lord_hydrax Posted February 1, 2013

Hello,

Having some trouble enrolling my first Mac device with SCCM 2012 SP1. I have installed the client and am trying to use the CMEnroll Tool with no success. Command I am using is this:

CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u "domain\username"

and on the client I receive the error:

Server connection failed. http response code is 500 and reason is internal server error.

On the server in the EnrollmentServer.log I receive this error:

[6, PID:5748][02/01/2013 13:48:35] :WindowsIdentity is created for domain: domain user: username
[6, PID:5748][02/01/2013 13:48:35] :validated user credentials
[6, PID:5748][02/01/2013 13:48:35] :Handling RequestSecurityToken
[6, PID:5748][02/01/2013 13:48:35] :claim identity name: domain\username
[6, PID:5748][02/01/2013 13:48:35] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777220
[6, PID:5748][02/01/2013 13:48:35] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:
[6, PID:5748][02/01/2013 13:48:35] :Template: ConfigMgrMacClientCertificate
[6, PID:5748][02/01/2013 13:48:35] :CA: System.Collections.Generic.List`1[system.String]
[6, PID:5748][02/01/2013 13:48:35] :The CA server.domain is in forest cac.local
[6, PID:5748][02/01/2013 13:48:35] :Impersonating caller: domain\username
[6, PID:5748][02/01/2013 13:48:35] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[6, PID:5748][02/01/2013 13:48:35] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: CA Chains count: 2
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;
[6,PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error:RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
[6,PID:5748][02/01/2013 13:48:50]:Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException:RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
   at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
   at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
   at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
   at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
   at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
   at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
[6, PID:5748][02/01/2013 13:48:50] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed

Any ideas?

Oneone Posted February 1, 2013

What version of OSX are you trying to deploy the client to?

lord_hydrax Posted February 4, 2013

That would be 10.6.

Skyhawk12 Posted February 15, 2013

I found the solution to this issue. You need a separate certificate just for Macs and assign that certificate under Client settings/Enrollment/set profile/

http://technet.microsoft.com/en-us/library/gg682023.aspx

lord_hydrax Posted February 17, 2013

Yes the guides I followed are here:

http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012
http://www.jamesbannanit.com/2012/10/enrol-mac-os-x-clients-in-configuration-manager-2012-sp1/

I completed this and am stuck at step five of James Bannan's guide.

lord_hydrax Posted February 18, 2013

Found a page on turning CRL checking on for the Mac:

http://securityskeptic.typepad.com/the-security-skeptic/2011/04/mac-users-listen-up-enable-certificate-checking.html

Didn't help but seemed like something I needed to do.

Skyhawk12 Posted February 19, 2013

What part of step five are you stuck on? Need a little more detail.

Skyhawk12 Posted February 19, 2013

When you created the Mac certificate, did you add the user name you're using to enroll the Mac?

lord_hydrax Posted February 20, 2013

Oh I could've been clearer there, I mean step five of the section Mac Client Installation and Enrollment.

5. Next, navigate to the Tools folder in Terminal where the CMEnroll utility is, and enter the following: “sudo ./CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u ‘DOMAIN\Username’” where DOMAIN\Username is an account which is authorised to enrol the Mac certificate;

So I run that and get the errors I posted to begin with.

In answer to your other question, yes I include an account in the command, which is a part of a security group which has enrol permissions on the certificate template.

jdmiller Posted March 4, 2013

Can you describe more about how your PKI environment is set up? It sounds like the problem may be with your issuing CA.
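
Added example, not part of the thread and not Microsoft's code: a Python triage of the EnrollmentServer.log excerpt from the first post. It splits the run-together entries and reports whether each ChainStatus error carries only the flags that mean revocation data could not be obtained (RevocationStatusUnknown, OfflineRevocation) rather than a flag saying the chain itself is invalid. The sample text is constructed from that excerpt, and the function and field names are assumptions.

```python
import re

# Constructed sample: a few entries shaped like the EnrollmentServer.log
# excerpt in the first post, run together without newlines as on the page.
SAMPLE = (
    "[6, PID:5748][02/01/2013 13:48:35] :Impersonating caller: domain\\username"
    "[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: CA Chains count: 2"
    "[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: "
    "RevocationStatusUnknown,Unknown error.;"
    "[6,PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error:"
    "RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;"
    "[6, PID:5748][02/01/2013 13:48:50] :FaultCode is: EnrollmentServer and "
    "reason is: EnrollmentServerException InitializeFailed"
)

# Entry prefix as seen in the excerpt: [thread, PID:n][MM/DD/YYYY HH:MM:SS] :
ENTRY = re.compile(r"\[\d+,\s*PID:\d+\]\[(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\]\s*:")
# .NET X509ChainStatusFlags names meaning revocation data was not available.
REVOCATION_UNAVAILABLE = {"RevocationStatusUnknown", "OfflineRevocation"}

def split_entries(text):
    """Split a log blob into (timestamp, message) pairs, newlines or not."""
    marks = list(ENTRY.finditer(text))
    out = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        out.append((m.group(1), text[m.end():end].strip()))
    return out

def chain_status_flags(message):
    """Flag names from a 'ChainStatus error: Flag,info;Flag,info;' message."""
    _, sep, rest = message.partition("ChainStatus error:")
    if not sep:
        return []
    return [p.split(",", 1)[0].strip() for p in rest.split(";") if p.strip()]

def triage(text):
    """One finding per ChainStatus entry; revocation_only is True when every
    flag is a revocation-unavailable flag (CRL/OCSP fetch problem)."""
    findings = []
    for ts, msg in split_entries(text):
        flags = chain_status_flags(msg)
        if flags:
            findings.append({"time": ts, "flags": flags,
                             "revocation_only": set(flags) <= REVOCATION_UNAVAILABLE})
    return findings
```

A finding with `revocation_only` set to True points the investigation at whether the enrollment server can retrieve the CRLs published by the CA chain, which fits the question about the issuing CA above.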