Configure infrastructure to support SCEP with Intune

Intune supports use of the Simple Certificate Enrollment Protocol (SCEP) to authenticate connections to your apps and corporate resources. SCEP uses the Certification Authority (CA) certificate to secure the message exchange for the Certificate Signing Request (CSR). When your infrastructure supports SCEP, you can use Intune SCEP certificate profiles (a type of device profile in Intune) to deploy certificates to your devices. The Microsoft Intune Connector is required to use SCEP certificate profiles with Intune when you use an Active Directory Certificate Services Certification Authority. The connector isn't required when you use a third-party Certification Authority.

The information in this article helps you configure your infrastructure to support SCEP when you use Active Directory Certificate Services. After your infrastructure is configured, you can create and deploy SCEP certificate profiles with Intune.

Tip

Intune also supports use of Public Key Cryptography Standards #12 (PKCS #12) certificates.

Prerequisites for using SCEP for certificates

Before you continue, ensure you've created and deployed a trusted certificate profile to the devices that will use SCEP certificate profiles. SCEP certificate profiles directly reference the trusted certificate profile that you use to provision devices with a Trusted Root CA certificate.

Servers and server roles

The following on-premises infrastructure must run on servers that are joined to your Active Directory domain, with the exception of the Web Application Proxy server.

  • Certification Authority – Use a Microsoft Active Directory Certificate Services Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 with Service Pack 1, or later. The version of Windows Server you use must remain in support by Microsoft. A standalone CA is not supported. For more information, see Install the Certification Authority. If your CA runs Windows Server 2008 R2 SP1, you must install the hotfix from KB2483564.

  • NDES server role – You must configure a Network Device Enrollment Service (NDES) server role on Windows Server 2012 R2 or later. A later section of this article walks through installing NDES.

    • The server that hosts NDES must be domain-joined and in the same forest as your Enterprise CA.
    • You can't use NDES that's installed on the server that hosts the Enterprise CA.
    • You'll install the Microsoft Intune Connector on the same server that hosts NDES.

    To learn more about NDES, see Network Device Enrollment Service Guidance in the Windows Server documentation, and Using a Policy Module with the Network Device Enrollment Service.

  • Microsoft Intune Connector – The Microsoft Intune Connector is required to use SCEP certificate profiles with Intune. This article walks through installing the connector.

    The connector supports Federal Information Processing Standard (FIPS) mode. FIPS mode isn't required; when it's enabled, the connector can still issue and revoke certificates.

    • The connector has the same network requirements as managed devices.
    • The connector must run on the same server as the NDES server role, a server that runs Windows Server 2012 R2 or later.
    • The connector requires the .NET 4.5 Framework, which is included automatically with Windows Server 2012 R2.
    • Internet Explorer Enhanced Security Configuration must be disabled on the server that hosts NDES and the Microsoft Intune Connector.

Support for NDES on the internet

To allow devices on the internet to get certificates, you must publish your NDES URL outside your corporate network. To do this, you can use either Azure AD Application Proxy or a Web Application Proxy server. You can also use another reverse proxy of your choice.

  • Azure AD Application Proxy – You can use Azure AD Application Proxy instead of a dedicated Web Application Proxy (WAP) server to publish your NDES URL to the internet. This allows both intranet-facing and internet-facing devices to get certificates. For more information, see Integrate with Azure AD Application Proxy on a Network Device Enrollment Service (NDES) server.

  • Web Application Proxy server – Use a server that runs Windows Server 2012 R2 or later as a Web Application Proxy (WAP) server to publish your NDES URL to the internet. This allows both intranet-facing and internet-facing devices to get certificates.

    The server that hosts WAP must have installed an update that enables support for the long URLs used by the Network Device Enrollment Service. This update is included in the December 2014 update rollup, or individually from KB3011135.

    The WAP server must have an SSL certificate that matches the name published to external clients, and it must trust the SSL certificate used on the computer that hosts the NDES service. These certificates enable the WAP server to terminate the SSL connection from clients and create a new SSL connection to the NDES service.

    For more information, see Plan certificates for WAP and general information about WAP servers.

Accounts

  • NDES service account – Before you set up NDES, identify a domain user account to use as the NDES service account. You specify this account when you configure templates on your issuing CA, before you configure NDES.

    This account must have the following rights on the server that hosts NDES:

    • Log on locally
    • Log on as a service
    • Log on as a batch job

    For more information, see Create a domain user account to act as the NDES service account.

  • Access to the computer that hosts the NDES service – You need a domain user account with permissions to install and configure Windows server roles on the server where you install NDES.

  • Access to the certification authority – You need a domain user account that has rights to manage your certification authority.
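The three logon rights listed for the NDES service account are the ones the NDES application pool depends on, and a missing right is the usual cause of the HTTP 503 described later in this article. The following PowerShell is an added example (not from the original article, and not Microsoft's code) that exports the local security policy with secedit and confirms that the service account is directly assigned each right. The account name is a placeholder, and the check only detects direct assignment: a right granted through group membership is reported as missing because the script does not expand groups.

```powershell
# Added example (not from the original article): verify that the NDES service
# account holds the three logon rights this article requires on the NDES server.
# Assumption: the account name below is a hypothetical placeholder. Run elevated
# on the server that will host NDES.
$ServiceAccount = 'CONTOSO\NDESService'   # hypothetical account name

# secedit writes SIDs (prefixed with '*') rather than names, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
          [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user rights assignment area of the local security policy.
$cfg = Join-Path $env:TEMP 'ndes-secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg

# The rights named in the article, mapped to their policy constants.
$required = @{
    'Log on locally'        = 'SeInteractiveLogonRight'
    'Log on as a service'   = 'SeServiceLogonRight'
    'Log on as a batch job' = 'SeBatchLogonRight'
}

# A right counts as satisfied only when the account's SID appears directly on its line;
# grants inherited through a group are not expanded here and show up as "missing".
$missing = foreach ($entry in $required.GetEnumerator()) {
    $line = $policy | Where-Object { $_ -match "^$($entry.Value)\s*=" }
    if (-not $line -or $line -notmatch [regex]::Escape("*$sid")) { $entry.Key }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($missing) {
    # A stopped NDES application pool (HTTP 503 on mscep.dll) is the usual symptom.
    Write-Warning "No direct assignment for $ServiceAccount of: $($missing -join ', ')"
} else {
    Write-Host "All three logon rights are assigned directly to $ServiceAccount."
}
```

Run it after the account has been created and the local policy (or the GPO that delivers it) has been applied; if the rights are delivered by group, replace the SID test with the group's SID or expand the group membership before comparing.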

Network requirements

We recommend publishing the NDES service through a reverse proxy, such as Azure AD Application Proxy, Web Application Proxy, or a third-party proxy. If you don't use a reverse proxy, then allow TCP traffic on port 443 from all hosts and IP addresses on the internet to the NDES service.

Allow all ports and protocols necessary for communication between the NDES service and any supporting infrastructure in your environment. For example, the computer that hosts the NDES service needs to communicate with the CA, DNS servers, domain controllers, and possibly other services or servers within your environment, such as Configuration Manager.

Certificates and templates

The following certificates and templates are used when you use SCEP.

SCEP Certificate Template
    The template you configure on your issuing CA that is used to fulfill the devices' SCEP requests.

Client authentication certificate
    Requested from your issuing CA or a public CA. You install this certificate on the computer that hosts the NDES service, and it's used by the Microsoft Intune Connector. If the CA template you use to issue this certificate has both the Client Authentication and Server Authentication Enhanced Key Usages set, you can use the same certificate for server and client authentication.

Server authentication certificate
    A Web Server certificate requested from your issuing CA or a public CA. You install and bind this SSL certificate in IIS on the computer that hosts NDES. If the CA template you use to issue this certificate has both the Client Authentication and Server Authentication Enhanced Key Usages set, you can use the same certificate for server and client authentication.

Trusted Root CA certificate
    To use a SCEP certificate profile, devices must trust your Trusted Root Certification Authority (CA). Use a trusted certificate profile in Intune to provision the Trusted Root CA certificate to users and devices.

    • Use a single Trusted Root CA certificate per operating system platform, and associate that certificate with each trusted certificate profile you create.

    • You can use additional Trusted Root CA certificates when needed. For example, you might use additional certificates to provide trust for a CA that signs the server authentication certificates of your Wi-Fi access points. Create additional Trusted Root CA certificates for issuing CAs. In the SCEP certificate profile you create in Intune, be sure to specify the Trusted Root CA profile for the issuing CA.

For information about the trusted certificate profile, see Export the trusted root CA certificate and Create trusted certificate profiles in Use certificates for authentication in Intune.

Configure the certification authority

In the following sections, you'll:

  • Configure and publish the required template for NDES
  • Set the required permissions for certificate revocation

The following sections require knowledge of Windows Server 2012 R2 or later, and of Active Directory Certificate Services (AD CS).

Access your issuing CA

  1. Sign in to your issuing CA with a domain account that has rights sufficient to manage the CA.

  2. Open the Certification Authority Microsoft Management Console (MMC). Either run 'certsrv.msc', or in Server Manager, click Tools, and then click Certification Authority.

  3. Select the Certificate Templates node, then click Action > Manage.

Create the SCEP certificate template

  1. Create a v2 certificate template (with Windows 2003 compatibility) for use as the SCEP certificate template. You can:

    • Use the Certificate Templates snap-in to create a new custom template.
    • Copy an existing template (like the Web Server template) and then update the copy to use as the NDES template.
  2. Configure the following settings on the specified tabs of the template:

    • General:

      • Uncheck Publish certificate in Active Directory.
      • Specify a friendly Template display name so you can identify this template later.
    • Subject Name:

      • Select Supply in the request. Security is enforced by the Intune policy module for NDES, which verifies each SCEP request with Intune before the CA issues a certificate. Without that policy module, a template that takes the subject from the request lets any enrollee obtain a certificate for an arbitrary identity, so keep this template reachable only through NDES (see the Security tab below).

        Template, Subject Name tab

    • Extensions:

      • Ensure that Description of Application Policies includes Client Authentication.

        Important

        Add only the application policies that you require. Confirm your choices with your security admins.

      • For iOS/iPadOS and macOS certificate templates, also edit Key Usage and make sure Signature is proof of origin isn't selected.

      Template, Extensions tab

    • Security:

      • Add the NDES service account. This account requires Read and Enroll permissions on this template.

      • Add additional accounts for the Intune administrators who will create SCEP profiles. These accounts require Read permission on the template so that those admins can browse to it while creating SCEP profiles.

      Template, Security tab

    • Request Handling:

      The following image is an example. Your configuration might vary.

      Template, Request Handling tab

    • Issuance Requirements:

      The following image is an example. Your configuration might vary.

      Template, Issuance Requirements tab

  3. Save the certificate template.

Create the client certificate template

The Microsoft Intune Connector requires a certificate with the Client Authentication Enhanced Key Usage and a Subject name equal to the FQDN of the machine where the connector is installed. A template with the following properties is required:

  • Extensions > Application Policies must contain Client Authentication
  • Subject name > Supply in the request

If you already have a template that includes these properties, you can reuse it; otherwise, create a new template by either duplicating an existing one or creating a custom template.

Create the server certificate template

Communications between managed devices and IIS on the NDES server use HTTPS, which requires a certificate. You can use the Web Server certificate template to issue this certificate. Or, if you prefer a dedicated template, the following properties are required:

  • Extensions > Application Policies must contain Server Authentication
  • Subject name > Supply in the request

Note

If you have a certificate that satisfies the requirements of both the client and server certificate templates, you can use a single certificate for both IIS and the Microsoft Intune Connector.

Grant permissions for certificate revocation

For Intune to be able to revoke certificates that are no longer required, you must grant permissions in the Certification Authority.

On the Microsoft Intune Connector, you can use either the NDES server's system (computer) account or a specific account such as the NDES service account.

  1. In the Certification Authority console, right-click the CA name and select Properties.

  2. On the Security tab, click Add.

  3. Grant the Issue and Manage Certificates permission:

    • If you opt to use the NDES server's system account, grant the permission to the NDES server's computer account.
    • If you opt to use the NDES service account, grant the permission to that account instead.

Modify the validity period of the certificate template

Modifying the validity period of the certificate template is optional.

After you create the SCEP certificate template, you can edit the template to review the Validity period on the General tab.

By default, Intune uses the value configured in the template, but you can configure the CA to allow the requester to enter a different value, so that the value can be set from within the Intune console.

Important

For iOS/iPadOS and macOS, always use the value set in the template.

To configure a value that can be set from within the Intune console

  1. On the CA, run the following commands:

    certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
    net stop certsvc
    net start certsvc

    EditFlags is a CA-wide setting, not a per-template one: once this flag is set, an enrollee of any template on that CA can supply an expiration date as a request attribute. A requester can only shorten the lifetime this way, not extend it beyond the template's validity period.

  2. On the issuing CA, use the Certification Authority snap-in to publish the certificate template. Select the Certificate Templates node, select Action > New > Certificate Template to Issue, and then select the certificate template you created in the previous section.

  3. Validate that the template has been published by viewing it in the Certificate Templates folder.

Set up NDES

The following procedures help you configure the Network Device Enrollment Service (NDES) for use with Intune. For more information about NDES, see Network Device Enrollment Service Guidance.

Install the NDES service

  1. On the server that will host your NDES service, sign in as an Enterprise Administrator, and then use the Add Roles and Features Wizard to install NDES:

    1. In the wizard, select Active Directory Certificate Services to gain access to the AD CS role services. Select Network Device Enrollment Service, uncheck Certification Authority, and then complete the wizard.

      Tip

      In Installation progress, don't select Close. Instead, select the Configure Active Directory Certificate Services on the destination server link. The AD CS Configuration wizard opens, which you use for the next procedure in this article, Configure the NDES service. After AD CS Configuration opens, you can close the Add Roles and Features wizard.

    2. When NDES is added to the server, the wizard also installs IIS. Confirm that IIS has the following configurations:

      • Web Server > Security > Request Filtering

      • Web Server > Application Development > ASP.NET 3.5

        Installing ASP.NET 3.5 installs .NET Framework 3.5. When installing .NET Framework 3.5, install both the core .NET Framework 3.5 feature and HTTP Activation.

      • Web Server > Application Development > ASP.NET 4.5

        Installing ASP.NET 4.5 installs .NET Framework 4.5. When installing .NET Framework 4.5, install the core .NET Framework 4.5 feature, ASP.NET 4.5, and the WCF Services > HTTP Activation feature.

      • Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility

      • Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility

      • On the server, add the NDES service account as a member of the local IIS_IUSRS group.

  2. On the computer that hosts the NDES service, run the following command in an elevated command prompt. The command sets the SPN of the NDES service account:

    setspn -s http/<DNS name of the computer that hosts the NDES service> <Domain name>\<NDES Service account name>

    For example, if the computer that hosts the NDES service is named Server01, your domain is Contoso.com, and the service account is NDESService, use:

    setspn -s http/Server01.contoso.com contoso\NDESService
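The whole of the install procedure above (the NDES role service, the IIS and .NET features, the IIS_IUSRS membership and the SPN) can be done from an elevated PowerShell session instead of the wizard. The following script is an added example, not part of the original article and not Microsoft's code; the host name, domain and service account are hypothetical placeholders, and the feature names are the ones Install-WindowsFeature uses on Windows Server 2012 R2 and later.

```powershell
# Added example (not from the original article): install NDES and the IIS/.NET
# features the article lists, add the service account to IIS_IUSRS, and register
# the HTTP SPN. Run elevated on the server that will host NDES.
# Assumptions: the host name and account name below are hypothetical placeholders.
$NdesHost       = 'Server01.contoso.com'
$ServiceAccount = 'contoso\NDESService'

# Feature names as used by Install-WindowsFeature, one per item in the article's list.
$features = @(
    'ADCS-Device-Enrollment',      # Network Device Enrollment Service (no Certification Authority)
    'Web-Filtering',               # Web Server > Security > Request Filtering
    'NET-Framework-Core',          # .NET Framework 3.5 core
    'NET-HTTP-Activation',         # .NET Framework 3.5 > WCF Activation > HTTP Activation
    'Web-Asp-Net',                 # Web Server > Application Development > ASP.NET 3.5
    'NET-Framework-45-Core',       # .NET Framework 4.5 core
    'Web-Asp-Net45',               # Web Server > Application Development > ASP.NET 4.5
    'NET-WCF-HTTP-Activation45',   # .NET Framework 4.5 > WCF Services > HTTP Activation
    'Web-Metabase',                # Management Tools > IIS 6 Metabase Compatibility
    'Web-WMI',                     # Management Tools > IIS 6 WMI Compatibility
    'Web-Mgmt-Console'             # IIS Manager, used later to bind the SSL certificate
)

$result = Install-WindowsFeature -Name $features -IncludeManagementTools
if (-not $result.Success) { throw "Feature installation failed with exit code $($result.ExitCode)" }

# Every feature is required; report any that did not end up installed.
Get-WindowsFeature -Name $features |
    Where-Object { -not $_.Installed } |
    ForEach-Object { Write-Warning "Not installed: $($_.Name)" }

# Add the NDES service account to the local IIS_IUSRS group. net.exe is used rather than
# Add-LocalGroupMember so the same line works on Server 2012 R2; error 1378 means the
# account was already a member and is harmless.
net localgroup IIS_IUSRS $ServiceAccount /add

# Register the service principal name, then list the account's SPNs to confirm it took.
setspn -s "http/$NdesHost" $ServiceAccount
setspn -l $ServiceAccount
```

After this runs, continue with the AD CS Configuration wizard (or Install-AdcsNetworkDeviceEnrollmentService) described in the next procedure; the feature install alone does not configure the NDES service account or the CA binding.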

Configure the NDES service

  1. On the computer that hosts the NDES service, open the AD CS Configuration wizard, and then make the following updates:

    Tip

    If you're continuing from the previous procedure and clicked the Configure Active Directory Certificate Services on the destination server link, this wizard should already be open. Otherwise, open Server Manager to access the post-deployment configuration for Active Directory Certificate Services.

    • In Role Services, select Network Device Enrollment Service.
    • In Service Account for NDES, specify the NDES service account.
    • In CA for NDES, click Select, and then select the issuing CA where you configured the certificate template.
    • In Cryptography for NDES, set the key length to meet your company's requirements.
    • In Confirmation, select Configure to complete the wizard.
  2. After the wizard completes, update the following registry key on the computer that hosts the NDES service:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\

    To update this key, identify the certificate template's Purpose (found on its Request Handling tab). Then update the corresponding registry entry by replacing the existing data with the name of the certificate template (not its display name) that you specified when you created the certificate template.

    The following table maps the certificate template purpose to the values in the registry:

    Certificate template Purpose (on the Request Handling tab) | Registry value to edit | Value seen in the Intune admin console for the SCEP profile
    Signature                                                  | SignatureTemplate      | Digital Signature
    Encryption                                                 | EncryptionTemplate     | Key Encipherment
    Signature and encryption                                   | GeneralPurposeTemplate | Key Encipherment, Digital Signature

    For example, if the Purpose of your certificate template is Encryption, edit the EncryptionTemplate value to be the name of your certificate template.

  3. Configure IIS request filtering to add support in IIS for the long URLs (queries) that the NDES service receives.

    1. In IIS Manager, select Default Web Site > Request Filtering > Edit Feature Settings to open the Edit Request Filtering Settings page.

    2. Configure the following settings:

      • Maximum URL length (Bytes) = 65534
      • Maximum query string (Bytes) = 65534
    3. Select OK to save this configuration and close IIS Manager.

    4. Validate this configuration by viewing the following registry key to confirm it has the indicated values:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

      The following values are set as DWORD entries:

      • Name: MaxFieldLength, with a decimal value of 65534
      • Name: MaxRequestBytes, with a decimal value of 65534
  4. Restart the server that hosts the NDES service. Don't use iisreset; iisreset doesn't complete the required changes.

  5. Browse to http://Server_FQDN/certsrv/mscep/mscep.dll. You should see an NDES page similar to the following image:

    Test NDES

    If the web address returns 503 Service Unavailable, check the computer's Event Viewer. This error commonly occurs when the application pool is stopped because the NDES service account is missing a permission, such as one of the logon rights listed under Accounts.
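Steps 2 through 4 above (the MSCEP template registry value, the IIS request-filtering limits, and the HTTP.sys DWORDs) are the settings most often left half-done when NDES is configured by hand, because the registry and IIS changes live in three different places. The following PowerShell is an added example, not from the original article and not Microsoft's code, that applies all three and reads them back. The template name and purpose are hypothetical placeholders; substitute the template name (not the display name) you created on the issuing CA.

```powershell
# Added example (not from the original article): apply the post-wizard NDES settings
# from steps 2 to 4 above and read them back. Run elevated on the NDES server.
# Assumptions: the template name and purpose are hypothetical placeholders.
$TemplateName    = 'IntuneSCEP'     # template name as created on the CA, not the display name
$TemplatePurpose = 'Encryption'     # one of: Signature, Encryption, SignatureAndEncryption

# Step 2: write the template name into the MSCEP value that matches the template's Purpose.
$msCepKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$valueName = switch ($TemplatePurpose) {
    'Signature'              { 'SignatureTemplate' }
    'Encryption'             { 'EncryptionTemplate' }
    'SignatureAndEncryption' { 'GeneralPurposeTemplate' }
    default                  { throw "Unknown template purpose '$TemplatePurpose'" }
}
Set-ItemProperty -Path $msCepKey -Name $valueName -Value $TemplateName
'{0} = {1}' -f $valueName, (Get-ItemProperty -Path $msCepKey).$valueName

# Step 3: raise the request-filtering limits on the Default Web Site so the long
# SCEP query strings (the PKCS#7 blobs in the URL) are not rejected with HTTP 404.
Import-Module WebAdministration
$site   = 'IIS:\Sites\Default Web Site'
$filter = '/system.webServer/security/requestFiltering/requestLimits'
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxUrl         -Value 65534
Set-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxQueryString -Value 65534
Get-WebConfigurationProperty -PSPath $site -Filter $filter -Name maxUrl, maxQueryString

# Step 4: confirm the HTTP.sys limits the article tells you to validate, and set any
# that are absent or different (they are plain DWORDs under the HTTP service key).
$httpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    $current = (Get-ItemProperty -Path $httpKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne 65534) {
        Write-Warning "$name was '$current'; setting it to 65534"
        Set-ItemProperty -Path $httpKey -Name $name -Value 65534 -Type DWord
    } else {
        "$name already 65534"
    }
}

# The HTTP.sys values only take effect after the server restarts; iisreset is not enough.
# Restart-Computer -Force
```

Run it before the restart in step 4; after the reboot, the browse test in step 5 should return the NDES page rather than a 404 or 503.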

Install and bind certificates on the server that hosts NDES

The NDES server configuration requires two certificates: the client authentication certificate and the server authentication certificate described in the Certificates and templates section.

Tip

In the following procedure, you can use a single certificate for both server authentication and client authentication when that certificate is configured to meet the criteria of both uses. Its Subject Name must meet the client authentication certificate requirement.

  • Client authentication certificate

    This certificate is used during the Microsoft Intune Connector installation.

    Request and install a client authentication certificate from your internal CA or a public certificate authority.

    The certificate must meet the following requirements:

    • Enhanced Key Usage: This value must include Client Authentication.
    • Subject Name: Set a CN (Common Name) whose value equals the FQDN of the server where you're installing the certificate (the NDES server).
  • Server authentication certificate

    This certificate is used in IIS. It's a simple web server certificate that allows clients to trust the NDES URL.

    1. Request a server authentication certificate from your internal CA or a public CA, and then install the certificate on the server.

      The requirements differ depending on how you expose NDES to the internet.

      A good configuration is:

      • Subject Name: Set a CN (Common Name) whose value equals the FQDN of the server where you're installing the certificate (the NDES server).
      • Subject Alternative Name: Set DNS entries for every URL your NDES responds to, such as the internal FQDN and the external URLs.

      Note

      If you use Azure AD Application Proxy, the Azure AD Application Proxy connector translates requests from the external URL to the internal URL. As a result, NDES only responds to requests directed to the internal URL, usually the FQDN of the NDES server.

      In this situation, the external URL is not required in the certificate.

    2. Bind the server authentication certificate in IIS:

      1. After installing the server authentication certificate, open IIS Manager and select the Default Web Site. In the Actions pane, select Bindings.

      2. Select Add, set Type to https, and then confirm the port is 443.

      3. For SSL certificate, specify the server authentication certificate.
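The Tip above says one certificate can serve both the connector and IIS when it carries both EKUs and a Subject CN equal to the NDES FQDN. The following PowerShell is an added example, not from the original article and not Microsoft's code, of requesting exactly that certificate from the enterprise CA with a certreq INF file (CN = NDES FQDN, SAN entries for the internal and external names, Client and Server Authentication EKUs) and then binding it to the Default Web Site on 443. The host names, CA configuration string and template name are hypothetical placeholders; the template is assumed to be one that takes its subject from the request and carries both EKUs, as described in the template sections above.

```powershell
# Added example (not from the original article): request a single certificate that
# meets both the client- and server-authentication requirements above, install it in
# the machine store, and bind it to the Default Web Site. Run elevated on the NDES server.
# Assumptions: every name below is a hypothetical placeholder, and the CA template
# uses "Supply in the request" and has both EKUs.
$NdesFqdn     = 'Server01.contoso.com'
$ExternalName = 'ndes.contoso.com'                 # drop the SAN line if App Proxy hides it
$CAConfig     = 'CA01.contoso.com\Contoso Issuing CA'
$TemplateName = 'NDESServerClientAuth'

# certreq INF: subject from the request, 2048-bit non-exportable machine key,
# key usage digitalSignature|keyEncipherment (0xA0), both EKUs, and a DNS SAN.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$NdesFqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$NdesFqdn&"
_continue_ = "dns=$ExternalName"

[RequestAttributes]
CertificateTemplate = $TemplateName
"@

$work = Join-Path $env:TEMP 'ndes-cert'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'request.inf'
$reqPath = Join-Path $work 'request.req'
$cerPath = Join-Path $work 'issued.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Create the CSR (private key lands in LocalMachine\My), submit it to the CA, install the result.
certreq -new $infPath $reqPath
certreq -submit -config $CAConfig $reqPath $cerPath
certreq -accept $cerPath

# Find the newest certificate for the NDES FQDN that has its private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$NdesFqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for CN=$NdesFqdn in LocalMachine\My" }

# Bind it: add an https binding on 443 if there isn't one, then attach the certificate.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null
"Bound $($cert.Thumbprint) (expires $($cert.NotAfter)) to https://$NdesFqdn/"
```

The same certificate can then be selected in the connector installer's client-certificate step. If the CA rejects the request, the usual causes are a template whose Subject name is not set to Supply in the request, or a requesting computer account without Enroll on that template.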

Install the Microsoft Intune Connector

The Microsoft Intune Connector installs on the server that runs your NDES service. It isn't supported to run NDES or the Microsoft Intune Connector on the same server as your issuing Certification Authority (CA).

To install the Certificate Connector

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Tenant administration > Connectors and tokens > Certificate connectors > Add.

  3. Download and save the connector for SCEP file. Save it to a location accessible from the server where you're going to install the connector.

    Connector download

  4. After the download completes, go to the server hosting the Network Device Enrollment Service (NDES) role. Then:

    1. Confirm that the .NET 4.5 Framework is installed, as the Microsoft Intune Connector requires it. The .NET 4.5 Framework is included automatically with Windows Server 2012 R2 and newer versions.

    2. Use an account with admin permissions on the server to run the installer (NDESConnectorSetup.exe). The installer also installs the policy module for NDES and the IIS Certificate Registration Point (CRP) web service. The CRP web service, CertificateRegistrationSvc, runs as an application in IIS.

      When you install NDES for standalone Intune, the CRP service installs automatically with the Certificate Connector.

  5. When prompted for the client certificate for the Certificate Connector, choose Select, and select the client authentication certificate you installed on your NDES server in the procedure Install and bind certificates on the server that hosts NDES, earlier in this article.

    After you select the client authentication certificate, you're returned to the Client Certificate for Microsoft Intune Connector page. Although the certificate you selected isn't shown, select Next to view the properties of that certificate. Select Next, and then Install.

Note

The following changes must be made for GCC High tenants prior to launching the Microsoft Intune Connector.

Edit the two config files listed below to update the service endpoints for the GCC High environment. Note that these updates change the URIs from .com to .us suffixes. There are three URI updates in total: two in the NDESConnectorUI.exe.config file and one in the NDESConnector.exe.config file.

  • File name: <install_Path>\Microsoft Intune\NDESConnectorUI\NDESConnectorUI.exe.config

    Example: %programfiles%\Microsoft Intune\NDESConnectorUI\NDESConnectorUI.exe.config

    <appSettings>
         <add key="SignInURL" value="https://portal.manage.microsoft.us/Home/ClientLogon"/>
         <add key="LocationServiceEndpoint" value="RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresses"/>
         <add key="AccountPortalURL" value="https://manage.microsoft.us"/>
    </appSettings>

  • File name: <install_Path>\Microsoft Intune\NDESConnectorSvc\NDESConnector.exe.config

    Example: %programfiles%\Microsoft Intune\NDESConnectorSvc\NDESConnector.exe.config

    <appSettings>
         <add key="BaseServiceAddress" value="https://manage.microsoft.us/" />
    </appSettings>

If these edits aren't completed, GCC High tenants get the errors "Access Denied" and "You are not authorized to view this page".

  6. After the wizard completes, but before closing the wizard, select Launch the Certificate Connector UI.

    If you close the wizard before you launch the Certificate Connector UI, you can reopen it by running the following command:

    <install_Path>\NDESConnectorUI\NDESConnectorUI.exe

  7. In the Certificate Connector UI:

    1. Select Sign In, and enter your Intune service administrator credentials, or credentials for a tenant administrator with the global administration permission.

    2. The account you use must be assigned a valid Intune license.

    3. After you sign in, the Microsoft Intune Connector downloads a certificate from Intune. This certificate is used for authentication between the connector and Intune. If the account you used doesn't have an Intune license, the connector (NDESConnectorUI.exe) fails to get the certificate from Intune.

      If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select Use proxy server. Then enter the proxy server name, port, and account credentials to connect.

    4. Select the Advanced tab, and then enter credentials for an account that has the Issue and Manage Certificates permission on your issuing Certificate Authority. Select Apply to apply your changes.

    5. You can now close the Certificate Connector UI.

  8. Open a command prompt, enter services.msc, and then press Enter. Right-click the Intune Connector Service > Restart.

To validate that the service is running, open a browser and enter the following URL. It should return a 403 error: https://<FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll
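The GCC High config edits and the 403 check above can also be verified from the NDES server in one pass. The following PowerShell function is an added example, not code from the article or from the connector; it assumes the connector's default install path under %programfiles%\Microsoft Intune and the service display name Intune Connector Service as shown in services.msc.

```powershell
# Added example (not the article's or connector's own code): verifies the GCC High endpoint
# edits, the connector service state and the expected 403 from mscep.dll. Assumes the default
# install path and the service display name 'Intune Connector Service' from services.msc.
function Test-IntuneConnectorSetup {
    param(
        [Parameter(Mandatory)][string]$NdesFqdn,
        [string]$InstallPath = (Join-Path $env:ProgramFiles 'Microsoft Intune'),
        [switch]$GccHigh
    )

    if ($GccHigh) {
        # Keys that must carry a .us host after the edits. LocationServiceEndpoint is a
        # relative path and is not changed, so it is not checked.
        $expected = @{
            'NDESConnectorUI\NDESConnectorUI.exe.config' = @('SignInURL', 'AccountPortalURL')
            'NDESConnectorSvc\NDESConnector.exe.config'  = @('BaseServiceAddress')
        }
        foreach ($relative in $expected.Keys) {
            $path = Join-Path $InstallPath $relative
            if (-not (Test-Path $path)) { Write-Warning "Missing config file: $path"; continue }
            [xml]$config = Get-Content -Path $path -Raw
            foreach ($key in $expected[$relative]) {
                $node = $config.configuration.appSettings.add | Where-Object { $_.key -eq $key }
                if (-not $node) { Write-Warning "$key not found in $relative"; continue }
                $uriHost = ([uri]$node.value).Host
                if ($uriHost.EndsWith('.us')) { "OK: $key -> $uriHost" }
                else { Write-Warning "$key still points at $uriHost (expected a .us endpoint)" }
            }
        }
    }

    # The connector service should be running after the restart in the last step.
    $svc = Get-Service -DisplayName 'Intune Connector Service' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { "OK: $($svc.DisplayName) is running" }
    else { Write-Warning 'Intune Connector Service is not running' }

    # An unauthenticated GET to mscep.dll is expected to be refused with HTTP 403.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $url = "https://$NdesFqdn/certsrv/mscep/mscep.dll"
    try {
        Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop | Out-Null
        Write-Warning "$url succeeded; expected HTTP 403"
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 403) { "OK: $url returned 403 as expected" }
        else { Write-Warning "$url returned '$status' ($($_.Exception.Message))" }
    }
}
```

Run it as `Test-IntuneConnectorSetup -NdesFqdn '<FQDN_of_your_NDES_server>' -GccHigh` (omit -GccHigh for commercial tenants); any warning points at the step above that still needs attention.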

Note

The Microsoft Intune Connector supports TLS 1.2. If the server that hosts the connector supports TLS 1.2, then TLS 1.2 is used. If the server doesn't support TLS 1.2, then TLS 1.1 is used. Currently, TLS 1.1 is used for authentication between the devices and server.

Next steps

Create a SCEP certificate profile
Troubleshoot issues for the Microsoft Intune Connector