glueckkanja/gk-scepman

Unable to fetch tenant id.

Closed this issue · 4 comments

Hello,

I'm currently evaluating a trial deployment for a larger project.

However, I can't get SCEPman to run; it fails with the error "Unable to fetch the tenant id. Ensure that app permission Directory.Read.All has admin consent or see error logs to troubleshoot the issue."


I'm pretty confident the permission setup should be correct. I followed the documentation closely:

App registration: (screenshot)
App registration permissions: (screenshot)
App Service Configuration: (screenshot)

The logs do not show any errors, just the requests, even with verbose logging.

What could I do to troubleshoot this error?

Brief update: After some waiting, SCEPman shows that Azure AD and Intune are connected. The error regarding the tenant ID remains though.


Certificate enroll fails with an internal server error:

2021-01-16 09:28:38 XXXXX-SCEPMAN-DEV GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=default&X-ARR-LOG-ID=d9061a4b-a5c4-4fbf-9d24-a3bc04602a78 443 - 91.65.46.90 Mozilla/4.0+(compatible;+Win32;+NDES+client) - - XXXXX-scepman-dev.azurewebsites.net 200 0 0 484 1218 223
2021-01-16 09:28:38 XXXXX-SCEPMAN-DEV GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=default&X-ARR-LOG-ID=cb5db636-2f38-4263-9048-f9c624134a60 443 - 91.65.46.90 Mozilla/4.0+(compatible;+Win32;+NDES+client) - - XXXXX-scepman-dev.azurewebsites.net 200 0 0 1489 1218 19
2021-01-16 09:28:41 XXXXX-SCEPMAN-DEV POST /certsrv/mscep/mscep.dll/pkiclient.exe operation=PKIOperation&X-ARR-LOG-ID=86e8ac5a-2bb5-4ff1-8bbb-9fd3e4b2d8e5 443 - 91.65.46.90 Mozilla/4.0+(compatible;+Win32;+NDES+client) - - XXXXX-scepman-dev.azurewebsites.net 500 0 0 385 8796 687
2021-01-16 09:29:06 XXXXX-SCEPMAN-DEV GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=default&X-ARR-LOG-ID=e05e85bb-2ee7-4062-9cde-269f13de8ee7 443 - 91.65.46.90 Mozilla/4.0+(compatible;+Win32;+NDES+client) - - XXXXX-scepman-dev.azurewebsites.net 200 0 0 484 1218 31
2021-01-16 09:29:06 XXXXX-SCEPMAN-DEV GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=default&X-ARR-LOG-ID=4d364955-b3a2-442a-81c8-ff6c4fee4e3d 443 - 91.65.46.90 Mozilla/4.0+(compatible;+Win32;+NDES+client) - - XXXXX-scepman-dev.azurewebsites.net 200 0 0 1489 1218 15
2021-01-16 09:29:06 XXXXX-SCEPMAN-DEV POST /certsrv/mscep/mscep.dll/pkiclient.exe operation=PKIOperation&X-ARR-LOG-ID=0342636b-1d0c-4feb-a85d-8bf6c6b0524d 443 - 91.65.46.90 Mozilla/4.0+(compatible;+Win32;+NDES+client) - - XXXXX-scepman-dev.azurewebsites.net 500 0 0 385 8796 193
IIS Detailed Error - 500.0 - Internal Server Error

HTTP Error 500.0 - Internal Server Error
The page cannot be displayed because an internal server error has occurred.

Most likely causes:
- IIS received the request; however, an internal error occurred during the processing of the request. The root cause of this error depends on which module handles the request and what was happening in the worker process when this error occurred.
- IIS was not able to access the web.config file for the Web site or application. This can occur if the NTFS permissions are set incorrectly.
- IIS was not able to process configuration for the Web site or application.
- The authenticated user does not have permission to use this DLL.
- The request is mapped to a managed handler but the .NET Extensibility Feature is not installed.

Things you can try:
- Ensure that the NTFS permissions for the web.config file are correct and allow access to the Web server's machine account.
- Check the event logs to see if any additional information was logged.
- Verify the permissions for the DLL.
- Install the .NET Extensibility feature if the request is mapped to a managed handler.
- Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, see http://go.microsoft.com/fwlink/?LinkID=66439.

Detailed Error Information:
Module: AspNetCoreModuleV2
Notification: ExecuteRequestHandler
Handler: aspNetCore
Error Code: 0x00000000
Requested URL: https://XXXXX-scepman-dev:80/certsrv/mscep/mscep.dll/pkiclient.exe?operation=PKIOperation
Physical Path: D:\home\site\wwwroot\certsrv\mscep\mscep.dll\pkiclient.exe
Logon Method: Anonymous
Logon User: Anonymous

More Information:
This error means that there was a problem while processing the request. The request was received by the Web server, but during processing a fatal error occurred, causing the 500 error.
View more information: http://go.microsoft.com/fwlink/?LinkID=62293&IIS70Error=500,0,0x00000000,14393
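To make a log like the one quoted above quicker to triage, here is an added Python example (not part of the issue and not SCEPman's own code) that parses the App Service W3C log lines, pulls the SCEP `operation` out of the query string and reports which step of the GetCACaps / GetCACert / PKIOperation sequence failed per client. The field order and the three sample lines are taken from the log quoted above; the diagnosis strings in `diagnose` are my own assumed mapping.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Field order of the App Service web-server (W3C) log quoted in the issue.
FIELDS = ["date", "time", "site", "method", "uri_stem", "query", "port", "user",
          "client_ip", "user_agent", "cookie", "referer", "host", "status",
          "substatus", "win32_status", "sc_bytes", "cs_bytes", "time_taken"]

# Sample input: the first SCEP exchange quoted in the issue (caps, CA cert, then the
# failing PKIOperation), embedded as an inline string so the check runs offline.
SAMPLE_LOG = """\
2021-01-16 09:28:38 XXXXX-SCEPMAN-DEV GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACaps&message=default&X-ARR-LOG-ID=d9061a4b-a5c4-4fbf-9d24-a3bc04602a78 443 - 91.65.46.90 Mozilla/4.0+(compatible;+Win32;+NDES+client) - - XXXXX-scepman-dev.azurewebsites.net 200 0 0 484 1218 223
2021-01-16 09:28:38 XXXXX-SCEPMAN-DEV GET /certsrv/mscep/mscep.dll/pkiclient.exe operation=GetCACert&message=default&X-ARR-LOG-ID=cb5db636-2f38-4263-9048-f9c624134a60 443 - 91.65.46.90 Mozilla/4.0+(compatible;+Win32;+NDES+client) - - XXXXX-scepman-dev.azurewebsites.net 200 0 0 1489 1218 19
2021-01-16 09:28:41 XXXXX-SCEPMAN-DEV POST /certsrv/mscep/mscep.dll/pkiclient.exe operation=PKIOperation&X-ARR-LOG-ID=86e8ac5a-2bb5-4ff1-8bbb-9fd3e4b2d8e5 443 - 91.65.46.90 Mozilla/4.0+(compatible;+Win32;+NDES+client) - - XXXXX-scepman-dev.azurewebsites.net 500 0 0 385 8796 687
"""

def parse_line(line):
    """Turn one W3C log line into a dict; returns None for lines that do not fit."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["status"] = int(rec["status"])
    # The SCEP message type lives in the query string, e.g. operation=PKIOperation.
    rec["operation"] = parse_qs(rec["query"]).get("operation", ["-"])[0]
    return rec

def scep_steps_by_client(log_text):
    """Group SCEP requests per client IP as an ordered list of (operation, status)."""
    steps = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["uri_stem"].endswith("/pkiclient.exe"):
            steps[rec["client_ip"]].append((rec["operation"], rec["status"]))
    return dict(steps)

def diagnose(steps):
    """Map the first failing step to where to look (assumed mapping, not SCEPman's own)."""
    failed = [op for op, status in steps if status >= 400]
    if not failed:
        return "ok"
    if failed[0] in ("GetCACaps", "GetCACert"):
        return "service not reachable or CA certificate not served"
    if failed[0] == "PKIOperation":
        return "CSR processing failed: check the CSR subject and the app's Graph permissions"
    return "unexpected step " + failed[0]
```

On the sample, `diagnose(scep_steps_by_client(SAMPLE_LOG)["91.65.46.90"])` points at CSR processing, because the client got a 200 for both GetCACaps and GetCACert and only the signed PKIOperation POST returned 500.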

@okieselbach @bb-froggy Any idea? Looks like permission but I am sure you have more detailed insights.

Through a follow-up, we figured out the error.

I changed the subject line of the certificate, due to server restrictions on our end.

However, the subject line of the certificate is required to be the Device ID (CN={{AzureADDeviceId}}). Otherwise SCEPman fails to identify the device sending the CSR.
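As an added example (not from the issue and not SCEPman's own code), a small Python check for the subject a SCEP profile will produce: it splits an RFC 4514 subject on unescaped commas, takes the CN and accepts it only when it is the Intune placeholder {{AzureADDeviceId}} or a rendered Azure AD device id (a GUID). The subject strings in the test are constructed.

```python
import uuid

# Intune's subject template placeholder that SCEPman expects in the CN (from the issue).
DEVICE_ID_PLACEHOLDER = "{{AzureADDeviceId}}"

def split_rdns(subject):
    """Split an RFC 4514 subject such as 'CN=x,O=y' on unescaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):  # keep the escaped character literally
            cur.append(subject[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]

def check_scep_subject(subject):
    """Return (ok, reason): ok only when exactly one CN is present and it is the
    device-id placeholder (profile template) or a GUID (rendered device id)."""
    cns = [r[3:] for r in split_rdns(subject) if r[:3].upper() == "CN="]
    if len(cns) != 1:
        return False, "expected exactly one CN, found %d" % len(cns)
    cn = cns[0]
    if cn == DEVICE_ID_PLACEHOLDER:
        return True, "template uses the device-id placeholder"
    try:
        uuid.UUID(cn)  # Azure AD device ids are GUIDs; anything else cannot be looked up
    except ValueError:
        return False, "CN %r is not an Azure AD device id (GUID)" % cn
    return True, "CN is a device id"
```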

Thanks for the update!