Troubleshooting

I deployed SCEPman from GitHub and it used to work, but now the Web App does not start anymore

If the error is '503 Cannot download ZIP', then the web app cannot download the ZIP with the application binaries from the URL configured in the app setting WEBSITE_RUN_FROM_PACKAGE (see Application Configuration).

The URL https://github.com/glueckkanja/gk-scepman/raw/master/dist/Artifacts.zip that we had recommended for GitHub deployments in earlier versions of this documentation redirects to the URL https://raw.githubusercontent.com/glueckkanja/gk-scepman/master/dist/Artifacts.zip. Microsoft changed the behavior of some of their Web Apps and now some versions do not support redirects together with WEBSITE_RUN_FROM_PACKAGE. Hence, you need to change the URL to https://raw.githubusercontent.com/glueckkanja/gk-scepman/master/dist/Artifacts.zip.

Trusted Root Certificate is deployed but my Device Certificate via SCEP Profile results in an Error

The SCEP profile will result in an error if the certificate deployment was not successful. Errors can have several reasons:

SCEP certificate profile is configured with an error

This could happen when a wrong trusted root certificate was selected in the SCEP certificate profile. This is also shown in the event log:

  1. Open the Windows Events application

  2. Click Applications and Services Logs

  3. Next, click Microsoft

  4. Then, click Windows

  5. Scroll down and search for DeviceManagement-Enterprise-Diagnostics-Provider and click it.

  6. In the window which will appear, click Admin

  7. Scroll through the list an search for event ID 32

  8. It contains a short error report

    • SCEP: Certificate enroll failed. Result (The hash value is not correct.).

SCEPman Azure Web App is not running

Check if the Azure resource is up and running.

SCEPman has a configuration or internal problem

Check Azure Web App log files via Advanced Tools:

  1. Go to Kudu

  2. Use CMD

  3. Navigate to LogFiles

  4. Then, Application

Click on the download icon on the latest .txt file and review it

Additional way of logging

  1. Configure the App Services Logs

  2. Check the Log Stream of the App Service.

  1. Monitor the log stream

  2. Reproduce the error

  3. Look for the log starting with Request validation unsuccessful, as Intune validation threw an exception

  4. These message should have more details

My Certificate does not have the correct OCSP URL Entry

This is just a problem before version 1.2

If the device certificate has a localhost URL for the OCSP entry in the certificate like this:

The App Service is missing an important application setting with the name AppConfig:BaseUrl set to the azurewebsite URL. To fix this, add the variable and save the App Service config:

AppConfig:BaseUrl
https://scepman-XXXXX.azurewebsites.net

Delete this certificate from the device and do the MDM sync. If you did it you will see a proper URL for the OCSP entry:

Revocation of a Certificate

First, you need to check the validity of the device certificate. Therefore, open a command prompt as administrator and type the following command:

certutil -verifyStore MY

Look at the certificate with the device ID issued by the SCEPman-Device-Root-CA-V1 and verify if the certificate is valid (see last line).

To verify that the OCSP responder is working, you can look at the OCSP url cache with the following command:

certutil -urlcache OCSP

If you want to revoke a user certificate, you have two options:‌

  1. Deleting the user from Azure AD or

  2. Block sign-in for the user

If you want to revoke a device certificate, you have two options:

  1. Deleting the device from Azure AD or

  2. Disabling a device

The following example shows the the second option 'Disabling a device'(the result for user certificates will be the same):

  1. Navigate to Devices - All devices in your Azure AD

  2. Choose a device

  3. Click Disable

Next, type in the following command again:

certutil -verifyStore MY

As you can see in the last line, the Certificate is REVOKED

When you enable the device in Azure AD again and you type in the command from above again, the certificate should be marked as valid.

It can take up to 5 minutes before the prompt 'Marked as valid' appears.

As an alternate you can export the device certificate and use certutil to display a small certutil UI for the OSCP check:

certutil -url <path-to-exported-device-certificate>

My SCEP configuration profile shows pending and is not applied

The SCEP configuration profile depends on the Trusted Root certificate profile. Assign both profiles to the same Azure Active Directory user or device group to make sure the user or device overlaps and both profiles are targeted to the device. Do not mix user and device groups. If you see pending as status for the configurations profiles in Intune for a long time, the assignment is probably wrong.

Access Point cannot verify an authentication certificate that SCEPman has issued

Symptoms: Cisco ISE shows an OCSP unreachable error. Aruba ClearPass also has this problem. The server, seemingly SCEPman, answers with an TCP reset packet to the OCSP request.

Cause: Both Cisco ISE as well as Aruba ClearPass do not support HTTP 1.1 when looking up OCSP and do not send a host header in their OCSP request. Therefore, they cannot connect to a general SCEPman instance running on Azure App Services. The error message may look like this:

Solution: Please see here.