lord_hydrax Posted March 4, 2013
We have a Root CA which is turned off all the time, then there is an intermediate which issues certificates. So including the Client's authentication cert there would be three certificates total in the chain. I've installed the root and intermediate on the Mac manually which I believe was required. I tried manually importing a client cert (which I am sure I shouldn't need to do) but that made no difference. Let me know if you need any more info.
jdmiller Posted March 4, 2013
Do you have any errors or warnings listed in the Enterprise PKI snap-in on your intermediate CA (or any server in the domain for that matter)? Also does your environment pass these checks?
lord_hydrax Posted March 5, 2013
Seems like there are a few errors due to the Root CA being turned off, intermediate seems OK though. I've never used this tool before so it's going to take a while to work out if there are any actual problems.
woodsieau Posted April 10, 2013
Hi lord_hydrax, I am currently experiencing the same issues within my SCCM 2012 SP1 environment. Were you able to resolve your issues at all? I have a support case open with Microsoft regarding this who have remoted in and collected a bunch of logs and double checked on my PKI set-up and SCCM config. Same set-up as you, offline root CA with Enterprise issuing CA. All Windows clients are happily using PKI. All appears to be text book. I believe they are setting up a LAB to try and re-create and have escalated it to the product team for resolution. I will keep you posted when I receive an answer from them.
Regards
Matthew
woodsieau Posted April 15, 2013
Hi All, just an update: I have resolved the issues with my set-up. I had not correctly set up CDP and AIA on my offline Root CA. Hence when trying to enroll the Mac it couldn't access the revocation list for the certificates. Once I had published the CRL to the correct location in my domain, Mac enrollment was successful. Hope this helps.
Regards
Matthew
PaulDASYSADMIN Posted April 23, 2013
I am having issues as well in my production environment. When we run

sudo ./CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u 'DOMAIN\Username'

the Mac reports:

Server connection failed. HTTP Response code is 500 and reason is Internal Server Error

Please help, management is down my back and our consultant gave up on it....fail. I can't get the damn Macs to enroll. Here is my EnrollmentService.log:

[7, PID:9300][04/23/2013 10:49:06] :WindowsIdentity is created for domain: pbcc.edu user: munroep-2
[7, PID:9300][04/23/2013 10:49:06] :validated user credentials
[7, PID:9300][04/23/2013 10:49:06] :Handling RequestSecurityToken
[7, PID:9300][04/23/2013 10:49:06] :claim identity name: PBCC_ADMIN1\munroep-2
[7, PID:9300][04/23/2013 10:49:06] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777218
[7, PID:9300][04/23/2013 10:49:06] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:
[7, PID:9300][04/23/2013 10:49:06] :Template: ConfigMgrMacClientCertificate
[7, PID:9300][04/23/2013 10:49:06] :CA: System.Collections.Generic.List`1[system.String]
[7, PID:9300][04/23/2013 10:49:27] :Failed to find which forest the CA SUBCA1.pbcc.edu is in. DMP assignment will skip consider forest data
[7, PID:9300][04/23/2013 10:49:27] :Impersonating caller: PBCC_ADMIN1\munroep-2
[7, PID:9300][04/23/2013 10:49:27] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:9300][04/23/2013 10:49:27] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: CA Chains count: 2
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Subject name: CN=pbcc-SUBCA1-CA, DC=pbcc, DC=edu
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Issuer Name: CN=pbcc-ROOTCA1-CA, DC=pbcc, DC=edu
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: CA Chains 2 thumprint: D7E9B1CDCE8B2429F9D09A7563D88C4478C3E933
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Subject name: CN=pbcc-ROOTCA1-CA, DC=pbcc, DC=edu
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Issuer Name: CN=pbcc-ROOTCA1-CA, DC=pbcc, DC=edu
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: CA Chains 1 thumprint: 5C44A6725714F486F8ED4007924E9CB4785A3114
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Got root CA hash: 5C44A6725714F486F8ED4007924E9CB4785A3114
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: Got CA chain hash: D7E9B1CDCE8B2429F9D09A7563D88C4478C3E933
[7, PID:9300][04/23/2013 10:49:42] :ConfigManager: CAStoreXML: <characteristic type="CA"> <characteristic type="System"> <characteristic type="D7E9B1CDCE8B2429F9D09A7563D88C4478C3E933"> <parm name="EncodedCertificate" value="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" /> </characteristic> </characteristic> </characteristic>
[7, PID:9300][04/23/2013 10:49:42] :Impersonating caller: PBCC_ADMIN1\munroep-2
[7, PID:9300][04/23/2013 10:49:42] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[7, PID:9300][04/23/2013 10:49:42] :FaultCode is: MessageFormat and reason is: ArgumentException: Value cannot be null.Parameter name: name

I am also including the log from the Mac, the CCMClient.log:

<![LOG[ System Center Configuration Manager Client for Mac OS X CCMClient Daemon Version: 5.00.7804.1202 Copyright Microsoft Corporation ]LOG]!><time="11:12:09.293+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="OMADMClient.mm:45">
<![LOG[RunClient]LOG]!><time="11:12:09.397+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="CCMClientProcessor.mm:225">
<![LOG[CFLocalServer: Starting up (pid: 59). ]LOG]!><time="11:12:09.397+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="CCMClientProcessor.mm:125">
<![LOG[Failed to Fetch last Install message. Nothing to cleanup]LOG]!><time="11:12:09.431+004" date="04-23-2013" component="Default" context="" type="1" thread="2954985472" file="InstallServiceThread.mm:44">
<![LOG[RunThread() ]LOG]!><time="11:12:09.433+004" date="04-23-2013" component="Default" context="" type="1" thread="2956050432" file="OMADMServiceThread.mm:254">
<![LOG[PreferencesService RunThread()]LOG]!><time="11:12:09.433+004" date="04-23-2013" component="Default" context="" type="1" thread="2957115392" file="PreferencesThread.mm:42">
<![LOG[No Preferences found for Key - 'SwJobCleanupInterval', Domain - 'com.microsoft.ccmclient'.]LOG]!><time="11:12:09.437+004" date="04-23-2013" component="Default" context="" type="1" thread="2954985472" file="OSXUtilities.mm:456">
<![LOG[No Preferences found for Key - 'MP', Domain - 'com.microsoft.ccmclient'.]LOG]!><time="11:12:09.442+004" date="04-23-2013" component="Default" context="" type="1" thread="2956050432" file="OSXUtilities.mm:456">
<![LOG[Error: No Server selected for MP connection. Perhaps the client is not enrolled correctly . ]LOG]!><time="11:12:09.442+004" date="04-23-2013" component="Default" context="" type="3" thread="2956050432" file="OMADMServiceThread.mm:116">
<![LOG[OMA : Sending Notification to UI : <CCMClientNotification><Sender>Service</Sender><Name></Name><Id></Id><Type>CCM_OMA</Type><State>Error</State><Data>-2147467259</Data><Description></Description><RebootRequired></RebootRequired><Time></Time></CCMClientNotification>]LOG]!><time="11:12:09.442+004" date="04-23-2013" component="Default" context="" type="1" thread="2956050432" file="OMADMService.mm:271">
<![LOG[CCMClient - Broadcasting Msg to UI : <CCMClientNotification><Sender>Service</Sender><Name></Name><Id></Id><Type>CCM_OMA</Type><State>Error</State><Data>-2147467259</Data><Description></Description><RebootRequired></RebootRequired><Time></Time></CCMClientNotification>]LOG]!><time="11:12:09.443+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="NotificationProcessor.mm:65">
<![LOG[002386C0: Listen ]LOG]!><time="11:14:31.594+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="SocketServer.mm:645">
<![LOG[ClientGotSpace: Client 002386C0 lifted write-side flow control. ]LOG]!><time="11:14:31.594+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="SocketServer.mm:557">
<![LOG[002386C0: Client Sent : "<CCMClientNotification><Sender>Agent</Sender><Name>munroep-2</Name><Id>1772840664</Id><Type>CCM_User</Type><State>Initiate</State><Data>UserLogin</Data><Description>1743903037</Description><RebootRequired></RebootRequired><Time></Time></CCMClientNotification>" ]LOG]!><time="11:14:31.660+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="SocketServer.mm:748">
<![LOG[CCMClient - ProcessUIMessage. Msg : <CCMClientNotification><Sender>Agent</Sender><Name>munroep-2</Name><Id>1772840664</Id><Type>CCM_User</Type><State>Initiate</State><Data>UserLogin</Data><Description>1743903037</Description><RebootRequired></RebootRequired><Time></Time></CCMClientNotification>]LOG]!><time="11:14:31.660+004" date="04-23-2013" component="Default" context="" type="1" thread="2894170664" file="NotificationProcessor.mm:31">
<![LOG[OMADMService - ProcessNotification() ]LOG]!><time="11:14:31.661+004" date="04-23-2013" component="Default" context="" type="1" thread="2956050432" file="OMADMServiceThread.mm:315">
<![LOG[PreferencesService - ProcessNotification() ]LOG]!><time="11:14:31.661+004" date="04-23-2013" component="Default" context="" type="1" thread="2957115392" file="PreferencesThread.mm:63">
<![LOG[Failed to Fetch last Install message. Nothing to send back to user agent]LOG]!><time="11:14:31.661+004" date="04-23-2013" component="Default" context="" type="1" thread="2954985472" file="InstallServiceThread.mm:225">
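To triage a CCMClient.log like the one posted above, here is an added Python example (an editor's addition, not code from this thread or from Microsoft) that parses CMTrace-format entries and pulls out the type="3" error entries; the sample lines are constructed from the entry shapes in that log, with messages shortened.

```python
import re

# Constructed sample in the CMTrace format used by CCMClient.log; the entry
# shapes follow the log posted above, with messages shortened.
SAMPLE_LOG = (
    '<![LOG[RunClient]LOG]!><time="11:12:09.397+004" date="04-23-2013" '
    'component="Default" context="" type="1" thread="2894170664" file="CCMClientProcessor.mm:225">\n'
    '<![LOG[Error: No Server selected for MP connection. Perhaps the client is not enrolled correctly .\n'
    ']LOG]!><time="11:12:09.442+004" date="04-23-2013" component="Default" context="" type="3" '
    'thread="2956050432" file="OMADMServiceThread.mm:116">\n'
    '<![LOG[Failed to Fetch last Install message. Nothing to cleanup]LOG]!><time="11:12:09.431+004" '
    'date="04-23-2013" component="Default" context="" type="1" thread="2954985472" file="InstallServiceThread.mm:44">\n'
)

# One CMTrace entry: <![LOG[message]LOG]!><time=".." date=".." ...attrs...>.
# DOTALL lets a message that spans lines (as the error above does) match.
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"(?P<attrs>[^>]*)>',
    re.DOTALL,
)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
SEVERITY = {"1": "info", "2": "warning", "3": "error"}  # CMTrace "type" values


def parse_cmtrace(text):
    """Return each CMTrace entry as a dict with normalised fields."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(m.group("attrs")))
        entries.append({
            "time": m.group("time"),
            "date": m.group("date"),
            "component": attrs.get("component", ""),
            "severity": SEVERITY.get(attrs.get("type", ""), "unknown"),
            "file": attrs.get("file", ""),
            # collapse the newlines CMTrace allows inside a message
            "message": " ".join(m.group("msg").split()),
        })
    return entries


def errors(entries):
    """Only the type="3" entries: the first thing to read when enrollment fails."""
    return [e for e in entries if e["severity"] == "error"]


if __name__ == "__main__":
    for e in errors(parse_cmtrace(SAMPLE_LOG)):
        print(f'{e["date"]} {e["time"]} [{e["file"]}] {e["message"]}')
```

On a real file, read its contents and pass them to parse_cmtrace; in the log above the only error-severity entry is the "No Server selected for MP connection" line, which is the Mac-side symptom of the failed enrollment.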
lord_hydrax Posted May 1, 2013
FYI I am still experiencing this issue in my company. I haven't had the time to work on it in a while, but Microsoft advised manually importing the certificate and referencing it during the installation. It would go something like this:
1. Import a Client Auth Certificate and give it a Subject Name that is exactly the same as the Mac machine name. (So choose the option to prompt for subject name.)
2. Install the client using the following command:
sudo ./ccmsetup -MP <management point Internet FQDN> -SubjectName <certificate subject value>
And you have to make sure "Allow all applications to access this item" is selected for the certificate imported in the Mac's Keychain. Hopefully I can try this soon and I'll post back in here with how it goes.
PaulDASYSADMIN Posted May 2, 2013
I resolved my issue. It turned out to be the firewall blocking SMB traffic from the MP and the subCA.
j1745 Posted May 2, 2013
Paul, can you post details about the firewall changes you had to make? My IT department here is segmented such that I don't have direct access to the firewall on the CA, so I want to send them a ticket with instructions. Thanks.
PaulDASYSADMIN Posted May 2, 2013
Post your log bro.