ISE MDM integration with Azure/Intune

AshleyLewis27
Level 1

Hello,

I am trying to get our ISE 2.1 clean install to speak to our Azure/Intune App.

I have followed the following guides with no luck:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01000.html

https://docs.microsoft.com/en-us/intune/deploy-use/restrict-access-to-networks

However I try and work it I get the following error:

Connection to server failed with:

Failed to acquire auth token from Azure AD. There is a problem with the Azure certificates or ISE trust store.
Please try with different settings.

I can see on the firewall the ISE making a 443 connection out when I run the test.

ISE 2.1 has the Baltimore root CA as standard

Has anyone got this working that can be more specific on the "self signed" ISE certificate as there is no information on if it needs to be "Used By" a specific function to work or not.

Also the guides don't seem to indicate exactly what the "Token Audience" should be and the default one cannot be resolved (https://api.manage.microsoft.com) but I am not sure if this matters.

Many thanks for any assistance.

Ash


12 Replies

Hello Ashley,

I'm having the same issue; did you ever get this fixed ? Hereunder the steps I took:

- exported the default self-signed certificate from ISE (.pem file)
- changed the ".pem" extension to ".cer"
- removed begin and end certificate in the text
- ran the PowerShell script to get thumbprint, value & keyid
- created the Azure Application with permissions for Graph and Intune (documented in the link above)
- downloaded the manifest and updated with cert values
- uploaded the manifest without errors

ISE already contains the Baltimore root certificate, but I get the following error when configuring MDM:

Failed to acquire auth token from Azure AD. Error validating credentials. Client assertion contains an invalid signature. [Reason - The key was not found.,

Thanks a lot for any help.

Iliass

Hi Iliass,

No luck yet no.

I am going to set it up again and then raise a case with Microsoft to get the Azure/Intune side of it checked out as I am not convinced I have done everything I need to do there, and at least it will rule it out.

Out of interest what do you use for the "Token Audience" on the ISE, do you leave it as the default "https://api.manage.microsoft.com/" as I cant see that this actually resolves...

Cheers,

Ash

Hi Ash,

I use the url "https://api.manage.microsoft.com/" as documented in the doc. As you pointed out this doesn't resolve.

I'll do the setup again and if I find something I'll let you know.

Cheers,

Iliass

Hello Ash,

I finally managed to get it working; the network admin exported the wrong certificate from ISE. When trying to connect, I received the error:

Failed to acquire auth token from Azure AD. Error validating credentials. Client assertion contains an invalid signature. [Reason - The key was not found., Thumbprint of key used by client: 'AC33728EAE517ECCE7CE49298538F8E66F1C5CAD', Configured keys: [Key0:Start=09/21/2016, End=09/21/2017, Thumbprint=7DF7384D87FDB62123310C1DAE2A95635016513A;]] Check if either ISE certificates not being uploaded or problem with certificates already uploaded to App on Azure AD

In ISE we then checked every certificate's thumbprint to find the match, and there we realised we had exported the wrong one. After exporting the correct cert and importing it into Azure, the ISE config went fine. Now I have to add the second ISE server's certificate into the KeyCredentials table as we have a cluster of 2 ISE nodes.

Hope it helps.

Kind regards,

Iliass
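The thumbprint comparison Iliass describes (and the "get thumbprint, value & keyid" step earlier in the thread) can be done without hand-editing the PEM file. The script below is an added example for this thread, not code from the thread, Cisco or Microsoft. It assumes the Azure manifest `keyCredentials` layout (`customKeyIdentifier`, `keyId`, `type`, `usage`, `value`) and uses a constructed placeholder in place of a real ISE export; `SAMPLE_ERROR` is the message quoted in the post above, including the line wrap the thumbprint picked up when it was pasted.

```python
"""Added example (not from the thread, Cisco or Microsoft): derive the values
the Azure app manifest needs from an ISE certificate export and compare the
locally computed thumbprint with the thumbprints Azure reports in the
'Client assertion contains an invalid signature' error."""
import base64
import hashlib
import json
import re
import uuid


def pem_to_der(pem_text: str) -> bytes:
    """Drop the BEGIN/END lines and whitespace from a PEM export and decode the
    base64 body to DER (the manual 'remove begin and end' step, done safely)."""
    body = "".join(
        line.strip()
        for line in pem_text.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the form Azure prints."""
    return hashlib.sha1(der).hexdigest().upper()


def key_credential(der: bytes, key_id=None) -> dict:
    """One keyCredentials entry for the application manifest: the base64
    thumbprint as customKeyIdentifier, the base64 DER as value."""
    digest = hashlib.sha1(der).digest()
    return {
        "customKeyIdentifier": base64.b64encode(digest).decode("ascii"),
        "keyId": str(key_id or uuid.uuid4()),
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "value": base64.b64encode(der).decode("ascii"),
    }


USED_RE = re.compile(r"Thumbprint of key used by client: '([0-9A-Fa-f]+)'")
CONFIGURED_RE = re.compile(r"Thumbprint=([0-9A-Fa-f\s]+?)(?=[;\]])")


def parse_azure_error(message: str) -> dict:
    """Extract the thumbprint ISE signed with and the thumbprints configured on
    the app. Whitespace inside a value is removed: pasted text often wraps."""
    used = USED_RE.search(message)
    configured = [re.sub(r"\s+", "", m).upper() for m in CONFIGURED_RE.findall(message)]
    return {"used": used.group(1).upper() if used else None, "configured": configured}


def diagnose(local_der: bytes, message: str) -> str:
    """Say which side is wrong: the certificate you exported, or the upload."""
    local = thumbprint(local_der)
    parsed = parse_azure_error(message)
    if parsed["used"] and local != parsed["used"]:
        # ISE signs the client assertion with a different certificate than the
        # one in hand: the wrong certificate was exported from ISE.
        return "exported-cert-mismatch"
    if local in parsed["configured"]:
        return "match"
    # ISE signs with this certificate but Azure does not know it yet.
    return "not-uploaded"


# Constructed placeholder standing in for the ISE PEM export: the body is the
# base64 of b"abc", NOT a certificate. Paste a real export from the ISE admin UI
# in its place; every function above works unchanged on real DER.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# The error quoted in the thread, with the wrapped thumbprint left as pasted.
SAMPLE_ERROR = """Failed to acquire auth token from Azure AD. Error validating credentials. \
Client assertion contains an invalid signature. [Reason - The key was not found., \
Thumbprint of key used by client: 'AC33728EAE517ECCE7CE49298538F8E66F1C5CAD', \
Configured keys: [Key0:Start=09/21/2016, End=09/21/2017, Thumbprint=7DF7384D87FDB62123310C1DAE2A9563
5016513A;]] Check if either ISE certificates not being uploaded or problem with certificates already uploaded to App on Azure AD"""

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("thumbprint:", thumbprint(der))
    print(json.dumps(key_credential(der), indent=2))
    print("diagnosis:", diagnose(der, SAMPLE_ERROR))
```

Run it against each certificate on every ISE node that can become the PAN; `exported-cert-mismatch` means ISE is signing with a certificate other than the one you have in hand, `not-uploaded` means the right certificate simply is not in `keyCredentials` yet.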

That's good to hear :) I'm still trying to figure this one out.

Out of interest did you have anything more than I have below in the microsoft portal dashboard quick view:

Active Directory - Microsoft Azure

quick glance

Application type: Web application
Publisher: Company
URL: https://random.url.com

Application Role Assignments

Microsoft Graph: Read directory data
Microsoft Intune API: Get device state and compliance information from Microsoft Intune

OAuth 2.0 Permission Grants

Microsoft Graph: Access user's data anytime; Sign users in
Windows Azure Active Directory: Sign in and read user profile

Thanks,
Ash

Hello,

Which certificate from ISE did you use?

The documentation mentions the default self-signed. But I have a dedicated certificate for ADMIN, and I guess I need to use that one. Right?

Should I also give Azure the root and sub which validate my certificate?

Thanks.

Hi,

All the personas were on the same server? Or you are using a large network deployment?

If it is a large deployment, are you using the certificate from your PSNs or PANs?


Thanks.

tmatzeu12,

Did you ever get an answer to your certificate question when using a CA assigned cert for admin? This is not clear in the documentation I have found so far. Docs found so far always say default self-signed certificate. Any help is greatly appreciated.

Update for others... You do use the PAN certificate for Admin role whether it's CA assigned or self-signed. Documentation is not clear on this. Wildcard certs work as well. Even though I had the CyberTrust root cert in trusted certs, I had to go to the Auto Discovery URL via web browser and get the Microsoft CA cert and add it to trusted certs (Microsoft IT TLS CA 1).

AshleyLewis27
Level 1

So I got this working in the end:

I did a packet capture and saw that Azure was responding from the following URL:

https://stamp2.login.microsoftonline.com/


This was using a Symantec certificate unlike the pages the documentation states to get the certificates from (Digicert).

The ISE needed the chain to trust it and once I installed this it started working.

Also as Iliass states you need to use the default self signed not create a new one or you get a thumbprint error also.

So the documentation is not ideal but got there in the end.
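Ash found the fix by capturing traffic and seeing which chain the Azure endpoint actually presents. The same check can be made from the chain summary that `openssl s_client -showcerts` prints, without a packet capture. The script below is an added example for this thread, not code from the thread, Cisco or Microsoft: the sample output and the issuer names in it are constructed placeholders (only the host name comes from the post), and `missing_trust_anchor` compares distinguished names as strings rather than verifying signatures.

```python
"""Added example, not from the thread: read the chain summary printed by
`openssl s_client -showcerts` for the token endpoint and report which CA
has to be present in (or imported into) the ISE trusted certificates store
before ISE will accept the TLS connection."""
import re

# Constructed sample in the layout openssl prints. The leaf name matches the
# host seen in the thread's capture; the issuer names are placeholders, not
# the real chain served by Microsoft.
SAMPLE_SCLIENT = """\
CONNECTED(00000003)
Certificate chain
 0 s:CN = stamp2.login.microsoftonline.com
   i:C = US, O = Example CA Org, CN = Example Secure Server CA
 1 s:C = US, O = Example CA Org, CN = Example Secure Server CA
   i:C = US, O = Example CA Org, CN = Example Global Root CA
---
Server certificate
"""

CHAIN_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject>"
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")          # "   i:<issuer>"


def _norm(dn: str) -> str:
    """Case-insensitive, whitespace-insensitive DN comparison key."""
    return re.sub(r"\s+", "", dn).lower()


def parse_chain(output: str):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in output.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def missing_trust_anchor(chain, trusted_subjects):
    """Walk the served chain leaf-first. Return None as soon as an issuer is
    already a subject in the trust store; otherwise return the DN of the CA
    that must be added (the first issuer the server did not send, normally
    the root, or the self-signed root if the server sent it)."""
    trusted = {_norm(s) for s in trusted_subjects}
    served = {_norm(s) for s, _ in chain}
    for _, issuer in chain:
        if _norm(issuer) in trusted:
            return None
        if _norm(issuer) not in served:
            return issuer
    return chain[-1][1] if chain else None


if __name__ == "__main__":
    # Constructed stand-in for the subjects in the ISE trusted-certificates list.
    ise_trust_store = ["CN = Baltimore CyberTrust Root, OU = CyberTrust, O = Baltimore, C = IE"]
    chain = parse_chain(SAMPLE_SCLIENT)
    for subject, issuer in chain:
        print(f"subject: {subject}\n  issued by: {issuer}")
    need = missing_trust_anchor(chain, ise_trust_store)
    print("chain anchored in trust store" if need is None else f"import into ISE trust store: {need}")
```

To use it against the real endpoint, feed the script the output of `openssl s_client -connect login.microsoftonline.com:443 -servername login.microsoftonline.com -showcerts </dev/null` and list the subjects from the ISE trusted-certificates page as `ise_trust_store`; note that trust-store entries in ISE also need the right "Trust for" usage ticked, which a name comparison cannot check.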

MatthewShaw4644
Level 1

I know this thread is old, but we ran into the same issue... two tips that helped us:

1 - I loaded the ISE admin certs from all the nodes that would potentially become a PAN. In our case it was a public cert and root. It was no trouble adding multiples to the Azure manifest file.

2 - We had gotten stuck on the URL being graph.microsoft.net/<tenantID>. The correct one in 2019 is graph.windows.net/<tenantID>. The Microsoft support people had this wrong, but a TAC engineer suggested the change and it worked.

antonioaugusto
Level 1

Hi Ash,

I did all the steps to integrate ISE 2.7 with Intune, but I had the same message "MDM Server API error
Connection Failed to the MDM server: There is a problem with the server Certificates or ISE trust store." I exported the "Default Self-Signed server certificate (EAP Auth, Admin, Portal, RADIUS DTLS)", I set all the steps in Intune, but it didn't work. I saw that in the Token Audience field the URL "https://api.manage.microsoft.com/" does not resolve in DNS, is that right? Is there another step that should be done that is not present in any tutorial?

Best Regards!
