cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Android Enterprise SCEP user and device issuing errors

%3CLINGO-SUB%20id%3D%22lingo-sub-1218407%22%20slang%3D%22en-US%22%3EAndroid%20Enterprise%20SCEP%20user%20and%20device%20issuing%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1218407%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20attempting%20to%20deliver%20Android%20Enterprise%20SCEP%20certificates%20(both%20user%20and%20device%20based)%20and%20both%20seem%20to%20fail.%20We%20have%20our%20environment%20set%20up%20for%20iOS%20SCEP%20and%20Android%20Device%20Admin%20SCEP%20certificates%20and%20they%20work%20fine.%20Using%20the%20same%20settings%20in%20the%20Android%20Enterprise%20profiles%20they%20fail%20with%20the%20error%20of%20%220%20(No%20error%20code)%22%20Does%20anyone%20know%20of%20anything%20that%20might%20be%20causing%20this%3F%20I%20reached%20out%20to%20the%20networking%20team%20to%20look%20in%20the%20logs%2C%20but%20they%20don't%20see%20any%20that%20sticks%20out%20that%20would%20cause%20this%20to%20fail.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%223-9-2020%203-10-28%20PM.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F176013i0B554CDD3862D746%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%223-9-2020%203-10-28%20PM.jpg%22%20alt%3D%223-9-2020%203-10-28%20PM.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1218407%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAndroid%20Enterprise%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ecertificates%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESCEP%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1383263%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20Enterprise%20SCEP%20user%20and%20device%20issuing%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1383263%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20news%20on%20this%3F%20hitting%20the%20same%20wall%20atm%20%3D)%3C%2Fimg%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F252067%22%20target%3D%22_blank%22%3E%40kkeirstead%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEdit%2C%20posted%20a%20summary%20of%20my%20problem.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EI%20got%20a%20couple%20of%20Samsung%20Galaxy%206%20tabs%20that%20are%20enrolled%20with%20knox%20into%20Dedicated%20devices%20in%20Intune.%20They%20are%20configured%20as%20Kiosk%20devices%20with%20managed%20homescreen.%20They%20are%20fully%20patched%20to%20Android%2010%2C%20latest%20updates.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EI%20try%20to%20deploy%20SCEP%20device%20certificates%20to%20them%20for%20Wifi%20auth.%20I%20got%20the%20backend%20infrastructure%20setup%20with%20ndes%2C%20ca%2C%20Intune%20cert%20connector%20and%20an%20azure%20app%20proxy.%2C%20We%20are%20using%20User%20certificates%20on%20our%20Android%20Work%20Profile%20phones%2C%20iPads%20and%20iPhones%20from%20the%20same%20backend.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EI%20get%20my%20root%20CA%20certificate%20deployed%20to%20the%20device.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EBut%20i%20can't%20understand%20why%20i%20don't%20get%20a%20scep%20device%20cert%2C%20in%20intune%20the%20only%20error%20i%20can%20see%20is%20%22Error%200%22%20in%20my%20profile%20configuration%20status.%20I%20went%20through%20the%20ndes%20logs%20and%20there%20i%20can%20see%20a%20connection%20to%20the%20web%20server%20with%20result%20200%20from%20my%20Android%20device%20which%20should%20be%20that%20it's%20Ok.%20Then%20nothing%20else%2C%20no%20requests%20are%20being%20made%20to%20the%20CA%20and%20nothing%20in%20the%20other%20logfiles.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EIn%20the%20scep%20settings%20i'm%20not%20sure%20what%20configuration%20i%20should%20use.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EI've%20tried%20alot%20of%20different%20settings%20in%20the%20Subject%20name%20format%20and%20alternative%20name%20Right%20now%20i%20have%20CN%3D%7B%7BAAD_Device_ID%7D%7D%20for%20Subject%20name%20format%20and%20Subject%20alternative%20name%20UPN%20%7B%5BAAD_Device_ID%7D%7D%40domain.local.%20These%20im%20not%20sure%20about.%20I%20read%20that%20i%20need%20UPN%20to%20get%20wifi%20working%20when%20i%20actually%20get%20the%20cert.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3ERest%20of%20the%20configuration%20is%20identical%20to%20the%20working%20User%20Certs.%20Certificate%20validity%20period%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3E1%20Years%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EKey%20usage%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EKey%20encipherment%2C%20Digital%20signature%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EKey%20size%20(bits)%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3E2048%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EHash%20algorithm%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3ESHA-1%2C%20SHA-2%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3ERenewwal%20threshold%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3E20%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3ESCEP%20Server%20Urls%20%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3Ehttps%3A%2F%2F%22myserver%22.msappproxy.net%2Fcertsrv%2Fmsc%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EAny%20ideas%3F%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1403599%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20Enterprise%20SCEP%20user%20and%20device%20issuing%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1403599%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F444733%22%20target%3D%22_blank%22%3E%40pejtan66%3C%2FA%3E%26nbsp%3BI%20wish%20I%20had%20more%20information%20to%20give%20you.%20The%20main%20issue%20we%20were%20having%20is%20the%20root%20cert%20we%20were%20deploying%20didn't%20match%20the%20root%20certificate%20on%20the%20NDES%20server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20seeing%20some%20successful%20deployments%20on%20some%20devices%20but%20on%20others%20I'm%20seeing%20the%20same%20%22Error%200%22%20error%20on%20those%20devices.%20I%20can't%20tell%20what%20would%20be%20different%20between%20those%20devices%2C%20they%20are%20enrolled%20into%20the%20same%20profile%2C%20the%20same%20OS%20and%20the%20same%20tablet%20type.%3C%2FP%3E%3C%2FLINGO-BODY%3E
kkeirstead
Occasional Contributor

