SCEP certificates are not pushed to iOS-Devices - "Remediation failed"

Hi!

We would like to push certificates to our mobile devices via SCCM 2012 R2 and Intune to be able to define VPN and WiFi profiles in SCCM for our iOS devices.

I installed and configured the NDES role on a separate server, the certificate registration point on our SCCM site server and the policy module on our "NDES server" as described in this tutorial:

http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2014/04/25/part-2-scep-certificate-enrolling-using-configmgr-2012-crp-ndes-and-windows-intune.aspx

The installation seems to be ok, the trusted root profile is pushed to the devices, but the SCEP profile isn't. The Deployment says "Remediation failed" with error ID 0X87D1FDE8.

NDESPlugin.log:

==========[ NDES policy module started in process 1868 ]========== NDESPlugin 03.07.2015 12:42:57 2856 (0x0B28)
Calling Initialize... NDESPlugin 03.07.2015 12:42:57 2856 (0x0B28)
certificate registration point web server is sccm.windows.awo-der-sommerberg.de NDESPlugin 03.07.2015 12:42:57 2856 (0x0B28)
NDES thumbprint is ##############################. NDESPlugin 03.07.2015 12:42:57 2856 (0x0B28)
certificate registration point webservice URL is CMCertificateRegistration NDESPlugin 03.07.2015 12:42:57 2856 (0x0B28)
CA Issuer Name is CA.windows.awo-der-sommerberg.de\\CA NDESPlugin 03.07.2015 12:42:57 2856 (0x0B28)
Certificate registration port number is 443 NDESPlugin 03.07.2015 12:42:57 2856 (0x0B28)
Exiting Initialize with 0x0 NDESPlugin 03.07.2015 12:42:57 2856 (0x0B28)

mscep.log:

402.534.948: Begin: 03.07.2015 12:42 57.233s
402.539.0: w3wp.exe
402.543.0: GMT + 2.00
2906.611.0:<2015/7/3, 12:42:57>: 0x0 (WIN32: 0): Calling INDESPolicy::Initialize
2901.1042.0:<2015/7/3, 12:42:57>: 0x80004005 (-2147467259 E_FAIL)
2905.902.0:<2015/7/3, 12:43:12>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): FCEBAEF6 1FBA15EF DD1BCB88 6D4C53C2 26AA7CFC
2905.902.0:<2015/7/3, 12:43:14>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): DC1D0C4E 6812FF4F 020852F5 A0447261 F9EABFD2
2905.902.0:<2015/7/3, 12:43:14>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 618C153A 6290B8B9 742B2822 2995BDF7 C3DFEF73
2905.902.0:<2015/7/3, 12:43:14>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 2EABAD5D 23EA217D 8D8806A8 C51E17CC 5650C705
2905.902.0:<2015/7/3, 12:43:14>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 29AF6C99 947E895B F35A00A0 DF4513DC 1A907C5D
2905.902.0:<2015/7/3, 12:43:14>: 0x80090349 (-2146892983 SEC_E_CERT_WRONG_USAGE): 17B493D5 4124BEC3 537FA93D 865293A2 1E7137A8
2906.1502.0:<2015/7/3, 12:43:14>: 0x8000ffff (-2147418113 E_UNEXPECTED)
2906.1948.0:<2015/7/3, 12:43:14>: 0x8000ffff (-2147418113 E_UNEXPECTED): 403 Forbidden (0x8000ffff)
2906.1502.0:<2015/7/4, 11:29:36>: 0x8000ffff (-2147418113 E_UNEXPECTED)
2906.1948.0:<2015/7/4, 11:29:36>: 0x8000ffff (-2147418113 E_UNEXPECTED): 403 Forbidden (0x8000ffff)

IIS-log:

107.20.10.221, -, 7/7/2015, 6:32:17, W3SVC1, NM2, 192.168.88.105, 199, 161, 1029, 200, 0, GET, /, -,
192.168.38.250, -, 7/7/2015, 8:03:47, W3SVC1, NM2, 192.168.88.105, 93, 250, 1400, 403, 5, GET, /, -,
192.168.38.250, -, 7/7/2015, 8:03:47, W3SVC1, NM2, 192.168.88.105, 0, 250, 1018, 200, 0, GET, /, -,
192.168.38.35, -, 7/7/2015, 10:31:30, W3SVC1, NM2, 192.168.88.105, 0, 383, 1477, 200, 0, GET, /certsrv/mscep/mscep.dll, -,
192.168.38.35, -, 7/7/2015, 10:31:33, W3SVC1, NM2, 192.168.88.105, 46, 409, 1477, 200, 0, GET, /certsrv/mscep/mscep.dll, -,
80.187.109.134, -, 7/7/2015, 10:35:52, W3SVC1, NM2, 192.168.88.105, 62, 409, 1477, 200, 0, GET, /certsrv/mscep/mscep.dll, -,
80.187.109.134, -, 7/7/2015, 10:49:32, W3SVC1, NM2, 192.168.88.105, 62, 409, 1477, 200, 0, GET, /certsrv/mscep/mscep.dll, -,
192.168.38.225, -, 7/7/2015, 11:52:17, W3SVC1, NM2, 192.168.88.105, 0, 432, 1477, 200, 0, GET, /certsrv/mscep/mscep.dll, -,
192.168.38.250, -, 7/7/2015, 12:03:38, W3SVC1, NM2, 192.168.88.105, 109, 250, 1400, 403, 5, GET, /, -,
192.168.38.250, -, 7/7/2015, 12:03:38, W3SVC1, NM2, 192.168.88.105, 0, 250, 1018, 200, 0, GET, /, -,

I followed different tutorials for installation and configuration several times, but every time I get the same results: no SCEP cert is deployed to devices, and the same logs are created, which, to be honest, don't give me a clue what the problem might be.

I can give detailed information about the configuration of all our components if needed.

I hope someone can look into this and help to point me in the right direction...

Regards,
Boris Rogalla

July 7th, 2015 7:51am

Hi Boris,

We are facing the exact same issue when doing a standalone installation of the NDES connector.

Could you find a solution to your problem?

Thanks a lot!

Best regards,

Fried

August 3rd, 2015 11:17am

This topic is archived. No further replies will be accepted.