Intune certificate connector redundancy configuration

Eduardo Madrazo Bidea 0 Reputation points
2023-09-02T22:24:06.3733333+00:00

Hello everyone. 

In my organization we have been using Intune for more than a year for the distribution of certificates for authentication on the corporate Wi-Fi. For this we have an offline certifier and a certifier that issues certificates (two-tier structure), and a second server where we have installed the NDES service; that same server also hosts the Intune certificate connector. Using an Intune SCEP template we distribute the certificates to the computers. This configuration works correctly, and during this time we have not detected any failures or problems in the system, but we are aware that we have a single point of failure: if the Intune connector or the server that hosts the NDES service is offline, the certificates will never reach the clients (another point of failure is the server that hosts the certification authority).

For this we are thinking about a redundant system, and this is where our questions arise. After reading documentation and learning that the Intune connector allows more than one instance to be installed, it occurs to me that the best way would be to install a second server with NDES and another Intune connector. As far as I understand, it would be a matter of following the procedure we used to implement the first server. Is this correct, or should I take some other issue into account?

I have noticed that in the Intune SCEP template you can add more than one connection point (SCEP Server URLs), so we could add this second connector URL to that template. Would this be the correct way to proceed, or would I have to add a second certificate distribution template?

We also have questions about the possibility of including a second certification authority to issue certificates; in that case, how should I proceed? The NDES service only allows connecting to one certification authority, so installing a second certification authority would mean that each of the NDES servers points to one of those certification authorities. In that case, how should I configure the template in Intune: should it be two different templates, or could I include it in the same template?

In this second configuration I also have questions about the revocation of the certificates. Currently I have a public IIS server that is responsible for this function; logic tells me that the revocations of the two certification authorities should be on that server and that the OCSP configuration should include the two certification authorities. Is this right?

Would there be any other issue that I should take into account when implementing this installation?

 

Thank you very much in advance.

Microsoft Security | Intune | Other

2 answers

  1. ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff
    2023-09-04T07:50:50.5433333+00:00

    @Raphael, Thanks for posting in Q&A. 

    According to your problem description, we understand that you want to configure a redundant NDES setup to achieve high availability of NDES.

    According to my investigation, I found that NDES cannot be clustered, nor can it be load balanced. To provide high availability, you need to install multiple NDES servers with the same configuration and then use Intune for load balancing. This is in line with your thinking.

    Here is the detailed information about high availability of NDES:

    Use Certificates to enable SSO for Azure AD join devices - Windows Security | Microsoft Learn

    For the SCEP certificate profile, you can use just one SCEP profile if the same configuration is used; you only need to configure the different URLs in the SCEP Server URLs field.

    For high availability of the CA, based on my research, it seems to be accomplished by deploying multiple issuing CAs. Since each NDES can only point to one issuing CA, I think you need to configure each NDES server to point to a different issuing CA.

     

    For NDES to obtain the corresponding certificate according to that template, it is configured under the following registry key on the NDES device:

    HKLM\Software\Microsoft\Cryptography\MSCEP

    SignatureTemplate (corresponds to Signature purpose)

    EncryptionTemplate (corresponds to Encryption purpose)

    GeneralPurposeTemplate (corresponds to Signature and encryption purpose)

    For example, if we have selected Signature and encryption as the template purpose, we need to enter the template name as the value of the GeneralPurposeTemplate key.

    Here is the detailed information about how to configure the registry on the NDES device:

    Support Tip - How to configure NDES for SCEP certificate deployments in Intune - Microsoft Community Hub

    For the high availability of OCSP, according to my research, I found an article describing how to deploy OCSP with high availability. If you want to go deeper into high availability of OCSP, please ask AD support for help.

    Here is a link about high availability of OCSP:

    Implementing an OCSP Responder: Part V High Availability - Microsoft Community Hub

    Hope all above can be helpful.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
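Because the answer above relies on every NDES server carrying the same MSCEP template configuration before its URL is listed alongside the others in one Intune SCEP profile, a quick consistency check is worth running. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft: it reads the three MSCEP template values named above from each NDES server over WinRM, warns when they differ, and then asks each SCEP endpoint for its capabilities with the standard GetCACaps operation (which issues no certificate). The server names, the certsrv/mscep path and the use of WinRM are assumptions to adapt to your environment.

```powershell
# Added example (not from the thread): audit that two NDES servers carry the
# same MSCEP template configuration and that each SCEP endpoint answers
# GetCACaps, as a pre-check before listing both URLs in one Intune SCEP profile.
# Hostnames below are assumptions; replace them with your own NDES servers.
$ndesServers    = @('ndes01.corp.example', 'ndes02.corp.example')
$mscepKey       = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$templateValues = 'SignatureTemplate', 'EncryptionTemplate', 'GeneralPurposeTemplate'

# Read the three template values from each server via WinRM (needs admin rights there).
$config = foreach ($server in $ndesServers) {
    Invoke-Command -ComputerName $server -ArgumentList $mscepKey, $templateValues -ScriptBlock {
        param($key, $names)
        $props  = Get-ItemProperty -Path $key -ErrorAction Stop
        $result = [ordered]@{ Server = $env:COMPUTERNAME }
        foreach ($n in $names) { $result[$n] = $props.$n }   # $null if the value is unset
        [pscustomobject]$result
    }
}

$config | Format-Table Server, SignatureTemplate, EncryptionTemplate, GeneralPurposeTemplate -AutoSize

# Flag any template value that differs between servers. Intune spreads requests over the
# listed URLs, so a mismatch means some clients would be issued from the wrong template.
foreach ($name in $templateValues) {
    $distinct = @($config.$name | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "$name differs across NDES servers: $($distinct -join ', ')"
    }
}

# Probe each SCEP endpoint with GetCACaps; a non-2xx answer or timeout means that URL
# would be a dead entry in the profile rather than a usable second path.
foreach ($server in $ndesServers) {
    $uri = "https://$server/certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACaps"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 10
        $caps = ($resp.Content -split "`r?`n" | Where-Object { $_ }) -join ' '
        Write-Host "$server : HTTP $($resp.StatusCode), caps: $caps"
    } catch {
        Write-Warning "$server : GetCACaps failed - $($_.Exception.Message)"
    }
}
```

Run it from a management host that has WinRM access to both NDES servers. If each NDES server is pointed at a different issuing CA, as the answer suggests, the template names should still match (the same template published on both CAs); only the CA each server talks to differs.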


  2. Eduardo Madrazo Bidea 0 Reputation points
    2023-09-20T20:44:05.39+00:00

    Thanks a lot for your answer. It's a great post.

    I've been preparing all our infrastructure to deploy your solution.

    I've created the second issuing intermediate CA, and I've deployed a second NDES server with the Intune connector and the proxy app connector... But I have a question about the SCEP profile in Intune. When I create a SCEP profile I have to choose the root certificate. Until now, in the profile I've used to deploy certificates, I put my intermediate CA certificate in the Root certificate field, and it works.

    If I want to deploy certificates using both intermediate CAs, do I have to put the Root certificate (not the intermediate one), or do I have to create a second SCEP profile and put the other intermediate CA as the Root certificate?

    I hope you can help

    Thanks in advance

