All posts in category SCEP

Microsoft Intune Cloud PKI and Active Directory

Recently, Microsoft introduced a new PKI-as-a-Service offering called Cloud PKI. This cloud-based PKI can issue and manage certificates to Intune-managed endpoints. Administrators can now deploy user and device authentication certificates using Intune Cloud PKI without deploying Active Directory Certificate Services (AD CS) on-premises. Numerous blog posts and YouTube videos show how to configure and deploy Intune Cloud PKI, so I won’t reinvent the wheel with a complete configuration guide here. This article will focus instead on integrating Microsoft Intune Cloud PKI with on-premises Active Directory (AD).

Note: I will deliver an Intune and Certificates Masterclass on the ViaMonstra online academy on May 14-16, 2024. This comprehensive training event will cover all aspects of Intune certificate management and will include a full review of Intune Cloud PKI. You can learn more and register here.

AD Integration

While Intune Cloud PKI eliminates the need for on-premises AD CS infrastructure, there will be times when Cloud PKI-issued certificates will be used to authenticate to on-premises AD, either through a RADIUS server such as Windows Network Policy Server (NPS), which is common for VPN and Wi-Fi deployments, or other methods. Additional configuration is required to support this scenario.

Publish Root/Issuing CA Certificates

The Intune Cloud PKI root and issuing CA certificates must be published in AD to support on-premises AD authentication using Intune Cloud PKI-issued certificates. Follow the steps below to complete this task.

Note: Arguably, you could skip publishing the Intune Cloud PKI root and issuing CA certificates in on-premises AD because Cloud-PKI certificates can only be issued to Intune-managed endpoints, in which case you are likely already deploying the Cloud PKI root and issuing CA certificates using Intune. I’m including these steps for completeness. However, publishing the Intune Cloud PKI issuing CA certificate in the NtAuthCA certificate store in AD is required to support on-premises AD authentication using Intune Cloud PKI-issued certificates, so that step is mandatory.

RootCA Store

On a domain-joined computer on-premises, open an elevated PowerShell or command window and run the following command to publish the Intune Cloud PKI root CA certificate to the RootCA certificate store in AD.

certutil.exe -dspublish -f <path to Cloud PKI root CA certificate> RootCA

SubCA Store

Next, run the following command to publish the Cloud PKI issuing CA certificate to the SubCA certificate store in AD.

certutil.exe -dspublish -f <path to Cloud PKI issuing CA certificate> SubCA

NtAuthCA Store

Finally, run the following command to publish the Intune Cloud PKI issuing CA certificate to the NtAuthCA certificate store in AD. Publishing the Intune Cloud PKI issuing CA certificate in the NtAuthCA store in AD allows certificates issued by Intune Cloud PKI to be used to authenticate on-premises AD if required. Be sure to run this command even if you did not run the previous commands to publish the Intune Cloud PKI root and issuing CA certificates in AD.

certutil.exe -dspublish -f <path to Cloud PKI issuing CA certificate> NtAuthCa

GUI

If you have an existing on-premises AD CS deployment, you can use the Enterprise PKI management console to publish the Intune Cloud PKI certificates in AD as an alternative to the command line. First, open the Enterprise PKI tool (pkiview.msc) on an existing on-premises Certification Authority (CA) server. Right-click the Enterprise PKI root node and choose Manage AD Containers. Add the Intune Cloud PKI root CA certificate to the Certification Authorities container. Next, add the Intune Cloud PKI issuing CA certificate to the Enrollment Services container. Finally, add the Intune Cloud PKI issuing CA certificate to the NTAuthCertificatesContainer.

Summary

Administrators can use the Microsoft Intune Cloud PKI solution to issue and manage user and device authentication certificates for their Intune-managed endpoints. Using the commands above, administrators can also integrate their Intune Cloud PKI with on-premises Active Directory to support user and device authentication for common workloads such as Wi-Fi and VPN. Critically, when integrating Cloud PKI with on-premises Active Directory, your Intune administrators should be considered Tier-0 administrators, and appropriate security controls should be enforced.

Additional Information

Microsoft Intune Cloud PKI

Mastering Certificates with Microsoft Intune Training Course – May 14-16, 2024

4 Comments
by Richard M. Hicks on March 5, 2024  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, ADCS, Always On VPN, AOVPN, authentication, Azure, Azure Active Directory, Azure AD, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, cloud, Cloud PKI, Cloud Service, Device Management, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra ID, Infrastructure, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, NDES, PKCS, PKI, public cloud, public key infrastructure, SCEP, Simple Certificate Enrollment Protocol, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 5, 2024

https://directaccess.richardhicks.com/2024/03/05/microsoft-intune-cloud-pki-and-active-directory/

Mastering Certificates with Intune Training Course

I’m excited to announce I’ll present a three-day LIVE online training event covering all things Microsoft Intune and certificates. This training event takes place on the ViaMonstra online academy May 14-16, 2024.

Course Material

This training course comprehensively examines all aspects of delivering certificates using Microsoft Intune, including common deployment scenarios, PKCS and SCEP configuration, Intune certificate connector configuration, high availability strategies, implementation and security best practices, and troubleshooting.

Cloud PKI

Cloud PKI, a new cloud-based PKI-as-a-Service solution from Microsoft, will also be covered in depth. I’ll provide an overview of the service and discuss the advantages and limitations of Cloud PKI. We’ll also cover different configuration and deployment scenarios, including Bring Your Own CA (BYOCA). In addition, I’ll share security best practices for Microsoft Cloud PKI deployments.

