By Iain Greer | Intune Software Engineer
In this support tip, we share details about a common problem that customers run into when setting up or continuing to run the NDES connector. I personally ran into this and spent some time troubleshooting in my own test environment. Unfortunately, we cannot surface a useful error code, since the failure occurs outside the connector itself. So below I share the symptoms, the context of what’s really happening, and the resolution.
Here’s a list of symptoms you may run across:
- The NDES connector and server are running as expected and the SCEP URL works as expected on the NDES server.
- A SCEP profile is set up with the correct parameters and is correctly linked to a Trusted Root profile.
- The client receives the profile correctly from Intune, but the SCEP certificate fails to install.
- You MAY see an error on the client, but it will likely be vague, saying only that the SCEP certificate failed to install without giving a reason.
- To troubleshoot, browse to https://<scepurl>/?operation=GetCACaps on the client device; you will see an SSL failure.
- Most browsers will initially report that the SSL certificate is not trusted.
- Under “more details” you will see the error ERROR_WINHTTP_SECURE_FAILURE.
- The HTTPS certificate is valid on the CA and properly configured in the IIS settings of the NDES server.
- No other errors are present on the NDES server, and there is no IIS traffic (because the device failed to trust the SSL certificate, the request never reached IIS).
- The certificate chain for the SSL certificate looks valid with no issues.
Here’s what is really going on:
- The certificate uploaded to the Trusted Root (TR) profile in Intune that the SCEP profile was using is different from the trusted root certificate installed on the NDES server.
- The issue wasn’t with the SSL certificate itself: the client couldn’t validate the certificate chain because the TR profile it pulled down from Intune contained a different root than the one the NDES SSL certificate chains to.
- How can this happen?
- For me, I simply pulled a new public key trusted root cert and installed it on my NDES server, but mistakenly used the old TR in the profile.
- Any time you renew your CA root certificate but don’t update the TR profile in Intune, you will run into this.
Here’s how to fix it:
- Fortunately, it’s straightforward! Upload the current TR from the CA into the TR profile in Intune, target that profile to the user, and then make sure the SCEP profile points to that TR profile and is targeted to the same user.
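To confirm the mismatch before (or after) updating the profile, the following added example, which is not part of the original post or an Intune tool, can be run on the NDES server: it builds the chain of the IIS HTTPS certificate with the local trust store and compares the chain’s root, by thumbprint, against the .cer file uploaded to the Trusted Root profile. The function name, parameter names and the file path are assumptions.

```powershell
# Added example, not from the original post. Run on the NDES server in an elevated
# PowerShell session. Compares the root that the IIS HTTPS certificate actually chains
# to (as seen by this server) with the .cer that was uploaded to the Intune TR profile.
function Test-NdesTrustedRootMatch {
    param(
        # Thumbprint of the HTTPS certificate bound in IIS on the NDES server
        [Parameter(Mandatory)] [string] $SslCertThumbprint,
        # The .cer file that was (or will be) uploaded to the Intune Trusted Root profile
        [Parameter(Mandatory)] [string] $TrustedRootCerPath
    )

    $sslCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $SslCertThumbprint }
    if (-not $sslCert) {
        throw "No certificate with thumbprint $SslCertThumbprint found in LocalMachine\My"
    }

    # Build the chain the same way Windows does; the last element is the root this server trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only chain identity matters here, not CRL reachability
    $null = $chain.Build($sslCert)
    $serverRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $profileRoot = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $TrustedRootCerPath

    # Thumbprints are compared rather than subjects: a renewed CA root keeps the same
    # subject name but is a different certificate, which is exactly the failure described above.
    [pscustomobject]@{
        ServerRootSubject     = $serverRoot.Subject
        ServerRootThumbprint  = $serverRoot.Thumbprint
        ProfileRootSubject    = $profileRoot.Subject
        ProfileRootThumbprint = $profileRoot.Thumbprint
        ProfileRootNotAfter   = $profileRoot.NotAfter
        ChainStatus           = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Match                 = ($serverRoot.Thumbprint -eq $profileRoot.Thumbprint)
    }
}

# Example call (assumed values): the thumbprint is the one shown on the IIS HTTPS binding,
# and the .cer is the file exported from the CA for the Trusted Root profile.
Test-NdesTrustedRootMatch -SslCertThumbprint '<IIS HTTPS cert thumbprint>' `
    -TrustedRootCerPath 'C:\Temp\RootCA.cer'
```

A result of `Match = False` with identical subjects is the renewed-root case from this post; re-export the current root from the CA and upload that file to the TR profile.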
Hope this will save some of you the time that it took me to troubleshoot this in my own test environment.