On 29th July 2021, Microsoft started a cycle by announcing the launch of the new unified Certificate Connector for Intune.
The change was about replacing the 3 separate certificate connectors for SCEP, PKCS, and imported PFX with a single certificate connector, each instance of which can be configured to support the delivery of either type of certificate, individually or simultaneously.
On April 2022, Microsoft announced that certificate connectors earlier than version 6.2101.13.0 will be deprecated and will show a status of Error. However, this was not to affect the functionality of the said connector till the actual time of deprecation.
And as of June 1, 2022, Microsoft announced that the Intune certificate connectors (includes both the PFX Certificate Connector for Microsoft Intune and Microsoft Intune Connector) earlier than version 6.2101.13.0 may no longer work as expected and stop connecting to the Intune service, thus bringing an end to the cycle that started back in July 2021.
In my lab environment, I was still using the 6.1806.6.0 version of the Microsoft Intune Certificate connector.
And as such, it was quite understandable why the Certificate connector status in the portal was showing up in an Error state.
The Certificate connector usually comes up in an error state when it is unable to communicate properly with Intune due to proxy/network issues happening at the server side. If you see the Connector in an Error state, do check the Intune Certificate Connector events on the NDES server to confirm that it is not an actual error.
Though as per the MS announcement, this connector should have stopped working, i.e. stopped responding to new cert enrolment requests as received, however, that was not quite the case for us. It was still working fine, and I think this is why it still worked, as described in the Microsoft document itself.
But anyways, if you are also in the same situation, you should not probably continue and instead, plan for a CR to work the connector upgrade. And this simple blog post is all about sharing my recent experience of working on an Intune certificate connector upgrade.
So without wasting any further time, let’s get started.
The Intune Certificate Connector upgrade process is a sequential workflow having two phases with each phase having its own unique task set.
Table of Contents
Phase 1 – Preparations for Intune Certificate Connector upgrade task
If you are working on Intune Certificate Connector upgrade for an environment and you are not aware of the network/proxy config of the NDES server, the first thing you should do is to get those details as it will be of immense importance later on.
Retrieve Proxy information
If the network traffic from the NDES server to the Internet is via an outbound Proxy/Firewall, you will need to get those details as it will be of immense importance later on.
The Proxy/Firewall should be configured to allow the traffic to the Intune required network endpoints.
Open the connector user interface (UI) from %ProgramFiles%\Microsoft Intune\NDESConnectorUI\NDESConnectorUI.exe and from the UI wizard, on the Enrollment tab, check the proxy configuration of the existing connector.
You can also check and get the current proxy config information of the existing connector from its registry entry as well. Unfortunately, I forgot to take a snap of it before uninstalling the old connector and as such cannot show it here.
To avoid problems later on, confirm if the proxy information retrieved as above matches with what is set locally on the NDES server as well.
For that, open a CMD console with Admin rights and use the “netsh winhttp show proxy
” command without quotes to check the current proxy config.
The certificate connector for Intune uses Microsoft Windows HTTP Services (WinHTTP) for communication with the Intune cloud service endpoints. The WinHTTP configuration setting is independent of the Windows Internet (WinINET) browsing proxy settings. For more information, see WinHTTP vs WinINET.
As such, it is essential that proxy is also set at the SYSTEM level for the NDES server for the Intune Certificate connector to be able to successfully communicate with Intune. You can check that easily with the PSEXEC tool.
With the proxy information details confirmed and retrieved for later use, you can now proceed to the next stage.
Retrieve NDES Service Account information
The certificate connector configuration will ask you to specify whether to use the NDES server’s SYSTEM account or a domain account (usually the NDES service account) for certificate revocation purposes. If going with a domain account, the account must have
- Logon as Service
- Issue and Manage Certificates permissions on the Certification Authority (required only for revocation scenarios).
- Read and Enroll permissions on the certificate template that will be used to issue certificates.
Uninstall the existing (old) connector
Go to the control panel and initiate the uninstall of the existing connector (old) on the NDES server.
Though it is not mandatory, I found that it is better to stop the IIS service and then proceed with the existing (old) certificate connector uninstallation. This is because if you do not stop IIS, the uninstall process of the connector gets interrupted by the w3wp.exe which is related to the SCEP app pool in IIS.
Some Housekeeping
With the connector uninstalled, you need to do some clean-up activities before you can continue with the installation of the new certificate connector.
- In the MEM Admin portal, navigate to Tenant administration > Connectors and tokens > Certificate connectors and delete the existing connector from there. [If you have multiple entries due to HA config, delete the one that you are currently in the process of upgrading.]
- On the NDES server, use certlm.msc to get to the local machine certificate store and from there, under Personal certificates, search for the certificate issued by Microsoft Intune Certificate Connector CA and delete it.
This was the certificate that was obtained during the installation and config of the previous connector post successful sign-in. We don't need it anymore.
- Start/Restart the IIS service as per your situation and confirm that you see the generic NDES green landing page on browsing the MSCEP URL.
At this point, if you do not get the screen as above but instead get any HTTP error displayed, you would need to troubleshoot your SCEP/NDES configuration. You can take help from my previous article.
And, finally updating .Net
Microsoft document mentions .NET version 4.7.2 as the pre-requisite for installing the connector. However, on many occasions, I have encountered an error regarding .NET while setup even when the target server is updated to have .NET 4.7.2 installed. For me, I found that it gets solved if I update the target server with the .NET version 4.8 runtime. Maybe just me!
