Today I want to go over an experience I had with a client setting up Certificate Based Authentication (CBA) to Exchange Online.
To give a brief rundown of how this is accomplished, here are the high-level steps:
1. Have an internal PKI
2. Add an NDES server to your PKI
3. Configure the certificate templates
4. Configure certificate profiles in Intune
A great guide on how to accomplish this can be found here
The issue I ran into came from using a trusted public certificate to secure the IIS server and the Intune Certificate Connector, instead of one issued by the internal PKI as in the steps Nickolaj provided in his blog.
By default the NDES server writes its own DNS name into certain registry values that it expects the certificate to match. When a public cert is used, that name no longer matches the certificate, so those registry values have to be changed.
The keys that need to be changed can be found at
The values that hold the server name should be changed to the namespace on the public cert. See the example below (client information has been removed, but you get the idea).
After this change was made, our SCEP certificates were getting to the devices.
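The script below is an added example, not part of the original post or of Nickolaj's guide. It does the registry change described above in a checked way: it first confirms that the certificate actually bound to the HTTPS site in IIS lists the public name in its Subject Alternative Name, then finds every string value under the NDES key that still holds the server's own FQDN and rewrites it to the public namespace. The key path (`$NdesRegistryPath`) is a placeholder, since the post does not reproduce it; substitute the key documented for your NDES / Intune Certificate Connector build. The public DNS name is also a placeholder. Run it elevated on the NDES server; without `-Apply` it only reports what it would change.

```powershell
<#
  Added example (not the original post's content). Assumptions, labelled:
  - $NdesRegistryPath is a PLACEHOLDER for the NDES registry key the post refers to.
  - $PublicCertDnsName is a PLACEHOLDER for the namespace on the public certificate.
  - Run from an elevated PowerShell session on the NDES server.
#>
param(
    [string]$NdesRegistryPath  = 'HKLM:\SOFTWARE\PLACEHOLDER\NDES-Key',  # placeholder key path
    [string]$PublicCertDnsName = 'ndes.example.com',                    # placeholder public name
    [switch]$Apply                                                      # omit for a dry run
)

# 1. The name NDES writes into the registry by default is the machine's own FQDN.
$localFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 2. Check that the certificate bound to the HTTPS site really carries the public name,
#    so the registry is not pointed at a name the certificate cannot satisfy.
Import-Module WebAdministration -ErrorAction Stop
$binding = Get-WebBinding -Protocol https | Select-Object -First 1
if (-not $binding) { throw 'No HTTPS binding found in IIS on this server.' }

$certPath = 'Cert:\LocalMachine\{0}\{1}' -f $binding.certificateStoreName, $binding.certificateHash
$cert     = Get-Item $certPath
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText  = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($sanText -notmatch [regex]::Escape($PublicCertDnsName)) {
    throw "Bound certificate $($cert.Thumbprint) does not list $PublicCertDnsName in its SAN: $sanText"
}
Write-Host "IIS is serving $($cert.Subject) (thumbprint $($cert.Thumbprint)); SAN covers $PublicCertDnsName."

# 3. Find every string value under the key that still holds the internal FQDN.
#    The PS* properties are provider metadata added by Get-ItemProperty, not registry values.
$props    = Get-ItemProperty -Path $NdesRegistryPath -ErrorAction Stop
$toChange = $props.PSObject.Properties | Where-Object {
    $_.Name -notlike 'PS*' -and $_.Value -is [string] -and
    $_.Value -match [regex]::Escape($localFqdn)
}
if (-not $toChange) {
    Write-Host "No values under $NdesRegistryPath reference $localFqdn; nothing to do."
    return
}

# 4. Back up the key before touching it, then rewrite each matching value.
if ($Apply) {
    $regExePath = $NdesRegistryPath -replace '^HKLM:\\', 'HKLM\'
    $backup     = Join-Path $env:TEMP ("ndes-key-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export $regExePath $backup /y | Out-Null
    Write-Host "Backup written to $backup"
}
foreach ($p in $toChange) {
    $newValue = $p.Value -replace [regex]::Escape($localFqdn), $PublicCertDnsName
    Write-Host ("{0}: '{1}' -> '{2}'" -f $p.Name, $p.Value, $newValue)
    if ($Apply) {
        Set-ItemProperty -Path $NdesRegistryPath -Name $p.Name -Value $newValue
    }
}
if (-not $Apply) { Write-Host 'Dry run only; re-run with -Apply to write the changes.' }
```

The SAN check is the part worth keeping even if you edit the registry by hand: the failure mode in this post is a name mismatch between what NDES expects and what the bound certificate presents, and comparing the two before changing anything avoids swapping one mismatch for another. NDES reads these values when its application pool starts, so recycle IIS after applying the change.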
Hope this helps someone out there that may be hung up on this issue.
Until next time.