Troubleshoot device to NDES server communication for SCEP certificate profiles in Microsoft Intune

Use the following information to determine whether a device that received and processed an Intune Simple Certificate Enrollment Protocol (SCEP) certificate profile can successfully contact the Network Device Enrollment Service (NDES) to present a challenge. On the device, a private key is generated, and the Certificate Signing Request (CSR) and the challenge are passed from the device to the NDES server. To contact the NDES server, the device uses the URI from the SCEP certificate profile.

This article references Step 2 of the SCEP communication flow overview.

Review IIS logs for a connection from the device

IIS logs include the same type of entries for all platforms.

  1. On the NDES server, open the most recent IIS log file found in the following folder: %SystemDrive%\inetpub\logs\logfiles\w3svc1

  2. Search the log for entries similar to the following examples. Both examples contain a status of 200, which appears near the end:

    fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 186 0.

    And

    fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 3567 0

  3. When the device contacts IIS, an HTTP GET request for mscep.dll is logged.

    Review the status code near the end of this request: a value of 200 means the request reached NDES and was answered successfully.

    If the connection request isn't logged at all, the contact from the device might be blocked on the network between the device and the NDES server.
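The review in steps 1 to 3 can be scripted. The following is an added example, not part of the original article: it opens the most recent IIS log in the folder from step 1, keeps only the requests for mscep.dll, and groups them by SCEP operation and status code. It assumes the standard W3C field names (c-ip, cs-uri-stem, cs-uri-query, sc-status, cs(User-Agent)) are enabled in IIS logging.

```powershell
# Added example, not part of the original article: summarise the SCEP requests to mscep.dll
# in the most recent IIS log on the NDES server, grouped by operation and status code.
# Assumes the default log folder from step 1 and the standard W3C field names.
$LogFolder = "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1"
$LogFile = Get-ChildItem -Path $LogFolder -Filter '*.log' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $LogFile) { throw "No IIS log files found in $LogFolder" }

$fields = @()
$hits = foreach ($line in Get-Content -Path $LogFile.FullName) {
    # '#Fields:' declares the column order and may appear more than once per file
    if ($line.StartsWith('#Fields:')) {
        $fields = $line.Substring(8).Trim() -split '\s+'
        continue
    }
    if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
    $cols = $line -split ' '
    if ($cols.Count -ne $fields.Count) { continue }   # truncated or malformed line
    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
    # Only the SCEP endpoint is of interest
    if ($row['cs-uri-stem'] -notmatch 'mscep\.dll') { continue }
    $op = if ($row['cs-uri-query'] -match 'operation=(\w+)') { $Matches[1] } else { '(none)' }
    [pscustomobject]@{
        Time      = "$($row['date']) $($row['time'])"
        Client    = $row['c-ip']
        Operation = $op
        Status    = [int]$row['sc-status']
        UserAgent = $row['cs(User-Agent)']
    }
}

if (-not $hits) {
    # No GET for mscep.dll at all: the device never reached IIS (see step 3 above)
    Write-Warning "No requests for mscep.dll in $($LogFile.Name); the device may be blocked before it reaches IIS."
    return
}

# Per-operation status summary: GetCACaps, GetCACert and PKIOperation should all show 200
$hits | Group-Object Operation, Status |
    Select-Object @{n='Operation'; e={ $_.Group[0].Operation }},
                  @{n='Status';    e={ $_.Group[0].Status }},
                  Count |
    Sort-Object Operation, Status | Format-Table -AutoSize

# Anything other than 200 deserves a closer look; a 500 is the case covered under "Status code 500" below
$hits | Where-Object { $_.Status -ne 200 } |
    Format-Table Time, Client, Operation, Status, UserAgent -AutoSize
```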

Review device logs for connections to NDES

Android devices

Review the device's OMADM log. Look for entries that resemble the following, which are logged when the device connects to NDES:

2018-02-27T05:16:08.2500000  VERB  Event  com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager  18327    10  There are 1 requests
2018-02-27T05:16:08.2500000  VERB  Event  com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager  18327    10  Trying to enroll certificate request: ModelName=AC_51bad41f-3854-4eb5-a2f2-0f7a94034ee8%2FLogicalName_39907e78_e61b_4730_b9fa_d44a53e4111c;Hash=1677525787
2018-02-27T05:16:09.5530000  VERB  Event  org.jscep.transport.UrlConnectionGetTransport  18327    10  Sending GetCACaps(ca) to https://<server>.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:14.6440000  VERB  Event  org.jscep.transport.UrlConnectionGetTransport  18327    10  Received '200 OK' when sending GetCACaps(ca) to https://<server>.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:21.8220000  VERB  Event  org.jscep.message.PkiMessageEncoder  18327     10 Encoding message: org.jscep.message.PkcsReq@2b06f45f[messageData=org.<server>.pkcs.PKCS10CertificationRequest@699b3cd,messageType=PKCS_REQ,senderNonce=Nonce [D447AE9955E624A56A09D64E2B3AE76E],transId=251E592A777C82996C7CF96F3AAADCF996FC31FF]
2018-02-27T05:16:21.8790000  VERB  Event  org.jscep.message.PkiMessageEncoder  18327     10  Signing pkiMessage using key belonging to [dn=CN=<uesrname>; serial=1]
2018-02-27T05:16:21.9580000  VERB  Event  org.jscep.transaction.EnrollmentTransaction  18327     10  Sending org.<server>.cms.CMSSignedData@ad57775

Key entries include the following sample text strings:

  • There are 1 requests
  • Received '200 OK' when sending GetCACaps(ca) to https://<server>.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
  • Signing pkiMessage using key belonging to [dn=CN=<username>; serial=1]

The connection is also logged by IIS in the %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\ folder of the NDES server. The following is an example:

fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=ca 443 - 
fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 3909 0
fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - 
fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 421 

iOS/iPadOS devices

Review the device's debug log. Look for entries that resemble the following, which are logged when the device connects to NDES:

debug    18:30:53.691033 -0500    profiled    Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=SCEP%20Authority
debug    18:30:54.640644 -0500    profiled    Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=SCEP%20Authority
default    18:30:55.483977 -0500    profiled    Attempting to retrieve issued certificate...
debug    18:30:55.487798 -0500    profiled    Sending CSR via GET.
debug    18:30:55.487908 -0500    profiled    Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=PKIOperation&message=...

Key entries include the following sample text strings:

  • operation=GetCACert
  • Attempting to retrieve issued certificate
  • Sending CSR via GET
  • operation=PKIOperation

Windows devices

On a Windows device that is making a connection to NDES, you can view the device's Windows Event Viewer and look for indications of a successful connection. Connections are logged as event ID 36 in the device's DeviceManagement-Enterprise-Diagnostics-Provider > Admin log.

To open the log:

  1. On the device, run eventvwr.msc to open Windows Event Viewer.

  2. Expand Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

  3. Look for Event 36, which resembles the following example, with the key line SCEP: Certificate request generated successfully:

    Event ID:      36
    Task Category: None
    Level:         Information
    Keywords:
    User:          <UserSid>
    Computer:      <Computer Name>
    Description:
    SCEP: Certificate request generated successfully. Enhanced Key Usage: (1.3.6.1.5.5.7.3.2), NDES URL: (https://<server>/certsrv/mscep/mscep.dll/pkiclient.exe), Container Name: (), KSP Setting: (0x2), Store Location: (0x1).
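The same check from a PowerShell prompt on the device, as an added example that is not part of the original article: it queries the Admin log for Event ID 36, extracts the NDES URL and Enhanced Key Usage from the description shown above, and optionally compares the URL with the Server URL from the SCEP profile. The channel name below (the provider name from step 2 with the /Admin suffix) and the description layout are assumptions taken from the event above.

```powershell
# Added example, not part of the original article: list Event ID 36 entries on the Windows device
# and pull the NDES URL and EKU out of each description. Assumes the channel name below and the
# "Name: (value)" layout of the description shown above.
$LogName     = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$ExpectedUrl = $null   # e.g. 'https://contoso.com/certsrv/mscep/mscep.dll' from the SCEP profile; $null skips the comparison

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 36 } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No Event 36 in $LogName ; no SCEP certificate request has been generated on this device yet."
    return
}

$events | ForEach-Object {
    $msg = $_.Message
    # Values are parenthesised, e.g. NDES URL: (https://<server>/certsrv/mscep/mscep.dll/pkiclient.exe)
    $url = if ($msg -match 'NDES URL: \(([^)]*)\)') { $Matches[1] } else { $null }
    $eku = if ($msg -match 'Enhanced Key Usage: \(([^)]*)\)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Generated = $msg -like 'SCEP: Certificate request generated successfully*'
        NdesUrl   = $url
        Eku       = $eku
        # The logged URL carries the trailing /pkiclient.exe, so compare on the prefix only
        UrlMatch  = if ($ExpectedUrl -and $url) { $url.StartsWith($ExpectedUrl, 'OrdinalIgnoreCase') } else { 'n/a' }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```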
    

Troubleshoot common errors

The following sections can help with common connection issues from all device platforms to NDES.

Status code 500

Connections that resemble the following example, with a status code of 500, indicate that the Impersonate a client after authentication user right isn't assigned to the IIS_IUSRS group on the NDES server. The status value of 500 appears near the end:

2017-08-08 20:22:16 IP_address GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - 10.5.14.22 profiled/1.0+CFNetwork/811.5.4+Darwin/16.6.0 - 500 0 1346 31

To fix this issue:

  1. On the NDES server, run secpol.msc to open the Local Security Policy.

  2. Expand Local Policies, and then click User Rights Assignment.

  3. Double-click Impersonate a client after authentication in the right pane.

  4. Click Add User or Group…, enter IIS_IUSRS in the Enter the object names to select box, and then click OK.

  5. Click OK.

  6. Restart the computer, and then try the connection from the device again.

Test the SCEP server URL

Use the following steps to test the URL that is specified in the SCEP certificate profile.

  1. In Intune, edit your SCEP certificate profile and copy the Server URL. The URL should resemble https://contoso.com/certsrv/mscep/mscep.dll.

  2. Open a web browser, and then browse to that SCEP server URL. The result should be: HTTP Error 403.0 – Forbidden. This result indicates that the URL is functioning correctly.

    If you don't receive that error, see the section below that matches the error you see for issue-specific guidance:

General NDES message

When you browse to the SCEP server URL, you receive the following Network Device Enrollment Service message:

(Screenshot: SCEP server URL showing the Network Device Enrollment Service page)

  • Cause: This problem is usually an issue with the Microsoft Intune Connector installation.

    Mscep.dll is an ISAPI extension that intercepts incoming requests and displays the HTTP 403 error if it's installed correctly.

    Resolution: Examine the SetupMsi.log file to determine whether the Microsoft Intune Connector was installed successfully. In the following example, Installation completed successfully and Installation success or error status: 0 indicate a successful installation:

    MSI (c) (28:54) [16:13:11:905]: Product: Microsoft Intune Connector -- Installation completed successfully.
    MSI (c) (28:54) [16:13:11:999]: Windows Installer installed the product. Product Name: Microsoft Intune Connector. Product Version: 6.1711.4.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.
    

    If the installation fails, remove the Microsoft Intune Connector and then reinstall it. If the installation was successful and you continue to receive the General NDES message, run the iisreset command to restart IIS.

HTTP Error 503

When you browse to the SCEP server URL, you receive the following error:

HTTP Error 503.

This issue is usually because the SCEP application pool in IIS isn't started. On the NDES server, open IIS Manager and go to Application Pools. Locate the SCEP application pool and confirm that it's started.

If the SCEP application pool isn't started, check the Application event log on the server:

  1. On the NDES server, run eventvwr.msc to open Event Viewer, and then go to Windows Logs > Application.

  2. Look for an event that is similar to the following example, which means that the application pool crashes when a request is received:

    Log Name:      Application
    Source:        Application Error
    Event ID:      1000
    Task Category: Application Crashing Events
    Level:         Error
    Keywords:      Classic
    Description: Faulting application name: w3wp.exe, version: 8.5.9600.16384, time stamp: 0x5215df96
    Faulting module name: ntdll.dll, version: 6.3.9600.18821, time stamp: 0x59ba86db
    Exception code: 0xc0000005
    

Common causes for an application pool crash:

  • Cause 1: There are intermediate CA certificates (not self-signed) in the NDES server's Trusted Root Certification Authorities certificate store.

    Resolution: Remove the intermediate certificates from the Trusted Root Certification Authorities certificate store, and then restart the NDES server.

    To identify all intermediate certificates in the Trusted Root Certification Authorities certificate store, run the following PowerShell cmdlet:

    Get-ChildItem -Path cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}

    A certificate that has the same Issued to and Issued by values is a root certificate. Otherwise, it's an intermediate certificate.

    After removing the certificates and restarting the server, run the PowerShell cmdlet again to confirm that there are no intermediate certificates. If there are, check whether a Group Policy pushes the intermediate certificates to the NDES server. If so, exclude the NDES server from the Group Policy and remove the intermediate certificates again.

  • Cause 2: The URLs in the Certificate Revocation List (CRL) are blocked or unreachable for the certificates that are used by the Intune Certificate Connector.

    Resolution: Enable additional logging to collect more information:

    1. Open Event Viewer, click View, and make sure that the Show Analytic and Debug Logs option is checked.
    2. Go to Applications and Services Logs > Microsoft > Windows > CAPI2 > Operational, right-click Operational, and then click Enable Log.
    3. After CAPI2 logging is enabled, reproduce the problem, and then examine the event log to troubleshoot the issue.
  • Cause 3: The IIS permissions on CertificateRegistrationSvc have Windows Authentication enabled.

    Resolution: Enable Anonymous Authentication and disable Windows Authentication, and then restart the NDES server.

    (Screenshot: IIS permissions)

  • Cause 4: The NDESPolicy module certificate has expired.

    The CAPI2 log (see the resolution for Cause 2) will show errors relating to the certificate referenced by HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint being outside of its validity period.

    Resolution: Update the reference with the thumbprint of a valid certificate.

    1. Identify a replacement certificate:
      • Renew the existing certificate
      • Select a different certificate with similar properties (subject, EKU, key type and length, etc.)
      • Enroll a new certificate
    2. Export the NDESPolicy registry key to back up the current values.
    3. Replace the data of the NDESCertThumbprint registry value with the thumbprint of the new certificate, removing all whitespace and converting the text to lowercase.
    4. Restart the NDES IIS application pools, or run iisreset from an elevated command prompt.
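Cause 1 and Cause 4 are both certificate-store checks on the NDES server, so one script covers them. This is an added example, not part of the original article: it lists non-self-signed certificates in the Trusted Root store (Cause 1) and checks whether the certificate referenced by the NDESCertThumbprint value is within its validity period (Cause 4), printing the normalised thumbprint of any unexpired certificate with the same subject as a replacement candidate. It assumes the NDESPolicy certificate lives in the local machine Personal store and that moving intermediates to the Intermediate Certification Authorities store is an acceptable form of removal.

```powershell
# Added example, not part of the original article. Run elevated on the NDES server.
$MoveIntermediates = $false   # $true moves offending certificates from Root to the CA store (Cause 1)

# ---- Cause 1: intermediate (non-self-signed) certificates in the Trusted Root store ----
$RootStore = 'Cert:\LocalMachine\Root'
$Intermediates = Get-ChildItem -Path $RootStore | Where-Object { $_.Issuer -ne $_.Subject }
if ($Intermediates) {
    Write-Warning "$(@($Intermediates).Count) non-self-signed certificate(s) found in $RootStore :"
    $Intermediates | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
    if ($MoveIntermediates) {
        # Move rather than delete so the chain still builds; restart the server afterwards as the article says
        $Intermediates | Move-Item -Destination 'Cert:\LocalMachine\CA'
    }
} else {
    Write-Output "No intermediate certificates in $RootStore."
}

# ---- Cause 4: the certificate referenced by the NDESPolicy module ----
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy'
$Thumbprint = (Get-ItemProperty -Path $PolicyKey -Name NDESCertThumbprint -ErrorAction Stop).NDESCertThumbprint
# Step 3 of the resolution requires the value without whitespace and in lowercase
$Normalized = ($Thumbprint -replace '\s', '').ToLowerInvariant()
if ($Normalized -cne $Thumbprint) {
    Write-Warning "NDESCertThumbprint is '$Thumbprint'; the value should be stored as '$Normalized'."
}

$MyStore = 'Cert:\LocalMachine\My'   # assumed location of the NDESPolicy certificate
$Cert = Get-ChildItem -Path $MyStore | Where-Object { $_.Thumbprint -ieq $Normalized } | Select-Object -First 1
$Now  = Get-Date
if (-not $Cert) {
    Write-Warning "No certificate with thumbprint $Normalized in $MyStore."
} elseif ($Now -gt $Cert.NotAfter -or $Now -lt $Cert.NotBefore) {
    Write-Warning "NDESPolicy certificate '$($Cert.Subject)' is outside its validity period ($($Cert.NotBefore) to $($Cert.NotAfter))."
    # Replacement candidates (step 1): unexpired certificates with the same subject, thumbprint ready for the registry
    Get-ChildItem -Path $MyStore |
        Where-Object { $_.Subject -eq $Cert.Subject -and $_.NotAfter -gt $Now -and $_.Thumbprint -ine $Normalized } |
        Format-Table Subject, NotAfter, @{n='ThumbprintForRegistry'; e={ $_.Thumbprint.ToLowerInvariant() }} -AutoSize
} else {
    Write-Output "NDESPolicy certificate '$($Cert.Subject)' is valid until $($Cert.NotAfter)."
}
```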

GatewayTimeout

When you browse to the SCEP server URL, you receive the following error:

(Screenshot: GatewayTimeout error)

  • Cause: The Microsoft AAD Application Proxy Connector service isn't started.

    Resolution: Run services.msc, and then make sure that the Microsoft AAD Application Proxy Connector service is running and that its Startup Type is set to Automatic.

HTTP 414 Request-URI Too Long

When you browse to the SCEP server URL, you receive the following error: HTTP 414 Request-URI Too Long

  • Cause: IIS request filtering isn't configured to support the long URLs (queries) that the NDES service receives. This support is configured when you configure the NDES service for use with your infrastructure for SCEP.

  • Resolution: Configure support for long URLs.

    1. On the NDES server, open IIS Manager, and then select Default Web Site > Request Filtering > Edit Feature Settings to open the Edit Request Filtering Settings page.

    2. Configure the following settings:

      • Maximum URL length (Bytes) = 65534
      • Maximum query string (Bytes) = 65534

    3. Select OK to save this configuration and close IIS Manager.

    4. Validate this configuration by locating the following registry key and confirming that it has the indicated values:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

      The following values are set as DWORD entries:

      • Name: MaxFieldLength, with a decimal value of 65534
      • Name: MaxRequestBytes, with a decimal value of 65534

    5. Restart the NDES server.
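Steps 2 and 4 can be verified together from an elevated PowerShell prompt on the NDES server. The following is an added example, not part of the original article: it reads the two DWORD values under the registry key from step 4 and the request filtering limits of the Default Web Site (maxUrl and maxQueryString, the attributes behind the two IIS Manager settings in step 2) through the WebAdministration module that ships with IIS, and can optionally write the expected values. It assumes the site is still named Default Web Site.

```powershell
# Added example, not part of the original article: check (and optionally apply) the long-URL
# settings from steps 2 and 4. Run elevated on the NDES server; restart it afterwards (step 5).
$Expected   = 65534
$ApplyFix   = $false   # set to $true to write the expected values where they are missing or too small
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$SitePath   = 'IIS:\Sites\Default Web Site'   # assumed site name
$Filter     = 'system.webServer/security/requestFiltering/requestLimits'

# ---- Step 4: HTTP.sys limits stored as DWORD values ----
$props = Get-ItemProperty -Path $HttpParams
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    $value = $props.$name
    if ($value -eq $Expected) {
        Write-Output "$name = $value (OK)"
        continue
    }
    $shown = if ($null -eq $value) { 'not set' } else { $value }
    Write-Warning "$name is $shown, expected DWORD $Expected"
    if ($ApplyFix) {
        # Set-ItemProperty creates the value if it does not exist; -Type forces REG_DWORD
        Set-ItemProperty -Path $HttpParams -Name $name -Value $Expected -Type DWord
    }
}

# ---- Step 2: IIS request filtering limits on the Default Web Site ----
# maxUrl = "Maximum URL length (Bytes)", maxQueryString = "Maximum query string (Bytes)"
Import-Module WebAdministration -ErrorAction Stop
foreach ($attr in 'maxUrl', 'maxQueryString') {
    $value = [int](Get-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name $attr).Value
    if ($value -ge $Expected) {
        Write-Output "requestLimits/$attr = $value (OK)"
        continue
    }
    Write-Warning "requestLimits/$attr is $value, expected $Expected"
    if ($ApplyFix) {
        Set-WebConfigurationProperty -PSPath $SitePath -Filter $Filter -Name $attr -Value $Expected
    }
}
```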

This page can't be displayed

You have Azure AD Application Proxy configured. When you browse to the SCEP server URL, you receive the following error:

This page can't be displayed

  • Cause: This issue occurs when the SCEP external URL is incorrect in the Application Proxy configuration. An example of this URL is https://contoso.com/certsrv/mscep/mscep.dll.

    Resolution: Use the default domain of yourtenant.msappproxy.net for the SCEP external URL in the Application Proxy configuration.

500 - Internal server error

When you browse to the SCEP server URL, you receive the following error:

500 - Internal server error

  • Cause 1: The NDES service account is locked or its password has expired.

    Resolution: Unlock the account or reset the password.

  • Cause 2: The MSCEP-RA certificates have expired.

    Resolution: If the MSCEP-RA certificates have expired, reinstall the NDES role or request new CEP Encryption and Exchange Enrollment Agent (Offline request) certificates.

    To request new certificates, follow these steps:

    1. On the Certificate Authority (CA) or issuing CA, open the Certificate Templates MMC. Make sure that the logged-in user and the NDES server have Read and Enroll permissions to the CEP Encryption and Exchange Enrollment Agent (Offline request) certificate templates.

    2. Check the expired certificates on the NDES server, and copy the Subject information from each certificate.

    3. Open the Certificates MMC for Computer account.

    4. Expand Personal, right-click Certificates, and then select All Tasks > Request New Certificate.

    5. On the Request Certificate page, select CEP Encryption, and then click More information is required to enroll for this certificate. Click here to configure settings.

      (Screenshot: select CEP Encryption)

    6. In Certificate Properties, click the Subject tab, fill in the Subject name with the information that you collected in step 2, click Add, and then click OK.

    7. Complete the certificate enrollment.

    8. Open the Certificates MMC for My user account.

      When you enroll for the Exchange Enrollment Agent (Offline request) certificate, it must be done in the user context, because the Subject Type of this certificate template is set to User.

    9. Expand Personal, right-click Certificates, and then select All Tasks > Request New Certificate.

    10. On the Request Certificate page, select Exchange Enrollment Agent (Offline request), and then click More information is required to enroll for this certificate. Click here to configure settings.

      (Screenshot: select Exchange Enrollment Agent)

    11. In Certificate Properties, click the Subject tab, fill in the Subject name with the information that you collected in step 2, and then click Add.

      (Screenshot: Certificate Properties)

      Select the Private Key tab, select Make private key exportable, and then click OK.

      (Screenshot: Private Key)

    12. Complete the certificate enrollment.

    13. Export the Exchange Enrollment Agent (Offline request) certificate from the current user certificate store. In the Certificate Export Wizard, select Yes, export the private key.

    14. Import the certificate into the local machine certificate store.

    15. In the Certificates MMC, do the following for each of the new certificates:

      Right-click the certificate, click All Tasks > Manage Private Keys, and then add Read permission for the NDES service account.

    16. Run the iisreset command to restart IIS.

Next steps

If the device successfully reaches the NDES server to present the certificate request, the next step is to review the Intune Certificate Connector's policy module.