Configure certificate infrastructure for SCEP

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

This topic describes the infrastructure you need in order to create and deploy SCEP certificate profiles.

On-premises infrastructure

  • Active Directory domain: All servers listed in this section (except for the Web Application Proxy server) must be joined to your Active Directory domain.

  • Certification Authority (CA): An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. A Standalone CA is not supported. For instructions on how to set up a Certification Authority, see Install the Certification Authority. If your CA runs Windows Server 2008 R2, you must install the hotfix from KB2483564.

  • NDES server: On a server that runs Windows Server 2012 R2 or later, you must set up the Network Device Enrollment Service (NDES). Intune does not support NDES running on a server that also hosts the Enterprise CA. See Network Device Enrollment Service Guidance for instructions on how to configure Windows Server 2012 R2 to host the Network Device Enrollment Service. The NDES server must be joined to the domain that hosts the CA, and must not be the same server as the CA. More information about deploying the NDES server in a separate forest, an isolated network, or an internal domain can be found in Using a Policy Module with the Network Device Enrollment Service.

  • Microsoft Intune Certificate Connector: You use the Intune admin console to download the Certificate Connector installer (ndesconnectorssetup.exe). You then run ndesconnectorssetup.exe on the computer where you want to install the Certificate Connector (the NDES server, as described in Task 5).

  • Web Application Proxy server (optional): You can use a server that runs Windows Server 2012 R2 or later as a Web Application Proxy (WAP) server. This configuration:

    • Allows devices to receive certificates over an Internet connection.
    • Is the recommended security configuration when devices connect through the Internet to receive and renew certificates, because the NDES server is then published through the proxy rather than exposed directly.


Network requirements

From the Internet to the perimeter network, allow port 443 from all hosts/IP addresses on the Internet to the NDES server (or to the proxy that publishes it). No other inbound port from the Internet is required; devices only use HTTPS to reach the SCEP endpoint.

From the perimeter network to the trusted network, allow all ports and protocols needed for domain access by the domain-joined NDES server. The NDES server needs access to the certificate servers, DNS servers, Configuration Manager servers (if used), and domain controllers.

We recommend publishing the NDES server through a proxy, such as the Azure AD Application Proxy, Web Application Proxy, or a third-party reverse proxy, rather than exposing it directly.

Certificates and templates

| Object | Details |
|---|---|
| Certificate template | You configure this template on your issuing CA. |
| Client authentication certificate | Requested from your issuing CA or a public CA; you install this certificate on the NDES server. The Certificate Connector uses it as its client certificate (Task 5). |
| Server authentication certificate | Requested from your issuing CA or a public CA; you install and bind this SSL certificate in IIS on the NDES server. |
| Trusted Root CA certificate | You export this as a .cer file from the root CA, or from any device that trusts the root CA, and deploy it to devices by using the Trusted CA certificate profile. |

You use a single Trusted Root CA certificate per operating system platform, and associate it with each Trusted Root Certificate profile you create.

You can use additional Trusted Root CA certificates when needed. For example, you might do this to establish trust in a CA that signs the server authentication certificates for your Wi-Fi access points.


| Name | Details |
|---|---|
| NDES service account | You specify a domain user account to use as the NDES service account. |

Configure your infrastructure

Before you can configure certificate profiles, you must complete the following tasks, which require knowledge of Windows Server 2012 R2 and Active Directory Certificate Services (AD CS):

Task 1: Create an NDES service account

Task 2: Configure certificate templates on the certification authority

Task 3: Configure prerequisites on the NDES server

Task 4: Configure NDES for use with Intune

Task 5: Enable, install, and configure the Intune Certificate Connector

Task 1 - Create an NDES service account

Create a domain user account to use as the NDES service account. Use a dedicated account for this purpose; it does not need administrative rights. You will specify this account when you configure templates on the issuing CA, before you install and configure NDES. Make sure the user has the default rights Log on locally, Log on as a service, and Log on as a batch job on the NDES server. Some organizations have hardening policies that remove those rights; if they are missing, the NDES application pool fails to start and the server answers with a 503 (see the troubleshooting note in Task 4).
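The following is an added example, not part of the original page: it creates the service account with the ActiveDirectory module and then audits, on the NDES server, whether the three logon rights above are explicitly granted or explicitly denied in the local security policy. The account name NDESService, the domain contoso.com and the NetBIOS name CONTOSO are assumptions taken from the later setspn example.

```powershell
# Added example (not from the original page). Names below are assumptions.
Import-Module ActiveDirectory

$Name    = 'NDESService'      # assumed service account name
$Domain  = 'contoso.com'      # assumed DNS domain
$NetBios = 'CONTOSO'          # assumed NetBIOS domain name (what secedit prints)
$Pass    = Read-Host -AsSecureString "Password for $Name"

# Create the account only if it does not already exist.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Name'")) {
    New-ADUser -Name $Name -SamAccountName $Name `
        -UserPrincipalName "$Name@$Domain" `
        -AccountPassword $Pass -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'NDES service account (SCEP for Intune)'
}
$Sid = (Get-ADUser $Name).SID.Value

# Rights the page requires on the NDES server, and the deny rights that override them.
$Required = 'SeInteractiveLogonRight', 'SeServiceLogonRight', 'SeBatchLogonRight'
$Deny     = 'SeDenyInteractiveLogonRight', 'SeDenyServiceLogonRight', 'SeDenyBatchLogonRight'

# Export the effective local security policy of THIS machine (run on the NDES server)
# and parse the [Privilege Rights] section. secedit lists principals as *SID or as names.
$Inf = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $Inf /quiet | Out-Null
$Rights = @{}
foreach ($line in Get-Content $Inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $Rights[$matches[1]] = ($matches[2] -split ',') | ForEach-Object { $_.Trim() }
    }
}

function Test-HoldsRight([string]$Right) {
    # Note: only direct assignments are resolved here; a right held through a group
    # (for example Users or IIS_IUSRS) is not detected and must be checked by hand.
    $vals = $Rights[$Right]
    if (-not $vals) { return $false }
    return ($vals -contains "*$Sid") -or ($vals -contains "$NetBios\$Name") -or ($vals -contains $Name)
}

foreach ($r in $Required) {
    '{0,-30} {1}' -f $r, $(if (Test-HoldsRight $r) { 'granted' } else { 'not granted directly (check group membership / hardening policy)' })
}
foreach ($d in $Deny) {
    if (Test-HoldsRight $d) { "WARNING: $d applies to $Name and overrides the corresponding allow right" }
}
Remove-Item $Inf -ErrorAction SilentlyContinue
```

Run the audit part again after a hardening baseline is applied; a deny right added by policy is the usual reason the NDES application pool later refuses to start.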

Task 2 - Configure certificate templates on the certification authority

In this task you will:

  • Configure a certificate template for NDES

  • Publish the certificate template for NDES

To configure the certification authority
  1. Log on as an enterprise administrator.

  2. On the issuing CA, use the Certificate Templates snap-in to create a new custom template, or duplicate an existing template (such as the User template) and then edit the copy, for use with NDES.

    The template must have the following configurations:

    • Specify a friendly Template display name for the template.

    • On the Subject Name tab, select Supply in the request. (Security is enforced by the Intune policy module for NDES, which validates each request against the challenge Intune issued, so a device cannot request an arbitrary subject.)

    • On the Extensions tab, ensure the Description of Application Policies includes Client Authentication.

      For iOS and Mac OS X certificate templates, on the Extensions tab, edit Key Usage and ensure Signature is proof of origin is not selected.

    • On the Security tab, add the NDES service account, and give it Enroll permissions to the template. Intune admins who will create SCEP profiles require Read rights so that they can browse to the template when creating SCEP profiles.

    To revoke certificates, the NDES service account needs Issue and Manage Certificates rights on the CA for each certificate template used by a certificate profile.

  3. Review the Validity period on the General tab of the template. By default, Intune uses the value configured in the template. However, you can configure the CA to allow the requester to specify a different value, which you can then set from within the Intune administrator console. If you always want to use the value in the template, skip the remainder of this step.

    The iOS and Mac OS X platforms always use the value set in the template, regardless of other configurations you make.

Here are screenshots of an example template configuration.

For Application Policies (in the 4th screenshot), add only the application policies that are required. Confirm your choices with your security admins.

To configure the CA to allow the requester to specify the validity period, run the following commands on the CA:

  1. certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
  2. net stop certsvc
  3. net start certsvc

  4. On the issuing CA, use the Certification Authority snap-in to publish the certificate template.

    1. Select the Certificate Templates node, click Action -> New > Certificate Template to Issue, and then select the template you created in step 2.

    2. Validate that the template is published by viewing it under the Certificate Templates folder.
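The CA-side commands of this task, as an added example that is not part of the original page: it sets and verifies the EditFlags change from step 3 and publishes the template from step 4 with certutil instead of the snap-in, then confirms the CA actually lists it. The template name NDESIntuneClientAuth is an assumption; use the template's Name (not its Display name). Only set EDITF_ATTRIBUTEENDDATE if you intend to control validity from the Intune console, since it lets any requester the CA accepts influence the end date.

```powershell
# Added example (not from the original page). Run elevated on the issuing CA.
$TemplateName = 'NDESIntuneClientAuth'   # assumed template Name (not Display name)

# Step 3 (optional): allow the requester to specify the certificate end date.
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE | Out-Null
Restart-Service certsvc          # same effect as "net stop certsvc" / "net start certsvc"

# Confirm the flag is present in the effective EditFlags; certutil decodes the bits by name.
$flags = certutil -getreg Policy\EditFlags
if ($flags -match 'EDITF_ATTRIBUTEENDDATE') {
    'EDITF_ATTRIBUTEENDDATE is set'
} else {
    throw 'EDITF_ATTRIBUTEENDDATE is not set; run this elevated on the CA itself'
}

# Step 4: publish the template ("Certificate Template to Issue") on this CA.
certutil -SetCATemplates "+$TemplateName" | Out-Null

# Validate: certutil -CATemplates prints one "Name: Display name -- ..." line per template.
$issued = certutil -CATemplates
if ($issued -match "^${TemplateName}:") {
    "Template $TemplateName is published on this CA"
} else {
    throw "Template $TemplateName is not in the CA's issued-template list"
}
```

If the last check fails right after publishing, the template may not have replicated to the domain controller the CA reads from yet; wait for AD replication and re-run the check rather than publishing twice.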

Task 3 - Configure prerequisites on the NDES server

In this task you will:

  • Add NDES to a Windows Server and configure IIS to support NDES

  • Add the NDES service account to the IIS_IUSRS group

  • Set the SPN for the NDES service account

  1. On the server that will host NDES, log on as an Enterprise Administrator, and then use the Add Roles and Features Wizard to install NDES:

    1. In the wizard, select Active Directory Certificate Services to gain access to the AD CS role services. Select Network Device Enrollment Service, clear Certification Authority, and then complete the wizard.

      On the Installation progress page of the wizard, do not click Close. Instead, click the link Configure Active Directory Certificate Services on the destination server. This opens the AD CS Configuration wizard that you use in the next task. After AD CS Configuration opens, you can close the Add Roles and Features wizard.

    2. When NDES is added to the server, the wizard also installs IIS. Ensure IIS has the following configurations:

      • Web Server > Security > Request Filtering

      • Web Server > Application Development > ASP.NET 3.5. Installing ASP.NET 3.5 installs .NET Framework 3.5. When installing .NET Framework 3.5, install both the core .NET Framework 3.5 feature and HTTP Activation.

      • Web Server > Application Development > ASP.NET 4.5. Installing ASP.NET 4.5 installs .NET Framework 4.5. When installing .NET Framework 4.5, install the core .NET Framework 4.5 feature, ASP.NET 4.5, and the WCF Services > HTTP Activation feature.

      • Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility

      • Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility

    3. On the server, add the NDES service account as a member of the local IIS_IUSRS group.

  2. In an elevated command prompt, run the following command to set the SPN of the NDES service account:

**setspn -s http/<DNS name of NDES server> <Domain name>\<NDES service account name>**

For example, if your NDES server is named Server01, your domain is Contoso.com, and the service account is NDESService, use:

**setspn -s http/Server01.contoso.com contoso\NDESService**
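The whole of Task 3 as a script, added here as an example that is not part of the original page. It installs the role service and IIS features listed above by their Windows Server 2012 R2 feature names, refuses to continue if the CA role is present on the same server, adds the service account to IIS_IUSRS, and registers the SPN while checking for a duplicate (a duplicate SPN silently breaks Kerberos to NDES). Server01.contoso.com, contoso and NDESService are the assumed names from the example above.

```powershell
# Added example (not from the original page). Run elevated on the future NDES server.
$NdesFqdn = 'Server01.contoso.com'   # assumed
$Domain   = 'contoso'                # assumed NetBIOS domain name
$SvcAcct  = 'NDESService'            # assumed service account

# 1. NDES role service plus the IIS / .NET features the wizard list above maps to.
$Features = @(
    'ADCS-Device-Enrollment',      # Network Device Enrollment Service
    'Web-Filtering',               # Web Server > Security > Request Filtering
    'Web-Asp-Net',                 # ASP.NET 3.5
    'NET-Framework-Core',          # .NET Framework 3.5 core (may need -Source on 2012 R2)
    'NET-HTTP-Activation',         # .NET 3.5 HTTP Activation
    'Web-Asp-Net45',               # ASP.NET 4.5
    'NET-Framework-45-Core',       # .NET Framework 4.5 core
    'NET-WCF-HTTP-Activation45',   # WCF Services > HTTP Activation
    'Web-Metabase',                # IIS 6 Metabase Compatibility
    'Web-WMI'                      # IIS 6 WMI Compatibility
)
$result = Install-WindowsFeature -Name $Features -IncludeManagementTools
if (-not $result.Success) { throw "Feature installation failed: $($result.ExitCode)" }

# Intune does not support NDES on the CA server: fail loudly if the CA role is here.
if ((Get-WindowsFeature -Name ADCS-Cert-Authority).Installed) {
    throw 'ADCS-Cert-Authority is installed on this server; NDES for Intune must not share a server with the CA'
}

# 2. Local IIS_IUSRS membership for the service account.
#    net localgroup is used because Add-LocalGroupMember does not exist on Windows Server 2012 R2.
net localgroup IIS_IUSRS "$Domain\$SvcAcct" /add 2>&1 | Out-Null

# 3. SPN registration. "-s" checks the forest for a duplicate before adding.
$out = setspn -s "http/$NdesFqdn" "$Domain\$SvcAcct" 2>&1
if ($out -match 'Duplicate SPN') {
    throw "http/$NdesFqdn is already registered on another account:`n$($out -join "`n")"
}

# Verify the SPN is now listed on the account.
$spns = setspn -l "$Domain\$SvcAcct"
if (-not ($spns -match "^\s*http/$([regex]::Escape($NdesFqdn))\s*$")) {
    throw "SPN http/$NdesFqdn not found on $Domain\$SvcAcct"
}
"Prerequisites complete on $NdesFqdn: NDES installed, $SvcAcct in IIS_IUSRS, SPN registered. Continue with the AD CS Configuration wizard (Task 4)."
```

Keep the SPN on the service account only; registering the same http/ SPN on the computer account as well is the most common cause of intermittent Kerberos failures against the NDES site.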

Task 4 - Configure NDES for use with Intune

In this task you will:

  • Configure NDES for use with the issuing CA

  • Bind the server authentication (SSL) certificate in IIS

  • Configure Request Filtering in IIS

To configure NDES for use with Intune
  1. On the NDES server, open the AD CS Configuration wizard and then make the following configurations.

    If you clicked the link in the previous task, this wizard is already open. Otherwise, open Server Manager to access the post-deployment configuration for Active Directory Certificate Services.

    • On the Role Services page, select Network Device Enrollment Service.

    • On the Service Account for NDES page, specify the NDES service account.

    • On the CA for NDES page, click Select, and then select the issuing CA where you configured the certificate template.

    • On the Cryptography for NDES page, set the key length to meet your company requirements.

    On the Confirmation page, click Configure to complete the wizard.

  2. After the wizard completes, edit the following registry key on the NDES server:

    To edit this key, identify the certificate template's Purpose, as found on its Request Handling tab, and then edit the corresponding entry in the registry by replacing the existing data with the name of the certificate template (not the display name of the template) that you configured in Task 2. The following table maps the certificate template purpose to the values in the registry:

    | Certificate template Purpose (on the Request Handling tab) | Registry value to edit | Value seen in the Intune admin console for the SCEP profile |
    |---|---|---|
    | Signature | SignatureTemplate | Digital Signature |
    | Encryption | EncryptionTemplate | Key Encipherment |
    | Signature and encryption | GeneralPurposeTemplate | Key Encipherment, Digital Signature |

    For example, if the Purpose of your certificate template is Encryption, edit the EncryptionTemplate value to be the name of your certificate template.

  3. The NDES server will receive very long URLs (queries), which require that you add two registry entries:

    | Location | Value | Type | Data |
    |---|---|---|---|
    | HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters | MaxFieldLength | DWORD | 65534 (decimal) |
    | HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters | MaxRequestBytes | DWORD | 65534 (decimal) |

  4. In IIS Manager, choose Default Web Site -> Request Filtering -> Edit Feature Settings, and change Maximum URL length and Maximum query string to 65534, as shown.

    [Screenshot: IIS Maximum URL length and Maximum query string settings]

  5. Restart the server. Running iisreset on the server is not sufficient to apply these changes, because the HTTP\Parameters values are read by HTTP.sys when that service starts, and iisreset does not restart HTTP.sys.

  6. Browse to http://FQDN/certsrv/mscep/mscep.dll. You should see an NDES page similar to this:

    [Screenshot: NDES test page]

    If you get a 503 Service Unavailable, check Event Viewer. It is likely that the application pool is stopped because the NDES service account is missing one of the logon rights described in Task 1.
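Steps 2 to 4 of the procedure above as a script, added as an example that is not part of the original page. Assumptions: the NDES template values live under HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP (the default location written by the AD CS Configuration wizard; the page itself does not print the key path), and the template is an Encryption-purpose template named NDESIntuneClientAuth. The script reads every setting back before the reboot so that a typo does not surface later as devices failing enrollment with 400/414 responses.

```powershell
# Added example (not from the original page). Run elevated on the NDES server after
# the AD CS Configuration wizard has completed.
Import-Module WebAdministration

$TemplateName = 'NDESIntuneClientAuth'   # assumed template Name (not Display name)
$Purpose      = 'Encryption'             # Signature | Encryption | SignatureAndEncryption

# Step 2: map the template Purpose to the registry value NDES consults for that key usage.
$ValueName = switch ($Purpose) {
    'Signature'              { 'SignatureTemplate' }
    'Encryption'             { 'EncryptionTemplate' }
    'SignatureAndEncryption' { 'GeneralPurposeTemplate' }
    default                  { throw "Unknown purpose '$Purpose'" }
}
$Mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'   # assumed default key path
if (-not (Test-Path $Mscep)) { throw "$Mscep not found; run the AD CS Configuration wizard first" }
Set-ItemProperty -Path $Mscep -Name $ValueName -Value $TemplateName

# Step 3: HTTP.sys limits for the long SCEP query strings Intune devices send.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    New-ItemProperty -Path $HttpParams -Name $name -PropertyType DWord -Value 65534 -Force | Out-Null
}

# Step 4: matching IIS request-filtering limits on the Default Web Site.
$Site   = 'IIS:\Sites\Default Web Site'
$Filter = 'system.webServer/security/requestFiltering/requestLimits'
Set-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name maxUrl         -Value 65534
Set-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name maxQueryString -Value 65534

# Read everything back before rebooting.
[pscustomobject]@{
    TemplateValue   = "$ValueName = $((Get-ItemProperty -Path $Mscep).$ValueName)"
    MaxFieldLength  = (Get-ItemProperty -Path $HttpParams).MaxFieldLength
    MaxRequestBytes = (Get-ItemProperty -Path $HttpParams).MaxRequestBytes
    maxUrl          = (Get-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name maxUrl).Value
    maxQueryString  = (Get-WebConfigurationProperty -PSPath $Site -Filter $Filter -Name maxQueryString).Value
}

# The HTTP.sys values take effect only when the HTTP service starts; iisreset does not
# restart HTTP.sys, so reboot the server (step 5) once the output above is correct.
# Restart-Computer
```

Note that only the value matching the template's Purpose is changed; the other two template values keep whatever the wizard wrote, so an NDES installation serving several templates must set each one deliberately.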

To install and bind certificates on the NDES server
  1. On your NDES server, request and install a server authentication certificate from your internal CA or a public CA. You then bind this SSL certificate in IIS.

    After you bind the SSL certificate in IIS, you also install a client authentication certificate. This certificate can be issued by any CA that is trusted by the NDES server. Although it is not a best practice, you can use the same certificate for both server and client authentication, as long as the certificate has both Enhanced Key Usages (EKUs). Review the following steps for information about these authentication certificates.

    1. After you obtain the server authentication certificate, open IIS Manager, select Default Web Site in the Connections pane, and then click Bindings in the Actions pane.

    2. Click Add, set Type to https, and then ensure the port is 443. (Only port 443 is supported for standalone Intune.)

    3. For SSL certificate, specify the server authentication certificate.

      If the NDES server uses both an external and an internal name for a single network address, the server authentication certificate must have a Subject Name with the external public server name, and a Subject Alternative Name that includes the internal server name.

  2. On your NDES server, request and install a client authentication certificate from your internal CA or a public certification authority. This can be the same certificate as the server authentication certificate if that certificate has both capabilities.

    The client authentication certificate must have the following properties:

    Enhanced Key Usage - This must include Client Authentication.

    Subject Name - This must be equal to the DNS name of the server where you are installing the certificate (the NDES server).

To configure IIS Request Filtering
  1. On the NDES server, open IIS Manager, select Default Web Site in the Connections pane, and then open Request Filtering.

  2. Click Edit Feature Settings, and then set the following:

    Maximum query string (Bytes) = 65534

    Maximum URL length (Bytes) = 65534

  3. Review the registry key you edited in the previous procedure, HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters:

    Ensure the following values are set as DWORD entries:

    Name: MaxFieldLength, with a decimal value of 65534

    Name: MaxRequestBytes, with a decimal value of 65534

  4. Reboot the NDES server. The server is now ready to support the Certificate Connector.

Task 5 - Enable, install, and configure the Intune Certificate Connector

In this task you will:

Enable support for NDES in Intune.

Download, install, and configure the Certificate Connector on the NDES server.

To enable support for the Certificate Connector
  1. Open the Intune administration console, and click Admin > Certificate Connector.

  2. Click Configure On-Premises Certificate Connector.

  3. Select Enable Certificate Connector, and then click OK.

To download, install, and configure the Certificate Connector
  1. Open the Intune administration console, and then click Admin > Mobile Device Management > Certificate Connector > Download Certificate Connector.

  2. After the download completes, run the downloaded installer (ndesconnectorssetup.exe) on the Windows Server 2012 R2 NDES server. The installer also installs the policy module for NDES and the CRP Web Service. (The CRP Web Service, CertificateRegistrationSvc, runs as an application in IIS.)

    When you install NDES for standalone Intune, the CRP service is installed automatically with the Certificate Connector. When you use Intune with Configuration Manager, you install the Certificate Registration Point as a separate site system role.

  3. When prompted for the client certificate for the Certificate Connector, click Select, and select the client authentication certificate you installed on your NDES server in Task 4.

    After you select the client authentication certificate, you are returned to the Client Certificate for Microsoft Intune Certificate Connector page. Although the certificate you selected is not shown, click Next to view the properties of that certificate. Then click Next, and then click Install.

  4. After the wizard completes, but before closing the wizard, click Launch the Certificate Connector UI.

    If you close the wizard before launching the Certificate Connector UI, you can reopen it by running the following command:

  5. In the Certificate Connector UI:

    Click Sign In and enter your Intune service administrator credentials, or credentials for a tenant administrator with the global administration permission.

    If you get a "User name is not recognized" error when signing in to NDESConnectorUI.exe, it usually means you used an account that does not have a valid Intune license. Assign the account an Intune or EMS license and retry the operation.

    If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, click Use proxy server and then provide the proxy server name, port, and account credentials to connect.

    Select the Advanced tab, provide credentials for an account that has the Issue and Manage Certificates permission on your issuing certification authority, and then click Apply. This is the permission the connector needs to revoke certificates; grant that account this one CA permission rather than CA administrator rights.

    You can now close the Certificate Connector UI.

  6. Open a command prompt, type services.msc, and then press Enter. Right-click Intune Connector Service, and then click Restart.

To validate that the service is running, open a browser and enter the following URL. Once the connector and its NDES policy module are installed, the request should return a 403 error instead of the NDES test page you saw in Task 4:

https://<FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll
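An end-to-end health check for the finished server, added as an example that is not part of the original page. It covers the 403 check just described and the 503 troubleshooting note from Task 4 in one run: the Intune Connector Service state, the SCEP application pool, the 443 HTTPS binding, and the HTTP status returned by mscep.dll. Server01.contoso.com is the assumed FQDN; the service display name comes from the page, while the application pool name prefix SCEP is an assumption about what the NDES installer creates.

```powershell
# Added example (not from the original page). Run elevated on the NDES server.
Import-Module WebAdministration

$NdesFqdn = 'Server01.contoso.com'   # assumed
$Url      = "https://$NdesFqdn/certsrv/mscep/mscep.dll"
$checks   = [ordered]@{}

# 1. The connector service must be running (display name as used by services.msc above).
$svc = Get-Service -DisplayName 'Intune Connector Service' -ErrorAction SilentlyContinue
$checks['Intune Connector Service running'] = [bool]($svc -and $svc.Status -eq 'Running')

# 2. A stopped SCEP application pool is the usual cause of the 503 described in Task 4
#    (service account lost a logon right). Pool name prefix 'SCEP' is an assumption.
$pool = Get-ChildItem IIS:\AppPools | Where-Object { $_.Name -like 'SCEP*' }
$checks['SCEP application pool started'] = [bool]($pool -and $pool.state -eq 'Started')

# 3. Only https on 443 is supported for standalone Intune.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$checks['HTTPS binding on port 443'] = [bool]$binding

# 4. The endpoint itself. Expected: 403 after the policy module is installed.
#    503 = application pool down; 404 = NDES not configured; 200 with the NDES test
#    page = the Certificate Connector (policy module) is not installed yet.
$status = -1
try {
    $status = (Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15).StatusCode
} catch [System.Net.WebException] {
    if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
}
$checks["GET $Url returns 403"] = ($status -eq 403)

$checks.GetEnumerator() | ForEach-Object {
    '{0,-70} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
"HTTP status observed: $status"
if ($checks.Values -contains $false) { exit 1 }
```

A status of -1 means no HTTP response at all (name resolution, the 443 binding, or certificate trust on the machine running the check), which is worth distinguishing from a 503 before opening Event Viewer.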

Next steps

You are now ready to configure certificate profiles, as described in Configure certificate profiles.