


KB40549 - Users are intermittently failing to generate certificate through Pulse Connect Secure Onboarding feature.



Last Modified Date: 4/13/2017 11:16 PM
This article describes an issue where users intermittently fail to obtain a certificate using the PCS Enterprise Onboarding feature.
Problem or Goal
End users fail to generate a certificate when using the Onboarding feature.

In the event logs, the following message will appear:
2016/10/05 17:28:41 - SCEP operation: 'ENROLL' failed, reason: 'pkiStatus: failure, 
failInfo(2): invalid request (challenge/key size may be incorrect)'
2016/10/05 17:28:41 - SCEP server failed to issue certificate 'CN= USER1.PULSE.NET, 

In the User Access logs, the following messages will appear:
2016/10/05 17:59:16 - Login succeeded for /cert (session:0f595e35) 
from XX.XX.XX.XX.
2016/10/05 17:59:38 - User attempting to on-board device: successful 
2016/10/05 17:59:38 - Cannot build profile for device due to: failed to obtain cert 
for CSR Template: XXXXX
This issue occurs because an incorrect challenge is sent to the SCEP server. By default, the challenge on the SCEP server changes every hour. If the challenge changes and is not updated on the PCS device under SCEP configuration, the SCEP server cannot generate a new certificate.


To resolve this issue, make the following registry modification on the SCEP server.  This will ensure the challenge does not expire.
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword
Name: UseSinglePassword
Value: 1
The above steps are in reference to Microsoft Support article 959193.
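
The registry change above as an idempotent PowerShell script with a before/after check. This is an added example, not code from Pulse Secure or Microsoft; the DWORD value type and the optional IIS restart are assumptions not stated in this article, and the `-RestartIis` switch is a name chosen for this example.

```powershell
# Added example. Run from an elevated PowerShell session on the NDES (SCEP) server.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: NDES is hosted in IIS and re-reads the value after an IIS restart.
    [switch]$RestartIis
)

# Key, value name and data exactly as given in this article.
$keyPath   = 'HKLM:\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword'
$valueName = 'UseSinglePassword'
$desired   = 1

function Get-CurrentValue {
    # Returns the current data, or $null when the key or the value is absent.
    if (-not (Test-Path -Path $keyPath)) { return $null }
    $prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return $prop.$valueName
}

$before = Get-CurrentValue
Write-Output ("Before: {0}" -f $(if ($null -eq $before) { '<not set>' } else { $before }))

if ($before -eq $desired) {
    Write-Output 'UseSinglePassword is already 1; no change made.'
    return
}

if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set DWORD to $desired")) {
    # Create the key only when it is missing, so existing values are left alone.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # Assumption: the value is a DWORD; the article gives only the data (1).
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $desired -Force | Out-Null

    # Read the value back and fail loudly if it did not stick.
    $after = Get-CurrentValue
    if ($after -ne $desired) { throw "Verification failed: $valueName is '$after', expected $desired." }
    Write-Output "After: $after"

    if ($RestartIis) { & iisreset.exe /restart }
    else { Write-Output 'IIS not restarted; NDES may keep using the rotating challenge until it is.' }
}
```

Run it with `-WhatIf` first to see the pending change without writing to the registry. With this setting the same challenge is accepted for every enrollment, so handle it as a long-lived shared secret and restrict who can view the mscep_admin page.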


If the above registry change is not possible, the administrator needs to update the challenge manually on the PCS device each time the challenge changes on the SCEP server.
  1. To confirm the challenge on the SCEP server, access http://FQDN-of-NDES-server/certsrv/mscep_admin/. The page will output the latest challenge with the expiration time.
  2. Log in to the PCS admin UI.
  3. Navigate to Users > Enterprise Onboarding > SCEP Configuration.
  4. In the Challenge field, provide the updated challenge.
  5. Click Save Changes.
Created By: Kshitij Gupta


