Troubleshooting
Problem
Symptom
Right-click the certificate connector installer and choose Run as administrator, then select the required features, the service account, the MFA option and, if needed, the proxy connection. At the Azure AD Sign In step, enter the allowed AD user and password (an account synchronized from on-premises AD to Azure AD) to establish the connection between the connector and Azure AD. The following error message appears:

Cause
The error is explained by the following requirement from Microsoft's connector documentation:
Azure Active Directory User
When configuring the connector, you need to use a user account that is either a Global Admin or an Intune Admin, has an Intune license assigned, and is a synchronized account from your local Active Directory.
The account used to establish the certificate connector's Azure AD sign-in must therefore be synchronized from an on-premises AD account. If you sign in with a cloud-only Azure AD account instead, the error above appears.
Environment
- MS Intune
- On-premises Active Directory
- Azure Active Directory
Diagnosing The Problem
Re-installing the connector software, checking the user's permissions and granting additional permissions do not help: the Azure AD sign-in keeps failing. The key requirement is that the user account be created in the on-premises AD environment and then synchronized to Azure AD.
Resolving The Problem
To solve this issue, use a valid Azure AD account that is synchronized from its corresponding on-premises AD account, then repeat the connection steps described above with this account.
Note that the connector service account must also be able to access the Windows Server, communicate with Intune and access the CA to service PKI requests; see the "Certificate connector service account" section of the Microsoft article referenced below.
Related text from that article:
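As an added example (not part of this IBM document, and not Microsoft's connector code), the following PowerShell uses the Microsoft Graph PowerShell SDK to check the three requirements from the Cause section against the account you intend to use for the Azure AD sign-in before you run the wizard again. The UPN is a placeholder, and the role display names assume the default Entra names ("Global Administrator", "Intune Administrator"); an older tenant may still show "Intune Service Administrator".

```powershell
# Added example, not from the IBM page or Microsoft. Verifies that a candidate account is
# (1) synchronized from on-premises AD, (2) Intune-licensed and (3) a Global or Intune admin.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users
param(
    [Parameter(Mandatory)][string]$UserPrincipalName   # placeholder, e.g. 'svc-intune@contoso.com'
)

Connect-MgGraph -Scopes 'User.Read.All', 'Directory.Read.All' -NoWelcome

# 1. Synchronized from on-premises AD? Cloud-only accounts have no OnPremisesImmutableId and
#    OnPremisesSyncEnabled is not $true; these are exactly the accounts the wizard rejects.
$user = Get-MgUser -UserId $UserPrincipalName -Property 'Id', 'UserPrincipalName',
    'OnPremisesSyncEnabled', 'OnPremisesImmutableId', 'OnPremisesSamAccountName'
$isSynced = ($user.OnPremisesSyncEnabled -eq $true) -and
            -not [string]::IsNullOrEmpty($user.OnPremisesImmutableId)

# 2. Intune license? Look for a successfully provisioned INTUNE_A service plan in any assigned SKU.
$intunePlan = Get-MgUserLicenseDetail -UserId $user.Id |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -eq 'INTUNE_A' -and $_.ProvisioningStatus -eq 'Success' }
$hasIntuneLicense = [bool]$intunePlan

# 3. Global Administrator or Intune Administrator? Only activated, directly assigned or
#    group-inherited directory roles are returned here; a PIM-eligible role that has not been
#    activated will not show up, so activate it first if that is how the role is granted.
$roleNames = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
$isAdmin = ($roleNames -contains 'Global Administrator') -or
           ($roleNames -contains 'Intune Administrator') -or
           ($roleNames -contains 'Intune Service Administrator')

[pscustomobject]@{
    User                    = $user.UserPrincipalName
    SyncedFromOnPremAD      = $isSynced
    OnPremSamAccountName    = $user.OnPremisesSamAccountName
    IntuneLicensed          = $hasIntuneLicense
    GlobalOrIntuneAdmin     = $isAdmin
    Roles                   = ($roleNames -join ', ')
    ReadyForConnectorSignIn = ($isSynced -and $hasIntuneLicense -and $isAdmin)
}
```

If SyncedFromOnPremAD is False, the account was created directly in Azure AD; creating the user in on-premises AD and letting Azure AD Connect synchronize it is the only fix, and granting more roles or licenses to the cloud-only account will not make the sign-in succeed.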
The certificate connector requires an account to use as a service account. This account is used by the connector to access the Windows Server, communicate with Intune, and access the Certification Authority to service PKI requests.
The connector service account must have the following permissions:
- Logon as Service
- Issue and Manage Certificates permissions on the Certification Authority (required only for revocation scenarios).
- Read and Enroll permissions on any certificate template that you’ll use to issue certificates.
- Permissions to the Key Storage Provider (KSP) that’s used by PFX Import. See the "Import PFX Certificates" section from the "Configure and use imported PKCS certificates with Intune" Microsoft's article, for further information.
The following options are supported for use as the certificate connector service account:
- SYSTEM
- Domain user - Use any domain user account that is an administrator on the Windows Server.
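As an added example (not part of this IBM document or of Microsoft's connector), the following PowerShell audits a domain service account against the first three permissions in the list above on the CA/NDES server: the Log on as a service right, Issue and Manage Certificates on the CA, and Read and Enroll on each template. The account name, CA configuration string and template names are placeholders. The KSP permission used by PFX import is file-system specific and is not checked here; see the Microsoft article cited in the list.

```powershell
# Added example, not from the IBM page or Microsoft. Run elevated on the CA / NDES server with
# the ActiveDirectory RSAT module installed. All names below are placeholders.
param(
    [string]$ServiceAccount = 'CONTOSO\svc-certconnector',           # placeholder domain account
    [string]$CAConfig       = 'ca01.contoso.com\Contoso-Issuing-CA',  # placeholder CA config string
    [string[]]$Templates    = @('IntuneSCEP', 'IntunePKCS')          # placeholder template CNs
)
Import-Module ActiveDirectory
$results = [ordered]@{}

# 1. "Log on as a service" (SeServiceLogonRight). secedit exports the policy with principals as *SID.
#    Only direct grants are detected; a grant through a group shows the group's SID instead.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol-export.cfg'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line    = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
$granted = if ($line) { ($line -split '[=,]') | ForEach-Object { $_.Trim() } } else { @() }
$results['LogonAsService'] = ($granted -contains "*$sid")
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2. "Issue and Manage Certificates" on the CA (needed only for revocation). certutil prints the
#    CA security descriptor in readable form; matching both the right name and the account on one
#    line is a string-level assumption about that output, and group grants are again not resolved.
$caSecurity = certutil -config $CAConfig -v -getreg CA\Security 2>&1
$results['IssueAndManageCertificates'] = [bool]($caSecurity | Where-Object {
    $_ -match 'Issue and Manage Certificates' -and $_ -match [regex]::Escape($ServiceAccount) })

# 3. Read and Enroll on each template. Templates live in the Configuration partition; Enroll is the
#    extended right with GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$rights     = [System.DirectoryServices.ActiveDirectoryRights]
$configDN   = (Get-ADRootDSE).configurationNamingContext
foreach ($t in $Templates) {
    $dn   = "CN=$t,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configDN"
    $aces = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow' }
    $full   = [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll })
    $read   = $full -or [bool]($aces | Where-Object { ($_.ActiveDirectoryRights -band $rights::GenericRead) -eq $rights::GenericRead })
    $enroll = $full -or [bool]($aces | Where-Object {
        ($_.ActiveDirectoryRights -band $rights::ExtendedRight) -and ($_.ObjectType -eq $enrollGuid) })
    $results["Template:$t"] = "Read=$read Enroll=$enroll"
}

[pscustomobject]$results
```

Because the connector authenticates to the CA and the templates as this account, a missing Enroll right on a template shows up later as failed SCEP or PKCS issuance rather than as a connector sign-in error, so it is worth separating these checks from the Azure AD account problem described in the Cause section.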
Then install the connector:
Download and install the connector software
1. Sign in to the Microsoft Intune admin center.
2. Select Tenant administration > Connectors and tokens > Certificate connectors > Add.
3. On the Install the certificate connector pane, select the certificate connector link to download the connector software. Save the file to a location that's accessible from the server where you're going to install the connector.
4. Sign in to the Windows Server that will host the certificate connector and confirm that the prerequisites for the certificate connector are installed (see Microsoft's article "Prerequisites for the Certificate Connector for Microsoft Intune" for reference). To use the Simple Certificate Enrollment Protocol (SCEP) with a Microsoft Certification Authority (CA), confirm that the Network Device Enrollment Service (NDES) role is installed.
5. Use an account with admin permissions on the server to run the installer (IntuneCertificateConnector.exe). The installer also installs the policy module for NDES. The policy module runs as an application in IIS.
Note: If IntuneCertificateConnector.exe runs to install a new connector, or an existing connector auto-upgrades, while the Windows Event Viewer is open, the installation process logs a message with Event ID 1000 similar to the following:
- The description for Event ID 1000 from source Microsoft-Intune-CertificateConnectors cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
You can safely ignore this message. It appears because the event viewer manifest for the connector could not load while the event viewer was open. After the event viewer is closed and reopened, the correct messages display.
6. Review and agree to the license terms and conditions, and then select Install to continue. Select Options to choose a different installation folder.
7. The connector installation takes only a moment. After installation, the setup presents two options:
- Configure Now - Select this option to close the connector installation and open the Certificate Connector for Microsoft Intune wizard, which you use to configure the certificate connector on the local server (see the "Configure the certificate connector" section of Microsoft's article "Install the Certificate Connector for Microsoft Intune").
- Close - This option closes the connector installation without configuring the connector. If you choose Close at this time, you can later run the Certificate Connector for Microsoft Intune wizard to launch the connector configuration program. By default, the wizard is found in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Intune.
After a connector installs, you can run the installation program again to uninstall the connector.
Further information can be found in Microsoft's document titled "Install the Certificate Connector for Microsoft Intune".
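As an added example (not part of this IBM document or of Microsoft's installer), the following PowerShell is a pre-flight check for steps 4 and 5 on the host server: it confirms the session is elevated, that the NDES role is installed when SCEP with a Microsoft CA is intended, that .NET Framework 4.7.2 or later is present (a prerequisite listed in Microsoft's prerequisites article, not on this page), and that no MMC console such as Event Viewer is open, which avoids the spurious Event ID 1000 described in the note above. After installation it also reports whether the wizard shortcut exists at the default path given in step 7. The .NET Release value threshold is from Microsoft's .NET version table.

```powershell
# Added example, not from the IBM page or Microsoft. Pre-flight check before running
# IntuneCertificateConnector.exe on the connector host; run it in the session you will install from.
$checks = [ordered]@{}

# Step 5: the installer must run from an elevated (administrator) context.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$checks['Elevated'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Step 4: NDES role (feature name ADCS-Device-Enrollment) is required for SCEP with a Microsoft CA.
$ndes = Get-WindowsFeature -Name ADCS-Device-Enrollment -ErrorAction SilentlyContinue
$checks['NDESInstalled'] = [bool]($ndes -and $ndes.Installed)

# Step 4: .NET Framework 4.7.2 or later. Release >= 461808 corresponds to 4.7.2 (Microsoft version table).
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
           -Name Release -ErrorAction SilentlyContinue
$checks['DotNet472OrLater'] = [bool]($ndp -and $ndp.Release -ge 461808)

# Note under step 5: Event Viewer (an mmc.exe console) open during install produces the spurious
# Event ID 1000 message. Any running MMC console is flagged here; close Event Viewer before installing.
$checks['NoMmcConsoleOpen'] = -not (Get-Process -Name mmc -ErrorAction SilentlyContinue)

# Step 7: after installation, the wizard shortcut lives in the Start Menu folder named on the page.
$wizardFolder = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Intune'
$checks['WizardShortcutPresent'] = (Test-Path $wizardFolder) -and
    [bool](Get-ChildItem -Path $wizardFolder -Filter '*.lnk' -ErrorAction SilentlyContinue)

$result = [pscustomobject]$checks
$result
if (-not ($checks['Elevated'] -and $checks['DotNet472OrLater'])) {
    Write-Warning 'Fix the failed prerequisites before running IntuneCertificateConnector.exe.'
}
```

NDESInstalled only matters if you plan to use SCEP; a PKCS-only deployment can ignore that row. WizardShortcutPresent is expected to be False before the first installation and True afterwards.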
Document Location
Worldwide
Document Information
Modified date:
27 December 2024
UID
ibm17179951