The Certificate Connector for Microsoft Intune throws the error message "ArgumentException: String cannot be of zero length" during configuration.

Assume the following scenario:

  • An NDES server has been set up for use with Microsoft Intune.
  • The configuration of the Intune Certificate Connector cannot be completed because the following error message is thrown:
Error in Microsoft Intune Certificate Connector configuration. No changes were made to feature or proxy settings.
Unexpected error: System.ArgumentException: The string cannot have a length of 0 (zero).
Parameter name: name
  for System.Security.Principal.NTAccount.ctor(String name)

Cause and solution

The error appears at the end of the Certificate Connector installation and occurs only if the "SCEP" option was selected during configuration.

Tests have shown that Intune for NDES not is usable with the IIS application pool identity, but absolutely requires a domain account for the "SCEP" IIS application pool identity.

Fits this, that Group Managed Service Accounts (gMSA) are also not supported:

While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration.

The solution is therefore the Configuring NDES to use a domain account.

Related links:

External sources

One thought on “Der Certificate Connector für Microsoft Intune wirft bei der Konfiguration die Fehlermeldung „ArgumentException: String cannot be of zero length“”

Comments are closed.