Android Enterprise SCEP user and device issuing errors


Hi,

 

We are attempting to deliver Android Enterprise SCEP certificates (both user and device based) and both seem to fail. We have our environment set up for iOS SCEP and Android Device Admin SCEP certificates and they work fine. Using the same settings in the Android Enterprise profiles, they fail with the error "0 (No error code)". Does anyone know of anything that might be causing this? I reached out to the networking team to look in the logs, but they don't see anything that sticks out that would cause this to fail.

 


2 Replies

Any news on this? Hitting the same wall atm =) @kkeirstead

 

Edit, posted a summary of my problem.

 

I got a couple of Samsung Galaxy 6 tabs that are enrolled with Knox into Dedicated devices in Intune. They are configured as Kiosk devices with managed homescreen. They are fully patched to Android 10, latest updates.
I try to deploy SCEP device certificates to them for Wi-Fi auth. I got the backend infrastructure set up with NDES, CA, Intune cert connector and an Azure app proxy. We are using User certificates on our Android Work Profile phones, iPads and iPhones from the same backend.

I get my root CA certificate deployed to the device.

But I can't understand why I don't get a SCEP device cert; in Intune the only error I can see is "Error 0" in my profile configuration status. I went through the NDES logs and there I can see a connection to the web server with result 200 from my Android device, which should be that it's OK. Then nothing else, no requests are being made to the CA and nothing in the other log files.

In the SCEP settings I'm not sure what configuration I should use.
I've tried a lot of different settings in the Subject name format and alternative name. Right now I have CN={{AAD_Device_ID}} for Subject name format and Subject alternative name UPN {[AAD_Device_ID}}@domain.local. These I'm not sure about. I read that I need UPN to get Wi-Fi working when I actually get the cert.
Rest of the configuration is identical to the working User Certs.
Certificate validity period: 1 Years
Key usage: Key encipherment, Digital signature
Key size (bits): 2048
Hash algorithm: SHA-1, SHA-2
Renewal threshold: 20
SCEP Server URLs: https://"myserver".msappproxy.net/certsrv/msc
Any ideas?
 

@pejtan66 I wish I had more information to give you. The main issue we were having is the root cert we were deploying didn't match the root certificate on the NDES server.

 

I am seeing some successful deployments on some devices but on others I'm seeing the same "Error 0" error on those devices. I can't tell what would be different between those devices, they are enrolled into the same profile, the same OS and the same tablet type.
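
One way to check for the root mismatch described in the reply above is to compare fingerprints rather than names, since two roots can carry the same subject and still be different certificates. This is an added example, not part of the thread; it assumes the `openssl` CLI is installed, and the file names and CA names are constructed for the demo.

```shell
#!/bin/sh
# Compare the root pushed by the trusted-certificate profile with the root
# exported from the NDES/CA side. File names and CA names are constructed.

cert_fp() {       # SHA-256 fingerprint of a PEM or DER (.cer) certificate
    { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null ||
      openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256; } | sed 's/.*=//'
}

cert_subject() {  # subject DN of a PEM or DER certificate
    openssl x509 -in "$1" -noout -subject 2>/dev/null ||
    openssl x509 -inform DER -in "$1" -noout -subject
}

compare_roots() { # $1 = root in the MDM profile, $2 = root from the NDES server
    a=$(cert_fp "$1"); b=$(cert_fp "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo UNREADABLE; return 1       # never treat two empty results as equal
    elif [ "$a" = "$b" ]; then
        echo MATCH
    elif [ "$(cert_subject "$1")" = "$(cert_subject "$2")" ]; then
        echo SAME_NAME_DIFFERENT_CERT   # same subject, different certificate
    else
        echo DIFFERENT_CA
    fi
}

make_root() {     # constructed self-signed root, demo only
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_root "$demo/profile_root" "/CN=Example Root CA"    # what the profile deploys
make_root "$demo/ndes_root"    "/CN=Example Root CA"    # what NDES chains to
make_root "$demo/other_root"   "/CN=Unrelated Root CA"
openssl x509 -in "$demo/ndes_root.pem" -outform DER -out "$demo/ndes_root.cer"

echo "profile vs NDES:      $(compare_roots "$demo/profile_root.pem" "$demo/ndes_root.pem")"
echo "NDES PEM vs NDES DER: $(compare_roots "$demo/ndes_root.pem" "$demo/ndes_root.cer")"
echo "profile vs unrelated: $(compare_roots "$demo/profile_root.pem" "$demo/other_root.pem")"
```

In practice the two inputs would be the .cer uploaded to the trusted certificate profile and the root exported from the NDES server's certificate chain.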