Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting


In a diptych I’m sharing my experiences, common practices and challenges of implementing the Microsoft Intune PFX connector as a certificate deployment mechanism in the enterprise.


In my first blog post I covered the basics of implementing a certificate deployment infrastructure based on the Microsoft Intune PFX connector, explained the differences and considerations when choosing between SCEP and PFX as your certificate deployment solution, and walked through the certificate issuing workflow. In this second post I go into more detail on the anatomy and setup of the Intune Certificate Connector, explain how the renewal and revocation process (flow) works, and lastly give you some pointers on where to start your journey when troubleshooting certificate deployment issues.

Part 1 – Deploying Microsoft Intune Connector in an Enterprise world: common practices

Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting

Anatomy

The Intune Certificate Connector forms the connection between your on-premises certificate authority (CA) infrastructure and the Microsoft Intune cloud services in order to issue certificates to your managed endpoints. The Intune Certificate Connector can be downloaded once you have enabled the Certificate Connector in your Intune subscription.

During the setup of the Intune Certificate Connector you have the option to configure SCEP and PFX, or PFX only.


Service Account

By default the Windows service of the Intune Certificate Connector runs under the security context of the computer account of the machine on which the connector is installed. Specifying a service account is optional; if you do specify one, make sure it has the Issue and Manage Certificates permission on your issuing Certificate Authority.


Once you have installed and successfully registered the Intune Certificate Connector, the connection status appears as Active in your Intune subscription. From here you deploy a trusted root certificate and intermediate certificate (if applicable), followed by a PFX certificate profile. The table below lists all components of which the Intune Certificate Connector consists.

Binaries
  Location where all components of the Intune Certificate Connector are located.
  C:\Program Files\Microsoft Intune

Interface
  The folder where the Intune Certificate Connector UI, its configuration and its log file are located.
  C:\Program Files\Microsoft Intune\NDESConnectorUI

Log Files
  The location where the Intune Connector Service stores its log files, including certificate request, renewal and revocation transactions.
  C:\Program Files\Microsoft Intune\NDESConnectorSVC\Logs\Logs

Registry
  HKLM\Software\Microsoft\MicrosoftIntune

Windows Services
  The folder where the Intune Connector Service binary and its configuration file are located.
  Intune Connector Service
  C:\Program Files\Microsoft Intune\NDESConnectorSvc\NDESConnector.exe

Event Viewer
  Application and Services Logs\Microsoft Intune Connector

Troubleshooting

Troubleshooting the Intune Certificate Connector can be challenging. Understanding the process and the anatomy of the connector gives you a good starting point to determine the issue or even solve your problem. The table below lists the most common troubleshooting steps in chronological order.

1. Intune Connector / Services
   Check: the Intune Connector service is running
   Location: C:\Windows\System32\services.msc

2. Intune Connector / Event viewer
   Check: no error or warning events are reported
   Location: Application and Services Logs\Microsoft Intune Connector

3. Intune Connector / Connectivity and network
   Check: the Intune Connector connection state shows no issues
   Location: C:\Program Files\Microsoft Intune\NDESConnectorUI

4. Intune Connector / Log files
   Check: no errors are reported in the Intune Connector transaction log file(s)
   Location: C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs

5. Intune Connector / Log files
   Check: no errors are reported in the Intune Connector UI log file
   Location: C:\Program Files\Microsoft Intune\NDESConnectorUI\Logs

6. Certificate Authority / Certificate Services
   Check: the computer account of the Intune Connector has been granted access to your CA(s)
   Location: C:\Windows\System32\certsrv.msc

7. Certificate Authority / Certificate Services
   Check: the service account of the Intune Connector has been granted access to the certificate template
   Location: C:\Windows\System32\certsrv.msc

8. Certificate Authority / Event viewer
   Check: no error or warning events are reported
   Location: Application and Services Logs\Certificate Services

9. Intune Connector / Processing
   Check: no PFX request files (PFR) are in the Failed PfxRequest folder
   Location: C:\Program Files\Microsoft Intune\PfxRequest\Failed

10. Intune Connector / Processing
   Check: no PFX request files (PFR) are stuck in the Processing PfxRequest folder
   Location: C:\Program Files\Microsoft Intune\PfxRequest\Processing

11. Intune Connector / Processing
   Check: PFX request files (PFR) are 7 KB or larger
   Location: C:\Program Files\Microsoft Intune\PfxRequest\Processing

12. Contact Microsoft Intune support
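The connector-host steps of the checklist above (1, 2, 4, 5, 9, 10 and 11) can be run as one read-only health check. This is an added example, not a script from the original post or from Microsoft; the paths, service display name and event log name are taken from the post, while the event log being registered under exactly that name, the one-hour "stuck" threshold and the 'SubType Name="Error"' marker in the WCF svclog files are assumptions.

```powershell
# Added example: read-only health check for the Intune Certificate Connector host.
# Nothing is modified; every check appends a finding that is printed at the end.
$Root = 'C:\Program Files\Microsoft Intune'   # install folder from the post
$Findings = @()

function Add-Finding([string]$Step, [string]$Status, [string]$Detail) {
    $script:Findings += [pscustomobject]@{ Step = $Step; Status = $Status; Detail = $Detail }
}

# 1. Service state (display name as shown in services.msc).
$svc = Get-Service -DisplayName 'Intune Connector Service' -ErrorAction SilentlyContinue
if (-not $svc)                       { Add-Finding '1 Service' 'FAIL' 'Intune Connector Service not found' }
elseif ($svc.Status -ne 'Running')   { Add-Finding '1 Service' 'FAIL' "State is $($svc.Status)" }
else                                 { Add-Finding '1 Service' 'OK'   'Running' }

# 2. Error (level 2) and warning (level 3) events in the connector log, last 24 h.
#    ASSUMPTION: the log is registered as 'Microsoft Intune Connector'.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft Intune Connector'; Level = 2, 3; StartTime = $since } -ErrorAction SilentlyContinue
Add-Finding '2 Event log' $(if ($events) { 'WARN' } else { 'OK' }) "$(@($events).Count) error/warning events since $since"

# 4/5. Transaction and UI logs (*.svclog). The files are WCF end-to-end trace XML;
#      ASSUMPTION: an error trace carries the literal text SubType Name="Error".
foreach ($dir in "$Root\NDESConnectorSvc\Logs\Logs", "$Root\NDESConnectorUI\Logs") {
    $hits = Get-ChildItem $dir -Filter *.svclog -ErrorAction SilentlyContinue |
            Where-Object LastWriteTime -gt $since |
            Select-String -Pattern 'SubType Name="Error"' -SimpleMatch
    Add-Finding "4/5 Logs $dir" $(if ($hits) { 'WARN' } else { 'OK' }) "$(@($hits).Count) error traces in the last 24 h"
}

# 9/10/11. PFX request queue: nothing in Failed, nothing stuck in Processing, files >= 7 KB.
$failed = Get-ChildItem "$Root\PfxRequest\Failed" -File -ErrorAction SilentlyContinue
Add-Finding '9 Failed' $(if ($failed) { 'FAIL' } else { 'OK' }) "$(@($failed).Count) request files"

$proc  = Get-ChildItem "$Root\PfxRequest\Processing" -File -ErrorAction SilentlyContinue
$stuck = $proc | Where-Object LastWriteTime -lt (Get-Date).AddHours(-1)   # ASSUMPTION: > 1 h means stuck
Add-Finding '10 Processing' $(if ($stuck) { 'WARN' } else { 'OK' }) "$(@($proc).Count) queued, $(@($stuck).Count) older than 1 h"

$small = $proc | Where-Object Length -lt 7KB                               # 7 KB minimum from the post
Add-Finding '11 Size' $(if ($small) { 'FAIL' } else { 'OK' }) "$(@($small).Count) request files smaller than 7 KB"

$Findings | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the connector host; steps 3, 6, 7 and 8 still have to be verified in the connector UI and on the CA itself.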

WCF Trace Viewer

The log files of the Intune Certificate Connector are generated with a *.svclog file extension. The best way to analyze these log files in a readable format is the Windows Communication Foundation (WCF) Service Trace Viewer Tool, which helps you analyze diagnostic traces generated by WCF. Service Trace Viewer provides a way to easily merge, view, and filter trace messages in the log so that you can diagnose, repair, and verify WCF service issues.


https://msdn.microsoft.com/en-us/library/ms732023(v=vs.110).aspx

Miscellaneous

The Intune Certificate Connector is updated frequently and these updates often include fixes or (service) improvements. Unfortunately neither the Silverlight portal nor the new Azure Intune portal provides insight (yet) into whether you have installed the latest version of the connector.

When you’re planning to update the connector, it’s good to know that there is no impact other than the Intune Certificate Connector service being restarted during the upgrade. There is no need to provide your Intune Service admin or Global admin credentials, and the service credentials (certificate) remain preserved.

In case you have to re-register the Intune Certificate Connector, you must delete the SC_Online_Issuing certificate(s) from the Local Computer\Personal\Certificates store prior to re-registering. Re-registering might be required as part of a fallback scenario as described in my first blog. Re-registering doesn’t require you to reinstall the Intune Certificate Connector; the re-registration is initiated by starting the Intune Certificate Connector UI.

Advanced Troubleshooting

When the default log files are insufficient, the log level (debug/verbose) can be configured by adjusting NDESConnector.exe.config. Besides log levels, we can adjust the TimeFrequency, PFXTimeFrequency and IntuneServiceTimeout settings.

NDESConnector.exe.config
  System.Diagnostics (log level)
  AppSettings (TimeFrequency, PFXTimeFrequency, IntuneServiceTimeout)

Registry
  HKLM\Software\Microsoft\Jupiter\logging

Important!

Be reluctant to change the certificate parameters in your certificate policies. Changing one of these parameters will cause all certificates to be reissued! This impacts every user the certificate policy is targeted at.

Certificate Template Parameters:

    • KSPSetting
    • CertificateStoreLocation
    • TemplateName
    • SubjectNameFormat
    • SubjectAlternativeNameFormat
    • CertificateValidityPeriod

Sources

  • Configure certificate infrastructure (classic Intune portal)
    https://docs.microsoft.com/en-us/intune/deploy-use/configure-certificate-infrastructure-for-pfx

  • How to configure certificates in Microsoft Intune (new Intune Azure portal)
    https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-certificates

  • Configure your Microsoft Intune certificate infrastructure for PKCS (PFX)
    https://docs.microsoft.com/en-us/intune-azure/configure-devices/configure-certificate-infrastructure-for-pfx

  • Configure certificate infrastructure for SCEP in Microsoft Intune
    https://docs.microsoft.com/en-us/intune-azure/configure-devices/configure-certificate-infrastructure-for-scep
