Unable to generate SCEP Certificate from the NDES server (80935)


Last Updated: 8/12/2021
Categories: Known Issue


Version Identified

ACC version 19.12 and above

Overview

Quirks mode in the .NET Framework preserves compatibility when the framework installed on a machine is updated: an application that was developed and deployed against .NET Framework 4 continues to work on 4.5 because quirks mode is "on" by default for applications built on .NET.

With an upgrade to ACC 19.12, or a new installation of ACC 19.12 or above, quirks mode is turned off and the application switches over to .NET Framework 4.8, which changed the default encryption algorithm to AES. This algorithm is used when sending the PKCS7 packet containing the certificate signing request from ACC to the CA via the NDES server. If the NDES server is not configured for the AES algorithm, the SCEP certificate will fail to generate.

Symptoms

When a SCEP certificate is pushed to the device through a credential payload or a SCEP payload, it fails to deliver to the device and the following error message appears in the console event data:

Scep response Status: Failure; FailureInfo: BadMessageCheck

If your SCEP request is configured to go through ACC, you will see the following error in the verbose ACC logs; otherwise you will see the same error in the verbose console logs.

Debug AirWatch.CloudConnector.CertificateService.CertificateService.EnrollCertificate EnrollCertificate result: Request failed. ActivityId: c33af189-21ec-48c0-ac38-43bd2a15ae76, ErrorMessage: Scep response Status: Failure; FailureInfo: BadMessageCheck.

On the NDES server, if you check the Windows Event Viewer at the same timestamp, you should see the following error message:

The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0xc0000225).

Cause

When the app executes on the newer Framework with quirks mode on, it mimics some behaviors of the older framework to ensure compatibility. This also means keeping quirky, buggy or undesirable behaviors, including old encryption algorithms, as in this case. Hence, quirks mode was turned off in ACC 19.12.
This entailed a change in the encryption algorithm used by the class in the System.Security.Cryptography.Pkcs.dll assembly that creates PKCS7 packets. The resulting packet is not recognized by the NDES server if that server is not using the AES algorithm, causing certificate generation to fail.
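
To confirm which content-encryption algorithm a given PKCS7 envelope actually names (the NDES error above is the server refusing an envelope it cannot decrypt), the following added diagnostic, which is not part of this article or of the ACC or NDES products, walks the DER structure of the blob and reports the content-encryption OIDs it finds. The two sample envelopes are constructed AlgorithmIdentifier fragments; in practice you would pass the raw bytes of the captured pkcs7 message.

```python
# Standard CMS OIDs for the content-encryption algorithms involved in this issue.
CONTENT_ENCRYPTION_OIDS = {
    "1.2.840.113549.3.7": "des-ede3-cbc",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}

def _tlv(tag, body):
    """Build one DER TLV (short-form length only; enough for the constructed samples)."""
    return bytes([tag, len(body)]) + body

def _read_length(data, pos):
    """Decode a DER length at data[pos]; return (length, index of first content byte)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_oid(body):
    """Turn OBJECT IDENTIFIER contents into dotted-decimal form."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:            # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def collect_oids(data):
    """Walk every DER TLV, recursing into constructed ones, and return the OIDs found."""
    oids, pos = [], 0
    while pos < len(data):
        tag = data[pos]
        length, pos = _read_length(data, pos + 1)
        body = data[pos:pos + length]
        if tag == 0x06:             # OBJECT IDENTIFIER
            oids.append(decode_oid(body))
        elif tag & 0x20:            # constructed: SEQUENCE, SET, [n] EXPLICIT, ...
            oids.extend(collect_oids(body))
        pos += length
    return oids

def content_encryption_algorithms(der):
    """Names of the known content-encryption algorithms present anywhere in the blob."""
    return [CONTENT_ENCRYPTION_OIDS[o] for o in collect_oids(der) if o in CONTENT_ENCRYPTION_OIDS]

# Constructed samples (not captured traffic): AlgorithmIdentifier ::= SEQUENCE { OID, OCTET STRING iv }
AES256_SAMPLE = _tlv(0x30, _tlv(0x06, bytes.fromhex("60864801650304012a")) + _tlv(0x04, b"\x11" * 16))
TDES_SAMPLE = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d0307")) + _tlv(0x04, b"\x22" * 8))
```

An envelope produced by ACC 19.12 or later should report aes256-CBC; an NDES server that only handles des-ede3-cbc will reject it with the BadMessageCheck failure shown above.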

Impact / Risks

If ACC is on 19.12 or above and the NDES server is not using the AES algorithm, the SCEP certificate will fail to generate on the NDES server; as a result, profiles containing this SCEP certificate will fail to deliver to the device.

Resolution

AES is a standard algorithm that is enforced for security reasons. If you are running into this issue, you need to switch the NDES server over to the AES algorithm. Please contact Microsoft support for configuration, settings or support questions about AES encryption with NDES.
