Monday, December 18, 2017

Exchange Online Certificate Based Authentication

Hey guys!

Today I want to build upon the last post surrounding Intune and certificate services. Once we get the certificates onto the devices the next step is to configure our services to accept certs as a form of authentication. 

I want to talk about configuring Exchange Online in this post and some caveats when setting that up. 

Per usual I dont want to spell out a guide for everyone. Those can be found in a multitude of places. There is a good one here.

What I do want to talk about are some of the gaps that this guide didnt cover. 

First thing is the intermediary. In a best practice PKI deployment you should have a Root and an Int certificate. I would publish both certificates and CRLs to Azure AD using the guide above. When you deploy the Int cert be sure you change the powershell from this


$Cert=Get-Content -Encoding byte "Location of Root CA CER file"

$New_CA=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation



$New_CA.crlDistributionPoint="CRL Distribution URL"

New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $New_CA

To this "$New_CA.AuthorityType=1" this will specify the cert we upload as the Int.

I reccomend putting the Int cert on the devices we deploy as well as accepting it for authentication in AzureAD

The next little gotcha they don't mention is that ADFS certificate based auth goes over a different port. It goes over port 49443 so make sure you aren't blocking that port coming into the WAPS.

And last but not least make sure that you configure ADFS to accept cert based auth. In ADFS 2016 its a little checkbox under authentication types.

Friday, December 8, 2017

Using a Public Certificate For Intune Certificates

Hello Everyone, long time no talk!

Today I want to go over an experience I had with a client setting up Certificate Based Authentication (CBA) to Exchange Online. 

To give a brief rundown of how this is accomplished I will put a couple bullett points below

1. Have an Internal PKI

2. Add and NDES Server to your PKI

3. Configure templates

4. Configure cert profiles in Intune

A great guide on how to accomplish this can be found here

The issue I ran into comes from the use of a trusted public certificate to secure the IIS server and Intune Certificate Connector instead of one from your internal PKI as in the steps Nickolaj provided in his blog. 

By default the NDES Server places its own DNS name in certain registry values that it expects the certificate to have. When using a public cert we need to change those values in the registry. 

The keys that need to be changed can be found at

The values that hold the server name should be changed to the namespace on the public cert. See example below. Client information has been removed but you get the idea.

After this change was made our SCEP certificates were getting to the devices. 

Hope this helps someone out there that may be hung up on this issue.

Until next time.