Monday, 25 July 2016

Intune and SCCM behind forward and reverse proxies

Last week I spent many hours trying to troubleshoot Intune with SCCM as a management point. The infrastructure in subject contains NDES server which should request certificates from on premise CA and push them do devices. One of the customer requests was that the SCCM server should connect to only through their forward proxy. The other request was that NDES should be published through their reverse proxy.

Everything went fine initially, the devices enrolled successfully and applications installed correctly. However, we could not get certificates to install. At one point, certificates would get issued and visible in Certificate Authority but never pushed to the device. At other times, we would receive this error in CRP.log on SCCM:

Key usage in CSR: "160" and challenge: "224" do not match for CertRequestId: ModelName=ScopeId_4599798C-283A-4BB1-9860-0968EE55B8A9/ConfigurationPolicy_b97bbe55-4fcb-4f25-8516-208eb5945ee8;Version=1;Hash=1524076804 CertificateRegistrationPoint 7/11/2016 3:24:39 PM 12 (0x000C)

I tracked the issue down to caching reverse and forward proxies. When the request from device reached NDES public endpoint, it would forward the cached request to NDES and not the actual one. Also, regarding forward proxy, SCCM pushes and pulls the data from It seems that it received incorrect data from forward caching proxy and that is why we got Key usage mismatch although we were positive that Key usages were correctly set in the certificate template and SCEP policy.

Anyway, we have turned of reverse proxy caching for NDES server and forward proxy caching for SCCM Site Server role and everything works perfect now.