I have identified the problem to be between our MDM solution and AD.
Problem with Certificate Services for EAP-TLS authentication
I am trying to enroll iOS devices via SCEP using Certificate Services. Devices are failing to get the correct attributes for certificates, namely "NT Principal Name". I have one user for whom it is working properly, but for the rest of my users it is not. Any reason why I am getting it to work for one user but not the rest?
TIA!
Anonymous
2024-03-01T08:11:06+00:00
Hello Matthew Vaughan- [O365],
Good day!
Based on the description "Only missing attribute of "NT Principal Name" in certs.", would you please provide a screenshot of it?
So you can enroll the certificate successfully, but you cannot use the certificate normally, am I right?
Best Regards,
Daisy Zhou
Anonymous
2024-02-26T21:30:56+00:00
- Attributes are the same for the working user and the non-working user.
- Security group has permissions to read and enroll certs.
- Permissions for cert template is set properly.
- There are no cert failures. Only missing attribute of "NT Principal Name" in certs.
Anonymous
2024-02-26T07:44:33+00:00
Hello Matthew Vaughan- [O365],
Thank you for posting on the Microsoft Community Forum.
1. Where and how do you set "NT Principal Name" when you enroll iOS device certificates?
2. Please check how to set "NT Principal Name" correctly.
3. Please perform the same steps on the non-working user as on the working user.
4. Can you enroll the certificate successfully? Or can you not enroll the certificate successfully?
5. Or can you enroll the certificate successfully, but not use it successfully, with any error message?
Based on your description, here are some suggested steps to help you diagnose and troubleshoot the issue:
- Check User Attributes: Ensure that the attributes of the user object are configured correctly in Active Directory. Pay particular attention to attributes related to certificate requests, such as Common Name (CN), Organization (O), and so on. Ensure that these attributes are consistent with the requirements of the certificate template.
- Check the security group that the user belongs to: Make sure that all users belong to the same security group that has access to the certificate service and the permission to request certificates. In Active Directory, check the security group that the user belongs to, to ensure that there are no restrictions associated with certificate requests.
- Permissions for the certificate template: Check the permission settings for the certificate template to make sure that all users have the appropriate permissions. In the Certificate Authority Management Console, edit the certificate template related to SCEP to view read and request permissions.
- Certificate Request Logs: View the certificate request logs on the certificate authority server for details about the failed requests. Compare the requests of users who work with those that don't work to see if there are any significant differences.
I hope the information above is helpful.
If you have any questions or concerns, please do not hesitate to let us know.
Best Regards,
Daisy Zhou
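The checks suggested in this answer (user attributes, group membership, the CA's request log, and the issued certificate itself) can be scripted. The block below is an added example and is not code from the thread, from Microsoft, or from any MDM vendor; it assumes the ActiveDirectory RSAT module is installed, and the user names, domain, CA configuration string and certificate path are placeholders to replace. The security-relevant point it checks is that for EAP-TLS with NPS the "NT Principal Name" (the UPN "Other Name" entry in the Subject Alternative Name) is what maps a device certificate to an AD account, so a certificate that lacks it will be rejected even though the CA issued it without error.

```powershell
# Added example (not from the thread). Compare the AD attributes that feed the
# certificate's SAN for a working and a non-working user, list what the CA
# issued, and inspect an issued certificate for the UPN ("NT Principal Name").
# Assumptions: RSAT ActiveDirectory module present; all names below are placeholders.

Import-Module ActiveDirectory

$workingUser    = 'working.user'                           # placeholder sAMAccountName
$nonWorkingUser = 'broken.user'                            # placeholder sAMAccountName
$caConfig       = 'CA01.corp.example\Example Issuing CA'   # placeholder "host\CA name"
$certPath       = 'C:\temp\broken-user-device.cer'         # placeholder exported device cert

# 1. The UPN placed in the SAN comes from userPrincipalName (and mail, if the
#    template or SCEP profile also requests an RFC822 name). An empty or
#    mismatched value on the non-working user is the first thing to rule out.
$props = 'UserPrincipalName', 'mail', 'MemberOf', 'Enabled'
$compare = foreach ($u in $workingUser, $nonWorkingUser) {
    Get-ADUser -Identity $u -Properties $props |
        Select-Object SamAccountName, UserPrincipalName, mail, Enabled,
            @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
}
$compare | Format-List

# 2. List issued requests on the CA with the UPN column the CA database keeps,
#    so you can see directly whether the non-working user's certificates were
#    issued without a UPN. Disposition 20 = issued.
certutil -config $caConfig -view -restrict 'Disposition=20' `
    -out 'RequestID,RequesterName,UPN,CertificateTemplate,NotBefore'

# 3. Inspect one issued certificate. The UPN lives in the SAN extension
#    (OID 2.5.29.17) as an "Other Name" of type Principal Name
#    (OID 1.3.6.1.4.1.311.20.2.3); Format($true) renders it as
#    "Principal Name=user@corp.example" on Windows.
function Get-CertificateUpn {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $null }                 # no SAN at all
    $text = $san.Format($true)
    if ($text -match 'Principal Name=(\S+)') { return $Matches[1] }
    return $null                                    # SAN present but no UPN entry
}

$upn = Get-CertificateUpn -Path $certPath
if ($upn) {
    "Certificate carries NT Principal Name: $upn"
} else {
    "Certificate has no NT Principal Name in its SAN. Check the template's Subject Name tab " +
    "(include UPN in alternate subject name) and the MDM SCEP profile's SAN mapping for this user."
}
```

If step 1 shows an empty or differently formed userPrincipalName on the non-working user, the CA is issuing exactly what it was asked for and the fix belongs in AD or in the MDM's SAN mapping rather than on the CA; if the attributes match but step 2 shows an empty UPN column only for that user, compare the template and SCEP profile applied to each device.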