Register Now

Space is limited, so don’t miss out on this excellent opportunity to learn about these critically essential technologies. Reserve your spot in this training class today!

Additional Information

Mastering Certificates and Microsoft Intune

Microsoft Cloud PKI

ViaMonstra Online Academy

1 Comment
by Richard M. Hicks on March 4, 2024  •  Permalink
Posted in Active Directory Certificate Services, AD CS, ADCS, administration, Always On VPN, AOVPN, authentication, Azure, Azure Active Directory, Azure AD, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, certificates, cloud, Cloud PKI, Cloud Service, Cryptography, Deployment, Device Management, Encryption, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra ID, High Availability, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, MEMCM, MFA, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Intune, Mobile Device Management, Mobility, Multifactor Authentiction, NDES, Network Device Enrollment Service, Network Device Enrollment Services, PFX Connector, PKCS, PKI, public cloud, public key infrastructure, Remote Access, SCEP, Security, Simple Certificate Enrollment Protocol, TLS, Training, troubleshooting, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on March 4, 2024

https://directaccess.richardhicks.com/2024/03/04/mastering-certificates-with-intune-training-course/

Microsoft Intune Certificate Connector Failure

The Microsoft Intune Certificate Connector enables the provisioning and de-provisioning of on-premises PKI certificates for Intune-managed devices. Always On VPN administrators using Intune to deploy certificates with the Intune Certificate Connector using either PKCS or SCEP may encounter a scenario where certificates are no longer being provisioned to users or devices after working reliably previously.

Certificate Not Found

When this issue occurs, users will no longer be able to access the VPN and receive a “certificate could not be found that can be used with this Extensible Authentication Protocol” error message.

Connector Status

To determine the status of the Intune Certificate Connector, open the Microsoft Intune Admin Center (https://intune.microsoft.com) and navigate to Tenant Administration > Connectors and Tokens > Certificate Connectors. The status of the certificate connector server will be in Error.

Event Log

Open the event log on the server where the Intune Certificate Connector is installed. Navigate to Applications and Services Logs > Microsoft > Intune > CertificateConnectors > Operational. Here, you will find a variety of warning and error messages.

Event ID 5001

This is a warning from the CertificateConnectors source with event ID 5001 in the Task Category HealthMessageUploadFailedAttempt with the following details.

PKI Create Service:

Failed to upload health messages. Requeuing messages.

Event ID 1003

This is an error from the CertificateConnectors source with event ID 1003 in the Task Category PkcsDownloadFailure with the following details.

PKI Create Service:

Failed to download PKCS requests.

Event ID 2

This is an error from the CertificateConnectors source with event ID 2 in the Task Category Exception with the following details.

PKI Create Service:

Microsoft.Intune.Connectors.PkiCreateProcessor.Process threw an exception.

Expired Certificate

The warning and error messages recorded in the event log indicate an expired certificate on the Intune Certificate Connector server. Open the local computer certificate store (certlm.msc) on the server where the Intune Certificate Connector is installed. Review the expiration date of the certificate issued by Microsoft Intune ImportPFX Connector CA. It is most likely expired.

Click on the Certification Path tab to view the certificate status.

Renew Certificate

To renew this certificate, you must reinstall the Intune Certificate Connector. However, you do not have to uninstall it first. To renew the certificate, navigate to C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI and double-click on PFXCertificateConnectorUI.exe. Follow the prompts without making changes to the existing configuration. You’ll be prompted for the service account password (if using a domain account) and proxy credentials (if using a proxy server). In addition, you’ll be asked to sign in to Entra ID (formerly Azure AD). Be sure to provide credentials that are a global administrator and have an Intune license assigned. Once the process is complete, a new certificate will be installed in the local computer certificate store.

Intune Configuration

After updating the Intune Certificate Connector, a new certificate connector appears in the Intune Admin Center. You can now safely delete the old connector and rename the new one accordingly.

Redundancy

Deploying multiple instances of the Intune Certificate Connector is an excellent way to avoid future outages! It’s also a good idea to stagger their installation by a few months to ensure that a future certificate expiration doesn’t result in lost functionality. If you’ve deployed Intune Certificate Connectors recently, consider updating them at rotating intervals so certificates expire at different times.

Additional Information

Intune Certificate Connector Configuration Failed

Intune Certificate Connector Service Account and PKCS

Intune Certificate Connector Configuration Failure

Microsoft Intune Learning Resources for Always On VPN Administrators

Leave a comment
by Richard M. Hicks on November 27, 2023  •  Permalink
Posted in Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, authentication, Azure, Azure Active Directory, Azure AD, Certificate Connector for Intune, Certificate Services, certificates, cloud, Device Management, EAP, Endpoint Manager, Enterprise, enterprise mobility, Entra, Entra ID, extensible authentication protocol, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, MEMCM, Microsoft, Microsoft Endpoint Manager, Microsoft Entra, Microsoft Entra ID, Microsoft Intune, Mobile Device Management, Mobility, Network Device Enrollment Service, Network Device Enrollment Services, Operational Support, PEAP, PFX Connector, PKCS, PKI, Protected EAP, public cloud, public key infrastructure, Remote Access, SCEP, Simple Certificate Enrollment Protocol, systems management, troubleshooting, user tunnel, VPN, Windows 10, Windows 11
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 27, 2023

https://directaccess.richardhicks.com/2023/11/27/microsoft-intune-certificate-connector-failure/

« Older Posts
Newer Posts »