KB40549 - Users are intermittently failing to generate certificate through Pulse Connect Secure Onboarding feature.

Last Modified Date: 4/13/2017 11:16 PM
Synopsis
This article describes an issue where users intermittently fail to obtain a certificate using the PCS Enterprise Onboarding feature.
Problem or Goal
End users fail to generate a certificate when using the Onboarding feature.

In the event logs, the following message will appear:
2016/10/05 17:28:41 - SCEP operation: 'ENROLL' failed, reason: 'pkiStatus: failure, failInfo(2): invalid request (challenge/key size may be incorrect)'
2016/10/05 17:28:41 - SCEP server failed to issue certificate 'CN= USER1.PULSE.NET, OU=AdminUsers'

In the User Access logs, the following messages will appear:
2016/10/05 17:59:16 - Login succeeded for user1.pulse.net /cert (session:0f595e35) from XX.XX.XX.XX.
2016/10/05 17:59:38 - User user1.pulse.net attempting to on-board device: successful
2016/10/05 17:59:38 - Cannot build profile for device due to: failed to obtain cert for CSR Template: XXXXX
Cause
This issue occurs when an incorrect challenge is sent to the SCEP server. By default, the SCEP server's challenge changes every hour. If the challenge has changed and has not been updated in the SCEP configuration on the PCS device, the SCEP server cannot generate a new certificate.
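
To check whether failures in exported logs match this article's signature (failInfo(2) on ENROLL, and an onboarding attempt that ends with "failed to obtain cert"), the following added example parses the two log formats shown above. It is not part of the original article or of any Pulse Secure tooling; the function names and the third event-log line are constructed, and it assumes plain-text logs with one entry per line.

```python
import re
from datetime import datetime
# Constructed sample input: the article's log lines (wrapped lines re-joined)
# plus one constructed, unrelated ENROLL failure that must not be counted.
EVENT_LOG = """\
2016/10/05 17:28:41 - SCEP operation: 'ENROLL' failed, reason: 'pkiStatus: failure, failInfo(2): invalid request (challenge/key size may be incorrect)'
2016/10/05 17:28:41 - SCEP server failed to issue certificate 'CN= USER1.PULSE.NET, OU=AdminUsers'
2016/10/05 18:02:10 - SCEP operation: 'ENROLL' failed, reason: 'connection timed out'
"""
USER_LOG = """\
2016/10/05 17:59:16 - Login succeeded for user1.pulse.net /cert (session:0f595e35) from XX.XX.XX.XX.
2016/10/05 17:59:38 - User user1.pulse.net attempting to on-board device: successful
2016/10/05 17:59:38 - Cannot build profile for device due to: failed to obtain cert for CSR Template: XXXXX
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) - (.*)$")
CHALLENGE_FAIL = re.compile(r"SCEP operation: 'ENROLL' failed.*failInfo\(2\)")
NOT_ISSUED = re.compile(r"SCEP server failed to issue certificate '([^']*)'")
ONBOARD = re.compile(r"User (\S+) attempting to on-board device")
NO_CERT = re.compile(r"Cannot build profile for device due to: failed to obtain cert")

def parse(text):
    """Yield (timestamp, message) for each 'YYYY/MM/DD HH:MM:SS - msg' line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)

def challenge_failures(event_log):
    """Return failInfo(2) ENROLL failures with the rejected subject, if logged."""
    hits = []
    for ts, msg in parse(event_log):
        issued = NOT_ISSUED.search(msg)
        if CHALLENGE_FAIL.search(msg):
            hits.append({"time": ts, "subject": None})
        elif issued and hits and hits[-1]["time"] == ts and hits[-1]["subject"] is None:
            hits[-1]["subject"] = issued.group(1)  # same-second follow-up line
    return hits

def failed_onboardings(user_log):
    """Return (time, user) for onboarding attempts that ended without a cert."""
    failed, last = [], None
    for ts, msg in parse(user_log):
        m = ONBOARD.search(msg)
        if m:
            last = (ts, m.group(1))
        elif NO_CERT.search(msg) and last and last[0] == ts:
            failed.append(last)  # attribute to the attempt logged in the same second
    return failed
```

Grouping the returned timestamps by hour shows whether the failures cluster after the challenge changes, which is what the cause described above predicts.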

 

Solution
To resolve this issue, make the following registry modification on the SCEP server. This ensures that the challenge does not expire.
 
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\MSCEP\UseSinglePassword
Name: UseSinglePassword
Type: REG_DWORD
Value: 1
The above steps are in reference to Microsoft Support article 959193.

Workaround:

If the above registry change is not possible, the administrator must update the challenge manually on the PCS device each time the challenge changes on the SCEP server.
  1. To confirm the challenge on the SCEP server, access http://FQDN-of-NDES-server/certsrv/mscep_admin/. The page will output the latest challenge with the expiration time.
  2. Log in to the PCS admin UI.
  3. Navigate to Users > Enterprise Onboarding > SCEP Configuration.
  4. In the Challenge field, provide the updated challenge.
  5. Click Save Changes.
Created By: Kshitij Gupta
