Troubleshoot device to NDES server communication for SCEP certificate profiles in Microsoft Intune

Use the following information to determine whether a device that received and processed an Intune Simple Certificate Enrollment Protocol (SCEP) certificate profile can successfully contact Network Device Enrollment Service (NDES) to present a challenge. On the device, a private key is generated, and the Certificate Signing Request (CSR) and the challenge are passed from the device to the NDES server. To contact the NDES server, the device uses the URI from the SCEP certificate profile.

This article references Step 2 of the SCEP communication flow overview.

Review IIS logs for a connection from the device

IIS logs include the same type of entries for all platforms.

  1. On the NDES server, open the most recent IIS log file, found in the following folder: %SystemDrive%\inetpub\logs\logfiles\w3svc1

  2. Search the log for entries similar to the following examples. Both examples contain a status 200, which appears near the end:

    fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 186 0.

    And

    fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=default 80 - fe80::f53d:89b8:c3e8:5fec%13 Mozilla/4.0+(compatible;+Win32;+NDES+client) - 200 0 0 3567 0

  3. When the device contacts IIS, an HTTP GET request for mscep.dll is logged.

    Review the status code near the end of this request.

    If the connection request isn't logged at all, the contact from the device might be blocked on the network between the device and the NDES server.
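The following PowerShell script is an added example, not part of the Microsoft article: it opens the newest W3SVC1 log on the NDES server, keeps only the requests for mscep.dll, and groups them by client, SCEP operation and HTTP status so that a missing connection or a non-200 status stands out. It assumes the default log folder named above and the standard W3C log format with its #Fields: header line.

```powershell
# Added example (not from the Microsoft article): summarize SCEP requests to mscep.dll
# in the NDES server's IIS W3SVC1 log, grouped by client, operation and HTTP status.
# Assumes the default log location from the article and the W3C log format, in which
# the '#Fields:' header line names the columns.
param(
    [string]$LogDir = "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1"
)

# Most recently written log file, as the article recommends opening the newest one
$logFile = Get-ChildItem -Path $LogDir -Filter '*.log' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $logFile) { throw "No IIS log files found in $LogDir" }

$fields = $null
$hits = foreach ($line in Get-Content -Path $logFile.FullName) {
    if ($line.StartsWith('#Fields:')) {
        # W3C header names each column, e.g. "#Fields: date time s-ip cs-method cs-uri-stem ..."
        $fields = $line.Substring(8).Trim() -split '\s+'
        continue
    }
    if ($line.StartsWith('#') -or -not $fields) { continue }

    $cols = $line -split ' '
    if ($cols.Count -ne $fields.Count) { continue }   # skip malformed lines

    $row = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

    # Only the SCEP endpoint matters here
    if ($row['cs-uri-stem'] -notmatch 'mscep\.dll') { continue }

    # The SCEP operation is carried in the query string: operation=GetCACaps|GetCACert|PKIOperation
    $op = if ($row['cs-uri-query'] -match 'operation=([A-Za-z]+)') { $Matches[1] } else { '(none)' }

    [pscustomobject]@{
        Time      = "$($row['date']) $($row['time'])"
        Client    = $row['c-ip']
        Operation = $op
        Status    = [int]$row['sc-status']
        SubStatus = [int]$row['sc-substatus']
        UserAgent = $row['cs(User-Agent)']
    }
}

if (-not $hits) {
    # No mscep.dll request at all: the article's hint that the device is blocked before reaching IIS
    Write-Warning "No mscep.dll requests in $($logFile.Name); check the network path from the device to NDES."
    return
}

# Per-client, per-operation summary; anything other than 200 deserves a closer look
$hits | Group-Object Client, Operation, Status |
    Select-Object Count, @{n='Client';e={$_.Group[0].Client}},
                  @{n='Operation';e={$_.Group[0].Operation}},
                  @{n='Status';e={$_.Group[0].Status}} |
    Sort-Object Client, Operation | Format-Table -AutoSize

# Non-200 entries in full, in log order
$hits | Where-Object Status -ne 200 | Format-Table -AutoSize
```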

Review device logs for connections to NDES

Android devices

Review the device's OMADM log. Look for entries that resemble the following, which are logged when the device connects to NDES:

2018-02-27T05:16:08.2500000  VERB  Event  com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager  18327    10  There are 1 requests
2018-02-27T05:16:08.2500000  VERB  Event  com.microsoft.omadm.platforms.android.certmgr.CertificateEnrollmentManager  18327    10  Trying to enroll certificate request: ModelName=AC_51bad41f-3854-4eb5-a2f2-0f7a94034ee8%2FLogicalName_39907e78_e61b_4730_b9fa_d44a53e4111c;Hash=1677525787
2018-02-27T05:16:09.5530000  VERB  Event  org.jscep.transport.UrlConnectionGetTransport  18327    10  Sending GetCACaps(ca) to https://<server>.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:14.6440000  VERB  Event  org.jscep.transport.UrlConnectionGetTransport  18327    10  Received '200 OK' when sending GetCACaps(ca) to https://<server>.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
2018-02-27T05:16:21.8220000  VERB  Event  org.jscep.message.PkiMessageEncoder  18327     10 Encoding message: org.jscep.message.PkcsReq@2b06f45f[messageData=org.<server>.pkcs.PKCS10CertificationRequest@699b3cd,messageType=PKCS_REQ,senderNonce=Nonce [D447AE9955E624A56A09D64E2B3AE76E],transId=251E592A777C82996C7CF96F3AAADCF996FC31FF]
2018-02-27T05:16:21.8790000  VERB  Event  org.jscep.message.PkiMessageEncoder  18327     10  Signing pkiMessage using key belonging to [dn=CN=<username>; serial=1]
2018-02-27T05:16:21.9580000  VERB  Event  org.jscep.transaction.EnrollmentTransaction  18327     10  Sending org.<server>.cms.CMSSignedData@ad57775

Key entries include the following sample text strings:

  • There are 1 requests
  • Received '200 OK' when sending GetCACaps(ca) to https://<server>.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=ca
  • Signing pkiMessage using key belonging to [dn=CN=<username>; serial=1]

The connection is also logged by IIS in the %SystemDrive%\inetpub\logs\LogFiles\W3SVC1\ folder of the NDES server. The following is an example:

fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=ca 443 - 
fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 3909 0
fe80::f53d:89b8:c3e8:5fec%13 GET /certsrv/mscep/mscep.dll operation=GetCACaps&message=ca 443 - 
fe80::f53d:89b8:c3e8:5fec%13 Dalvik/2.1.0+(Linux;+U;+Android+5.0;+P01M+Build/LRX21V) - 200 0 0 421 

iOS/iPadOS devices

Review the device's debug log. Look for entries that resemble the following, which are logged when the device connects to NDES:

debug    18:30:53.691033 -0500    profiled    Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACert&message=SCEP%20Authority
debug    18:30:54.640644 -0500    profiled    Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=GetCACaps&message=SCEP%20Authority
default    18:30:55.483977 -0500    profiled    Attempting to retrieve issued certificate...
debug    18:30:55.487798 -0500    profiled    Sending CSR via GET.
debug    18:30:55.487908 -0500    profiled    Performing synchronous URL request: https://<server>-contoso.msappproxy.net/certsrv/mscep/mscep.dll?operation=PKIOperation&message=...

Key entries include the following sample text strings:

  • operation=GetCACert
  • Attempting to retrieve issued certificate
  • Sending CSR via GET
  • operation=PKIOperation

Windows devices

On a Windows device that is making a connection to NDES, you can view the device's Windows Event Viewer and look for indications of a successful connection. Connections are logged as event ID 36 in the device's DeviceManagement-Enterprise-Diagnostics-Provider > Admin log.

To open the log:

  1. On the device, run eventvwr.msc to open Windows Event Viewer.

  2. Expand Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin.

  3. Look for Event 36, which resembles the following example, with the key line SCEP: Certificate request generated successfully:

    Event ID:      36
    Task Category: None
    Level:         Information
    Keywords:
    User:          <UserSid>
    Computer:      <Computer Name>
    Description:
    SCEP: Certificate request generated successfully. Enhanced Key Usage: (1.3.6.1.5.5.7.3.2), NDES URL: (https://<server>/certsrv/mscep/mscep.dll/pkiclient.exe), Container Name: (), KSP Setting: (0x2), Store Location: (0x1).

Troubleshoot common errors

The following sections can help with common connection issues from all device platforms to NDES.

Status code 500

Connections that resemble the following example, with a status code of 500, indicate that the Impersonate a client after authentication user right isn't assigned to the IIS_IUSRS group on the NDES server. The status value of 500 appears at the end:

2017-08-08 20:22:16 IP_address GET /certsrv/mscep/mscep.dll operation=GetCACert&message=SCEP%20Authority 443 - 10.5.14.22 profiled/1.0+CFNetwork/811.5.4+Darwin/16.6.0 - 500 0 1346 31

To fix this issue:

  1. On the NDES server, run secpol.msc to open the Local Security Policy.

  2. Expand Local Policies, and then click User Rights Assignment.

  3. Double-click Impersonate a client after authentication in the right pane.

  4. Click Add User or Group…, enter IIS_IUSRS in the Enter the object names to select box, and then click OK.

  5. Click OK.

  6. Restart the computer, and then try the connection from the device again.
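As an added example (not from the article), this PowerShell script checks the user right without opening secpol.msc: it exports the local policy with secedit.exe and reports whether IIS_IUSRS holds SeImpersonatePrivilege, the internal name of Impersonate a client after authentication. It assumes an elevated prompt on the NDES server.

```powershell
# Added example (not from the article): confirm that the 'Impersonate a client after
# authentication' user right (SeImpersonatePrivilege) on the NDES server includes IIS_IUSRS.
# It exports the effective local security policy with secedit and reads the privilege line;
# run it from an elevated PowerShell prompt.
$export = Join-Path $env:TEMP 'ndes-secpol.inf'
secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $export)) { throw 'secedit export failed; run this from an elevated prompt.' }

# The [Privilege Rights] section lists each right as "SeXxxPrivilege = *S-1-5-32-xxx,DOMAIN\name,..."
$line = Get-Content $export | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } | Select-Object -First 1
$holders = if ($line) { ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() } } else { @() }

# Entries prefixed with '*' are SIDs; translate them so the output shows account names
$names = foreach ($h in $holders) {
    if ($h.StartsWith('*')) {
        try { (New-Object System.Security.Principal.SecurityIdentifier($h.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $h }   # keep the raw SID if it cannot be resolved
    } else { $h }
}

# IIS_IUSRS is the well-known built-in group S-1-5-32-568
$hasIisGroup = ($holders -contains '*S-1-5-32-568') -or ($names | Where-Object { $_ -match 'IIS_IUSRS$' })
"SeImpersonatePrivilege holders: $($names -join ', ')"
if ($hasIisGroup) { 'OK: IIS_IUSRS holds Impersonate a client after authentication.' }
else { 'MISSING: add IIS_IUSRS under secpol.msc > Local Policies > User Rights Assignment, then restart.' }
Remove-Item $export -ErrorAction SilentlyContinue
```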

Test the SCEP server URL

Use the following steps to test the URL that is specified in the SCEP certificate profile.

  1. In Intune, edit your SCEP certificate profile and copy the Server URL. The URL should resemble https://contoso.com/certsrv/mscep/mscep.dll.

  2. Open a web browser, and then browse to that SCEP server URL. The result should be: HTTP Error 403.0 – Forbidden. This result indicates that the URL is functioning correctly.

    If you don't receive that error, see the section below that matches the error you see for issue-specific guidance:

General NDES message

When you browse to the SCEP server URL, you receive the following Network Device Enrollment Service message:

(Screenshot: SCEP server URL)

  • Cause: This problem is usually an issue with the Microsoft Intune Connector installation.

    Mscep.dll is an ISAPI extension that intercepts incoming requests and displays the HTTP 403 error if it's installed correctly.

    Resolution: Examine the SetupMsi.log file to determine whether the Microsoft Intune Connector is successfully installed. In the following example, Installation completed successfully and Installation success or error status: 0 indicate a successful installation:

    MSI (c) (28:54) [16:13:11:905]: Product: Microsoft Intune Connector -- Installation completed successfully.
    MSI (c) (28:54) [16:13:11:999]: Windows Installer installed the product. Product Name: Microsoft Intune Connector. Product Version: 6.1711.4.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.

    If the installation fails, remove the Microsoft Intune Connector and then reinstall it. If the installation was successful and you continue to receive the General NDES message, run the iisreset command to restart IIS.

HTTP Error 503

When you browse to the SCEP server URL, you receive the following error:

HTTP Error 503.

This issue is usually because the SCEP application pool in IIS isn't started. On the NDES server, open IIS Manager and go to Application Pools. Locate the SCEP application pool and confirm that it's started.

If the SCEP application pool isn't started, check the application event log on the server:

  1. On the server, run eventvwr.msc to open Event Viewer, and then go to Windows Logs > Application.

  2. Look for an event that is similar to the following example, which means that the application pool crashes when a request is received:

    Log Name:      Application
    Source:        Application Error
    Event ID:      1000
    Task Category: Application Crashing Events
    Level:         Error
    Keywords:      Classic
    Description: Faulting application name: w3wp.exe, version: 8.5.9600.16384, time stamp: 0x5215df96
    Faulting module name: ntdll.dll, version: 6.3.9600.18821, time stamp: 0x59ba86db
    Exception code: 0xc0000005

Common causes for an application pool crash:

  • Cause 1: There are intermediate CA certificates (not self-signed) in the NDES server's Trusted Root Certification Authorities certificate store.

    Resolution: Remove the intermediate certificates from the Trusted Root Certification Authorities certificate store, and then restart the NDES server.

    To identify all intermediate certificates in the Trusted Root Certification Authorities certificate store, run the following PowerShell cmdlet:

      Get-ChildItem -Path cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}

    A certificate that has the same Issued to and Issued by values is a root certificate. Otherwise, it's an intermediate certificate.

    After removing certificates and restarting the server, run the PowerShell cmdlet again to confirm that there are no intermediate certificates. If there are, check whether a Group Policy pushes the intermediate certificates to the NDES server. If so, exclude the NDES server from the Group Policy and remove the intermediate certificates again.

  • Cause 2: The URLs in the Certificate Revocation List (CRL) are blocked or unreachable for the certificates that are used by the Intune Certificate Connector.

    Resolution: Enable additional logging to collect more information:

    1. Open Event Viewer, click View, and make sure that the Show Analytic and Debug Logs option is checked.
    2. Go to Applications and Services Logs > Microsoft > Windows > CAPI2 > Operational, right-click Operational, and then click Enable Log.
    3. After CAPI2 logging is enabled, reproduce the problem, and examine the event log to troubleshoot the issue.

  • Cause 3: IIS permission on CertificateRegistrationSvc has Windows Authentication enabled.

    Resolution: Enable Anonymous Authentication and disable Windows Authentication, and then restart the NDES server.

    (Screenshot: IIS permissions)

  • Cause 4: The NDESPolicy module certificate has expired.

    The CAPI2 log (see the resolution for Cause 2) will show errors relating to the certificate referenced by HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy\NDESCertThumbprint being outside of the certificate's validity period.

    Resolution: Update the reference with the thumbprint of a valid certificate.

    1. Identify a replacement certificate:
      • Renew the existing certificate
      • Select a different certificate with similar properties (subject, EKU, key type and length, etc.)
      • Enroll a new certificate
    2. Export the NDESPolicy registry key to back up the current values.
    3. Replace the data of the NDESCertThumbprint registry value with the thumbprint of the new certificate, removing all whitespace and converting the text to lowercase.
    4. Restart the NDES IIS application pools, or run iisreset from an elevated command prompt.
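The following PowerShell script is an added example, not part of the article, that checks Causes 1, 3 and 4 above in one pass on the NDES server. It assumes the WebAdministration module that ships with IIS, the default site and application names (Default Web Site, CertificateRegistrationSvc), and the NDESPolicy registry path quoted in Cause 4.

```powershell
# Added example (not from the article): check three of the application pool crash causes
# listed above. Assumes the WebAdministration module (installed with IIS Manager), the
# default IIS site/application names, and the registry path named in Cause 4. Run elevated.
Import-Module WebAdministration

# Cause 1: intermediate (non self-signed) certificates in Trusted Root Certification Authorities.
# A root has Issuer equal to Subject; anything else in this store is misplaced.
$misplaced = Get-ChildItem -Path Cert:\LocalMachine\Root -Recurse |
    Where-Object { $_.Issuer -ne $_.Subject }
if ($misplaced) {
    'Cause 1: intermediate certificates found in LocalMachine\Root:'
    $misplaced | Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize
} else { 'Cause 1: OK, only self-signed roots in LocalMachine\Root' }

# Cause 3: CertificateRegistrationSvc must use Anonymous, not Windows, authentication.
$appPath = 'IIS:\Sites\Default Web Site\CertificateRegistrationSvc'
$winAuth = Get-WebConfigurationProperty -PSPath $appPath -Name enabled `
    -Filter 'system.webServer/security/authentication/windowsAuthentication'
$anon    = Get-WebConfigurationProperty -PSPath $appPath -Name enabled `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication'
if ($winAuth.Value -or -not $anon.Value) {
    "Cause 3: CertificateRegistrationSvc windowsAuthentication=$($winAuth.Value) anonymousAuthentication=$($anon.Value); expected False/True"
} else { 'Cause 3: OK, anonymous authentication only' }

# Cause 4: the NDESPolicy module certificate referenced by thumbprint must exist and be within its validity period.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\Modules\NDESPolicy'
$thumb = (Get-ItemProperty -Path $regPath -Name NDESCertThumbprint -ErrorAction Stop).NDESCertThumbprint
# Normalize the way step 3 of the Cause 4 resolution requires: no whitespace, lowercase
$thumb = ($thumb -replace '\s', '').ToLowerInvariant()
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint.ToLowerInvariant() -eq $thumb }
$now = Get-Date
if (-not $cert) {
    "Cause 4: no certificate with thumbprint $thumb in LocalMachine\My"
} elseif ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    "Cause 4: NDESPolicy certificate $($cert.Subject) is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
} else {
    "Cause 4: OK, NDESPolicy certificate $($cert.Subject) is valid until $($cert.NotAfter)"
}
```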

GatewayTimeout

When you browse to the SCEP server URL, you receive the following error:

(Screenshot: GatewayTimeout error)

  • Cause: The Microsoft AAD Application Proxy Connector service isn't started.

    Resolution: Run services.msc, and then make sure that the Microsoft AAD Application Proxy Connector service is running and that its Startup Type is set to Automatic.

HTTP 414 Request-URI Too Long

When you browse to the SCEP server URL, you receive the following error: HTTP 414 Request-URI Too Long

  • Cause: IIS request filtering isn't configured to support the long URLs (queries) that the NDES service receives. This support is configured when you set up the NDES service for use with your SCEP infrastructure.

  • Resolution: Configure support for long URLs.

    1. On the NDES server, open IIS Manager, and select Default Web Site > Request Filtering > Edit Feature Settings to open the Edit Request Filtering Settings page.

    2. Configure the following settings:

      • Maximum URL length (Bytes) = 65534
      • Maximum query string (Bytes) = 65534

    3. Select OK to save this configuration and close IIS Manager.

    4. Validate this configuration by locating the following registry key and confirming that it has the indicated values:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

      The following values are set as DWORD entries:

      • Name: MaxFieldLength, with a decimal value of 65534
      • Name: MaxRequestBytes, with a decimal value of 65534

    5. Restart the NDES server.
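As an added example that is not part of the article, this PowerShell script validates the request-filtering and HTTP.sys settings from the steps above in one run. It assumes the WebAdministration module and the Default Web Site, and treats the values as minimums so that larger limits an administrator already set are not flagged.

```powershell
# Added example (not from the article): verify the long-URL support the 414 resolution
# configures, both in IIS request filtering for Default Web Site and in the HTTP.sys
# registry parameters. Assumes the WebAdministration module; run elevated on the NDES server.
Import-Module WebAdministration
$expected = 65534

# IIS: requestFiltering/requestLimits maxUrl and maxQueryString correspond to
# 'Maximum URL length' and 'Maximum query string' in Edit Request Filtering Settings.
$site = 'IIS:\Sites\Default Web Site'
$limits = Get-WebConfiguration -Filter 'system.webServer/security/requestFiltering/requestLimits' -PSPath $site
$iisChecks = @{
    maxUrl         = [int]$limits.maxUrl
    maxQueryString = [int]$limits.maxQueryString
}

# HTTP.sys: MaxFieldLength and MaxRequestBytes are DWORDs under the HTTP service parameters key.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
$regChecks = @{
    MaxFieldLength  = $reg.MaxFieldLength    # $null when the value has not been created
    MaxRequestBytes = $reg.MaxRequestBytes
}

$problems = 0
foreach ($entry in ($iisChecks + $regChecks).GetEnumerator() | Sort-Object Name) {
    $value = $entry.Value
    if ($null -eq $value) {
        "$($entry.Name): not set (expected $expected)"; $problems++
    } elseif ([int]$value -lt $expected) {
        "$($entry.Name): $value (expected at least $expected)"; $problems++
    } else {
        "$($entry.Name): $value OK"
    }
}
if ($problems -eq 0) { 'Long URL support is configured; restart the NDES server if you changed anything.' }
else { "$problems setting(s) need attention; see the HTTP 414 resolution steps above." }
```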

This page can't be displayed

You have Azure AD Application Proxy configured. When you browse to the SCEP server URL, you receive the following error:

This page can't be displayed

  • Cause: This issue occurs when the SCEP external URL is incorrect in the Application Proxy configuration. An example of this URL is https://contoso.com/certsrv/mscep/mscep.dll.

    Resolution: Use the default domain of yourtenant.msappproxy.net for the SCEP external URL in the Application Proxy configuration.

500 - Internal server error

When you browse to the SCEP server URL, you receive the following error:

500 - Internal server error

  • Cause 1: The NDES service account is locked, or its password has expired.

    Resolution: Unlock the account or reset the password.

  • Cause 2: The MSCEP-RA certificates have expired.

    Resolution: If the MSCEP-RA certificates have expired, reinstall the NDES role or request new CEP Encryption and Exchange Enrollment Agent (Offline request) certificates.

    To request new certificates, follow these steps:

    1. On the Certificate Authority (CA) or issuing CA, open the Certificate Templates MMC. Make sure that the logged-in user and the NDES server have Read and Enroll permissions on the CEP Encryption and Exchange Enrollment Agent (Offline request) certificate templates.

    2. Check the expired certificates on the NDES server, and copy the Subject information from the certificate.

    3. Open the Certificates MMC for Computer account.

    4. Expand Personal, right-click Certificates, and then select All Tasks > Request New Certificate.

    5. On the Request Certificate page, select CEP Encryption, and then click More information is required to enroll for this certificate. Click here to configure settings.

      (Screenshot: Select CEP Encryption)

    6. In Certificate Properties, click the Subject tab, fill in the Subject name with the information that you collected in step 2, click Add, and then click OK.

    7. Complete the certificate enrollment.

    8. Open the Certificates MMC for My user account.

      When you enroll for the Exchange Enrollment Agent (Offline request) certificate, it must be done in the user context, because the Subject Type of this certificate template is set to User.

    9. Expand Personal, right-click Certificates, and then select All Tasks > Request New Certificate.

    10. On the Request Certificate page, select Exchange Enrollment Agent (Offline request), and then click More information is required to enroll for this certificate. Click here to configure settings.

      (Screenshot: Select Exchange Enrollment Agent)

    11. In Certificate Properties, click the Subject tab, fill in the Subject name with the information that you collected in step 2, and click Add.

      (Screenshot: Certificate Properties)

      Select the Private Key tab, select Make private key exportable, and then click OK.

      (Screenshot: Private Key)

    12. Complete the certificate enrollment.

    13. Export the Exchange Enrollment Agent (Offline request) certificate from the current user certificate store. In the Certificate Export Wizard, select Yes, export the private key.

    14. Import the certificate into the local machine certificate store.

    15. In the Certificates MMC, do the following for each of the new certificates:

      Right-click the certificate, click All Tasks > Manage Private Keys, and add Read permission for the NDES service account.

    16. Run the iisreset command to restart IIS.

Next steps

If the device successfully reaches the NDES server to present the certificate request, the next step is to review the Intune Certificate Connector's policy module.