j1745 Posted May 3, 2013

Here's my EnrollmentService.log:

[3, PID:7248][05/02/2013 16:13:45] :EnrollmentService application start ...
[7, PID:7248][05/02/2013 16:13:47] :WindowsIdentity is created for domain: [Domain] user: [user]
[7, PID:7248][05/02/2013 16:13:47] :validated user credentials
[7, PID:7248][05/02/2013 16:13:47] :Handling RequestSecurityToken
[7, PID:7248][05/02/2013 16:13:47] :claim identity name: [Domain\User]
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777217
[7, PID:7248][05/02/2013 16:13:47] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:
[7, PID:7248][05/02/2013 16:13:47] :Template: CM12ClientCert
[7, PID:7248][05/02/2013 16:13:47] :CA: System.Collections.Generic.List`1[system.String]
[7, PID:7248][05/02/2013 16:13:47] :The CA [CA] is in forest [Domain]
[7, PID:7248][05/02/2013 16:13:47] :Impersonating caller: [user]
[7, PID:7248][05/02/2013 16:13:47] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: CA Chains count: 1
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Subject name: [...]
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Issuer Name: [...]
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: CA Chains 1 thumprint: [...]
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Got root CA hash: [...]
[7, PID:7248][05/02/2013 16:13:47] :Impersonating caller: [Domain\User]
[7, PID:7248][05/02/2013 16:13:48] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: Start
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: exiting state: Start, Result: Succeed
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: AuthenticationApproved
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: exiting state: AuthenticationApproved, Result: Failover
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: CertNotInADAccount
[7, PID:7248][05/02/2013 16:13:48] :Impersonating caller: [Domain\User]
[7, PID:7248][05/02/2013 16:13:48] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:7248][05/02/2013 16:13:48] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
[7, PID:7248][05/02/2013 16:13:48] :CALayer: SubmitRequest CA: [CA] Errormessage: Denied by Policy Module 2 ErrorCode: 2
[7, PID:7248][05/02/2013 16:13:48] :Only one CA is specified in profile. Failed to enroll with the specified CA: [CA]
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
[7, PID:7248][05/02/2013 16:13:48] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
   at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest)
   at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute()
   at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
   at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
   at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
[7, PID:7248][05/02/2013 16:13:48] :FaultCode is: CertificateRequest and reason is: Failed certificate operations FailedToIssueCert
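The log above is easier to triage once the controller's state transitions and the CA's verdict are pulled out of the noise. The following is an added example, not code from the thread or from Configuration Manager: a small Python parser for the EnrollmentService.log line layout shown in the post ("[level, PID:n][date time] :message") that reports the state path, whether the CA chain was validated before the failure, and what the CA returned. The sample log embedded in it is a constructed subset modelled on the entries quoted above; the bracketed identifiers are placeholders.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the EnrollmentService.log entries quoted in the first post.
# Same line layout as the real log; [CA] and other bracketed values are placeholders.
SAMPLE_LOG = """\
[3, PID:7248][05/02/2013 16:13:45] :EnrollmentService application start ...
[7, PID:7248][05/02/2013 16:13:47] :validated user credentials
[7, PID:7248][05/02/2013 16:13:47] :Template: CM12ClientCert
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: Start
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: exiting state: Start, Result: Succeed
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: AuthenticationApproved
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: exiting state: AuthenticationApproved, Result: Failover
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: CertNotInADAccount
[7, PID:7248][05/02/2013 16:13:48] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
[7, PID:7248][05/02/2013 16:13:48] :CALayer: SubmitRequest CA: [CA] Errormessage: Denied by Policy Module 2 ErrorCode: 2
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
[7, PID:7248][05/02/2013 16:13:48] :FaultCode is: CertificateRequest and reason is: Failed certificate operations FailedToIssueCert
"""

# One log entry: "[level, PID:n][timestamp] :message"
ENTRY_RE = re.compile(r"^\[(?P<level>\d+), PID:(?P<pid>\d+)\]\[(?P<ts>[^\]]+)\] :(?P<msg>.*)$")
STATE_ENTER_RE = re.compile(r"EnrollmentRequestController: entering State: (?P<state>\w+)")
STATE_EXIT_RE = re.compile(r"EnrollmentRequestController: exiting state: (?P<state>\w+), Result: (?P<result>\w+)")
CA_ERR_RE = re.compile(r"CALayer: SubmitRequest CA: \[(?P<ca>[^\]]*)\] Errormessage: (?P<message>.*?) ErrorCode: (?P<code>\d+)")

Entry = namedtuple("Entry", "level pid ts msg")


def parse_entries(text):
    """Parse raw log text into Entry tuples; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m["level"]), int(m["pid"]), m["ts"], m["msg"]))
    return entries


def state_path(entries):
    """Return the controller's state transitions as (state, result) pairs.
    A state that was entered but never exited gets result None."""
    path = []
    for e in entries:
        m = STATE_ENTER_RE.search(e.msg)
        if m:
            path.append([m["state"], None])
            continue
        m = STATE_EXIT_RE.search(e.msg)
        if m and path and path[-1][0] == m["state"]:
            path[-1][1] = m["result"]
    return [tuple(p) for p in path]


def triage(text):
    """Summarise a failed enrollment: the template used, where the controller ended up,
    whether the CA chain was validated beforehand, and what the CA answered."""
    entries = parse_entries(text)
    path = state_path(entries)
    ca_error = None
    for e in entries:
        m = CA_ERR_RE.search(e.msg)
        if m:
            ca_error = {"ca": m["ca"], "message": m["message"], "code": int(m["code"])}
    return {
        "template": next((e.msg[len("Template: "):] for e in entries if e.msg.startswith("Template: ")), None),
        "path": path,
        "final_state": path[-1][0] if path else None,
        "ca_chain_validated": any("ENROLLSRVMSG_CA_SUCCESS" in e.msg for e in entries),
        "ca_error": ca_error,
        "failed": any("FailedToIssueCert" in e.msg for e in entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log file, the summary separates the two halves of the picture: the CA chain was fetched and validated successfully, and the request then failed over to CertNotInADAccount before the CA rejected it, which points at the CA's policy module rather than at the enrollment point's trust configuration.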
PaulDASYSADMIN Posted May 3, 2013

Hey Jay, can you also post the log from the Mac OS X? Also, can you give me a little background on your environment, such as PKI, SCCM, and firewalls? Template: CM12ClientCert: is that the template used to enroll Macs? Make sure the account you are using has access to enroll.
jwiswell Posted May 31, 2013

Something else I ran into during enrollment is that my system didn't prompt for the user password (as TechNet indicates it should). It just passes the sudo password to the enrollment server. This causes an error 500 if the sudo password for the Mac doesn't match the domain password of the user account being used for enrollment.
lord_hydrax Posted May 31, 2013

Even with the -u switch? That's very odd...
BondSC Posted June 19, 2013

I have a similar issue to this. Have any of you looked for failed requests on the Certificate Authority? My EnrollmentService log entries look the same as those already listed, including:

"Errormessage: Denied by Policy Module 2 ErrorCode: 2"
"Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed"

But when I go to the Certificate Authority I can find more detail: when I open the Certificate Authority mmc and look under "Failed Requests" I can see the request that came from the Mac, and the Request Status Code says:

"The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)"

So I know what the problem is, but I'm still unsure about how to fix it. The Mac I'm using is joined to my domain and the computer account in Active Directory has "DNS name" specified with the correct FQDN for the Mac.

I can right click the failed request and use the All Tasks menu to select the View Attributes/Extensions... option to see the details of the request. Unlike the Windows workstation requests, it does not contain:

Tag=cdc Value=[FQDN of a domain controller]
Tag=rmd Value=[FQDN of the requesting computer]
Tag=ccm Value=[FQDN of the requesting computer]

I believe the answer may be to take some sort of action that would result in at least one of these attributes being submitted with the certificate request.
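Two pieces of the post above can be checked mechanically: the Request Status Code the CA console prints, and the request attributes that differ between the Windows and Mac requests. The following is an added example, not code from the thread or from Certificate Services: it decodes an HRESULT into its severity, facility and code fields (showing why the console prints both 0x8009480f and -2146875377 for the same value), and it parses a "Tag=... Value=..." attribute dump and reports which of the cdc, rmd and ccm tags are absent. The symbolic name CERTSRV_E_SUBJECT_DNS_REQUIRED comes from winerror.h; the attribute dumps and hostnames embedded below are constructed placeholders, not values from the thread.

```python
import re

SEVERITY_BIT = 1 << 31  # set on every failure HRESULT, which is why the signed form is negative

# Facility numbers from winerror.h; only the two relevant to certificate-services errors.
FACILITY_NAMES = {0x0007: "FACILITY_WIN32", 0x0009: "FACILITY_SSPI"}

# The one certificate-services HRESULT quoted on this thread. Symbol from winerror.h,
# message text as the CA console shows it.
KNOWN_HRESULTS = {
    0x8009480F: ("CERTSRV_E_SUBJECT_DNS_REQUIRED",
                 "The DNS name is unavailable and cannot be added to the Subject Alternate name."),
}


def decode_hresult(value):
    """Split an HRESULT into severity, facility and code, and compute the signed 32-bit
    form that the CA console prints in parentheses next to the hex form."""
    value &= 0xFFFFFFFF
    failed = bool(value & SEVERITY_BIT)
    facility = (value >> 16) & 0x1FFF
    symbol, message = KNOWN_HRESULTS.get(value, (None, None))
    return {
        "hex": f"0x{value:08x}",
        "signed": value - (1 << 32) if failed else value,
        "failed": failed,
        "facility": FACILITY_NAMES.get(facility, f"facility {facility:#x}"),
        "code": value & 0xFFFF,
        "symbol": symbol,
        "message": message,
    }


def parse_status_code(text):
    """Pull the HRESULT out of a Request Status Code string such as
    '... 0x8009480f (-2146875377)'. Returns None when no hex code is present."""
    m = re.search(r"0x([0-9a-fA-F]{1,8})", text)
    return int(m.group(1), 16) if m else None


# Attributes BondSC reports on Windows workstation requests but not on the Mac request.
EXPECTED_TAGS = {"cdc", "rmd", "ccm"}


def parse_request_attributes(text):
    """Parse 'Tag=name Value=value' lines (as shown under View Attributes/Extensions) into a dict."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"Tag=(\w+)\s+Value=(\S.*)", text)}


def missing_tags(attrs, expected=EXPECTED_TAGS):
    """Return, sorted, the expected tags that the request does not carry."""
    return sorted(expected - set(attrs))


# Constructed attribute dumps for a Windows workstation request and a Mac request.
# Hostnames are placeholders, not values from the thread.
WINDOWS_REQUEST_ATTRS = """\
Tag=cdc Value=dc01.corp.example
Tag=rmd Value=ws-0042.corp.example
Tag=ccm Value=ws-0042.corp.example
"""
MAC_REQUEST_ATTRS = """\
Tag=CertificateTemplate Value=CM12ClientCert
"""

if __name__ == "__main__":
    status = ("The DNS name is unavailable and cannot be added to the Subject Alternate name. "
              "0x8009480f (-2146875377)")
    print(decode_hresult(parse_status_code(status)))
    print("Windows request missing:", missing_tags(parse_request_attributes(WINDOWS_REQUEST_ATTRS)))
    print("Mac request missing:", missing_tags(parse_request_attributes(MAC_REQUEST_ATTRS)))
```

The facility field (0x0009) tells you the code belongs to the security/certificate-services range rather than a generic Win32 error, and the signed form is simply the same 32-bit pattern read as two's complement, so the two numbers the console shows are one error, not two.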
nicoleallen5 Posted November 3, 2016

I know this is an old thread, but I came across this issue this week. What resolved my issue was modifying the default client settings: Site Configuration -> Client Settings -> go to the properties of Default Settings -> Enrollment -> configure the user settings (Allow users to enroll mobile devices and Mac computers = Yes) and set the profile. Now my client is communicating properly.