Finally had the time to get back to cracking the code here... This worked for a user cert. I can also confirm that Windows NPS accepted the result. So, we got there but I think people doing what I'm doing would appreciate something to get them to this place quicker. Even this example:
Yes, I wasn't working out the perfect RegEx for our usernames. It is firstname.lastname. So, I don't know if there was something I could have done there but this will suffice because the UPN and SID URI are tight enough. Thank you Uwe! P.S. Something strange has started happening. I'm seeing lots of ScepNotifyAttemptFailed in the logging on the NDES server. Wasn't there before. Haven't seen any negative effects of this yet though.
I finally got around to implementing this to solve the issue of still having 2016 DCs that can't accept the SID URI SAN added by the Intune SCEP/NDES method of requesting certificates.
Everything seemed to be going incredibly smoothly. I configured the policies as I thought they needed to be... everything was hanging on things not being imposed on us at this time because I had not accounted for that, time-wise right now. I just needed the SID extension injected into my Intune certificates and nothing else for now... I left myself no time for figuring anything out... didn't work.
Rather than leave everything in our power, there must be some kind of default enforcement going on around the subject. All Intune certificate issuing ground to a halt.
"The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded"
I didn't ask for this. How did it come to this? I get it, there was a desire to fix poor practices but I feel like it's been done without my consent. I suddenly found myself scrambling, with no time, to try and figure out how I turn off this intrusion. Tried adding:
true
But it fixed nothing and made things worse because now the error logging just said:
"An internal error occurred"
Another error around SCEP notify, spewing out oodles of JSON nonsense.
So, disappointed. I really thought this was going to be my first ever immediate success, with things like this.
Obviously, now I have to figure out what I need to add to the policy to get TMC to behave the way I need it to behave. Here's what I had, that didn't work:
true Add
The certificates are simple user and computer with platform crypto provider. User CN is their SAMAccountName. The rest is standard Intune fare. There is the "Enterprise VPN" extension we need for our AoVPN. The URI SAN for the SID is coming through too because I wasn't ready to remove that just yet. I just wanted to see TMC work for us. I honestly don't know what TMC could be choking on. Why doesn't it just work? I'm not doing anything any other Intune customer shouldn't be doing.
Also, the logging doesn't seem to be working the way it's described in the docs. However, that might be because the requests are coming in to NDES and TMC is on our two Issuing CAs. NDES just talks to one of them. It's managed by the Intune Certificate Connector.
As soon as I removed the policy files, normality was restored. However, I'm back to not being able to deliver the SID extension in our Intune User certs for AoVPN.