All posts tagged error

Strong Certificate Mapping Error with PKCS

Microsoft recently announced support for strong certificate mapping for certificates Intune PKCS and SCEP certificates. Administrators are encouraged to update their Intune Certificate Connector servers and SCEP device configuration policies to support this capability as soon as possible.

PKCS

Organizations that use PKCS device configuration policies to deploy certificates to Intune-managed endpoints may have encountered the following error message in the event log on the Intune Certificate Connector server.

System.NullReferenceException: CertEnroll::CX509Extension::Initialize: Invalid pointer 0x80004003 (-2147467261 E_POINTER) at CERTENROLLLib.IX509Extension.Initialize(CObjectId pObjectId, EncodingType Encoding, String strEncodedData)

Known Issue

The above error is a known issue that has been resolved with the November security updates. If you encounter this error, install the latest Microsoft security update from November 2024.

Additional Information

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Intune Strong Certificate Mapping Error

Leave a comment
by Richard M. Hicks on November 18, 2024  •  Permalink
Posted in Active Directory Certificate Services, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, Certificate-Based Authentication, certificates, InTune, Intune Certificate Connector, Intune PFX Connector, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , ,

Posted by Richard M. Hicks on November 18, 2024

https://directaccess.richardhicks.com/2024/11/18/strong-certificate-mapping-error-with-pkcs/

Intune Strong Certificate Mapping Error

Microsoft recently introduced support for strong certificate mapping in Intune to support changes introduced with the May 2022 security update KB5014754. Specifically, Intune now supports adding the SID for the principal in the subject name to the certificate for PKCS and SCEP device configuration policies.

Error

A few folks have contacted me about an error they encountered when configuring strong certificate mapping for Intune device configuration profiles using PKCS. Specifically, they would receive the following error message after specifying the URI value {{OnPremisesSecurityIdentifier}} in the Subject Alternative Name section of the PKCS policy.

A value is required for Value. Value can include allowed variables combined with static text. UPN and Email address should include an @, for example: “{{AAD_Device_ID}}@contoso.com”. DNS cannot end with a symbol or contain an @ sign, e.g. “{{DeviceName}}.contoso.com“ or “{{DeviceName}}”. See support variables here: https://go.microsoft.com/fwlink/?linkid=2104597

Resolution

Administrators will receive this message when adding the {{OnPremisesSecurityIdentifier}} variable to a PKCS device configuration policy. This error is expected because PKCS does not require (or support) the use of this value in this field. The {{OnPremisesSecurityIdentifier}} value is only required for SCEP Intune device configuration profiles.

To add the SID to a PKCS certificate, administrators must only define a registry value on the Intune Certificate Connector server as described here. No changes are required on the PKCS device configuration policy in Intune.

Additional Information

Strong Certificate Mapping for Intune PKCS and SCEP Certificates

Certificate-Based Authentication Changes for Always On VPN

Leave a comment
by Richard M. Hicks on November 8, 2024  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, authentication, Certificate Authentication, Certificate Authority, Certificate Connector for Intune, Certificate Services, Certificate-Based Authentication, certificates, Endpoint Manager, Enterprise, enterprise mobility, Infrastructure, InTune, Intune Certificate Connector, Intune PFX Connector, MDM, MEM, Microsoft, Microsoft Endpoint Manager, Microsoft Intune, Mobile Device Management, Mobility, PFX Connector, PKCS, PKI, SCEP, Simple Certificate Enrollment Protocol, troubleshooting
Tagged , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 8, 2024

https://directaccess.richardhicks.com/2024/11/08/intune-strong-certificate-mapping-error/

DirectAccess Fails on Windows 11 24H2

Microsoft recently released Windows 11 24H2. Not long after the release there have been numerous reports of DirectAccess failing after performing an in-place upgrade from previous versions of Windows 11. New installations of Windows 11 24H2 experience the same problem.

Update 10/28/2024: This issue is resolved with KB5044384.

Testing

After downloading and configuring a Windows 11 24H2 test client I was able to quickly reproduce the issue. While previous versions of Windows 11 can connect to my test DirectAccess server without issue, the Windows 11 24H2 client fails.

Troubleshooting

Looking at the DirectAccess status indicator in the UI the DirectAccess connection remains ‘Connecting’ perpetually. Further investigation indicates an IP-HTTPS interface error. Running the command netsh.exe interface httpstunnel show interface reveals an error code 0x57 (invalid parameter) with the following error message.

Failed to connect to the IPHTTPS server. Waiting to reconnect.

Workaround

Currently there is no known root cause for this issue and there is no available workaround. Administrators should delay upgrading to Windows 11 24H2 if DirectAccess is deployed in the organization. I will continue to investigate and post additional information as I learn more. Stay tuned!

Additional Information

Troubleshooting DirectAccess IP-HTTPS Error Code 0x800b0109

Troubleshooting DirectAccess IP-HTTPS Error Code 0x90320

Troubleshooting DirectAccess IP-HTTPS Error 0x80090326

Troubleshooting DirectAccess IP-HTTPS Error 0x2af9

Microsoft DirectAccess Now Formally Deprecated

7 Comments
by Richard M. Hicks on October 7, 2024  •  Permalink
Posted in DirectAccess, Enterprise, enterprise mobility, Infrastructure, IP-HTTPS, Microsoft, Mobility, network connectivity status indicator, Reddit, Remote Access, TLS, transition technology, troubleshooting, Windows 11
Tagged , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on October 7, 2024

https://directaccess.richardhicks.com/2024/10/07/directaccess-fails-on-windows-11-24h2/

« Older Posts
Newer Posts »