In a diptych I'm sharing my experiences, common practices and challenges of implementing the Microsoft Intune PFX connector as a certificate deployment mechanism in the enterprise.
In my first blog post I covered the basics of implementing a certificate deployment infrastructure based on the Microsoft Intune PFX connector, explained the differences and considerations when choosing between SCEP and PFX as your certificate deployment solution, and walked through the certificate issuing workflow. In this second post I'll go into more detail on the anatomy and setup of the Intune Certificate Connector, explain how the renewal and revocation process (flow) works, and lastly give you some pointers on where to start your journey when troubleshooting certificate deployment issues.
Part 2 – Deploying Microsoft Intune Connector in an Enterprise world: troubleshooting
The Intune Certificate Connector forms the connection between your on-premises certificate authority (CA) infrastructure and the Microsoft Intune cloud service in order to issue certificates to your managed endpoints. The Intune Certificate Connector can be downloaded once you have enabled the Certificate Connector in your Intune subscription.
During the setup of the Intune Certificate Connector you have the option to configure SCEP and PFX, or PFX only.
By default the Windows service of the Intune Certificate Connector runs under the security context of the computer account of the server the Intune Certificate Connector is installed on. Specifying a service account is optional; when you do specify one, make sure it has the Issue and Manage Certificates permission on your issuing Certificate Authority.
Once you have installed and successfully registered the Intune Certificate Connector, the connection status appears as Active in your Intune subscription. From here you deploy a trusted root and intermediate (if applicable) certificate profile, followed by a PFX certificate profile. The table below shows all components of which the Intune Certificate Connector consists.
| Location | Description |
|---|---|
| C:\Program Files\Microsoft Intune | Root folder where all components of the Intune Certificate Connector are located. |
| C:\Program Files\Microsoft Intune\NDESConnectorUI | Folder where the Intune Service Connector UI, its configuration and its log file are located. |
| C:\Program Files\Microsoft Intune\NDESConnectorSVC\Logs\Logs | Location where the Intune Connector Service stores its log files, including certificate request, renewal and revocation transactions. |
| Intune Connector Service: C:\Program Files\Microsoft Intune\NDESConnectorSvc\NDESConnector.exe | Folder where the Intune Service Connector service and its configuration file are located. |
| Event Viewer: Application and Services Logs\Microsoft Intune Connector | Event log of the Intune Certificate Connector. |
Troubleshooting the Intune Certificate Connector can be challenging. Understanding the process and its anatomy gives you a good starting point to successfully determine the issue or even solve your problem. In the table below the most common steps involved are listed in chronological order.
| Step | Component | Area | Check | Location |
|---|---|---|---|---|
| 1 | Intune Connector | Services | Make sure the Intune Connector service is running | C:\Windows\System32\services.msc |
| 2 | Intune Connector | Event viewer | Make sure no error/warning events are reported | Application and Services Logs\Microsoft Intune Connector |
| 3 | Intune Connector | Connectivity / Network | Make sure the Intune Connector connection state has no issues | C:\Program Files\Microsoft Intune\NDESConnectorUI |
| 4 | Intune Connector | Log files | Make sure no errors are reported in the Intune Connector transaction log file(s) | C:\Program Files\Microsoft Intune\NDESConnectorSvc\Logs\Logs |
| 5 | Intune Connector | Log files | Make sure no errors are reported in the Intune Connector UI log file | C:\Program Files\Microsoft Intune\NDESConnectorUI\Logs |
| 6 | Certificate Authority | Certificate Services | Make sure the computer account of the Intune Connector has been granted access to your CA(s) | C:\Windows\System32\certsrv.msc |
| 7 | Certificate Authority | Certificate Services | Make sure the service account of the Intune Connector has been granted access to the certificate template | C:\Windows\System32\certsrv.msc |
| 8 | Certificate Authority | Event viewer | Make sure no error/warning events are reported | Application and Services Logs\Certificate Services |
| 9 | Intune Connector | Processing | Make sure no PFX request files (PFR) are in the Failed PfxRequest folder | C:\Program Files\Microsoft Intune\PfxRequest\Failed |
| 10 | Intune Connector | Processing | Make sure no PFX request files (PFR) are queued in the Processing PfxRequest folder; PFX request files (PFR) in this folder are 2KB in size | C:\Program Files\Microsoft Intune\PfxRequest\Processing |
| 11 | Intune Connector | Successful | Make sure the PFX request files (PFR) in the Successful folder are 7KB or larger | C:\Program Files\Microsoft Intune\PfxRequest\Successful |
| 12 | Contact Microsoft Intune support | | | |
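As an added example (not code from the original post), the following PowerShell script automates steps 1, 2 and 9 to 11 of the table above on the connector server and prints its findings. The service name NDESConnectorSvc, the event log name Microsoft Intune Connector and the 30-minute threshold for a request considered stuck in Processing are assumptions; the CA-side checks (steps 6 to 8) still have to be done in certsrv.msc.

```powershell
# Added example: automated subset of the troubleshooting table. Names marked "assumed" are not from the post.
$Base        = 'C:\Program Files\Microsoft Intune\PfxRequest'
$ServiceName = 'NDESConnectorSvc'            # assumed; confirm with: Get-Service -DisplayName 'Intune Connector*'
$EventLog    = 'Microsoft Intune Connector'  # assumed log name behind Application and Services Logs\Microsoft Intune Connector
$Findings    = [System.Collections.Generic.List[string]]::new()

# Step 1: the connector service must be running
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc)                     { $Findings.Add("Service '$ServiceName' not found") }
elseif ($svc.Status -ne 'Running') { $Findings.Add("Service '$ServiceName' is $($svc.Status)") }

# Step 2: no critical (1), error (2) or warning (3) events in the connector log during the last 24 hours
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = $EventLog; Level = 1,2,3; StartTime = $since } `
          -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches; that is the good case here
foreach ($e in $events) {
    $Findings.Add("Event $($e.Id) [$($e.LevelDisplayName)] $($e.TimeCreated): $(($e.Message -split "`n")[0])")
}

# Steps 9-11: PFX request files (PFR) per folder, using the size expectations from the table
$checks = @(
    @{ Folder = 'Failed';     Rule = { param($f) "Failed request: $($f.Name)" } },
    @{ Folder = 'Processing'; Rule = { param($f)   # ~2KB files that never leave this folder are the symptom to spot
         if ($f.LastWriteTime -lt (Get-Date).AddMinutes(-30)) { "Stuck in Processing >30 min (assumed threshold): $($f.Name) ($($f.Length) bytes)" } } },
    @{ Folder = 'Successful'; Rule = { param($f)
         if ($f.Length -lt 7KB) { "Successful but below 7KB: $($f.Name) ($($f.Length) bytes)" } } }
)
foreach ($c in $checks) {
    $path = Join-Path $Base $c.Folder
    if (-not (Test-Path $path)) { $Findings.Add("Folder missing: $path"); continue }
    foreach ($f in Get-ChildItem -Path $path -File) {
        $msg = & $c.Rule $f
        if ($msg) { $Findings.Add($msg) }
    }
}

if ($Findings.Count -eq 0) { 'All automated checks passed; continue with the CA-side checks (steps 6-8).' }
else { $Findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on the connector server; reading the connector event log and the PfxRequest folders under Program Files requires administrative rights.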
WCF Trace Viewer
The log files of the Intune Certificate Connector are generated with a *.svclog file extension. The best way to analyze these log files in a readable format is the Windows Communication Foundation (WCF) Service Trace Viewer Tool, which helps you analyze diagnostic traces generated by WCF. Service Trace Viewer provides a way to easily merge, view, and filter trace messages in the log so that you can diagnose, repair, and verify WCF service issues.
The Intune Certificate Connector is frequently updated and often includes fixes or (service) improvements. Unfortunately neither the Silverlight portal nor the new Azure Intune portal provides insight (yet) into whether you have installed the latest version of the connector.
When you are planning to update the connector, it is good to know there is no impact other than the Intune Certificate Connector service being restarted during the upgrade. There is no need to provide your Intune Service admin or Global admin credentials; the service credentials (certificate) remain preserved.
In case you have to re-register the Intune Certificate Connector, you must delete the SC_Online_Issuing certificate(s) (Local Computer\Personal\Certificates) prior to re-registering. Re-registering might be required as part of a fallback scenario as described in my first blog post. Re-registering does not require you to reinstall the Intune Certificate Connector; the re-registration is initiated by starting the Intune Certificate Connector UI.
When the default log files are insufficient, the log level (debug/verbose) can be configured by adjusting NDESConnector.exe.config. Besides the log level, the TimeFrequency, PFXTimeFrequency and IntuneServiceTimeout settings can also be adjusted in this file.
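An added example, not from the original post, of inspecting NDESConnector.exe.config before touching it: the script takes a timestamped backup and lists the current values of TimeFrequency, PFXTimeFrequency and IntuneServiceTimeout together with any trace switch that sets the log level. The config path, and the assumption that these settings appear as <add key="..."> elements and the log level as a switchValue attribute, are mine, not the post's.

```powershell
# Added example: back up NDESConnector.exe.config and show the settings the post names.
# Where the settings live inside the XML is an assumption, so the script searches the whole file
# for <add key="..." value="..."/> elements and for any element carrying a switchValue attribute.
$ConfigPath = 'C:\Program Files\Microsoft Intune\NDESConnectorSvc\NDESConnector.exe.config'  # assumed location
$Settings   = 'TimeFrequency', 'PFXTimeFrequency', 'IntuneServiceTimeout'

function Get-ConnectorSetting {
    param([string]$Path, [string[]]$Names)
    [xml]$xml = Get-Content -Path $Path -Raw
    # Timer / timeout settings: assumed to be appSettings-style <add key=.. value=..> entries
    foreach ($node in $xml.SelectNodes('//add[@key]')) {
        $key = $node.GetAttribute('key')
        if ($Names -contains $key) {
            [pscustomobject]@{ Setting = $key; Value = $node.GetAttribute('value'); Kind = 'appSetting' }
        }
    }
    # Log level: System.Diagnostics trace sources/switches expose it as a switchValue attribute (assumed)
    foreach ($node in $xml.SelectNodes('//*[@switchValue]')) {
        [pscustomobject]@{ Setting = $node.GetAttribute('name'); Value = $node.GetAttribute('switchValue'); Kind = 'traceSwitch' }
    }
}

# Keep a timestamped copy next to the original before editing anything; a .NET service reads its
# .exe.config at start-up, so the connector service has to be restarted for a change to take effect.
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
Copy-Item -Path $ConfigPath -Destination $backup
"Backup written to $backup"
Get-ConnectorSetting -Path $ConfigPath -Names $Settings | Format-Table -AutoSize
```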
Be reluctant to change the certificate parameters in your certificate policies. Changing one of these parameters will cause all certificates to be reissued! This impacts every user the certificate policy was targeted to.
Certificate Template Parameters:
- Configure certificate infrastructure (classic Intune portal)
- How to configure certificates in Microsoft Intune (new Intune Azure portal)
- Configure your Microsoft Intune certificate infrastructure for PKCS (PFX)
- Configure certificate infrastructure for SCEP in Microsoft Intune