Hi all,
I have a problem with certificate profile deployment via SCCM 2012 R2.
My test lab:
Server 2012 R2 - DC
Server 2012 R2 - CA
Server 2012 R2 - SCCM 2012 R2, Intune Subscription ...
Server 2012 R2 - NDES, SCCM Site System with Certificate Registration Point, Policy Module
NDES Service Account (SPN for NDES Server)
CA:
Administrative Rights for NDES Service Account
CEP Encryption (Read&Enroll for NDES Service)
Exchange Enrollment Agent (Offline request) (Read&Enroll for NDES Service Account)
Webserver Certificate for NDES, SCCM Server (duplicated Webserver template)
Client Authentication Certificate for NDES, SCCM Server (duplicated template for Client Authentication)
"Custom IPSec V2" Template (duplicated template of IPSec (offline request), Read&Enroll for NDES Service Account)
Policy Module on NDES Server
In the wizard I selected the Client Authentication Certificate
NDES Server
Installed "Network Device Enrollment Service" Role Service
SCCM Site System, SCEP Role
Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxFieldLength
Type: DWORD
Data: 65534 (decimal)
Location: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Value: MaxRequestBytes
Type: DWORD
Data: 65534 (decimal)
SSL settings set to Require SSL, Ignore client certificates.
NDES Service Account member of IIS_IUSRS
IIS - Webserver Certificate for :443 Binding
HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP
EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate
I set it to "CustomIPSecV2"
SCCM:
Installed Certificate Registration Point on NDES Server
Certificate Registration Point Properties - URL for the Network Device Enrollment Service ...
I set it to: https://externalfqdn/certsrv/mscep/mscep.dll
Certificate Root CA Profile
Certificate Profile for "CustomIPSecV2" Certificate
Now I get the following error for the deployment of the "CustomIPSecV2" certificate: 0X87D1FDE8 Remediation failed
I cannot find any errors in the logs (SCCM, crp.log, NDESPlugin.log, crpctrl.log)
In the IIS log there are the following entries:
2014-08-02 18:57:41 fe80::10b7:f62:ec3c:605d%12 POST /CMCertificateRegistration/certificate/generatechallenge - 443 - fe80::10b7:f62:ec3c:605d%12 SMS_CERTIFICATE_REGISTRATION_POINT - 201 0 0 3502
2014-08-02 14:07:40 172.16.0.8 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=MDM 443 - 144.11.115.119 - - 200 0 0 68
What can I do?
Thanks in advance.
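
Added example, not part of the original post: a Python script that sorts IIS log entries like the two quoted above into enrollment stages (the registration point's generatechallenge call and the SCEP operations GetCACaps, GetCACert and PKIOperation, the last being the request that carries the actual certificate request) and lists the stages that never appear in the log. The 15-column field order is an assumption inferred from the two quoted lines, since no #Fields header was shown, and the function names are illustrative.

```python
from urllib.parse import parse_qs

# Assumed column order (IIS default W3C set); it matches the 15 columns of
# the two log lines quoted in the post, which came without a #Fields header.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
          "sc-substatus sc-win32-status time-taken").split()

# Requests expected during a SCEP enrollment through the registration point.
STAGES = ["generatechallenge", "GetCACaps", "GetCACert", "PKIOperation"]

def parse_line(line):
    """Return a field dict, or None for comments and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def stage_of(entry):
    """Map one log entry to an enrollment stage name, or None if unrelated."""
    stem = entry["cs-uri-stem"].lower()
    if stem.endswith("/certificate/generatechallenge"):
        return "generatechallenge"
    if "/mscep/mscep.dll" in stem:
        # SCEP carries the operation name in the query string.
        return parse_qs(entry["cs-uri-query"]).get("operation", ["?"])[0]
    return None

def summarize(lines):
    """Return ({stage: [HTTP status, ...]}, [stages absent from the log])."""
    seen = {}
    for line in lines:
        entry = parse_line(line)
        stage = stage_of(entry) if entry else None
        if stage:
            seen.setdefault(stage, []).append(int(entry["sc-status"]))
    return seen, [s for s in STAGES if s not in seen]

# The two IIS log lines quoted in the post.
SAMPLE = [
    "2014-08-02 18:57:41 fe80::10b7:f62:ec3c:605d%12 POST /CMCertificateRegistration/certificate/generatechallenge - 443 - fe80::10b7:f62:ec3c:605d%12 SMS_CERTIFICATE_REGISTRATION_POINT - 201 0 0 3502",
    "2014-08-02 14:07:40 172.16.0.8 GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=MDM 443 - 144.11.115.119 - - 200 0 0 68",
]

if __name__ == "__main__":
    seen, missing = summarize(SAMPLE)
    for stage, codes in seen.items():
        print(f"{stage}: HTTP {codes}")
    print("not in log:", ", ".join(missing) or "none")
```

Run against the full IIS log file of the NDES server, the summary shows whether a client ever got as far as submitting a request and with which HTTP status.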