - The general workflow
  • Part 3 - An in-depth look at Intune's SCEP PKI implementation
  • Part 4 - Intune SCEP Certificate Workflow Verification

Let us begin.

Demystifying HTTP SCEP errors in Intune

In order for an internet-connected device to send the SCEP request to NDES, the request must go through a proxy. In most configurations, Azure AD Application Proxy (recommended by Microsoft) exposes the internal NDES URL mscep.dll.

So let's start with the HTTP errors that can be caused by Azure AD Application Proxy.

Intune SCEP HTTP errors - AAD Application Proxy errors

504 Gateway Timeout

This occurs especially when the AAD Application Proxy Connector service is not in a running state or the server hosting the connector has gone down.

The startup type of the Microsoft AAD Application Proxy Connector service is set to Automatic (Delayed Start) by default.

So if the server went through a restart cycle recently, be sure to check whether the connector service has started or not.

502 Bad Gateway

This mainly occurs due to a typo in the Internal URL when creating/configuring the App Proxy application in Azure: the connector cannot resolve the internal URL, which leads to the error.

This page cannot be displayed / This page cannot be accessed

Occurs due to incorrect Application Proxy configuration when publishing the SCEP URL.

If you want to use your custom verified domain in Azure as the mscep URL domain instead of the default msappproxy.net domain, you need a CNAME record created at the DNS provider for the custom domain to map the requests.

By default, Azure App Proxy requires no additional configuration to use the default -.msappproxy.net domain. If you choose to use a custom domain instead of the default -.msappproxy.net domain, you also need to provide an SSL certificate.

In this case I went with the default configuration to save myself the extra work, but I still got the error. Generating a Diagnose report for the App Proxy app in Azure reveals the source of the error.

When configuring the App Proxy application, I had the Pre-authentication set to Azure Active Directory.

For NDES, the Pre-authentication setting of the AAD App Proxy app in Azure must be set to Passthrough, as no real AAD users will be accessing the app.

As long as we're good on the proxy side and the AAD App Proxy can forward external requests to the internal NDES MSCEP URL, the HTTP errors we encounter from here on depend on the physical infrastructure settings (NDES and PKI).

Intune HTTP SCEP Error - Configuration Issues

Intune SCEP HTTP Error 500 - Internal Server Error

There can be multiple causes for this particular error and you need to check multiple things to narrow down the actual cause.

NDES service account permissions/rights issue

The SCEP pool in IIS runs under the identity of the NDES service account.

You need to check and make sure that the NDES service account

  • is not in a locked-out state,
  • has a password that is not expired,
  • is a member of the local IIS_IUSRS group on the NDES box (make sure no GPO changes the group membership),
  • belongs to an IIS_IUSRS group that is assigned the Impersonate a client after authentication user right (by default the right is present unless changed),
  • has Read permission on the private keys of the MSCEP RA certificates.

If the above conditions are not met, you will receive Intune SCEP HTTP Error 500 - Internal Server Error.
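The checklist above, run from the NDES box as an added example (not code from the original post). It assumes the RSAT ActiveDirectory and LocalAccounts modules are available, that the RA certificates carry the default MSCEP-RA subject, and that the account is passed as DOMAIN\name (the CONTOSO\svc-ndes value is a hypothetical placeholder).

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module and the LocalAccounts module are available on the NDES box, and that the RA
# certificates carry the default '<host>-MSCEP-RA' subject. Key ACLs are checked for
# a direct ACE on the account only (access granted via IIS_IUSRS is not resolved).
function Test-NdesServiceAccount {
    param([Parameter(Mandatory)][string]$Account)   # 'DOMAIN\svc-ndes' (hypothetical)

    $sam  = ($Account -split '\\')[-1]
    $user = Get-ADUser -Identity $sam -Properties Enabled, LockedOut, PasswordExpired
    $result = [ordered]@{
        AccountEnabled     = [bool]$user.Enabled
        NotLockedOut       = -not $user.LockedOut
        PasswordNotExpired = -not $user.PasswordExpired
    }

    # Local IIS_IUSRS membership; member names come back as DOMAIN\user
    $members = Get-LocalGroupMember -Group 'IIS_IUSRS' | Select-Object -ExpandProperty Name
    $result.MemberOfIisIusrs = [bool]($members -contains $Account)

    # 'Impersonate a client after authentication' is SeImpersonatePrivilege; IIS_IUSRS is S-1-5-32-568
    $inf = Join-Path $env:TEMP 'ndes-userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $inf -Pattern '^SeImpersonatePrivilege' | Select-Object -First 1
    $result.IisIusrsCanImpersonate = [bool]($line -and $line.Line -match 'S-1-5-32-568')
    Remove-Item $inf -ErrorAction SilentlyContinue

    # Read access on the RA certificates' private key files (CAPI and CNG key stores)
    $keyDirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
               "$env:ProgramData\Microsoft\Crypto\Keys"
    $raCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*MSCEP-RA*' }
    foreach ($cert in $raCerts) {
        $keyName = $null
        if ($cert.PrivateKey) {                                   # CAPI key
            $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        } else {                                                  # CNG key
            try {
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) { $keyName = $rsa.Key.UniqueName }
            } catch { $keyName = $null }
        }
        $canRead = $false
        $keyFile = if ($keyName) { $keyDirs | ForEach-Object { Join-Path $_ $keyName } | Where-Object { Test-Path $_ } | Select-Object -First 1 }
        if ($keyFile) {
            $canRead = [bool]((Get-Acl $keyFile).Access | Where-Object {
                $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) })
        }
        $result["ReadKey_$($cert.Thumbprint.Substring(0, 8))"] = $canRead
    }
    [pscustomobject]$result
}

Test-NdesServiceAccount -Account 'CONTOSO\svc-ndes' | Format-List
```

Any False in the output points at the list item above that is failing; a missing ReadKey_ row means no MSCEP-RA certificate was found in the machine store at all.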

MSCEP RA certificates have expired (or been deleted or revoked)

Starting the NDES service depends on the MSCEP RA certificates. [More details on the NDES service startup sequence are discussed later in this post.]

If the certificates are expired, deleted, or revoked by the issuing CA for any reason, the NDES service fails to start, resulting in Intune SCEP HTTP Error 500 - Internal Server Error.


CRP in IIS has Windows Authentication set to On

Make sure that CertificateRegistrationSvc in IIS [CRP] has Windows Authentication set to Disabled.

When it is set to Enabled, as shown in the snapshot above, it can result in Intune SCEP HTTP Error 500 - Internal Server Error.

Note! This particular configuration can also result in HTTP Error 503 - Service Unavailable.

Like the /certsrv/mscep application in the SCEP pool, the IIS authentication settings for CRP must also be:

  • Anonymous authentication = Enabled
  • Windows authentication = Disabled
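The two authentication settings above for both applications, read and optionally corrected with the WebAdministration module, as an added example (not code from the original post). It assumes both applications are hosted under the Default Web Site, the standard NDES and Intune connector layout.

```powershell
# Added example, not code from the original post. Reads (and optionally fixes) the IIS
# authentication settings that the CRP and mscep applications need. Assumes both
# applications live under 'Default Web Site'. The settings are written at the
# applicationHost level with a location tag, because the authentication sections
# are locked for web.config by default.
Import-Module WebAdministration

$apps = 'Default Web Site/CertificateRegistrationSvc', 'Default Web Site/certsrv/mscep'
$sections = @{
    anonymousAuthentication = $true    # must be Enabled
    windowsAuthentication   = $false   # must be Disabled
}

function Get-NdesAuthState {
    foreach ($app in $apps) {
        foreach ($section in $sections.Keys) {
            $enabled = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $app `
                -Filter "system.webServer/security/authentication/$section" -Name enabled
            [pscustomobject]@{
                Application = $app
                Setting     = $section
                Enabled     = [bool]$enabled.Value
                Expected    = $sections[$section]
                Ok          = ([bool]$enabled.Value -eq $sections[$section])
            }
        }
    }
}

function Repair-NdesAuthState {
    # Only touch the rows that deviate from the expected values
    Get-NdesAuthState | Where-Object { -not $_.Ok } | ForEach-Object {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $_.Application `
            -Filter "system.webServer/security/authentication/$($_.Setting)" -Name enabled -Value $_.Expected
    }
}

Get-NdesAuthState | Format-Table -AutoSize
# Repair-NdesAuthState; iisreset    # uncomment to apply the expected values and recycle IIS
```
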
The issuing CA is offline or unreachable from NDES

One of the most notable causes of Intune SCEP HTTP Error 500 - Internal Server Error.

Network configuration changes made by the network/firewall/proxy team can cause the issuing CA to become unreachable or unavailable from the NDES box, leading to the error. The corresponding error events are shown below.

Event source: Windows Logs > Application > NetworkDeviceEnrollmentService

  • Event ID 8 - The Network Device Enrollment Service cannot obtain information about the Certificate Authority (0x80004005). Unspecified error
  • Event ID 2 - The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

You can use the certutil command on the NDES server to check CA availability. You should expect output like the one below if the issuing certificate authority cannot be reached or is not available from the NDES box.

PS C:\Windows\system32> certutil -config - -ping
WIN-2CQQDB9STE6.joymalya.xyz\joymalya-WIN-2CQQDB9STE6-CA
Connecting to WIN-2CQQDB9STE6.joymalya.xyz\joymalya-WIN-2CQQDB9STE6-CA ...
Cannot reach server: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (32ms)
CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.

The same can be checked using another tool called pkiview.msc.

Once in a while, in a layered PKI setup, the issuing CA server turns out to be online, but the issuing CA's Certificate Services fail to start after a server restart [for legitimate reasons] because the root CA's CRL has expired.

Consider the classic example below, where a normal ping to my CA server returns a response, meaning it's online and available, but a certutil ping to the same CA server says otherwise.

PS C:\Windows\system32> ping WIN-2CQQDB9STE6.joymalya.xyz
Pinging WIN-2CQQDB9STE6.joymalya.xyz [10.0.0.20] with 32 bytes of data:
Reply from 10.0.0.20: bytes=32 time<1ms TTL=128
Reply from 10.0.0.20: bytes=32 time=1ms TTL=128
Reply from 10.0.0.20: bytes=32 time=1ms TTL=128
Reply from 10.0.0.20: bytes=32 time=1ms TTL=128
Ping statistics for 10.0.0.20:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
PS C:\Windows\system32> certutil -ping WIN-2CQQDB9STE6.joymalya.xyz
Connecting to WIN-2CQQDB9STE6.joymalya.xyz ...
Cannot reach server: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE) -- (32ms)
CertUtil: -ping command FAILED: 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
CertUtil: The RPC server is unavailable.

This can happen in a layered PKI infrastructure where the root CA is mostly offline and its CRL has expired. If the issuing CA is rebooted for some reason, its Certificate Services fail to start because the verification process cannot obtain the root CA's CRL to validate the issuing CA's own certificate chain.

Resolving the issue may require involvement of the network team and/or the ADCS team as this is generally outside the scope of Intune.

NDES cannot get CRL from CDP

This is the other most common cause of Intune SCEP HTTP Error 500 - Internal Server Error.

This happens when the NDES box cannot retrieve the Certificate Revocation List (CRL) that is required to start the NDES service.

Remember that NDES is implemented as an ISAPI extension in IIS, so you won't see NDES as a service when you check services.msc. Instead, the service runs inside w3wp.exe, an IIS worker process.

In order for the SCEP pool to run in IIS, the NDES service must first start successfully. The checklist for starting the NDES service follows from this.

In a few words, the NDES service startup sequence is:

  • Locate the RA certificates in the machine's certificate store - X509 Objects
  • Acquire the private keys - CryptAcquireCertificatePrivateKey
  • Build the certificate chain - CertGetCertificateChainStart
  • Check revocation status - CertVerifyRevocationStart

When all the steps complete successfully, the NDES service starts and you get success events as below:

Event source: Windows Logs > Application > NetworkDeviceEnrollmentService

  • Event ID 47 - The Network Device Enrollment Service has loaded the Registration Authority (RA) key exchange certificate with serial number ###### from the "MY" store.
  • Event ID 48 - The Network Device Enrollment Service has loaded the Registration Authority (RA) signing certificate with serial number ###### from the "MY" store.
  • Event ID 1 - The Network Device Enrollment Service started successfully.

However, the NDES service cannot start if the check of the MSCEP-RA certificates fails. The error events are as follows:

Event source: Windows Logs > Application > NetworkDeviceEnrollmentService

  • Event ID 8 - The Network Device Enrollment Service cannot obtain information about the Certificate Authority (0x80004005). Unspecified error
  • Event ID 2 - The Network Device Enrollment Service cannot be started (0x80004005). Unspecified error

The above events do not necessarily mean that the MSCEP RA certificates are expired or absent (deleted); the cause could equally be an expired CRL or the NDES server being unable to retrieve the CRL, although the events do not explicitly say so.

To find the real reason the RA certificates are not loading, enable CAPI2 logging in Event Viewer [Application and Services Logs > Microsoft > Windows > CAPI2], then restart Cryptographic Services and IIS [PS command iisreset] and check the CAPI2 Operational log again.

The CAPI2 event trail for a successful startup is shown below:

  • Event ID 90 - X509 Objects - loads the RA certificate
  • Event ID 70 - Acquire Certificate Private Key - crypto function CryptAcquireCertificatePrivateKey
  • Event ID 10 - Build Chain - crypto function CertGetCertificateChainStart, starts chain building
  • Event ID 40 - Verify Revocation - crypto function CertVerifyRevocationStart, starts the revocation status check
  • Event ID 52 - Retrieve Object from Network - crypto function CryptRetrieveObjectByUrlWireStart, fetches the CRL

If the CA CRL has expired or the CRL location is offline, the error events start here:

  • Error Event ID 53 - Retrieve Object from Network - crypto function CryptRetrieveObjectByUrlWire, which reports an error when the CRL cannot be retrieved.
  • Error Event ID 42 - Reject Revocation Information - crypto function CertRejectedRevocationInfo. Here you can see that if the CRL was actually retrieved, the reason for the failure can be the action CheckTimeValidity [the retrieved CRL has expired].
  • Error Event ID 41 - Verify Revocation - crypto function CertVerifyRevocation, which reports the result of the revocation check.
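The NDES and CAPI2 events listed above, pulled into one timeline since the last boot, as an added example (not code from the original post). The detail fields are extracted from the event XML by pattern; the element names assumed for events 53, 42 and 41 (URL, Action name, Result) are an assumption about the CAPI2 schema, and the CAPI2 Operational log must already be enabled.

```powershell
# Added example, not code from the original post. Correlates the NDES startup events in
# the Application log with CAPI2 Operational failures since the last boot, so you can see
# whether RA certificate loading stopped at chain building, revocation or the CRL fetch.
# Details are pulled from the event XML by pattern; the CAPI2 element names used here
# (URL, Action name, Result) are assumed, matching the events described in the post.
function Get-NdesStartupTimeline {
    param([datetime]$Since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime)

    $ndes = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'NetworkDeviceEnrollmentService'
        Id = 1, 2, 8, 47, 48; StartTime = $Since }

    # CAPI2 Operational must be enabled first: wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
    $capi2 = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 41, 42, 53; StartTime = $Since }

    $events = (@($ndes) + @($capi2)) | Where-Object { $_ }
    $rows = foreach ($e in $events) {
        $xml = $e.ToXml()
        $detail = switch ($e.Id) {
            53 { [regex]::Match($xml, '<URL[^>]*>([^<]+)</URL>').Groups[1].Value }         # CDP URL that failed
            42 { [regex]::Match($xml, 'Action name="([^"]+)"').Groups[1].Value }          # e.g. CheckTimeValidity
            41 { [regex]::Match($xml, '<Result[^>]*>([^<]+)</Result>').Groups[1].Value }  # revocation outcome
            default { ($e.Message -split "`r?`n")[0] }                                     # first line of NDES text
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Log    = $e.LogName
            Id     = $e.Id
            Level  = $e.LevelDisplayName
            Detail = $detail
        }
    }
    $rows | Sort-Object Time
}

Get-NdesStartupTimeline | Format-Table -AutoSize -Wrap
```

A timeline that ends with CAPI2 53 followed by NDES 8 and 2 is the "cannot get CRL" case; a 42 with CheckTimeValidity followed by 8 and 2 is the expired-CRL case, even though the NDES events read the same in both.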

On the NDES server you can use the certutil command certutil -urlcache CRL to view the locally cached CRL URLs, and then the certutil command certutil -URL <LDAP or HTTP URL of the CRL> to verify that the NDES server can retrieve the CRL from the CDP.

You will see the URL Retrieval Tool GUI window as follows. Choose CRLs (from CDP) and click Retrieve. Ideally, the status comes back as OK.
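The four NDES startup steps listed earlier (locate RA certificate, acquire private key, build chain, check revocation) and the CDP retrieval check above, replayed in PowerShell as an added example (not code from the original post or from NDES itself). It assumes the RA certificates carry the default MSCEP-RA subject and uses .NET chain building with online revocation in place of the CAPI calls the post names.

```powershell
# Added example, not code from the original post. Replays the four NDES startup steps
# (locate RA certificate, acquire private key, build chain, check revocation) against the
# MSCEP-RA certificates (default subject assumed) and then probes every HTTP CDP URL in
# the chain, so you learn which CRL the NDES box cannot retrieve. Run it as SYSTEM
# (e.g. via PsExec) to go through the same proxy settings NDES uses.
function Test-NdesRaCertificates {
    $raCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like '*MSCEP-RA*' }
    if (-not $raCerts) { Write-Warning 'No MSCEP-RA certificates in LocalMachine\My (deleted or never issued)'; return }

    foreach ($cert in $raCerts) {
        # Steps 1 and 2: certificate located; can the private key be opened?
        $keyOk = $false
        if ($cert.HasPrivateKey) {
            try { $keyOk = [bool][System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) }
            catch { $keyOk = $false }
        }

        # Steps 3 and 4: chain building with online revocation checking for the whole chain
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        $chain.ChainPolicy.UrlRetrievalTimeout = [timespan]::FromSeconds(30)
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '   # e.g. RevocationStatusUnknown, OfflineRevocation

        [pscustomobject]@{
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            PrivateKey  = $keyOk
            ChainOk     = $chainOk
            ChainStatus = if ($status) { $status } else { 'NoError' }
        }

        # Probe the HTTP CDP URLs of every certificate in the chain (LDAP URLs are listed but not fetched)
        foreach ($el in $chain.ChainElements) {
            $cdp = $el.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
            if (-not $cdp) { continue }
            foreach ($m in [regex]::Matches($cdp.Format($true), 'URL=(\S+)')) {
                $url   = $m.Groups[1].Value
                $state = 'ldap URL, not probed'
                if ($url -like 'http*') {
                    try {
                        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
                        $state = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
                    } catch { $state = "FAILED: $($_.Exception.Message)" }
                }
                [pscustomobject]@{ Certificate = $el.Certificate.Subject; CdpUrl = $url; Result = $state }
            }
        }
    }
}

Test-NdesRaCertificates | Format-List
```

A ChainStatus of RevocationStatusUnknown or OfflineRevocation with a FAILED CDP row reproduces the CAPI2 53 case; a reachable CDP with an expired CRL surfaces as RevocationStatusUnknown with an HTTP 200 row, which is the CheckTimeValidity case.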

Important! If communication between the servers goes through a proxy server, ensure that the proxy settings on all servers involved are configured in both the user and the machine/SYSTEM context.

A production environment may have a firewall or proxy in the communication path. With a firewall, make sure the correct exceptions are defined to allow the connections. With a proxy, the proxy settings must be configured in the SYSTEM context for NDES to work; the easiest way is to use the PsExec tool.


Open a CMD with PsExec and use the whoami command to confirm that the CMD process is running as SYSTEM. Once confirmed, use netsh winhttp show proxy to see whether the proxy settings are configured correctly in the SYSTEM context; if not, use netsh winhttp set proxy to configure them.


Resolving CRL retrieval or expired CRL issues should primarily be the domain of ADCS and not of Intune in general.

After the CRL issue is resolved, restart Cryptographic Services and IIS on your NDES server and verify that the NDES service started successfully [Event ID 1 for successful NDES startup].

Intune SCEP HTTP Error 503 - Service Unavailable

This one is pretty easy. In most cases you will find that the IIS SCEP pool has crashed (shows as Stopped). Possible causes are:

  • Untrusted intermediate certificates in the certificate store of the NDES server

This is very common with a layered PKI infrastructure. So, if you are facing this problem, the first thing you should do on your NDES box is to check by opening PowerShell and running the following command:

Get-Childitem -Path cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}

If the above command returns any output, there are untrusted certificates in the Root store, and you can remove them by running the following command:

Get-ChildItem -Path cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Remove-Item

Note! If you encounter this problem frequently, you should create a scheduled task to run this command automatically at regular intervals to remove untrusted certificates.

  • The IIS SSL binding certificate has been renewed, but the NDES policy engine still points to the thumbprint of the old SSL certificate

Note that the certificate used to bind IIS port 443 is the same one that must be selected during the Intune NDES Certificate Connector installation. Therefore, this situation mainly occurs when the IIS SSL binding certificate is renewed but not updated with the Intune NDES Certificate Connector.


You must ensure that the thumbprint of the certificate managed by the NDES policy engine matches the thumbprint of the SSL binding certificate used in IIS.


The Intune NDES Connector service needs access to the CRL URLs to function properly. So even after the NDES service has started successfully, if for some reason the CRL URLs become inaccessible from the NDES box again, this can cause HTTP Error 503 - Service Unavailable.

Note that in this case the NDES service itself has started; if the same scenario occurs during NDES service startup, it produces HTTP Error 500 - Internal Server Error instead.
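The 503 causes in this section gathered into one report, as an added example (not code from the original post): SCEP pool state, non-self-signed certificates in the Root store, and the certificate bound to port 443 whose thumbprint the NDES connector must match. It assumes the WebAdministration module and the default pool name SCEP.

```powershell
# Added example, not code from the original post. Gathers the 503 causes above in one
# pass: SCEP pool state, non-self-signed certificates sitting in the Root store, and the
# certificate bound to port 443 (its thumbprint must match the one the NDES connector
# holds; the connector side has to be compared by hand in the connector UI).
Import-Module WebAdministration

function Get-NdesIis503Report {
    param([string]$PoolName = 'SCEP')   # default NDES pool name used in the post

    $pool = Get-WebAppPoolState -Name $PoolName -ErrorAction SilentlyContinue
    $poolState = if ($pool) { $pool.Value } else { 'not found' }

    # Anything in Root whose issuer differs from its subject is an intermediate that does not belong there
    $strays = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Issuer -ne $_.Subject } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint

    # Certificates bound on port 443 (IP or SNI bindings); compare Thumbprint with the NDES connector
    $bindings = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 }
    $sslInfo = foreach ($b in $bindings) {
        $c = Get-Item "Cert:\LocalMachine\My\$($b.Thumbprint)" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Binding    = "$($b.IPAddress):$($b.Port) $($b.Host)"
            Thumbprint = $b.Thumbprint
            Subject    = if ($c) { $c.Subject } else { 'certificate not in LocalMachine\My' }
            Expires    = if ($c) { $c.NotAfter } else { $null }
            Valid      = [bool]($c -and $c.NotAfter -gt (Get-Date))
        }
    }

    [pscustomobject]@{
        PoolState            = $poolState
        PoolStopped          = ($poolState -eq 'Stopped')
        UntrustedInRootStore = @($strays)
        SslBindings          = @($sslInfo)
    }
}

$report = Get-NdesIis503Report
$report | Format-List
if ($report.PoolStopped) { Write-Warning "SCEP pool is stopped; fix the cause above, then run: Start-WebAppPool -Name SCEP" }
```
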

The end

In addition to all the Intune HTTP SCEP errors listed above, you may also encounter HTTP Error 414 - Request URI too long and HTTP Error 413 - Payload too large, both of which are due to incorrect IIS request filtering settings for the /certsrv/mscep virtual application.

The causes listed for the errors in this article may not be exhaustive, and while troubleshooting you may well find an entirely new cause. I would be very interested to know if you have found new causes for any of the errors listed above while troubleshooting your environment.

Well, that's all for today. I'll be back with more posts soon. Until then, stay healthy...
