Certificate profile deployment failed with the error ‘22004: Unsupported certificate configuration’

Tweet_NDESThis week a short blog post about an issue that I ran into, and tweeted about, the other week. Due to the strange error message I thought it would definitely be blog worthy. The error description was 22004: Unsupported certificate configuration. However, the actual issue did not come close to what the description would imply. This post will provide a brief overview of the scenario, the issue and the solution.

Scenario

Env_OverviewLet’s start with a brief overview of the scenario. The environment contains Active Directory Federation Services (AD FS) and Web Application Proxy (WAP) for providing single sign-on (SSO) to the cloud services of Office 365 and Microsoft Intune. Microsoft Intune is used in a hybrid configuration with ConfigMgr and is fully configured to deploy certificate profiles. The required Network Device Enrollment Service (NDES) is published through WAP.

Issue

Now let’s have a look at the issue that I started seeing with deploying Certificate Profiles via Microsoft Intune hybrid to mobile devices. It is good to mention that it was working before. I started seeing the following combination of error messages on specific Certificate Profile settings.

Name Type Error Category Error ID Description
Certificate already issued Setting Discovery 0x87D17D04 22004: Unsupported certificate configuration
Certificate configuration parameters Setting Enforcement 0x87D1FDE8 Remediation failed

The first error message seems very straight forward. At least, assuming that it is accurate. However, as the Certificate Profile deployment was working before, I couldn’t imagine that the issue was related to the configuration of the certificate, certificate profile or certificate template.

I had to look further. The first thing I did was checking the external availability of NDES. I did that by checking the external URL of NDES, via https://externalFQDN/certsrv/mscep/mscep.dll. That external URL gave me an HTTP Error 503. The service is unavailable error message. The logical second thing I did was checking the internal availability of NDES. I did that by checking the internal URL of NDES, on the WAP server, via https://internalFQDN/certsrv/mscep/mscep.dll. That internal URL gave me an expected 403 – Forbidden: Access is denied error message.

Now the issue is narrowed down to the publishing mechanism used for NDES.

Solution

In this case it turned out to be the Web Application Proxy Service service that was in a Stopped state. Simply starting the service again solved the issue. After looking a bit further, I noticed that the service initially failed to start due to connection issues with the AD FS server. By default, the service tries to restart twice. After the third failure the service won’t retry again. However, in this case the connection came back to life after the third failure of the service.

In case the HTTP Error 503. The service is unavailable error message also shows while checking the internal URL of NDES, the problem is likely related to NDES itself. In that case the issue is likely related to the application pool, named SCEP, used by NDES.

A good summary would be that the 22004: Unsupported certificate configuration error message is often related to any HTTP Error 503. The service is unavailable error message in the NDES publishing chain.

Leave a Comment