cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Android Enterprise SCEP user and device issuing errors

%3CLINGO-SUB%20id%3D%22lingo-sub-1218407%22%20slang%3D%22en-US%22%3EAndroid%20Enterprise%20SCEP%20user%20and%20device%20issuing%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1218407%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20attempting%20to%20deliver%20Android%20Enterprise%20SCEP%20certificates%20(both%20user%20and%20device%20based)%20and%20both%20seem%20to%20fail.%20We%20have%20our%20environment%20set%20up%20for%20iOS%20SCEP%20and%20Android%20Device%20Admin%20SCEP%20certificates%20and%20they%20work%20fine.%20Using%20the%20same%20settings%20in%20the%20Android%20Enterprise%20profiles%20they%20fail%20with%20the%20error%20of%20%220%20(No%20error%20code)%22%20Does%20anyone%20know%20of%20anything%20that%20might%20be%20causing%20this%3F%20I%20reached%20out%20to%20the%20networking%20team%20to%20look%20in%20the%20logs%2C%20but%20they%20don't%20see%20any%20that%20sticks%20out%20that%20would%20cause%20this%20to%20fail.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%223-9-2020%203-10-28%20PM.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F176013i0B554CDD3862D746%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%223-9-2020%203-10-28%20PM.jpg%22%20alt%3D%223-9-2020%203-10-28%20PM.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1218407%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAndroid%20Enterprise%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ecertificates%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EIntune%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMobile%20Device%20Management%20(MDM)%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESCEP%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1383263%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20Enterprise%20SCEP%20user%20and%20device%20issuing%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1383263%22%20slang%3D%22en-US%22%3E%3CP%3EAny%20news%20on%20this%3F%20hitting%20the%20same%20wall%20atm%20%3D)%3C%2Fimg%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F252067%22%20target%3D%22_blank%22%3E%40kkeirstead%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEdit%2C%20posted%20a%20summary%20of%20my%20problem.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EI%20got%20a%20couple%20of%20Samsung%20Galaxy%206%20tabs%20that%20are%20enrolled%20with%20knox%20into%20Dedicated%20devices%20in%20Intune.%20They%20are%20configured%20as%20Kiosk%20devices%20with%20managed%20homescreen.%20They%20are%20fully%20patched%20to%20Android%2010%2C%20latest%20updates.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EI%20try%20to%20deploy%20SCEP%20device%20certificates%20to%20them%20for%20Wifi%20auth.%20I%20got%20the%20backend%20infrastructure%20setup%20with%20ndes%2C%20ca%2C%20Intune%20cert%20connector%20and%20an%20azure%20app%20proxy.%2C%20We%20are%20using%20User%20certificates%20on%20our%20Android%20Work%20Profile%20phones%2C%20iPads%20and%20iPhones%20from%20the%20same%20backend.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EI%20get%20my%20root%20CA%20certificate%20deployed%20to%20the%20device.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EBut%20i%20can't%20understand%20why%20i%20don't%20get%20a%20scep%20device%20cert%2C%20in%20intune%20the%20only%20error%20i%20can%20see%20is%20%22Error%200%22%20in%20my%20profile%20configuration%20status.%20I%20went%20through%20the%20ndes%20logs%20and%20there%20i%20can%20see%20a%20connection%20to%20the%20web%20server%20with%20result%20200%20from%20my%20Android%20device%20which%20should%20be%20that%20it's%20Ok.%20Then%20nothing%20else%2C%20no%20requests%20are%20being%20made%20to%20the%20CA%20and%20nothing%20in%20the%20other%20logfiles.%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EIn%20the%20scep%20settings%20i'm%20not%20sure%20what%20configuration%20i%20should%20use.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EI've%20tried%20alot%20of%20different%20settings%20in%20the%20Subject%20name%20format%20and%20alternative%20name%20Right%20now%20i%20have%20CN%3D%7B%7BAAD_Device_ID%7D%7D%20for%20Subject%20name%20format%20and%20Subject%20alternative%20name%20UPN%20%7B%5BAAD_Device_ID%7D%7D%40domain.local.%20These%20im%20not%20sure%20about.%20I%20read%20that%20i%20need%20UPN%20to%20get%20wifi%20working%20when%20i%20actually%20get%20the%20cert.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3ERest%20of%20the%20configuration%20is%20identical%20to%20the%20working%20User%20Certs.%20Certificate%20validity%20period%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3E1%20Years%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EKey%20usage%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EKey%20encipherment%2C%20Digital%20signature%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EKey%20size%20(bits)%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3E2048%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EHash%20algorithm%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3ESHA-1%2C%20SHA-2%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3ERenewwal%20threshold%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3E20%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3ESCEP%20Server%20Urls%20%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3Ehttps%3A%2F%2F%22myserver%22.msappproxy.net%2Fcertsrv%2Fmsc%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%3CSPAN%3EAny%20ideas%3F%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22%22%3E%3CDIV%20class%3D%22public-DraftStyleDefault-block%20public-DraftStyleDefault-ltr%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1403599%22%20slang%3D%22en-US%22%3ERe%3A%20Android%20Enterprise%20SCEP%20user%20and%20device%20issuing%20errors%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1403599%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F444733%22%20target%3D%22_blank%22%3E%40pejtan66%3C%2FA%3E%26nbsp%3BI%20wish%20I%20had%20more%20information%20to%20give%20you.%20The%20main%20issue%20we%20were%20having%20is%20the%20root%20cert%20we%20were%20deploying%20didn't%20match%20the%20root%20certificate%20on%20the%20NDES%20server.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20seeing%20some%20successful%20deployments%20on%20some%20devices%20but%20on%20others%20I'm%20seeing%20the%20same%20%22Error%200%22%20error%20on%20those%20devices.%20I%20can't%20tell%20what%20would%20be%20different%20between%20those%20devices%2C%20they%20are%20enrolled%20into%20the%20same%20profile%2C%20the%20same%20OS%20and%20the%20same%20tablet%20type.%3C%2FP%3E%3C%2FLINGO-BODY%3E
kkeirstead
Occasional Contributor

