SCEP/NDES IIS 401.2 unauthorized

Question
-
User-241286667 posted
I'm frustrated with a SCEP/NDES authentication issue.
This is my first time setting up a CA and NDES, so I've been doing my research, maybe a little too much. I've learned a lot in this endeavor, but I'm about to throw this out the window.
I am trying to set up SCEP on a Palo Alto 3220 using a user authentication cert template for GlobalProtect. I've double and triple checked security settings on the template and made sure the template I want to use is in the MSCEP registry entry on the NDES server.
I've set up my CA and NDES servers (even ripped them out and started from scratch at one point), and everything seems to be going well. My computer certs are being automatically issued by AD, and requesting/installing certs from the CA is working as it should. With NDES, I'm able to authenticate to https://1.1.1.1/certsrv/mscep_admin and obtain the thumbprint and code for SCEP setup; however, whenever I complete SCEP profile setup for my Palo Alto firewall, I get an "Unable to fetch SCEP profile from CA" error. Looking at the NDES server, it's getting a 401.2 error.
I've run Microsoft's NDES configuration validation script as well. Everything's come back working, except for Intune-specific things (such as the NDESPolicy module registry entry). I've also enabled Failed Request logs, and the only thing it comes back with is "Access is denied". I have also moved "NTLM" to the top of Windows Authentication; still no go.
Has anyone here run into this before, or can just offer some insight?
Wednesday, July 1, 2020 1:52 PM
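The checks described in the question (template name in the MSCEP registry entry, Windows Authentication providers on the NDES sites) can be gathered in one pass. The following script is an added example, not code from the thread or from Microsoft; it assumes NDES was installed under "Default Web Site" and that the WebAdministration module is present on the NDES server.

```powershell
# Added diagnostic for an NDES server that answers 401.2 (not from the thread).
# IIS substatus 401.2 means the request reached IIS but no enabled
# authentication scheme was accepted, so the report focuses on template
# registration and per-application authentication settings.
Import-Module WebAdministration

# 1. Templates NDES will request: each subkey's (Default) value names a template.
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
foreach ($sub in 'EncryptionTemplate', 'SignatureTemplate', 'GeneralPurposeTemplate') {
    $tpl = (Get-ItemProperty -Path "$mscep\$sub" -ErrorAction SilentlyContinue).'(default)'
    '{0,-24} {1}' -f $sub, $(if ($tpl) { $tpl } else { '<missing>' })
}

# 2. Authentication state of the two NDES applications.
# Assumption: site name and application paths are the NDES defaults.
$site    = 'Default Web Site'
$authCfg = 'system.webServer/security/authentication'
foreach ($app in 'CertSrv/mscep', 'CertSrv/mscep_admin') {
    $path = "IIS:\Sites\$site\$app"
    if (-not (Test-Path $path)) {
        "$app : application not found under '$site' (NDES setup may not have completed)"
        continue
    }
    $win  = (Get-WebConfigurationProperty -PSPath $path -Filter "$authCfg/windowsAuthentication"   -Name enabled).Value
    $anon = (Get-WebConfigurationProperty -PSPath $path -Filter "$authCfg/anonymousAuthentication" -Name enabled).Value
    # Provider order matters: the first provider is what IIS offers first (NTLM vs Negotiate).
    $prov = (Get-WebConfigurationProperty -PSPath $path -Filter "$authCfg/windowsAuthentication/providers" -Name Collection) |
            ForEach-Object { $_.value }
    "$app : windowsAuth=$win anonymousAuth=$anon providers=[$($prov -join ', ')]"
    if (-not $win -and -not $anon) {
        "$app : no authentication scheme enabled, which is exactly the 401.2 condition"
    }
}
```

Run it in an elevated PowerShell session on the NDES server and compare the reported template names with the template assigned in the firewall's SCEP profile.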
All replies
-
User690216013 posted
> I've also enabled Failed Request logs, and the only thing it comes back with is Access is denied.
I don't think the FRT log only gave you that little information. It usually contains far more, such as the module that experienced the error and the actual error page (HTML), to reveal application-specific info. You just need more patience to digest it.
> I'm frustrated with an SCEP/NDES authentication issue.
Besides, if the error came from the SCEP/NDES modules, not IIS built-in ones, then this forum probably won't help you further. You have to discuss it with Intune specialists via https://techcommunity.microsoft.com/t5/microsoft-intune/bd-p/Microsoft-Intune
Wednesday, July 1, 2020 10:15 PM
-
User-848649084 posted
You could try to uninstall NDES (all the CA roles) and all the IIS roles. Then reinstall just the NDES roles and whatever IIS role services it wants to install. Do not select any additional roles or features on this first install. Once you have SCEP challenges working both remotely and locally (without prompts for password), you can go back and install the additional required roles and features for CMS and continue on with the CMS implementation.
WARNING: Do not uninstall .NET Framework 4.5 from Windows Server 2012 R2. This uninstalls the computer’s GUI, leaving you with something that looks like a Windows Server Core installation. It’s OK to uninstall ASP.NET 4.5, but it’s not required in order to fix the issue.
Thursday, July 2, 2020 6:56 AM
-
User-241286667 posted
> you could try to uninstall NDES (all the CA roles) and all the IIS roles. Then reinstall just the NDES roles and whatever IIS role services it wants to install. Do not select any additional roles or features on this first install.
So, I actually did this. I removed ALL AD CS roles; I even reverted the server to a snapshot before I installed anything at all. After installing NDES and going through initial configuration, I noticed that the CertSrv folder with the mscep and mscep_admin sites was not there. Have you run into this before?
Tuesday, July 7, 2020 4:52 PM