Configure and manage SCEP certificates with Intune

Applies to: Intune in the Azure portal
Looking for documentation about Intune in the classic portal? Go here.

This topic shows how to configure your infrastructure, then create and assign Simple Certificate Enrollment Protocol (SCEP) certificate profiles with Intune.

Configure on-premises infrastructure

  • Active Directory domain: All servers listed in this section (except for the Web Application Proxy Server) must be joined to your Active Directory domain.

  • Certification Authority (CA): An Enterprise Certification Authority (CA) that runs on an Enterprise edition of Windows Server 2008 R2 or later. A Standalone CA is not supported. For details, see Install the Certification Authority. If your CA runs Windows Server 2008 R2, you must install the hotfix from KB2483564.

  • NDES Server: On a server that runs Windows Server 2012 R2 or later, you must set up the Network Device Enrollment Service (NDES). Intune does not support using NDES when it runs on a server that also runs the Enterprise CA. See Network Device Enrollment Service Guidance for instructions on how to configure Windows Server 2012 R2 to host the Network Device Enrollment Service. The NDES server must be domain joined to the domain that hosts the CA, and must not be on the same server as the CA. More information about deploying the NDES server in a separate forest, isolated network, or internal domain can be found in Using a Policy Module with the Network Device Enrollment Service.

  • Microsoft Intune Certificate Connector: Use the Azure portal to download the Certificate Connector installer (ndesconnectorssetup.exe). Then you can run ndesconnectorssetup.exe on the computer where you want to install the Certificate Connector.

  • Web Application Proxy Server (optional): Use a server that runs Windows Server 2012 R2 or later as a Web Application Proxy (WAP) server. This configuration:

    • Allows devices to receive certificates using an Internet connection.
    • Is a security recommendation when devices connect through the Internet to receive and renew certificates.

Network requirements

From the Internet to the perimeter network, allow port 443 from all hosts/IP addresses on the Internet to the NDES server.

From the perimeter network to the trusted network, allow all ports and protocols needed for domain access on the domain-joined NDES server. The NDES server needs access to the certificate servers, DNS servers, Configuration Manager servers, and domain controllers.

We recommend publishing the NDES server through a proxy, such as the Azure AD application proxy, Web Access Proxy, or a third-party proxy.

Certificates and templates

| Object | Details |
| --- | --- |
| Certificate Template | Configure this template on your issuing CA. |
| Client authentication certificate | Requested from your issuing CA or a public CA; you install this certificate on the NDES server. |
| Server authentication certificate | Requested from your issuing CA or a public CA; you install and bind this SSL certificate in IIS on the NDES server. |
| Trusted Root CA certificate | You export this certificate as a .cer file from the root CA or any device that trusts the root CA, and assign it to devices by using the Trusted CA certificate profile. |

You use a single Trusted Root CA certificate per operating system platform, and associate it with each Trusted Root Certificate profile you create.

You can use additional Trusted Root CA certificates when needed. For example, you might do this to provide a trust to a CA that signs the server authentication certificates for your Wi-Fi access points.

Accounts

| Name | Details |
| --- | --- |
| NDES service account | Specify a domain user account to use as the NDES service account. |

Configure your infrastructure

Before you can configure certificate profiles, you must complete the following tasks, which require knowledge of Windows Server 2012 R2 and Active Directory Certificate Services (ADCS):

Step 1: Create an NDES service account

Step 2: Configure certificate templates on the certification authority

Step 3: Configure prerequisites on the NDES server

Step 4: Configure NDES for use with Intune

Step 5: Enable, install, and configure the Intune Certificate Connector

Step 1 - Create an NDES service account

Create a domain user account to use as the NDES service account. You specify this account when you configure templates on the issuing CA, before you install and configure NDES. Make sure the user has the default rights: Log on locally, Log on as a service, and Log on as a batch job. Some organizations have hardening policies that disable those rights.

Step 2 - Configure certificate templates on the certification authority

In this task you will:

  • Configure a certificate template for NDES

  • Publish the certificate template for NDES

To configure the certification authority
  1. Log on as an enterprise administrator.

  2. On the issuing CA, use the Certificate Templates snap-in to create a new custom template, or copy and then edit an existing template (like the User template), for use with NDES.

    Note

    The NDES certificate template must be based on a v2 certificate template (with Windows 2003 compatibility).

    The template must have the following configurations:

    • Specify a friendly Template display name for the template.

    • On the Subject Name tab, select Supply in the request. (Security is enforced by the Intune policy module for NDES.)

    • On the Extensions tab, ensure the Description of Application Policies includes Client Authentication.

      Important

      For iOS and macOS certificate templates, on the Extensions tab, edit Key Usage and ensure Signature is proof of origin is not selected.

    • On the Security tab, add the NDES service account and give it Enroll permissions to the template. Intune admins who create SCEP profiles require Read rights so that they can browse to the template when creating SCEP profiles.

    Note

    To revoke certificates, the NDES service account needs Issue and Manage Certificates rights for each certificate template used by a certificate profile.

  3. Review the Validity period on the General tab of the template. By default, Intune uses the value configured in the template. However, you have the option to configure the CA to allow the requester to specify a different value, which you can then set from within the Intune administrator console. If you want to always use the value in the template, skip the remainder of this step.

    Important

    iOS and macOS always use the value set in the template, regardless of other configurations you make.

Here are screenshots of an example template configuration: the template's Request Handling, Subject Name, Security, Extensions, and Issuance Requirements tabs.

Important

For Application Policies, only add the application policies required. Confirm your choices with your security admins.

To configure the CA to allow the requester to specify the validity period:

  1. On the CA, run the following commands:
    • `certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE`
    • `net stop certsvc`
    • `net start certsvc`
  2. On the issuing CA, use the Certification Authority snap-in to publish the certificate template. Select the Certificate Templates node, click Action > New > Certificate Template to Issue, and then select the template you created in step 2.
  3. Validate that the template published by viewing it under the Certificate Templates folder.
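The following PowerShell check is an added example (not code from the original page or from Microsoft) for confirming the two CA-side settings above: that EDITF_ATTRIBUTEENDDATE is set in the policy module's EditFlags and that the NDES template appears in the CA's list of templates to issue. It assumes it runs on the issuing CA as an enterprise administrator and that the template name (not the display name) is passed as a parameter.

```powershell
# Added example: verify the CA-side settings for Intune SCEP/NDES.
# Assumes it runs on the issuing CA with enterprise administrator rights.
param(
    # Template name (not the display name) of the template created in Step 2.
    [Parameter(Mandatory)][string]$TemplateName
)

# EDITF_ATTRIBUTEENDDATE is bit 0x20 of the default policy module's EditFlags;
# this is the flag that "certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE" sets.
$EDITF_ATTRIBUTEENDDATE = 0x20

# Locate the active CA and its policy module settings in the registry.
$caRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $caRoot -Name Active).Active
$policyKey = Join-Path $caRoot "$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
$editFlags = (Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags

# "certutil -CATemplates" prints one line per template the CA will issue, as
# "<template name>: <display name> -- ...". Collect the template names.
$published = certutil -CATemplates 2>$null | ForEach-Object {
    if ($_ -match '^\s*(?<name>[^:\s]+):') { $Matches['name'] }
}

$result = [pscustomobject]@{
    CAName                 = $caName
    EditFlags              = ('0x{0:X}' -f $editFlags)
    AllowsRequesterEndDate = (($editFlags -band $EDITF_ATTRIBUTEENDDATE) -ne 0)
    TemplatePublished      = ($published -contains $TemplateName)
}

if (-not $result.AllowsRequesterEndDate) {
    Write-Warning 'EDITF_ATTRIBUTEENDDATE is not set; validity periods set in Intune profiles are ignored and the template value is used.'
}
if (-not $result.TemplatePublished) {
    Write-Warning "Template '$TemplateName' is not in the CA's list of certificate templates to issue."
}
$result
```

Run it after the net start certsvc step; a CA whose EditFlags already contained the bit reports AllowsRequesterEndDate as True without any further change.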

Step 3 - Configure prerequisites on the NDES server

In this task you will:

  • Add NDES to a Windows Server and configure IIS to support NDES

  • Add the NDES service account to the IIS_IUSRS group

  • Set the SPN for the NDES service account

  1. On the server that will host NDES, you must log on as an Enterprise Administrator, and then use the Add Roles and Features Wizard to install NDES:

    1. In the wizard, select Active Directory Certificate Services to gain access to the AD CS Role Services. Select the Network Device Enrollment Service, uncheck Certification Authority, and then complete the wizard.

      Tip

      On the Installation progress page of the wizard, do not click Close. Instead, click the link for Configure Active Directory Certificate Services on the destination server. This opens the AD CS Configuration wizard that you use for the next task. After AD CS Configuration opens, you can close the Add Roles and Features wizard.

    2. When NDES is added to the server, the wizard also installs IIS. Ensure IIS has the following configurations:

      • Web Server > Security > Request Filtering

      • Web Server > Application Development > ASP.NET 3.5. Installing ASP.NET 3.5 installs .NET Framework 3.5. When installing .NET Framework 3.5, install both the core .NET Framework 3.5 feature and HTTP Activation.

      • Web Server > Application Development > ASP.NET 4.5. Installing ASP.NET 4.5 installs .NET Framework 4.5. When installing .NET Framework 4.5, install the core .NET Framework 4.5 feature, ASP.NET 4.5, and the WCF Services > HTTP Activation feature.

      • Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility

      • Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility

    3. On the server, add the NDES service account as a member of the IIS_IUSRS group.

  2. In an elevated command prompt, run the following command to set the SPN of the NDES service account:

**setspn -s http/<DNS name of NDES Server> <Domain name>\<NDES Service account name>**

For example, if your NDES server is named Server01, your domain is Contoso.com, and the service account is NDESService, use:

**setspn -s http/Server01.contoso.com contoso\NDESService**
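As an added example (not from the original page or from Microsoft), this PowerShell script checks the Step 3 prerequisites on the NDES server: the role services and IIS features listed above, IIS_IUSRS membership, the Step 1 logon rights, and the http/<FQDN> SPN. It assumes it runs on the NDES server as an administrator; the default parameter values are the page's sample names (contoso, Server01, NDESService).

```powershell
# Added example: check the Step 3 prerequisites on the NDES server.
# Assumes it runs on the NDES server as an administrator. Defaults are the
# page's sample names; pass your own domain, account and FQDN as parameters.
param(
    [string]$Domain         = 'contoso',
    [string]$ServiceAccount = 'NDESService',
    [string]$NdesFqdn       = 'Server01.contoso.com'
)

$account  = "$Domain\$ServiceAccount"
$findings = New-Object System.Collections.Generic.List[string]

# 1. Role services and IIS features selected in the Add Roles and Features wizard.
$requiredFeatures = @{
    'ADCS-Device-Enrollment'    = 'Network Device Enrollment Service'
    'Web-Filtering'             = 'Web Server > Security > Request Filtering'
    'Web-Asp-Net'               = 'ASP.NET 3.5'
    'NET-HTTP-Activation'       = '.NET Framework 3.5 > HTTP Activation'
    'Web-Asp-Net45'             = 'ASP.NET 4.5'
    'NET-WCF-HTTP-Activation45' = 'WCF Services > HTTP Activation'
    'Web-Metabase'              = 'IIS 6 Metabase Compatibility'
    'Web-WMI'                   = 'IIS 6 WMI Compatibility'
}
foreach ($name in $requiredFeatures.Keys) {
    $feature = Get-WindowsFeature -Name $name
    if (-not $feature.Installed) { $findings.Add("Missing feature: $($requiredFeatures[$name]) ($name)") }
}
# NDES must not share a server with the Enterprise CA.
if ((Get-WindowsFeature -Name 'ADCS-Cert-Authority').Installed) {
    $findings.Add('Certification Authority is installed on this server; Intune does not support NDES on the CA server')
}

# 2. The service account must be a member of the local IIS_IUSRS group.
$members = net localgroup IIS_IUSRS | Where-Object { $_ -like '*\*' } | ForEach-Object { $_.Trim() }
if ($members -notcontains $account) { $findings.Add("$account is not a member of IIS_IUSRS") }

# 3. Logon rights from Step 1: export local policy and look for the account's SID on each right.
#    Rights granted through group membership are not visible here, so this is a direct-grant check only.
$sid = (New-Object System.Security.Principal.NTAccount($Domain, $ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -ErrorAction SilentlyContinue
$rights = @{
    'SeInteractiveLogonRight' = 'Log on locally'
    'SeServiceLogonRight'     = 'Log on as a service'
    'SeBatchLogonRight'       = 'Log on as a batch job'
}
foreach ($right in $rights.Keys) {
    $line = $policy | Where-Object { $_ -like "$right *" }
    if (-not ($line -match [regex]::Escape($sid)) -and -not ($line -match [regex]::Escape($ServiceAccount))) {
        $findings.Add("$($rights[$right]) ($right) is not directly granted to $account; check group-based grants")
    }
}

# 4. The http/<FQDN> SPN set with setspn -s must be registered on the service account.
$spns = setspn -L $account
if (-not ($spns -match ('^\s*http/' + [regex]::Escape($NdesFqdn) + '\s*$'))) {
    $findings.Add("SPN http/$NdesFqdn is not registered on $account")
}

if ($findings.Count -eq 0) { 'Step 3 prerequisites look correct.' } else { $findings }
```

A missing logon right reported here is the usual cause of the 503 Service Unavailable response described in Step 4, because the NDES application pool cannot start under the service account.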

Step 4 - Configure NDES for use with Intune

In this task you will:

  • Configure NDES for use with the issuing CA

  • Bind the server authentication (SSL) certificate in IIS

  • Configure Request Filtering in IIS

  1. On the NDES server, open the AD CS Configuration wizard and then make the following configurations:

    Tip

    If you clicked the link in the previous task, this wizard is already open. Otherwise, open Server Manager to access the post-deployment configuration for Active Directory Certificate Services.

    • On the Role Services page, select the Network Device Enrollment Service.

    • On the Service Account for NDES page, specify the NDES service account.

    • On the CA for NDES page, click Select, and then select the issuing CA where you configured the certificate template.

    • On the Cryptography for NDES page, set the key length to meet your company requirements.

    On the Confirmation page, click Configure to complete the wizard.

  2. After the wizard completes, edit the following registry key on the NDES server:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\

    To edit this key, identify the certificate template's Purpose, as found on its Request Handling tab, and then edit the corresponding entry in the registry by replacing the existing data with the name of the certificate template (not the display name of the template) that you specified in Task 1. The following table maps the certificate template purpose to the values in the registry:

    | Certificate template Purpose (on the Request Handling tab) | Registry value to edit | Value seen in the Intune admin console for the SCEP profile |
    | --- | --- | --- |
    | Signature | SignatureTemplate | Digital Signature |
    | Encryption | EncryptionTemplate | Key Encipherment |
    | Signature and encryption | GeneralPurposeTemplate | Key Encipherment, Digital Signature |

    For example, if the Purpose of your certificate template is Encryption, then edit the EncryptionTemplate value to be the name of your certificate template.

  3. The NDES server receives long URLs (queries), which require that you add two registry entries:

    | Location | Value | Type | Data |
    | --- | --- | --- | --- |
    | HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters | MaxFieldLength | DWORD | 65534 (decimal) |
    | HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters | MaxRequestBytes | DWORD | 65534 (decimal) |
  4. In IIS Manager, choose Default Web Site > Request Filtering > Edit Feature Settings, and change the Maximum URL length and Maximum query string to 65534, as shown.

    [Screenshot: IIS maximum URL and query string length]

  5. Restart the server. Running iisreset on the server is not sufficient to finalize these changes.

  6. Browse to http://FQDN/certsrv/mscep/mscep.dll. You should see an NDES page similar to this:

    [Screenshot: Test NDES page]

    If you get a 503 Service Unavailable, check the Event Viewer. It's likely that the application pool is stopped due to a missing right for the NDES user. Those rights are described in Task 1.

To install and bind certificates on the NDES server
  1. On your NDES server, request and install a server authentication certificate from your internal CA or a public CA. You then bind this SSL certificate in IIS.

    Tip

    After you bind the SSL certificate in IIS, you will also install a client authentication certificate. This certificate can be issued by any CA that is trusted by the NDES server. Although it is not a best practice, you can use the same certificate for both server and client authentication as long as the certificate has both Enhanced Key Usages (EKUs). Review the following steps for information about these authentication certificates.

    1. After you obtain the server authentication certificate, open IIS Manager, select the Default Web Site in the Connections pane, and then click Bindings in the Actions pane.

    2. Click Add, set Type to https, and then ensure the port is 443. (Only port 443 is supported for standalone Intune.)

    3. For SSL certificate, specify the server authentication certificate.

      Note

      If the NDES server uses both an external and an internal name for a single network address, the server authentication certificate must have a Subject Name with the external public server name, and a Subject Alternative Name that includes the internal server name.

  2. On your NDES server, request and install a client authentication certificate from your internal CA or a public certificate authority. This can be the same certificate as the server authentication certificate if that certificate has both capabilities.

    The client authentication certificate must have the following properties:

    Enhanced Key Usage - This must include Client Authentication.

    Subject Name - This must be equal to the DNS name of the server where you are installing the certificate (the NDES server).

To configure IIS request filtering
  1. On the NDES server, open IIS Manager, select the Default Web Site in the Connections pane, and then open Request Filtering.

  2. Click Edit Feature Settings, and then set the values:

    Maximum query string (Bytes) = 65534

    Maximum URL length (Bytes) = 65534

  3. Review the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

    Ensure the following values are set as DWORD entries:

    Name: MaxFieldLength, with a decimal value of 65534

    Name: MaxRequestBytes, with a decimal value of 65534

  4. Reboot the NDES server. The server is now ready to support the Certificate Connector.
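As an added example (not from the original page or from Microsoft), the following PowerShell script validates the Step 4 settings on the NDES server after the reboot: the MSCEP template registry values, the HTTP.sys MaxFieldLength/MaxRequestBytes entries, the IIS request filtering limits, the https binding on port 443, and the presence of a client authentication certificate whose subject is the NDES DNS name. It assumes it runs on the NDES server as an administrator with the IIS WebAdministration module available; the template name and FQDN defaults are constructed sample values.

```powershell
# Added example: validate the Step 4 configuration on the NDES server.
# Assumes it runs on the NDES server as an administrator with the WebAdministration module (IIS).
# The defaults below are constructed sample values; pass your own as parameters.
param(
    [string]$NdesFqdn     = 'Server01.contoso.com',
    [string]$TemplateName = 'IntuneSCEPTemplate'   # template name, not the display name
)
Import-Module WebAdministration

$findings = New-Object System.Collections.Generic.List[string]

# 1. MSCEP registry: the slot matching the template's Purpose must hold the template name.
$mscep   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$slots   = 'SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate'
$current = ($slots | ForEach-Object { "$_=$($mscep.$_)" }) -join ', '
if (-not ($slots | Where-Object { $mscep.$_ -eq $TemplateName })) {
    $findings.Add("No MSCEP template value equals '$TemplateName' (current: $current)")
}

# 2. HTTP.sys limits for the long SCEP query strings (65534 decimal).
$http = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
foreach ($name in 'MaxFieldLength', 'MaxRequestBytes') {
    if ($http.$name -ne 65534) { $findings.Add("HTTP\Parameters\$name is '$($http.$name)', expected 65534") }
}

# 3. IIS request filtering limits on the Default Web Site.
$limits = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' `
            -Filter 'system.webServer/security/requestFiltering/requestLimits'
foreach ($attr in 'maxUrl', 'maxQueryString') {
    if ([int]$limits.$attr -ne 65534) { $findings.Add("requestLimits/$attr is $($limits.$attr), expected 65534") }
}

# 4. An https binding on port 443 with a server certificate assigned.
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https |
           Where-Object { $_.bindingInformation -like '*:443:*' }
if (-not $binding) { $findings.Add('Default Web Site has no https binding on port 443') } elseif (-not $binding.certificateHash) { $findings.Add('The https binding on port 443 has no certificate assigned') }

# 5. A client authentication certificate (EKU 1.3.6.1.5.5.7.3.2) whose subject is the NDES DNS name,
#    with a private key and not yet expired.
$clientAuthOid  = '1.3.6.1.5.5.7.3.2'
$subjectPattern = 'CN=' + [regex]::Escape($NdesFqdn) + '(,|$)'
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) -and
    ($_.Subject -match $subjectPattern)
}
if (-not $clientCert) {
    $findings.Add("No valid client authentication certificate with subject CN=$NdesFqdn and a private key in LocalMachine\My")
}

if ($findings.Count -eq 0) { 'Step 4 configuration checks passed.' } else { $findings }
```

The certificate found in check 5 is the one the Certificate Connector installer asks for in Step 5.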

Step 5 - Enable, install, and configure the Intune Certificate Connector

In this task you will:

  • Enable support for NDES in Intune.

  • Download, install, and configure the Certificate Connector on the NDES server.

    Note

    To support high availability, you can install multiple Certificate Connector instances.

To enable support for the Certificate Connector
  1. Sign in to the Azure portal.
  2. Choose More Services > Monitoring + Management > Intune.
  3. On the Intune blade, choose Configure devices.
  4. On the Device Configuration blade, choose Certification Authority.
  5. Select Enable Certificate Connector.
To download, install, and configure the Certificate Connector
  1. Sign in to the Azure portal.
  2. Choose More Services > Monitoring + Management > Intune.
  3. On the Intune blade, choose Configure devices.
  4. On the Device Configuration blade, choose Certification Authority.
  5. Choose Download Certificate Connector.
  6. After the download completes, run the downloaded installer (ndesconnectorssetup.exe) on a Windows Server 2012 R2 server. The installer also installs the policy module for NDES and the CRP Web Service. (The CRP Web Service, CertificateRegistrationSvc, runs as an application in IIS.)

    Note

    When you install NDES for standalone Intune, the CRP service automatically installs with the Certificate Connector. When you use Intune with Configuration Manager, you install the Certificate Registration Point as a separate site system role.

  7. When prompted for the client certificate for the Certificate Connector, choose Select, and select the client authentication certificate you installed on your NDES server in Task 3.

    After you select the client authentication certificate, you are returned to the Client Certificate for Microsoft Intune Certificate Connector surface. Although the certificate you selected is not shown, click Next to view the properties of that certificate. Then click Next, and then click Install.

  8. After the wizard completes, but before closing the wizard, click Launch the Certificate Connector UI.

    Tip

    If you close the wizard before launching the Certificate Connector UI, you can reopen it by running the following command:

    <install_Path>\NDESConnectorUI\NDESConnectorUI.exe

  9. In the Certificate Connector UI:

    Click Sign In and enter your Intune service administrator credentials, or credentials for a tenant administrator with the global administration permission.

    If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, click Use proxy server and then provide the proxy server name, port, and account credentials to connect.

    Select the Advanced tab, provide credentials for an account that has the Issue and Manage Certificates permission on your issuing Certificate Authority, and then click Apply.

    You can now close the Certificate Connector UI.

  10. Open a command prompt and type services.msc, press Enter, right-click the Intune Connector Service, and then click Restart.

To validate that the service is running, open a browser and enter the following URL, which should return a 403 error:

http://<FQDN_of_your_NDES_server>/certsrv/mscep/mscep.dll

How to create a SCEP certificate profile

  1. In the Azure portal, select the Configure devices workload.
  2. On the Device Configuration blade, choose Manage > Profiles.
  3. On the Profiles blade, choose Create Profile.
  4. On the Create Profile blade, enter a Name and Description for the SCEP certificate profile.
  5. From the Platform drop-down list, select the device platform for this SCEP certificate. Currently, you can choose one of the following platforms for device restriction settings:
    • Android
    • iOS
    • macOS
    • Windows Phone 8.1
    • Windows 8.1 and later
    • Windows 10 and later
  6. From the Profile type drop-down list, choose SCEP certificate.
  7. On the SCEP Certificate blade, configure the following settings:

    • Certificate validity period - If you have run the `certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE` command on the issuing CA, which allows a custom validity period, you can specify the amount of remaining time before the certificate expires.
      You can specify a value that is lower than the validity period in the specified certificate template, but not higher. For example, if the certificate validity period in the certificate template is two years, you can specify a value of one year but not a value of five years. The value must also be lower than the remaining validity period of the issuing CA's certificate.
    • Key storage provider (KSP) (Windows Phone 8.1, Windows 8.1, Windows 10) - Specify where the key to the certificate is stored. Choose from one of the following values:
      • Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP
      • Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
      • Enroll to Passport, otherwise fail (Windows 10 and later)
      • Enroll to Software KSP
    • Subject name format - From the list, select how Intune automatically creates the subject name in the certificate request. If the certificate is for a user, you can also include the user's email address in the subject name. Choose from:

      • Not configured
      • Common name
      • Common name including email
      • Common name as email
      • IMEI (International Mobile Equipment Identity)
      • Serial number
      • Custom - When you select this option, another drop-down field is displayed. You use this field to enter a custom subject name format. The two variables supported for the custom format are Common Name (CN) and Email (E). By using a combination of one or many of these variables and static strings, you can create a custom subject name format, like this one: CN={{UserName}},E={{EmailAddress}},OU=Mobile,O=Finance Group,L=Redmond,ST=Washington,C=US. In this example, you created a subject name format that, in addition to the CN and E variables, uses strings for Organizational Unit, Organization, Location, State, and Country values. This topic shows the CertStrToName function and its supported strings.
    • Subject alternative name - Specify how Intune automatically creates the values for the subject alternative name (SAN) in the certificate request. For example, if you selected a user certificate type, you can include the user principal name (UPN) in the subject alternative name. If the client certificate is used to authenticate to a Network Policy Server, you must set the subject alternative name to the UPN.

    • Key usage - Specify key usage options for the certificate. You can choose from the following options:
      • Key encipherment: Allow key exchange only when the key is encrypted.
      • Digital signature: Allow key exchange only when a digital signature helps protect the key.
    • Key size (bits) - Select the number of bits that is contained in the key.
    • Hash algorithm (Android, Windows Phone 8.1, Windows 8.1, Windows 10) - Select one of the available hash algorithm types to use with this certificate. Select the strongest level of security that the connecting devices support.
    • Root Certificate - Choose a root CA certificate profile that you have previously configured and assigned to the user or device. This CA certificate must be the root certificate for the CA that issues the certificate that you are configuring in this certificate profile.
    • Extended key usage - Choose Add to add values for the certificate's intended purpose. In most cases, the certificate requires Client Authentication so that the user or device can authenticate to a server. However, you can add any other key usages as required.
    • Enrollment Settings
      • Renewal threshold (%) - Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
      • SCEP Server URLs - Specify one or more URLs for the NDES servers that issue certificates via SCEP.
  8. When you're done, go back to the Create Profile blade, and hit Create.

The profile is created and appears on the profiles list blade.

How to assign the certificate profile

Consider the following before you assign certificate profiles to groups:

  • When you assign certificate profiles to groups, the certificate file from the Trusted CA certificate profile is installed on the device. The device then uses the SCEP certificate profile to create a certificate request.
  • Certificate profiles install only on devices running the platform you chose when you created the profile.
  • You can assign certificate profiles to user collections or to device collections.
  • To publish a certificate to a device quickly after the device enrolls, assign the certificate profile to a user group rather than to a device group. If you assign to a device group, a full device registration is required before the device receives policies.
  • Although you assign each profile separately, you also need to assign the Trusted Root CA and the SCEP or PKCS profile. Otherwise, the SCEP or PKCS certificate policy fails.

For information about how to assign profiles, see How to assign device profiles.