Question

FritsCompatibill-7979 asked:

EAP-TLS Wi-Fi / PKCS certificate profile to Android device not working

We want to deploy a new WiFi network for our customer using Android devices, using Endpoint Manager.

We created 4 new configuration profiles:

  • trusted root certificate from our CA server to all devices. Successfully received by the Android device

  • trusted intermediate certificate from our CA server to all devices. Successfully received by the Android device

  • wifi profile - new WiFi profile with EAP-type: EAP-TLS selected and set to a group of users - Keeps failing to distribute. No error message.

  • pkcs certificate profile - receive a client certificate from the CA server, set to a group of users - Keeps pending status.
When we perform these steps manually on the Android device, it works perfectly.
Is something wrong with the deployment?

Tags: mem-intune-general, mem-intune-application-management

Crystal-MSFT answered:

@FritsCompatibill-7979, Thanks for posting in our Q&A. From the information you provided, it seems the PKCS certificate and WiFi profile deployments were not successful.

For our issue, as the user or device certificate is needed in the WiFi profile, we can first check the PKCS certificate deployment.

In general, when the PKCS certificate profile is deployed to the device, the Intune service will ask the Intune Certificate Connector to create the certificate for the user. The connector sends the request to the CA, the CA issues the certificate and sends it back to the Intune Certificate Connector, and this certificate is uploaded to Intune. Intune will re-encrypt the certificate and send it to the device. Finally, the device will report the status to Intune.

To know which stage it is pending, we need log analysis. Here is a link with detailed information for the reference:
https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-pkcs-certificate-profiles

To ensure your data is protected, if you need any help with log analysis, you can open case which is free to troubleshoot it. Here is a link to guide how to open case for the reference:
https://docs.microsoft.com/en-us/mem/get-support

Hope it can help.




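The answer above lists the hops a PKCS request makes (Intune service, Certificate Connector, CA, back to Intune, device) and says that finding the stuck hop needs log analysis. The following PowerShell script is an added example, not code from the thread or from Microsoft: it runs the three checks a practitioner would do on the connector host in one go. It assumes it runs with admin rights on the server hosting the Certificate Connector, that certutil can reach the issuing CA, and that the template name matches the one in the PKCS profile. The event log channel name, the svclog folder, the svclog XML layout (WCF E2E trace events) and the certutil template restriction are assumptions taken from the thread and from the tool's documented behaviour, not verified against a specific connector version.

```powershell
# Added example (not from the thread): triage where a pending Intune PKCS request stops.
# Assumptions: admin on the Certificate Connector host; certutil can reach the issuing CA;
# $TemplateName is the template configured in the PKCS profile (placeholder value below).
param(
    [string]$TemplateName = 'IntuneUserCert',                       # placeholder, assumed
    [string]$CaConfig     = '',                                     # e.g. 'ca01.corp.example\Corp-Issuing-CA'; '' = default CA
    [string]$ConnectorLog = 'Microsoft Intune Connector',           # channel named in the thread; assumed
    [string]$SvcLogDir    = "$env:ProgramFiles\Microsoft Intune\PFXCertificateConnector\Logs"  # assumed path
)

# 1. Connector-side event log: critical/error/warning entries in the last N hours.
function Get-ConnectorErrors {
    param([string]$LogName, [int]$Hours = 24)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 1, 2, 3; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction Stop |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    } catch {
        Write-Warning "Event log '$LogName' not found or has no matching entries: $($_.Exception.Message)"
    }
}

# 2. Newest NDESConnector_*.svclog: WCF E2E trace XML fragments (no root element), so we
#    wrap them in one before parsing. Level 2 = Error, 3 = Warning in each event's System header.
function Get-SvcLogErrors {
    param([string]$Path)
    $file = Get-ChildItem -Path $Path -Filter 'NDESConnector_*.svclog' -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $file) { Write-Warning "No NDESConnector_*.svclog found under $Path"; return }
    [xml]$doc = '<root>' + (Get-Content -Path $file.FullName -Raw) + '</root>'
    foreach ($evt in $doc.root.E2ETraceEvent) {
        if ([int]$evt.System.Level -gt 3) { continue }          # keep Critical/Error/Warning only
        $text = ($evt.ApplicationData.InnerText -replace '\s+', ' ')
        if ($text.Length -gt 200) { $text = $text.Substring(0, 200) }
        [pscustomobject]@{
            Time  = $evt.System.TimeCreated.SystemTime
            Level = $evt.System.Level
            Text  = $text
        }
    }
}

# 3. CA-side: every request in the CA database that used the template, with its disposition.
#    Request.Disposition: 9 = pending, 20 = issued, 30 = failed (error), 31 = denied.
#    Assumption: certutil matches the template by name; for v2+ templates pass the template OID
#    instead if the name returns no rows.
function Get-CaRequestsForTemplate {
    param([string]$Template, [string]$Config)
    $argList = @('-view')
    if ($Config) { $argList += @('-config', $Config) }
    $argList += @('-restrict', "CertificateTemplate=$Template",
                  '-out', 'RequestID,Request.SubmittedWhen,Request.Disposition,Request.DispositionMessage,Request.RequesterName')
    & certutil.exe @argList
}

Write-Host "== Connector event log ($ConnectorLog), last 24h =="
Get-ConnectorErrors -LogName $ConnectorLog | Format-Table -AutoSize -Wrap

Write-Host "== Newest NDESConnector svclog: errors and warnings =="
Get-SvcLogErrors -Path $SvcLogDir | Format-Table -AutoSize -Wrap

Write-Host "== CA requests using template '$TemplateName' (no rows = nothing reached the CA) =="
Get-CaRequestsForTemplate -Template $TemplateName -Config $CaConfig
```

Read the three outputs against the hops in the answer: an error in the svclog with no matching CA row points at the connector-to-CA hop (enrollment permissions on the template, CA reachability), a CA row with disposition 9 or 31 points at the CA itself, and an empty svclog for the user means the connector never received a request, so the problem is on the Intune side (profile assignment or enrollment type) rather than in PKI.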

FritsCompatibill-7979 commented:

Hi @Crystal-MSFT, thanks for your reply.

When I try to analyse logging on the Intune Certificate Connector, I check the ODJ Connector Service.
Only Event IDs 30121 and 30150 occur. I cannot find the NDESConnector_date_time.svclog.
On the CA server I don't see any certificates issued/pending/failed which use the certificate template that is configured in the PKCS certificate profile in Intune.

Looks like the request does not even reach the CA server?


Crystal-MSFT replied:

@FritsCompatibill-7979, From your description, it seems the request is not created, since the log NDESConnector_date_time.svclog is not created. Could you check the event log under "Application and Services Logs\Microsoft Intune Connector" to see if it functions well?


FritsCompatibill-7979 commented:

Under Application and Services Logs there is the ODJ Connector Service, which only shows Event IDs 30121 and 30150. There is no Microsoft Intune Connector log.
The Windows laptops are also used by this connector. Those work fine.


FritsCompatibill-7979 answered:

I have looked in the wrong place.
I found the NDESConnector logging. How to open?
And is there a certain thing to look for?


Crystal-MSFT replied:

@FritsCompatibill-7979, Thanks for the reply. I am glad to hear that the log is found. To view the log, we can use the Service Trace Viewer Tool.
https://docs.microsoft.com/en-us/dotnet/framework/wcf/service-trace-viewer-tool-svctraceviewer-exe

Here is a link with the log analysis example for the reference:
https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-configuring-and-troubleshooting-pfx-pkcs/ba-p/516450

Hope it can help.

FritsCompatibill-7979 commented:

Where can I find the Service Trace Viewer Tool?
I have downloaded the Microsoft .NET SDK 6.0 but there is no Service Trace Viewer Tool.

Do you have a direct download to the file?


FritsCompatibill-7979 commented:

I have tested with another new WiFi profile for Android Enterprise, a basic profile with a WPA pre-shared key and no PKCS.
The deployment failed.

Crystal-MSFT replied:

@FritsCompatibill-7979, For the tool, you can check if it is under location: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools

For the other WiFi profile with a WPA pre-shared key, could you confirm whether the configuration works when we configure it manually on the device side? If yes, we can check whether the configuration is the same in Intune.
