lord_hydrax

Mac Enrollment Issue

We have a root CA which is turned off all the time, then there is an intermediate which issues certificates. So, including the client's authentication cert, there would be three certificates total in the chain.

 

I've installed the root and intermediate on the Mac manually, which I believe was required. I tried manually importing a client cert (which I am sure I shouldn't need to do), but that made no difference.

 

Let me know if you need any more info.


Hi lord_hydrax,

 

I am currently experiencing the same issues within my SCCM 2012 SP1 environment. Were you able to resolve your issues at all?

 

I have a support case open with Microsoft regarding this; they have remoted in, collected a bunch of logs and double-checked my PKI set-up and SCCM config.

 

Same set-up as you: offline root CA with an enterprise issuing CA. All Windows clients are happily using PKI.

 

All appears to be textbook. I believe they are setting up a lab to try and re-create it and have escalated it to the product team for resolution.

 

I will keep you posted when I receive an answer from them.

 

Regards

 

Matthew


Hi All,

Just an Update:

 

I have resolved the issues with my set-up.

 

I had not correctly set up CDP and AIA on my offline root CA. Hence, when trying to enroll the Mac, it couldn't access the revocation list for the certificates.

Once I had published the CRL to the correct location in my domain, Mac enrollment was successful.

 

Hope this helps.

 

Regards

 

Matthew


I am having issues as well in my production environment.

When we run sudo ./CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u 'DOMAIN\Username', the Mac reports:

Server connection failed. HTTP Response code is 500 and reason is Internal Server Error

Please help; management is down my back and our consultant gave up on it... fail.

 


I can't get the damn Macs to enroll. Here is my EnrollmentService.log:

 

[7, PID:9300][04/23/2013 10:49:06] :WindowsIdentity is created for domain: pbcc.edu user: munroep-2
[7, PID:9300][04/23/2013 10:49:06] :validated user credentials
[7, PID:9300][04/23/2013 10:49:06] :Handling RequestSecurityToken
[7, PID:9300][04/23/2013 10:49:06] :claim identity name: PBCC_ADMIN1\munroep-2
[7, PID:9300][04/23/2013 10:49:06] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777218
[7, PID:9300][04/23/2013 10:49:06] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:
[7, PID:9300][04/23/2013 10:49:06] :Template: ConfigMgrMacClientCertificate
[7, PID:9300][04/23/2013 10:49:06] :CA: System.Collections.Generic.List`1[system.String]
[7, PID:9300][04/23/2013 10:49:27] :Failed to find which forest the CA SUBCA1.pbcc.edu is in. DMP assignment will skip consider forest data
[7, PID:9300][04/23/2013 10:49:27] :Impersonating caller: PBCC_ADMIN1\munroep-2
[7, PID:9300][04/23/2013 10:49:27] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:9300][04/23/2013 10:49:27] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: CA Chains count: 2
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Subject name: CN=pbcc-SUBCA1-CA, DC=pbcc, DC=edu
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Issuer Name: CN=pbcc-ROOTCA1-CA, DC=pbcc, DC=edu
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: CA Chains 2 thumprint: D7E9B1CDCE8B2429F9D09A7563D88C4478C3E933
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Subject name: CN=pbcc-ROOTCA1-CA, DC=pbcc, DC=edu
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Issuer Name: CN=pbcc-ROOTCA1-CA, DC=pbcc, DC=edu
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: CA Chains 1 thumprint: 5C44A6725714F486F8ED4007924E9CB4785A3114
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Got root CA hash: 5C44A6725714F486F8ED4007924E9CB4785A3114
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Got CA chain hash: D7E9B1CDCE8B2429F9D09A7563D88C4478C3E933
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: CAStoreXML:
<characteristic type="CA">
<characteristic type="System">

<characteristic type="D7E9B1CDCE8B2429F9D09A7563D88C4478C3E933">
<parm name="EncodedCertificate" value="..." />
</characteristic>

</characteristic>
</characteristic>
[7, PID:9300][04/23/2013 10:49:42] :Impersonating caller: PBCC_ADMIN1\munroep-2
[7, PID:9300][04/23/2013 10:49:42] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:9300][04/23/2013 10:49:42] :FaultCode is: MessageFormat and reason is: ArgumentException: Value cannot be null.
Parameter name: name

 

I am also including the log from the Mac, the CCMClient.log:

 

<![LOG[

System Center Configuration Manager Client for Mac OS X

CCMClient Daemon

Version: 5.00.7804.1202

Copyright Microsoft Corporation

 

]LOG]!><time="11:12:09.293+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="OMADMClient.mm:45">

<![LOG[RunClient]LOG]!><time="11:12:09.397+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="CCMClientProcessor.mm:225">

<![LOG[CFLocalServer: Starting up (pid: 59).

]LOG]!><time="11:12:09.397+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="CCMClientProcessor.mm:125">

<![LOG[Failed to Fetch last Install message. Nothing to cleanup]LOG]!><time="11:12:09.431+004" date="04-23-2013" component="Default" context="" type="1" thread="2954985472" file="InstallServiceThread.mm:44">

<![LOG[RunThread() ]LOG]!><time="11:12:09.433+004" date="04-23-2013" component="Default" context="" type="1" thread="2956050432" file="OMADMServiceThread.mm:254">

<![LOG[PreferencesService RunThread()]LOG]!><time="11:12:09.433+004" date="04-23-2013" component="Default" context="" type="1" thread="2957115392" file="PreferencesThread.mm:42">

<![LOG[No Preferences found for Key - 'SwJobCleanupInterval', Domain - 'com.microsoft.ccmclient'.]LOG]!><time="11:12:09.437+004" date="04-23-2013" component="Default" context="" type="1" thread="2954985472" file="OSXUtilities.mm:456">

<![LOG[No Preferences found for Key - 'MP', Domain - 'com.microsoft.ccmclient'.]LOG]!><time="11:12:09.442+004" date="04-23-2013" component="Default" context="" type="1" thread="2956050432" file="OSXUtilities.mm:456">

<![LOG[Error: No Server selected for MP connection. Perhaps the client is not enrolled correctly .

]LOG]!><time="11:12:09.442+004" date="04-23-2013" component="Default" context="" type="3" thread="2956050432" file="OMADMServiceThread.mm:116">

<![LOG[OMA : Sending Notification to UI : <CCMClientNotification><Sender>Service</Sender><Name></Name><Id></Id><Type>CCM_OMA</Type><State>Error</State><Data>-2147467259</Data><Description></Description><RebootRequired></RebootRequired><Time></Time></CCMClientNotification>]LOG]!><time="11:12:09.442+004" date="04-23-2013" component="Default" context="" type="1" thread="2956050432" file="OMADMService.mm:271">

<![LOG[CCMClient - Broadcasting Msg to UI : <CCMClientNotification><Sender>Service</Sender><Name></Name><Id></Id><Type>CCM_OMA</Type><State>Error</State><Data>-2147467259</Data><Description></Description><RebootRequired></RebootRequired><Time></Time></CCMClientNotification>]LOG]!><time="11:12:09.443+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="NotificationProcessor.mm:65">

<![LOG[002386C0: Listen

]LOG]!><time="11:14:31.594+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="SocketServer.mm:645">

<![LOG[ClientGotSpace: Client 002386C0 lifted write-side flow control.

]LOG]!><time="11:14:31.594+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="SocketServer.mm:557">

<![LOG[002386C0: Client Sent : "<CCMClientNotification><Sender>Agent</Sender><Name>munroep-2</Name><Id>1772840664</Id><Type>CCM_User</Type><State>Initiate</State><Data>UserLogin</Data><Description>1743903037</Description><RebootRequired></RebootRequired><Time></Time></CCMClientNotification>"

]LOG]!><time="11:14:31.660+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="SocketServer.mm:748">

<![LOG[CCMClient - ProcessUIMessage. Msg : <CCMClientNotification><Sender>Agent</Sender><Name>munroep-2</Name><Id>1772840664</Id><Type>CCM_User</Type><State>Initiate</State><Data>UserLogin</Data><Description>1743903037</Description><RebootRequired></RebootRequired><Time></Time></CCMClientNotification>]LOG]!><time="11:14:31.660+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="NotificationProcessor.mm:31">

<![LOG[OMADMService - ProcessNotification() ]LOG]!><time="11:14:31.661+004" date="04-23-2013" component="Default" context="" type="1" thread="2956050432" file="OMADMServiceThread.mm:315">

<![LOG[PreferencesService - ProcessNotification() ]LOG]!><time="11:14:31.661+004" date="04-23-2013" component="Default" context="" type="1" thread="2957115392" file="PreferencesThread.mm:63">

<![LOG[Failed to Fetch last Install message. Nothing to send back to user agent]LOG]!><time="11:14:31.661+004" date="04-23-2013" component="Default" context="" type="1" thread="2954985472" file="InstallServiceThread.mm:225">


FYI I am still experiencing this issue in my company.

 

I haven't had the time to work on it in a while, but Microsoft advised manually importing the certificate and referencing it during the installation.

 

It would go something like this:

 

1. Import a client auth certificate and give it a subject name that is exactly the same as the Mac machine name (so choose the option to prompt for the subject name).

2. Install the client using the following command: sudo ./ccmsetup -MP <management point Internet FQDN> -SubjectName <certificate subject value>

 

And you have to make sure "Allow all applications to access this item" is selected for the certificate imported in the Mac's Keychain.

 

Hopefully I can try this soon and I'll post back in here with how it goes.
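Two of the checks in this thread can be reproduced offline: Matthew's finding that the chain cannot be validated with revocation checking until the root CA's CRL is published where its CDP points, and Paul's step of making sure the imported client certificate's subject CN matches the Mac's name before passing it to ccmsetup -SubjectName. The script below is an added example, not code from this thread, from Microsoft or from the CM client; it uses only the openssl command line, builds its own throwaway root CA, issuing CA and client certificate with made-up names (demo-ROOTCA-CA, demo-SUBCA-CA, demo-mac-client), and stands a local CRL file in for the CDP that a real client would fetch over HTTP or LDAP.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway
# offline-root -> issuing-CA -> client-cert hierarchy with openssl, then show
# (1) that chain validation with revocation checking fails while the root CA's
# CRL is unavailable and passes once it is, and (2) how to read the client
# certificate's subject CN back for comparison with the Mac's name.
set -e

# Create the whole hierarchy plus one (empty) CRL per CA inside $1.
build_demo_pki() {
  dir="$1"
  mkdir -p "$dir"
  cd "$dir"

  # Offline root CA: self-signed. All names are made up for the demo.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=demo-ROOTCA-CA" -keyout root.key -out root.crt 2>/dev/null

  # Issuing CA, signed by the root. It must carry CA:TRUE and cRLSign,
  # otherwise 'openssl verify' will not accept it as an intermediate.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=demo-SUBCA-CA" -keyout sub.key -out sub.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > sub_ext.cnf
  openssl x509 -req -sha256 -days 1825 -in sub.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile sub_ext.cnf -out sub.crt 2>/dev/null

  # Client authentication certificate issued by the intermediate.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=demo-mac-client" -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in client.csr -CA sub.crt -CAkey sub.key \
    -CAcreateserial -out client.crt 2>/dev/null

  # Minimal 'openssl ca' configuration: an empty database is enough to issue
  # a CRL that revokes nothing. One CRL per CA, as each CA's CDP would serve.
  printf '[ ca ]\ndefault_ca = crl_ca\n[ crl_ca ]\ndatabase = index.txt\ncrlnumber = crlnumber\ndefault_md = sha256\n' \
    > crl.cnf
  : > index.txt
  echo 1000 > crlnumber
  openssl ca -config crl.cnf -gencrl -crldays 30 \
    -keyfile root.key -cert root.crt -out root.crl 2>/dev/null
  openssl ca -config crl.cnf -gencrl -crldays 30 \
    -keyfile sub.key -cert sub.crt -out sub.crl 2>/dev/null
  cd - >/dev/null
}

# Validate client.crt up to root.crt, checking revocation for every certificate
# below the trust anchor (-crl_check_all), which is what a client that
# insists on CRL access does. $2 is a PEM file with the CRLs the verifier is
# allowed to see (possibly none). Prints "ok" or "fail".
verify_with_crls() {
  dir="$1"; crlfile="$2"
  crlopt=""
  if [ -s "$crlfile" ]; then crlopt="-CRLfile $crlfile"; fi
  if openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/sub.crt" \
       -crl_check_all $crlopt "$dir/client.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Read the subject CN out of a certificate, for comparison with the Mac's
# computer name before running ccmsetup -SubjectName.
cert_subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -e 's/^subject=//' -e 's/^CN=//' -e 's/,.*$//'
}

# Stand-alone run: the three CRL situations side by side, then the CN.
WORK="$(mktemp -d)"
build_demo_pki "$WORK"
cat "$WORK/root.crl" "$WORK/sub.crl" > "$WORK/both.crl"
echo "no CRL at all:          $(verify_with_crls "$WORK" /dev/null)"          # fail
echo "issuing-CA CRL only:    $(verify_with_crls "$WORK" "$WORK/sub.crl")"  # fail (root CRL missing)
echo "root + issuing-CA CRLs: $(verify_with_crls "$WORK" "$WORK/both.crl")" # ok
echo "client cert subject CN: $(cert_subject_cn "$WORK/client.crt")"         # demo-mac-client
```

The middle case is the one Matthew hit: the issuing CA's own CRL is fine, but the certificate of the issuing CA is itself subject to revocation checking against the root CA's CRL, so an unreachable root CDP breaks the whole chain even though every Windows client with a cached CRL keeps working. Against a real deployment, replace the local CRL file with the URLs printed by openssl x509 -noout -ext crlDistributionPoints on the issuing CA's certificate and confirm each one is fetchable from the Mac.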


Paul, can you post details about the firewall changes you had to make? My IT department here is segmented such that I don't have direct access to the firewall on the CA, so I want to send them a ticket with instructions. Thanks.