Phase 2 – Installing the new Intune Certificate Connector
Since this is an upgrade task and not a new setup, it is assumed that the pre-requisites of the Intune Certificate Connector are already met. As such, with the preparation tasks checked and performed, we can proceed with the easy task of the new Certificate Connector installation.
To install the new connector, in the MEM Admin center, navigate to Tenant administration > Connectors and tokens > Certificate connectors and use the link to download the new connector setup.
Notice the change! There is now a single instance of the connector that is capable to be configured as and supporting the deployment of all the certificate types that are supported by Microsoft Intune. Previously we used to have had separate instances for the different certificate deployment types.
With the new Certificate Connector setup downloaded, its install time for the same. Now installing the connector is an easy piece, as all you need to do is trigger the install by double clicking the .exe setup file downloaded, agree to the license terms and conditions, and start the actual install.
Notice the change! We no longer need to bind a Client Auth EKU certificate to the connector during its installation.
With the connector successfully installed, you can click on the Configure Now button that is displayed at the end of the install wizard to configure the Intune Certificate Connector.
However, if you wish to do the configuration later for any reason whatsoever, you can click on the Close button instead. Later, to configure the connector, you can trigger the UI wizard by running the PFXCertificateConnectorUI.exe
from location C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI
Phase 3 – Configuring the new Intune Certificate Connector
The new Intune Certificate Connector configuration is driven via a familiar UI wizard which makes configuration an easy task.
It starts with the Welcome screen and all you need to do is click on Next.
On the next screen is where you get to choose the certificate deployment type you want the connector to be configured for. Select the feature (certificate deployment type) you want and click on Next.
Note that with this new Intune Certificate Connector, the same instance can now be configured for all the three types of certificate deployment.
On the next screen is where you get to choose whether the Intune Certificate Connector will run using the SYSTEM account or any DOMAIN account (usually the NDES Service Account).
Select the account type, provide the account details (in case of domain account), and click on Next.
For using a Domain account (NDES service account in usual), make sure the account has the Log on as a service right assigned to it on the NDES server (target server for connector install). When the NDES service account gets added to the IIS_IUSRS group as part of the NDES config, by virtue of that, it also inherits the Log on as a batch job right.
On the next screen, you need to provide Proxy information. This is important if the network connectivity of the NDES server is facilitated via a proxy, which is usually the case.
It is important to include the HTTP or HTTPS prefix for the proxy address, which is a change from proxy configurations for previous connectors. For example, if my lab proxy server FQDN is proxy.intunewithjoy.in, then I need to provide the proxy address as http://proxy.intunewithjoy.in
Once the details are filled in, click on Next.
On the next page, the configuration wizard runs several checks on the server to confirm if it meets the requirements for the Intune Certificate Connector. If you get any errors on this screen, you must review and resolve any errors or warnings before you can proceed further.
Since for us, all checks are met, we can continue by clicking on Next.
On the next screen, you would need to select the environment that hosts your Azure Active Directory (usually Public Commercial Cloud unless you are a GCC customer or from China), and then select Sign In.
You’ll be asked to authenticate your access. You need to use a user account that is either assigned with a Global Admin or an Intune Admin role with an Intune license assigned and the user account must be an AD synced account.
After you successfully authenticate to your Azure Active Directory, select Next to continue.
At this stage, the wizard tries to enroll the connector to Intune and apply the configuration.
If the above is successful, the utility continues to the Finish page where you finally get to select Exit to complete the configuration of the connector.
With all done, all that is left is to confirm the functionality.
A quick way to test this can be by checking the MSCEP URL if it is giving the expected HTTP 403 error, as the policy module is back intercepting the SCEP requests.
Again, if you do not get this but any other HTTP error like 500, 503, etc. you can refer to my troubleshooting article here.
If the connector is able to communicate with the Intune service properly (mostly problem occurs due to proxy!), the connector status should also reflect in a green state from the MEM Admin center indicating a successful upgrade.
Changes that you need to anticipate as an admin with the new Connector
The new Intune Certificate Connector undergoes many changes, but here I will try to highlight the ones that to me are the major ones.
First, the previous connector used to install the NDES Policy Module (implemented as IIS ISAPI extension) along with the CRP which used to perform the challenge validation. With the new connector, Microsoft has moved the challenge validation part from the server-side to the service-side, meaning once IIS on the NDES server receives a certificate request from the client, it is to be intercepted by the NDES Policy Module, and the request to be sent to Intune service for validation. Post validation Intune service will notify the NDES server about the validation result (Pass/Fail) based on which, a component of the new “Unified” Intune Certificate Connector will reach out to CA to make the certificate request on-behalf.
Since the major functionality of CRP is “moved to the cloud”, there is no need for the CRP and as such we do not see one with the new Intune Certificate Connector.
Second, once you have upgraded the Intune Certificate Connector to the latest supported version, the major difference from an admin perspective that you will notice is the log files.
With changes to the working folder structure of the connector, gone are our old friends, namely the NdesConnectorSvc, CRPlogs, and NdesPlugin logs.
Instead, with the new connector, what you get is event-based logs as shown below
The End
Well, that was all for today. Hope you will find this post informative and useful!
1 Trackback / Pingback
Comments are closed.