‎Mar 09 2020 12:13 PM

‎Mar 09 2020 12:13 PM

Android Enterprise SCEP user and device issuing errors

Hi,

 

We are attempting to deliver Android Enterprise SCEP certificates (both user and device based) and both seem to fail. We have our environment set up for iOS SCEP and Android Device Admin SCEP certificates and they work fine. Using the same settings in the Android Enterprise profiles they fail with the error of "0 (No error code)" Does anyone know of anything that might be causing this? I reached out to the networking team to look in the logs, but they don't see any that sticks out that would cause this to fail.

 

3-9-2020 3-10-28 PM.jpg

1,345 Views
1 Like
2 Replies
Reply
2 Replies
pejtan66

‎May 12 2020 09:25 AM - edited ‎May 12 2020 01:15 PM

‎May 12 2020 09:25 AM - edited ‎May 12 2020 01:15 PM

Re: Android Enterprise SCEP user and device issuing errors

Any news on this? hitting the same wall atm =) @kkeirstead 

 

Edit, posted a summary of my problem.

 

I got a couple of Samsung Galaxy 6 tabs that are enrolled with knox into Dedicated devices in Intune. They are configured as Kiosk devices with managed homescreen. They are fully patched to Android 10, latest updates.
I try to deploy SCEP device certificates to them for Wifi auth. I got the backend infrastructure setup with ndes, ca, Intune cert connector and an azure app proxy., We are using User certificates on our Android Work Profile phones, iPads and iPhones from the same backend.
 
I get my root CA certificate deployed to the device.
 
But i can't understand why i don't get a scep device cert, in intune the only error i can see is "Error 0" in my profile configuration status. I went through the ndes logs and there i can see a connection to the web server with result 200 from my Android device which should be that it's Ok. Then nothing else, no requests are being made to the CA and nothing in the other logfiles.
 
In the scep settings i'm not sure what configuration i should use.
I've tried alot of different settings in the Subject name format and alternative name Right now i have CN={ {AAD_Device_ID} } for Subject name format and Subject alternative name UPN { [AAD_Device_ID} }@domain.local. These im not sure about. I read that i need UPN to get wifi working when i actually get the cert.
Rest of the configuration is identical to the working User Certs. Certificate validity period
1 Years
Key usage
Key encipherment, Digital signature
Key size (bits)
2048
Hash algorithm
SHA-1, SHA-2
Renewwal threshold
20
SCEP Server Urls
https://"myserver".msappproxy.net/certsrv/msc
Any ideas?
 
1 Like
Reply
kkeirstead

‎May 19 2020 12:02 PM

‎May 19 2020 12:02 PM

Re: Android Enterprise SCEP user and device issuing errors

@pejtan66 I wish I had more information to give you. The main issue we were having is the root cert we were deploying didn't match the root certificate on the NDES server.

 

I am seeing some successful deployments on some devices but on others I'm seeing the same "Error 0" error on those devices. I can't tell what would be different between those devices, they are enrolled into the same profile, the same OS and the same tablet type.

1 Like
Reply