spgsitsupport Posted August 22, 2015

Need to enroll Mac (Mavericks) clients on SCCM 2012 R2 SP1

Configured whole environment as per:
http://www.jamesbannanit.com/2012/10/enrol-mac-os-x-clients-in-configuration-manager-2012-sp1/
and/or
http://blogs.technet.com/b/systemcenterpfe/archive/2014/10/04/step-by-step-guide-to-setting-up-system-center-2012-r2-configuration-manager-to-support-management-and-installation-of-the-configmgr-client-on-mac-osx-computers.aspx

Reinstalled Enrollment Roles, still only getting:

Component SMS_ENROLL_SERVER on computer sccmserver.local reported: Enrollment Point Control Manager detected that the Enrollment Point is not responding to HTTP/HTTPS requests. The http status code and text is 500, Internal Server Error.
Possible cause: Internet Information Services (IIS) isn't configured to listen on the ports over which Enroll Service is configured to communicate.
Solution: Verify that the designated Web Site is configured to use the same ports which ENROLLSRV is configured to use.
Possible cause: The designated Web Site is disabled in IIS.
Solution: Verify that the designated Web Site is enabled, and functioning properly.
For more information, refer to Microsoft Knowledge Base.

(does NOT specify which one!?)

Which obviously results on the client with:

System Center Configuration Manager Client for Mac OS X
Version: 5.00.7958.1102
Copyright 2013 Microsoft Corporation
Contacting Server: https://sccmserver.local/EnrollmentServer/DeviceEnrollmentWebService.svc
Using username: **********
SSL Connection failed. HTTP Response code is 500 and reason is Internal Server Error
Unknown Error from server
------------------------------------------------

I can access https://sccmserver.local/EnrollmentServer/DeviceEnrollmentWebService.svc just fine and get:

This is a Windows© Communication Foundation service.
Metadata publishing for this service is currently disabled.

Anybody has any ideas?

Seb

NickolajA Posted August 23, 2015

How did you enroll the SSL certificate? Did you follow the guide on TechNet for creating a certificate template? Have a look at this:

Deploying the Web Server Certificate for Site Systems that Run IIS
https://technet.microsoft.com/en-us/library/gg682023.aspx?f=255&MSPPError=-2147217396#BKMK_clientdistributionpoint2008_cm2012

What SAN (Subject Alternative Names as DNS) did you include?

Regards,

spgsitsupport Posted August 23, 2015

Well, I did follow this (as it seems to be the most current by version):
https://technet.microsoft.com/en-us/library/Gg699362.aspx

"... the Subject Name OR Subject Alternative Name must contain the Internet fully qualified domain name (FQDN)...."

So I have NO SAN, but subject name contains FQDN (of the SCCM server on local network, I do NOT have it on internet)

Seb

NickolajA Posted August 23, 2015

Even though it states an Internet FQDN, you'll have to configure that for the Site System role. You could simply just trick it to believe that it's on the internet by adding e.g. externalEP.yourdomain.com on the Site System role. Whatever you enter, you'll have to configure the certificate to include both the internal and external FQDNs.

Let's say that you have your Enrollment Point installed on a server called EP01. In your internal DNS zone, configure the following:

internalEP.yourdomain.com --> EP01.yourdomain.com
externalEP.yourdomain.com --> EP01.yourdomain.com

Then add both the FQDNs above as SANs in your certificate.

Regards,

spgsitsupport Posted August 23, 2015

Site System role is configured for the very FQDN already, but I am to change it to "external" address i.e. sccm.domain.com

"...In your internal DNS zone, configure the following..."

Is that as CNAME?

sccm.domain.com --> sccmserver.local

Done above, issued webserver certificate which has BOTH DNS in SAN:

sccm.domain.com
sccmserver.local

Can access webserver via https:// using both names (of course certificate shows OK) but still get error:

On 23/08/2015 19:25:05, component SMS_ENROLL_SERVER on computer sccmserver.local reported: Enrollment Point Control Manager detected that the Enrollment Point is not responding to HTTP/HTTPS requests. The http status code and text is 500, Internal Server Error.

If I try to login to https://sccm.domain.com/EnrolmentService I get:

Server Error in '/EnrollmentService' Application.
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. You might not have permission to view the requested resources.
Error message 401.3: You do not have permission to view this directory or page using the credentials you supplied (access denied due to Access Control Lists). Ask the Web server's administrator to give you access to 'C:\Program Files\SMS_CCM\EnrollmentPoint'.

which means that obviously it is listening on this address!

I can also access https://sccm.domain.com/EnrollmentServer/enroll.htm:

Enterprise Enrollment
To enroll your phone and connect to your company network, select from the following list of supported devices:
Windows Mobile 6.1, 6.5
Nokia Symbian Belle

In error log I also have error from System.ServiceModel 4.0.0.0 (attached):

WebHost failed to process a request.

WebHost failed to process a request.txt

NickolajA Posted August 24, 2015

Yes, CNAME.

I've seen that error sometimes when some of the Windows Features were not installed. Please run my ConfigMgr Prerequisites Tool 1.4.1 to let it enumerate through the features to see if all the required ones have been installed.

Regards,

spgsitsupport Posted August 24, 2015

Did run it, it added few bits, rebooted the server & I am back at the very same point:

On 24/08/2015 18:03:33, component SMS_ENROLL_SERVER on computer sccmserver.local reported: Enrollment Point Control Manager detected that the Enrollment Point is not responding to HTTP/HTTPS requests. The http status code and text is 500, Internal Server Error.
Possible cause: Internet Information Services (IIS) isn't configured to listen on the ports over which Enroll Service is configured to communicate.
Solution: Verify that the designated Web Site is configured to use the same ports which ENROLLSRV is configured to use.
Possible cause: The designated Web Site is disabled in IIS.
Solution: Verify that the designated Web Site is enabled, and functioning properly.
For more information, refer to Microsoft Knowledge Base.

spgsitsupport Posted August 26, 2015

OK, so I decided to re-check all my steps.

http://blogs.technet.com/b/smartinez/archive/2012/10/19/sys-ctr-2012-configmgr-mobile-device-installation.aspx

and specifically:

https://technet.microsoft.com/en-us/library/gg699362.aspx

Site systems that run Internet Information Services (IIS) and that are configured for HTTPS client connections:
Server authentication
Web Server
Enhanced Key Usage value must contain Server Authentication (1.3.6.1.5.5.7.3.1)

AND

This certificate must reside in the Personal store in the Computer certificate store.

That was my "error". I moved the certificate to Web Hosting store. Which obviously caused the issue on this one role.

Once moved back to Personal store, all is good.

Works now & can enroll my Mac clients

Seb
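
The certificate requirements quoted in the last post (Server Authentication EKU, FQDNs in the subject or SAN, certificate in the computer's Personal store) can be checked on the site system server with PowerShell. This is an added example, not part of the thread or of any Microsoft tool; it assumes PowerShell 4.0 or later, and the default names are the thread's placeholder FQDNs.

```powershell
# Added example: find the site system's web server certificate and check it
# against the requirements quoted in the thread. Requires PowerShell 4.0+.
param(
    # Placeholder FQDNs taken from the thread; replace with your own.
    [string[]]$ExpectedNames = @('sccm.domain.com', 'sccmserver.local')
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$stores = [ordered]@{ My = 'Personal'; WebHosting = 'Web Hosting' }

$report = foreach ($store in $stores.Keys) {
    $path = "Cert:\LocalMachine\$store"
    if (-not (Test-Path $path)) { continue }    # store may not exist on this OS

    foreach ($cert in Get-ChildItem -Path $path) {
        # DnsNameList is built from the subject name and the SAN DNS entries.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $covered = @($ExpectedNames | Where-Object { $names -contains $_ })
        if ($covered.Count -eq 0) { continue }  # not a certificate for this server

        # Collect the OIDs from the Enhanced Key Usage extension, if present.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        [pscustomobject]@{
            Store         = $stores[$store]
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Expires       = $cert.NotAfter
            InPersonal    = ($store -eq 'My')
            ServerAuthEku = ($ekuOids -contains $serverAuthOid)
            HasPrivateKey = $cert.HasPrivateKey
            MissingNames  = @($ExpectedNames | Where-Object { $names -notcontains $_ }) -join ', '
        }
    }
}

if (-not $report) {
    Write-Warning "No certificate covering $($ExpectedNames -join ', ') found in Personal or Web Hosting."
} else {
    $report | Format-List
    if (-not ($report | Where-Object { $_.InPersonal -and $_.ServerAuthEku -and $_.HasPrivateKey })) {
        Write-Warning 'No usable certificate in the Personal store; the quoted requirement is that it resides there.'
    }
}
```

Run it in an elevated session on the server hosting the enrollment roles; a certificate reported only under "Web Hosting" matches the situation described in the final post.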