lord_hydrax

Mac Enrollment Issue


Here's my EnrollmentService.log:


[3, PID:7248][05/02/2013 16:13:45] :EnrollmentService application start ...
[7, PID:7248][05/02/2013 16:13:47] :WindowsIdentity is created for domain: [Domain] user: [user]
[7, PID:7248][05/02/2013 16:13:47] :validated user credentials
[7, PID:7248][05/02/2013 16:13:47] :Handling RequestSecurityToken
[7, PID:7248][05/02/2013 16:13:47] :claim identity name: [Domain\User]
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777217
[7, PID:7248][05/02/2013 16:13:47] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:
[7, PID:7248][05/02/2013 16:13:47] :Template: CM12ClientCert
[7, PID:7248][05/02/2013 16:13:47] :CA: System.Collections.Generic.List`1[system.String]
[7, PID:7248][05/02/2013 16:13:47] :The CA [CA] is in forest [Domain]
[7, PID:7248][05/02/2013 16:13:47] :Impersonating caller: [user]
[7, PID:7248][05/02/2013 16:13:47] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: CA Chains count: 1
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Subject name: [...]
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Issuer Name: [...]
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: CA Chains 1 thumprint: [...]
[7, PID:7248][05/02/2013 16:13:47] :ConfigManager: Got root CA hash: [...]
[7, PID:7248][05/02/2013 16:13:47] :Impersonating caller: [Domain\User]
[7, PID:7248][05/02/2013 16:13:48] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: Start
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: exiting state: Start, Result: Succeed
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: AuthenticationApproved
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: exiting state: AuthenticationApproved, Result: Failover
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: CertNotInADAccount
[7, PID:7248][05/02/2013 16:13:48] :Impersonating caller: [Domain\User]
[7, PID:7248][05/02/2013 16:13:48] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:7248][05/02/2013 16:13:48] :CALayer: Sending CA failure status - ENROLLSRVMSG_CA_FAILURE
[7, PID:7248][05/02/2013 16:13:48] :CALayer: SubmitRequest CA: [CA] Errormessage: Denied by Policy Module 2 ErrorCode: 2
[7, PID:7248][05/02/2013 16:13:48] :Only one CA is specified in profile. Failed to enroll with the specified CA: [CA]
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed
[7, PID:7248][05/02/2013 16:13:48] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: Submitting cert request and issuing cert failed
   at Microsoft.ConfigurationManagement.Enrollment.CALayer.SubmitRequest(EnrollmentRequestState enrollRequest)
   at Microsoft.ConfigurationManagement.Enrollment.EnrollmentRequestController.Execute()
   at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
   at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
   at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
[7, PID:7248][05/02/2013 16:13:48] :FaultCode is: CertificateRequest and reason is: Failed certificate operations FailedToIssueCert


Hey Jay, can you also post the log from the Mac OS X side? Also, can you give me a little background on your environment, such as PKI, SCCM, and firewalls? Template: CM12ClientCert, is that the template used to enroll Macs? Make sure the account you are using has access to enroll.


Something else I ran into during enrollment is that my system didn't prompt for the user password (as TechNet indicates it should). It just passes the sudo password to the enrollment server. This causes an error 500 if the sudo password for the Mac doesn't match the domain password of the user account being used for enrollment.


I have a similar issue to this.

 

Have any of you looked for failed requests on the Certificate Authority?

 

My EnrollmentService log entries look the same as those already listed, including:

  • "Errormessage: Denied by Policy Module 2 ErrorCode: 2"
  • "Enrollment exception Error Code:FailedToIssueCert Message: Submitting cert request and issuing cert failed"

But when I go to the Certificate Authority I can find more detail: when I open the Certificate Authority MMC and look under "Failed Requests", I can see the request that came from the Mac, and the Request Status Code says:

  • "The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377)"

So I know what the problem is, but I'm still unsure about how to fix it.

 

The Mac I'm using is joined to my domain and the computer account in Active Directory has "DNS name" specified with the correct FQDN for the Mac.

 

I can right click the failed request and use the All Tasks menu to select the View Attributes/Extensions... option to see the details of the request. Unlike the Windows workstation requests it does not contain:

  • Tag=cdc Value=[FQDN of a domain controller]
  • Tag=rmd Value=[FQDN of the requesting computer]
  • Tag=ccm Value=[FQDN of the requesting computer]

I believe the answer may be to take some sort of action that would result in at least one of these attributes being submitted with the certificate request.

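Added example (not code from any poster in this thread): a small Python triage helper for the EnrollmentService.log format quoted above. It follows the EnrollmentRequestController state transitions, pulls out the CA's "Denied by Policy Module" verdict (which, as the post above notes, only tells you to go look at the CA's Failed Requests), and converts a CA Request Status Code between the hex and signed-decimal forms the console shows (0x8009480f / -2146875377). The regexes and the sample lines are constructed from the excerpts in this thread.

```python
import re

# Line shape of the EnrollmentService.log excerpts in this thread (constructed regex)
LINE_RE = re.compile(r"^\[(?P<level>\d+), PID:(?P<pid>\d+)\]\[(?P<ts>[^\]]+)\] :(?P<msg>.*)$")
STATE_RE = re.compile(r"EnrollmentRequestController: exiting state: (?P<state>\w+), Result: (?P<result>\w+)")
CA_ERR_RE = re.compile(r"CALayer: SubmitRequest CA: (?P<ca>\S+) Errormessage: (?P<err>.*?) ErrorCode: (?P<code>\d+)")


def parse_line(line):
    """Split one log line into level, pid, timestamp and message; None if it is not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Walk the controller's state transitions and pull out the CA's verdict."""
    report = {"transitions": [], "ca_error": None, "hint": None}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        s = STATE_RE.search(rec["msg"])
        if s:
            report["transitions"].append((s["state"], s["result"]))
        c = CA_ERR_RE.search(rec["msg"])
        if c:
            report["ca_error"] = {"ca": c["ca"], "message": c["err"], "code": int(c["code"])}
    err = report["ca_error"]
    if err and err["message"].startswith("Denied by Policy Module"):
        # The enrollment service only relays the policy module's refusal; the actual
        # reason is recorded on the CA under Failed Requests as the Request Status Code.
        report["hint"] = "policy module denied the request; check the CA's Failed Requests for the status code"
    return report


def hresult_to_signed(code):
    """Render an HRESULT as the signed 32-bit value the CA console prints beside the hex form."""
    return code - (1 << 32) if code & 0x80000000 else code


# Constructed excerpt mirroring the lines posted in this thread
SAMPLE = """\
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: exiting state: Start, Result: Succeed
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: exiting state: AuthenticationApproved, Result: Failover
[7, PID:7248][05/02/2013 16:13:48] :EnrollmentRequestController: entering State: CertNotInADAccount
[7, PID:7248][05/02/2013 16:13:48] :CALayer: SubmitRequest CA: [CA] Errormessage: Denied by Policy Module 2 ErrorCode: 2
""".splitlines()

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["transitions"], r["ca_error"], r["hint"])
    print(hex(0x8009480F), hresult_to_signed(0x8009480F))
```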

I know this is an old thread, but I came across this issue this week. What resolved my issue was modifying the default client settings.

 

Site Configuration -> Client Settings -> properties of Default Settings -> Enrollment -> configure the user settings (Allow users to enroll mobile devices and Mac computers = Yes) and set the profile.

 

Now my client is communicating properly.

