PKISolutions / ADCS-SID-Extension-Policy-Module

MIT License

Request for Device certificate but search for UPN not DNS #8

Closed Loule-Corro closed 10 months ago

Loule-Corro commented 10 months ago

Hi, not sure if I missed something, but the module seems to be enabled and working. When the requests are incoming, the subject type always seems to be User Certificate, and it looks for a UPN and not a DNS name, as you can see in a trace log:

[30/11/2023 11:46:57] Found matching entry in Template/Requester table.
[30/11/2023 11:46:57] Reading request extensions.
[30/11/2023 11:46:57] Found 11 extensions.
[30/11/2023 11:46:57] Found SAN extension at index 4.
[30/11/2023 11:46:57] Executing principal search from UPN.
[30/11/2023 11:46:57] No matching alternative name found in SAN extension.
[30/11/2023 11:46:57] Alternative name not found in SAN extension. Skipping.
[30/11/2023 11:46:57] Enforcing SID extension policy. Requested action: PassThrough

It should look for a DNS name ... The certificate request comes from Intune SCEP and is configured as a Device certificate request (as it always worked and still works for other things).

Any information about that?

Thank you.

Loule-Corro commented 10 months ago

Maybe a certificate template problem, but not clear... I'll close the issue and analyze again.

Thank you for your job

Crypt32 commented 10 months ago

not sure if I missed something, but the module seems to be enabled and working. When the requests are incoming, the subject type always seems to be User Certificate, and it looks for a UPN and not a DNS name

Every template has a subject type, which can be one of User, Computer or CA. When the policy module examines a request, I'm trying to read the certificate template information from the request and find the matching template in AD. Then I read the subject type and do logic branching: if the template subject type is User, I'm doing a UPN lookup only; if the template subject type is Computer, I'm doing a DNS lookup only. In your case it appears that the template subject type is User. You can confirm the subject type of your template in the template properties, on the Extensions tab, by looking into the Certificate Template Information extension.
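
The check the maintainer describes, as an added example that is not part of the policy module's code: read the template object from the Configuration partition and derive its subject type from the `flags` attribute (MS-CRTD: CT_FLAG_IS_CA marks a CA template, CT_FLAG_MACHINE_TYPE a Computer template, anything else is User), then report which SAN name type the module will search for. It assumes the ActiveDirectory PowerShell module is installed and that the caller can read the Configuration naming context; the template name 'IntuneSCEPDevice' is a placeholder.

```powershell
# Added example, not the module's own code. Flag values are from MS-CRTD 2.27.
$CT_FLAG_MACHINE_TYPE = 0x00000040
$CT_FLAG_IS_CA        = 0x00000080

function Get-TemplateSubjectType {
    param(
        # CN or display name of the template to inspect
        [Parameter(Mandatory)][string]$TemplateName
    )
    # Templates live in the Configuration partition, not the domain partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tmpl = Get-ADObject -SearchBase $base `
        -LDAPFilter "(|(cn=$TemplateName)(displayName=$TemplateName))" `
        -Properties flags, displayName, 'msPKI-Cert-Template-OID'
    if (-not $tmpl) { throw "Template '$TemplateName' not found under $base" }

    # Same precedence the MMC uses when it labels the subject type: CA, then Computer, else User.
    $flags = [int]$tmpl.flags
    $subjectType = if ($flags -band $CT_FLAG_IS_CA) { 'CA' } elseif ($flags -band $CT_FLAG_MACHINE_TYPE) { 'Computer' } else { 'User' }

    # Which SAN name type the policy module will search, per the maintainer's description.
    $sanLookup = switch ($subjectType) {
        'User'     { 'UPN' }
        'Computer' { 'DNS' }
        default    { 'none' }
    }

    [pscustomobject]@{
        Template    = $tmpl.displayName
        TemplateOid = $tmpl.'msPKI-Cert-Template-OID'
        Flags       = ('0x{0:X8}' -f $flags)
        SubjectType = $subjectType
        SanLookup   = $sanLookup
    }
}

# Placeholder template name; a result of SubjectType=User / SanLookup=UPN reproduces the trace above.
Get-TemplateSubjectType -TemplateName 'IntuneSCEPDevice'
```

If the device template reports SubjectType User, the module will never look at the DNS entries in the SAN, which matches the "Executing principal search from UPN" line in the trace; a Computer-type template is the fix rather than a module option.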

Loule-Corro commented 10 months ago

Yes, after many checks it's OK now. Maybe a little upgrade would be to add an option to look for all SAN DNS attributes. I tried to fork the project and make some modifications, but I am almost lost in the Visual Studio configuration and dependencies... :)

Crypt32 commented 10 months ago

Maybe a little upgrade would be to add an option to look for all SAN DNS attributes.

This doesn't fit common practice. If you need to look for DNS, you really should use a machine-type template. Since Intune expects a device (machine) certificate, it is expected to enroll against a machine-type template, not a user one.

Loule-Corro commented 10 months ago

I meant for device certificates, sure, yes! Not about the first reason why I opened the issue. For device certificates, maybe an option to look for all SAN DNS entries, disabled by default, could be useful for some cases.