Windows 10: Unable to Install SCEP Cert . The client and server cannot communicate, because they do...

NDES/SCEp configured as per MS docs , but SCEP certificates cannot be issues to clients . I get these errors on the server event logs , intune > CertificateConnectors > Operational Event ID : 2 SCEP Policy Module:Error occured while processing verify request.System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection

:)

 

Communicating with the DNS server

Since you got the error "unable to contact your DHCP server", this could be due to a disabled DHCP client. We suggest following these steps to enable it:

• Click Start.
• Type services.msc and press
  Enter.
• Find DHCP Client from the list of services and check the status.
• If DHCP Client isn't running, right-click it and choose
  Start.
• The DHCP Client Startup type should be
  Automatic. If it's not, double-click it, choose Automatic.
• Click Apply.
• Click OK.

Check if you can use the ipconfig /renew command after enabling the DHCP Client. If you're still unable to connect to the Internet after this, we recommend uninstalling your network
adapter driver by following these steps:

• Right-click the Start button and choose Device manager.
• Click the arrow beside Network adapters and double-click your network adapter.
• Go to the Driver tab.
• Click Uninstall device.
• Restart your computer. This will prompt Windows to automatically reinstall the correct driver.

Let us know what happens after enabling the DHCP Client and reinstalling the network adapter driver.

 

SCEP Server(sub-CA) issues only once CA certificate instead of certificate chain

Hi ,

I configured a CA server in windows server 2008 with rootCA(windows server 2008)-->SubCA1(windows server 2008)--->SubCA2 (windows server 2008)

and configured NDES in SubCA2 and when I send a SCEP request to subCA2 .

It issues me a certificate and CA certificate(public key) and CA certificate only has subCA2 certificate but does not present a certificate chain .

But when I go to issued certificates in SubCA2 it shows the entire certification path till rootCA. Is there a way to send entire certificate chain to SCEP client or is this expected behavior

 

Client certificate authentication- How to install a key/cert pair

I have a website that requires a client certificate (key) for access. We have an internal AD-based CA configured. I have a working Key/Cert pair on my system which successfully permits access to the website from multiple Windows-based clients so I know
the authentication is working.

What I'm having trouble with is importing the PFX (key/cert pair) into my HD7. It asks for the password as expected but when I've included "all certificates in the certification path if possible", the import to my HD7 seems as though it's only importing
the CA (the enterprise CA). I get this impression because it shows the name of the certificate authority, showing the Thumbprint, etc.

Thinking that WP7 is only importing the 'highest' certificate in the chain, I re-exported my key-pair without the cert paths option. When importing this file, it asks for the password again but upon entering the password it immediately reports that "Your
phone successfully added one or more certificates" without first showing any information or details about the certificate as it had with the CA.

Needless to say, when I attempt to access the certificate-authenticated website from my HD7 the response is the same as if no key were available. I believe this is the case and that indeed the key is not being imported.

What am I missing? I don't necessarily need my domain-based key pair (actually would prefer to not use that)... can I generate a key-pair on the phone itself and then export the certificate... importing and assigning it on the IIS server?