‎Mar 09 2020 12:13 PM

‎Mar 09 2020 12:13 PM

Android Enterprise SCEP user and device issuing errors

Hi,

 

We are attempting to deliver Android Enterprise SCEP certificates (both user and device based) and both seem to fail. We have our environment set up for iOS SCEP and Android Device Admin SCEP certificates and they work fine. Using the same settings in the Android Enterprise profiles they fail with the error of "0 (No error code)" Does anyone know of anything that might be causing this? I reached out to the networking team to look in the logs, but they don't see any that sticks out that would cause this to fail.

 

3-9-2020 3-10-28 PM.jpg

2,438 Views
1 Like
6 Replies
Reply
6 Replies
pejtan66

‎May 12 2020 09:25 AM - edited ‎May 12 2020 01:15 PM

‎May 12 2020 09:25 AM - edited ‎May 12 2020 01:15 PM

Re: Android Enterprise SCEP user and device issuing errors

Any news on this? hitting the same wall atm =) @kkeirstead 

 

Edit, posted a summary of my problem.

 

I got a couple of Samsung Galaxy 6 tabs that are enrolled with knox into Dedicated devices in Intune. They are configured as Kiosk devices with managed homescreen. They are fully patched to Android 10, latest updates.
I try to deploy SCEP device certificates to them for Wifi auth. I got the backend infrastructure setup with ndes, ca, Intune cert connector and an azure app proxy., We are using User certificates on our Android Work Profile phones, iPads and iPhones from the same backend.
 
I get my root CA certificate deployed to the device.
 
But i can't understand why i don't get a scep device cert, in intune the only error i can see is "Error 0" in my profile configuration status. I went through the ndes logs and there i can see a connection to the web server with result 200 from my Android device which should be that it's Ok. Then nothing else, no requests are being made to the CA and nothing in the other logfiles.
 
In the scep settings i'm not sure what configuration i should use.
I've tried alot of different settings in the Subject name format and alternative name Right now i have CN={ {AAD_Device_ID} } for Subject name format and Subject alternative name UPN { [AAD_Device_ID} }@domain.local. These im not sure about. I read that i need UPN to get wifi working when i actually get the cert.
Rest of the configuration is identical to the working User Certs. Certificate validity period
1 Years
Key usage
Key encipherment, Digital signature
Key size (bits)
2048
Hash algorithm
SHA-1, SHA-2
Renewwal threshold
20
SCEP Server Urls
https://"myserver".msappproxy.net/certsrv/msc
Any ideas?
 
1 Like
Reply
kkeirstead

‎May 19 2020 12:02 PM

‎May 19 2020 12:02 PM

Re: Android Enterprise SCEP user and device issuing errors

@pejtan66 I wish I had more information to give you. The main issue we were having is the root cert we were deploying didn't match the root certificate on the NDES server.

 

I am seeing some successful deployments on some devices but on others I'm seeing the same "Error 0" error on those devices. I can't tell what would be different between those devices, they are enrolled into the same profile, the same OS and the same tablet type.

1 Like
Reply
tseip

‎Mar 30 2021 05:20 AM

‎Mar 30 2021 05:20 AM

Re: Android Enterprise SCEP user and device issuing errors

Did you ever find a solution to this? I have the exact same problem now.
0 Likes
Reply
Jirka1972

‎Apr 26 2021 04:22 AM

‎Apr 26 2021 04:22 AM

Re: Android Enterprise SCEP user and device issuing errors

@tseip 

 

The same problem. All Samsug A20 devices, Android Enterprise full manage, Android 10 OS, the same configuration profile. SCEP certificate deployment status: 525 OK, 315 error :(

0 Likes
Reply
pejtan66

‎Apr 26 2021 04:28 AM

‎Apr 26 2021 04:28 AM

Re: Android Enterprise SCEP user and device issuing errors

Update from me, maybe it helps someone else.

 

Our issue was because of something wrong with the certificate template. 

When we created a new one it worked.

0 Likes
Reply
SWFFL

‎May 10 2021 01:43 PM

‎May 10 2021 01:43 PM

Re: Android Enterprise SCEP user and device issuing errors

@pejtan66 

 

Was there a specific setting with the certificate template that you can share?  We are having the same issue with Android Enterprise with trying to deploy device certs.  iOS works for both user and device but Android will not get a certificate.  We have been working with Microsoft ...sharing logs and verifying settings, but no resolution so far.

0 Likes
Reply