Certificate profile deployment failed with the error ‘22004: Unsupported certificate configuration’

This week a short blog post about an issue that I ran into, and tweeted about, the other week. Due to the strange error message I thought it would definitely be blog-worthy. The error description was 22004: Unsupported certificate configuration. However, the actual issue did not come close to what the description would imply. This post will provide a brief overview of the scenario, the issue and the solution.

Scenario

Let’s start with a brief overview of the scenario. The environment contains Active Directory Federation Services (AD FS) and Web Application Proxy (WAP) for providing single sign-on (SSO) to the cloud services of Office 365 and Microsoft Intune. Microsoft Intune is used in a hybrid configuration with ConfigMgr and is fully configured to deploy certificate profiles. The required Network Device Enrollment Service (NDES) is published through WAP.

Issue

Now let’s have a look at the issue that I started seeing with deploying Certificate Profiles via Microsoft Intune hybrid to mobile devices. It is good to mention that it was working before. I started seeing the following combination of error messages on specific Certificate Profile settings.

Name                                   Type      Error Category   Error ID     Description
Certificate already issued             Setting   Discovery        0x87D17D04   22004: Unsupported certificate configuration
Certificate configuration parameters   Setting   Enforcement      0x87D1FDE8   Remediation failed

The first error message seems very straightforward, at least if one assumes that it is accurate. However, as the Certificate Profile deployment was working before, I couldn’t imagine that the issue was related to the configuration of the certificate, certificate profile or certificate template.

I had to look further. The first thing I did was to check the external availability of NDES, by requesting the external URL of NDES, https://externalFQDN/certsrv/mscep/mscep.dll. That external URL gave me an HTTP Error 503. The service is unavailable error message. The logical second thing I did was to check the internal availability of NDES, by requesting the internal URL of NDES, https://internalFQDN/certsrv/mscep/mscep.dll, on the WAP server. That internal URL gave me the expected 403 – Forbidden: Access is denied error message.

Now the issue is narrowed down to the publishing mechanism used for NDES: NDES itself answers on the internal URL, so whatever returns the 503 sits in front of it.

Solution

In this case it turned out to be the Web Application Proxy Service that was in a Stopped state. Simply starting the service again solved the issue. After looking a bit further, I noticed that the service initially failed to start due to connection issues with the AD FS server. By default, the service tries to restart twice. After the third failure the service won’t retry again. However, in this case the connection came back to life after the third failure of the service.

In case the HTTP Error 503. The service is unavailable error message also shows while checking the internal URL of NDES, the problem is in NDES itself rather than in the publishing. In that case the first thing to check is the application pool used by NDES, named SCEP, which may have stopped.

In short: the 22004: Unsupported certificate configuration error message on the device is often nothing more than the client-side symptom of an HTTP Error 503. The service is unavailable somewhere in the NDES publishing chain, and says nothing about the certificate configuration itself.
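To make the checks above repeatable, the following PowerShell is an added example (not code from the original post). It probes the external and internal SCEP URLs, maps the HTTP status to the layer that produced it, and then checks the two things the post names: the Web Application Proxy Service on the WAP server and the SCEP application pool on the NDES server. The two host names are placeholders; everything else uses only built-in cmdlets.

```powershell
# Added example, not from the original post. Placeholder names: replace both.
$ExternalFqdn = 'ndes.example.com'       # assumption: name published through WAP
$InternalFqdn = 'ndes.corp.example.com'  # assumption: internal NDES host name
$ScepPath     = '/certsrv/mscep/mscep.dll'

function Get-NdesHttpStatus {
    param([Parameter(Mandatory)][string]$Url)
    # A bare GET to mscep.dll is expected to come back as 403: NDES is up and
    # refuses the unauthenticated request. 503 means nothing behind the URL is
    # serving: WAP stopped (external) or the SCEP application pool stopped (internal).
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return [int]$response.StatusCode
    } catch [System.Net.WebException] {
        # Non-2xx responses surface as WebException; the status is on the response.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # DNS, TCP or TLS failure (e.g. untrusted internal cert): no HTTP status at all
    }
}

function Test-NdesPublishingChain {
    $urls = [ordered]@{
        External = "https://$ExternalFqdn$ScepPath"
        Internal = "https://$InternalFqdn$ScepPath"
    }
    foreach ($side in $urls.Keys) {
        try { $status = Get-NdesHttpStatus -Url $urls[$side] }
        catch { Write-Warning "$side ($($urls[$side])): no HTTP response: $($_.Exception.Message)"; continue }
        switch ($status) {
            403     { Write-Host "$side : 403, NDES answers (expected for a bare GET)" }
            503     { Write-Warning "$side : 503, the request reached a server but nothing is serving it" }
            default { Write-Warning "$side : HTTP $status, unexpected; check the IIS and WAP logs" }
        }
    }
}
Test-NdesPublishingChain

# On the WAP server: the proxy service. Service recovery only restarts it a limited
# number of times, so an AD FS outage at boot can leave it Stopped permanently.
$wap = Get-Service -DisplayName 'Web Application Proxy Service' -ErrorAction SilentlyContinue
if ($wap) {
    Write-Host "Web Application Proxy Service: $($wap.Status)"
    if ($wap.Status -ne 'Running') {
        Start-Service -Name $wap.Name
        Write-Host "Web Application Proxy Service: $((Get-Service -Name $wap.Name).Status)"
    }
}

# On the NDES server: the SCEP application pool in IIS.
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $pool = Get-Item -Path 'IIS:\AppPools\SCEP' -ErrorAction SilentlyContinue
    if ($pool) {
        Write-Host "SCEP application pool: $($pool.State)"
        if ($pool.State -ne 'Started') { Start-WebAppPool -Name SCEP }
    }
}
```

Run the URL checks from a machine that trusts the certificate on each URL; otherwise the TLS failure is reported as "no HTTP response" rather than as a status code. The service and application pool sections only do something on the server that actually hosts that component.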

Key configurations steps for implementing the ability to deploy certificate profiles with ConfigMgr 2012

This blog post is about key configuration steps, which are often forgotten, for implementing the ability to deploy certificate profiles with ConfigMgr 2012. By key configuration steps, I’m talking about the key configurations of every component used for creating the ability to deploy certificate profiles. That means Internet Information Services (IIS), Network Device Enrollment Service (NDES), the Certificate Registration Point site system role, the Configuration Manager Policy Module and even Web Application Proxy (WAP). To understand these steps, knowledge of certificates, IIS and ConfigMgr is required, because it’s not a step-by-step configuration guide. Good step-by-step information can be found in the More information section of this blog.

Internet Information Services

The first component I would like to mention is probably the best-known component, which is IIS. For IIS to support the long URLs that come with SCEP certificate requests, the following adjustments should not be forgotten:

  • The HKLM\System\CurrentControlSet\Services\HTTP\Parameters registry key must contain the following DWORD values (decimal). HTTP.sys reads these at start-up, so restart the server afterwards:
    • MaxFieldLength set to 65534.
    • MaxRequestBytes set to 16777216.
  • The request filtering on the Default Web Site must also be adjusted to the following values:
    • Maximum allowed content length (Bytes): 30000000
    • Maximum URL length (Bytes): 65534
    • Maximum query string (Bytes): 65534
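As an added example (not code from the original post), the following PowerShell applies exactly the values listed above on the NDES server and reads them back, because a mistyped value name silently leaves the default in place. It assumes NDES is installed under the Default Web Site and that the WebAdministration module is present (it ships with IIS).

```powershell
# Added example, not from the original post. Run elevated on the NDES server.
Import-Module WebAdministration

$SiteName      = 'Default Web Site'   # assumption: NDES is installed under the default site
$HttpSysParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$RequestLimits = 'system.webServer/security/requestFiltering/requestLimits'

# Values from the post. HTTP.sys (the kernel listener) and IIS request filtering
# are two separate limits; both must allow the long SCEP query string.
$httpSysValues = @{ MaxFieldLength = 65534; MaxRequestBytes = 16777216 }   # REG_DWORD, decimal
$iisLimits     = @{ maxAllowedContentLength = 30000000; maxUrl = 65534; maxQueryString = 65534 }

function Set-NdesRequestLimits {
    foreach ($name in $httpSysValues.Keys) {
        New-ItemProperty -Path $HttpSysParams -Name $name -PropertyType DWord `
            -Value $httpSysValues[$name] -Force | Out-Null
    }
    foreach ($name in $iisLimits.Keys) {
        Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $RequestLimits `
            -Name $name -Value $iisLimits[$name]
    }
}

function Test-NdesRequestLimits {
    # Returns $true only when every value reads back exactly as expected.
    $ok = $true
    foreach ($name in $httpSysValues.Keys) {
        $actual = (Get-ItemProperty -Path $HttpSysParams -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $httpSysValues[$name]) {
            Write-Warning "HTTP.sys $name is '$actual', expected $($httpSysValues[$name])"; $ok = $false
        }
    }
    foreach ($name in $iisLimits.Keys) {
        $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter $RequestLimits -Name $name
        # The cmdlet returns a configuration attribute object; unwrap it to the number.
        $actual = if ($raw.PSObject.Properties['Value']) { $raw.Value } else { $raw }
        if ($actual -ne $iisLimits[$name]) {
            Write-Warning "requestLimits/$name is '$actual', expected $($iisLimits[$name])"; $ok = $false
        }
    }
    return $ok
}

Set-NdesRequestLimits
if (Test-NdesRequestLimits) {
    # HTTP.sys reads its parameters at start-up; an IIS reset alone does not pick them up.
    Write-Warning 'Values applied. Restart the server (or stop and start the HTTP service) for HTTP.sys to use them.'
}
```

Test-NdesRequestLimits can also be run on its own against an existing server as a drift check before troubleshooting a failing enrollment.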

Network Device Enrollment Service

The next component is probably the core component for deploying certificate profiles, which is NDES. NDES is a role service of Active Directory Certificate Services (AD CS). For NDES to request the correct certificate template the following important configuration should not be forgotten:

  • The HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP registry key contains the certificate templates that NDES will request, in the values EncryptionTemplate, SignatureTemplate and GeneralPurposeTemplate. By default they point to IPSECIntermediateOffline; they should be changed to the name of the certificate template that should be deployed;
  • The account used by the NDES application pool (named SCEP) must have Read and Enroll permissions on the configured certificate template. Without these permissions the CA will reject the certificate requests that NDES submits on behalf of the devices.
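The following PowerShell is an added example (not code from the original post) for both bullets: it sets the three MSCEP template values and then checks, through the template object's ACL in the Configuration partition, whether the SCEP application pool account really holds Read and Enroll, including grants it receives through nested group membership. The template name is an assumption, the pool must run as a named service account, and only .NET DirectoryServices is used, so no RSAT is required.

```powershell
# Added example, not from the original post. Run elevated on the NDES server.
Import-Module WebAdministration

$TemplateName = 'NDESClientAuth'   # assumption: the template name (cn), not its display name
$MscepKey     = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

# NDES picks a template by the key usage the client asks for; the default for
# all three values is IPSECIntermediateOffline. Set all three to the profile's template.
foreach ($value in 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate') {
    Set-ItemProperty -Path $MscepKey -Name $value -Value $TemplateName -Type String
}
Get-ItemProperty -Path $MscepKey | Select-Object EncryptionTemplate, SignatureTemplate, GeneralPurposeTemplate

function Test-TemplateEnrollAccess {
    param([string]$TemplateDn, [System.Security.Principal.SecurityIdentifier]$AccountSid)
    # Grants to groups count too, so resolve nested membership via tokenGroups.
    $principal = [ADSI]"LDAP://<SID=$($AccountSid.Value)>"
    $principal.RefreshCache(@('tokenGroups'))
    $sids = @($AccountSid.Value) + @(foreach ($bytes in $principal.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    })

    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
    $rules = ([ADSI]"LDAP://$TemplateDn").ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $read = $false; $enroll = $false
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead) -ne 0) {
            $read = $true
        }
        # Enroll is an extended right: either that specific GUID, or all extended rights (empty GUID / GenericAll).
        if ((($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            ($rule.ObjectType -eq $enrollRight -or $rule.ObjectType -eq [guid]::Empty)) {
            $enroll = $true
        }
    }
    # Deny ACEs are not evaluated here; an explicit Deny would still block enrollment.
    [pscustomobject]@{ Account = $AccountSid.Value; Template = $TemplateDn; Read = $read; Enroll = $enroll }
}

# The account that talks to the CA is the SCEP application pool identity.
$pool = Get-Item -Path 'IIS:\AppPools\SCEP'
if (-not $pool.processModel.userName) {
    throw "SCEP pool runs as $($pool.processModel.identityType); expected a dedicated service account"
}
$sid = (New-Object System.Security.Principal.NTAccount($pool.processModel.userName)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$configNc   = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
Test-TemplateEnrollAccess -TemplateDn $templateDn -AccountSid $sid
```

Both Read and Enroll must come back $true; a template that is published on the CA but lacks the Enroll grant for this account produces requests that NDES accepts and the CA then denies.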

Certificate Registration Point

The component that brings it all together, from a ConfigMgr perspective, is the Certificate Registration Point site system role. To make this role function on the Internet there are two key things that should not be forgotten:

  • A public FQDN should be registered for publishing NDES on the Internet;
  • The public FQDN should be used in the configuration of the Certificate Registration Point, as that is the address that the clients will use to perform their certificate request.

Configuration Manager Policy Module

The component that provides the communication between NDES and the Certificate Registration Point is the Configuration Manager Policy Module. This installation should not be forgotten! The installer can be found on the installation media in the folder \SMSSETUP\POLICYMODULE\X64.

During the installation it will ask for the certificate of the Certificate Registration Point as input. This certificate is exported automatically when the role is installed and can be found on the primary site server in the certmgr.box inbox (<ConfigMgr installation directory>\inboxes\certmgr.box).

Web Application Proxy

The component that is optional, but can be used to publish NDES to the Internet, is WAP. One key thing that should not be forgotten is that the December 2014 update rollup for Windows Server 2012 R2 should be installed (see: https://support.microsoft.com/kb/3013769/en-us).
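For the Certificate Registration Point and WAP points above, here is an added example (not code from the original post): PowerShell that, run from outside the corporate network, confirms the public FQDN answers on 443 and presents a certificate that carries that name and chains to a root the probing machine trusts, and, run on the WAP server, confirms KB3013769 is installed. The public name is an assumption.

```powershell
# Added example, not from the original post.
$PublicFqdn = 'ndes.example.com'   # assumption: public FQDN registered for NDES

function Get-PublishedEndpointInfo {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)
    $info = [ordered]@{
        Fqdn = $Fqdn; TcpOpen = $false; Subject = $null
        NameMatches = $false; ChainTrusted = $false; NotAfter = $null
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Fqdn, $Port); $info.TcpOpen = $true }
    catch { $tcp.Dispose(); return [pscustomobject]$info }

    # Accept everything in the callback; the checks are done explicitly below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Fqdn)   # sends SNI, so WAP selects the certificate for this name
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $info.Subject      = $cert.Subject
        $info.NotAfter     = $cert.NotAfter
        # Clients connect to the name configured on the Certificate Registration Point;
        # a certificate without that name in its SAN/CN fails on the device, not in the console.
        $info.NameMatches  = [bool]($cert.DnsNameList | Where-Object { $_.Unicode -eq $Fqdn })
        # Trusted by this machine's root store; a device needs the same chain to trust WAP.
        $info.ChainTrusted = $cert.Verify()
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
    [pscustomobject]$info
}
Get-PublishedEndpointInfo -Fqdn $PublicFqdn

# On the WAP server: the December 2014 update rollup the post calls out.
$kb = Get-HotFix -Id KB3013769 -ErrorAction SilentlyContinue
if ($kb) { "KB3013769 installed on $($kb.InstalledOn)" }
else     { Write-Warning 'KB3013769 (December 2014 rollup) is not installed on this WAP server' }
```

NameMatches and ChainTrusted should both be $true from a machine that has only public roots installed; the mobile devices that enroll through WAP have nothing more than that.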

More information

Configuring certificate profiles Configuration Manager
Certificate deployment with System Center 2012 R2 Configuration Manager and Windows Intune
SCEP certificate enrolling using ConfigMgr, CRP, NDES and Windows Intune
Hotfix: Large URI request in Web Application Proxy on Windows Server 2012 R2

Deploying Certificate Profiles with ConfigMgr 2012

This week I want to devote a post to something new in ConfigMgr 2012 R2, which is still in a preview state, called Certificate Profiles. These profiles integrate directly with Active Directory Certificate Services (ADCS), and the Network Device Enrollment Service (NDES) role, to provision managed devices with authentication certificates. This means that another Group Policy capability is coming to ConfigMgr and, maybe even bigger, that it creates the possibility to automatically deploy certificates to non-domain devices.

Prerequisites

Even though this sounds, to me, really promising for the future of ConfigMgr, there is a small catch. That small catch is the third bullet of the prerequisites listed below:

  • Configuration Manager 2012 R2 (still in preview at the time of writing)
  • Install and configure the Certificate Registration Point (which requires the NDES for ADCS). For a great installation guide see: http://technet.microsoft.com/en-us/library/dn270539.aspx
    • Note: The Certificate Registration Point doesn’t have to be installed on the NDES server.
  • Windows (RT) 8.1, iOS or Android clients

Part 1 – Root Certificate

When all the prerequisites are met, let’s start configuring. The deployment of Certificate Profiles always consists of two parts: deploying a root certificate, followed by deploying a client certificate. So let’s start with the first part, the configuration and deployment of a Certificate Profile for the root certificate:

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Company Resource Access > Certificate Profiles.
  • On the Home tab, in the Create group, click Create Certificate Profile and the Create Certificate Profile Wizard will popup.
  • On the General page, fill in with Name <aCPName>, select Trusted CA certificate and click Next.
  • On the Trusted CA Certificate page, browse (by clicking on Import) to the exported root certificate, select Computer certificate store – Root and click Next.
  • On the Supported Platforms page, select Windows 8.1 Preview and click Next.
    • Note: The other supported platforms are iPhone, iPod and iPad on iOS 5 and 6, and all Android devices.
  • On the Summary page click Next.
  • On the Completion page click Close.

Now that the configuration is created, it’s time for the deployment. An important part of this deployment is the remediation: without it the profile is only evaluated and never enforced. So to deploy and remediate the Certificate Profile follow the next steps:

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Company Resource Access > Certificate Profiles.
  • Select the new item <aCPName> and on the Home tab, in the Deployment group, click Deploy and the Deploy Trusted CA Certificate Profile popup will show.
  • On the Deploy Trusted CA Certificate Profile popup, browse to a device collection, select Remediate noncompliant rules when supported and click Ok.

Part 2 – Client Certificate

After the Certificate Profile for the root certificate is deployed, it’s time to start with the configuration and deployment of a Certificate Profile for the client certificate. It’s important to note that the root certificate has to be deployed for a client certificate deployment to succeed, and that a Certificate Profile for the root certificate is a prerequisite for creating a Certificate Profile for a client certificate, as it is selected in the wizard:

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Company Resource Access > Certificate Profiles.
  • On the Home tab, in the Create group, click Create Certificate Profile and the Create Certificate Profile Wizard will popup.
  • On the General page, fill in with Name <aCPName>, select Simple Certificate Enrollment Protocol (SCEP) settings and click Next.
  • On the SCEP Enrollment page, select Install to Trusted Platform Module (TPM) if present, then select Allow certificate enrollment on any device and click Next.
  • On the Certificate Properties page, select <aCertificateTemplate> as Certificate template name, select the previously created Certificate Profile as Root CA certificate and click Next.
    • Note: All the other settings are filled in automatically based on the selected template, but can be customized. Read rights on the selected template are required for the user running the console to be able to select it. Also, the selected template has to be configured on the Network Device Enrollment Service server, in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.
  • On the Supported Platforms page, select Windows 8.1 Preview and click Next.
    • Note: The other supported platforms are iPhone, iPod and iPad on iOS 5 and 6, and all Android devices.
  • On the Summary page click Next.
  • On the Completion page click Close.

Now that the configuration is created, it’s again time for the deployment. And again, an important part of this deployment is the remediation. So to deploy and remediate the Certificate Profile follow the next steps:

  • In the Configuration Manager Console navigate to Assets and Compliance > Overview > Compliance Settings > Company Resource Access > Certificate Profiles.
  • Select the new item <aCPName> and on the Home tab, in the Deployment group, click Deploy and the Deploy Trusted CA Certificate Profile popup will show.
  • On the Deploy Trusted CA Certificate Profile popup, browse to a device collection, select Remediate noncompliant rules when supported and click Ok.

Result

These Certificate Profiles are handled via the Compliance Settings (see the standard compliance log files). As soon as a device is non-compliant AND Remediate noncompliant rules when supported is configured, the CCM Certificate Enrollment Agent will kick in. The Enrollment Agent will then communicate directly with NDES to do a certificate request via the Simple Certificate Enrollment Protocol (SCEP). The successes and/or failures of this process can be followed in a new log file named CertEnrollAgent.log. On my workgroup device this log file showed a successful enrollment.

Another good place to look is an MMC with the Certificates snap-in on the enrolled device. This will immediately show whether or not the Certificate Profile resulted in a successful enrollment of a certificate.

The last good place to check that I want to show is the Certification Authority. A successful request should be visible under Issued Certificates. This request will show the service account of NDES as the requester.
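As an added example (not code from the original post), the following PowerShell performs the device-side and CA-side checks described above without the GUI. On the enrolled device it lists the certificates in the personal store that chain to the deployed root and reports which key storage provider holds the private key, which is how to see whether Install to Trusted Platform Module (TPM) if present took effect; on the CA it lists the issued requests submitted by the NDES service account. The root thumbprint, the NDES account name and the store (machine versus user) are assumptions.

```powershell
# Added example, not from the original post. Values below are assumptions.
$RootThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # thumbprint of the root deployed in part 1
$NdesAccount    = 'CORP\svc-ndes'                             # NDES service account, as the CA records it

# --- On the enrolled device ---
function Get-ScepIssuedCertificate {
    param(
        [Parameter(Mandatory)][string]$RootThumbprint,
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$Store = 'LocalMachine'
    )
    if (-not (Test-Path "Cert:\LocalMachine\Root\$RootThumbprint")) {
        Write-Warning 'Root certificate (part 1 of the profile) is missing from the machine Root store'
    }
    $cuArgs = if ($Store -eq 'CurrentUser') { @('-user') } else { @() }

    foreach ($cert in Get-ChildItem "Cert:\$Store\My" | Where-Object HasPrivateKey) {
        # Keep only certificates whose chain ends in the deployed root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $valid = $chain.Build($cert)
        $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($top.Thumbprint -ne $RootThumbprint) { continue }

        # The template is recorded in the Certificate Template extension (v2: 1.3.6.1.4.1.311.21.7, v1: ...20.2).
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
            ForEach-Object { $_.Format($false) }

        # Key storage provider: "Microsoft Platform Crypto Provider" means the key is in the TPM.
        $out      = & certutil @cuArgs -store My $cert.Thumbprint 2>$null
        $m        = $out | Select-String -Pattern 'Provider = (.+)$' | Select-Object -First 1
        $provider = if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { $null }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Template    = ($template -join '; ')
            KeyProvider = $provider
            ChainValid  = $valid
        }
    }
}
Get-ScepIssuedCertificate -RootThumbprint $RootThumbprint | Format-List

# --- On the issuing CA ---
# Issued requests (Disposition 20) submitted by the NDES service account; the
# devices themselves never appear as requester, NDES requests on their behalf.
certutil -view -restrict "Disposition=20,RequesterName=$NdesAccount" `
    -out "RequestID,RequesterName,CommonName,CertificateTemplate,NotAfter"
```

A device that shows the certificate with KeyProvider "Microsoft Software Key Storage Provider" either has no TPM or the TPM was not ready at enrollment time; the profile setting is "if present", so that is not reported as a failure anywhere else.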