42 Replies. Latest reply: Jan 3, 2013 9:18 PM by Simon So
  • 30. Re: iPhone & certificate enrollment OTA via SCEP
    mikael janers Level 1 Level 1 (0 points)
    It works in my setup with win2008 and NDES.

    One important thing to change is the maximum query string length in IIS. The iPhone SCEP GET request is longer than the default maximum in IIS 7. I changed it to 4096 and then everything works.
  • 31. Re: iPhone & certificate enrollment OTA via SCEP
    emmanuel.aquino Level 1 Level 1 (0 points)
    I managed to set up a test environment and it's working fine now using OS 3.1.X, however whenever I try to use OS4 I get an error "A network error has occurred. The network connection was lost", has anybody tested the enrollment process using OS4?

    Thanks in advance...
  • 32. Re: iPhone & certificate enrollment OTA via SCEP
    CW1828 Level 1 Level 1 (0 points)
    I'm seeing the same exact behavior. When looking at the network traffic, it appears that OS4 isn't even attempting to send out a packet to enroll the certificate. If you look at the phone log, you'll see quite a bit of error logging that seems to originate with the line:

    "unknown lockdownd[18] <Error>: (0x403000) handle_connection: Could not receive internal message #3 from profiled. Killing connection"

    Anyone have any luck with this or have a possible workaround?
  • 33. Re: iPhone & certificate enrollment OTA via SCEP
    nulp Level 1 Level 1 (0 points)
    Hi, we were having the same problem. In our case it was caused by the GetCACaps operation, which is not supported on Microsoft; apparently iOS4 requires an answer from the CA/SCEP server, and if no answer is received it fails with the "Network connection lost." error.

    We posted all the info in our company's blog:
    http://www.ipointsystems.com/blog/?p=183

    Hope this helps you!
  • 34. Re: iPhone & certificate enrollment OTA via SCEP
    si.pki Level 1 Level 1 (0 points)
    Hey Matt.

    I am evaluating MobileIron now, and I cannot seem to get a client authentication certificate to my iPad. I can get a device-based certificate just fine, but that certificate type is not what works for us. What is the certificate type you are using? How are you using it? Do you use it as an authentication mechanism? Or are you using something else to authenticate instead of the certificate?

    If you don't feel comfortable disclosing your information on this forum, please feel free to email me or look me up. I work for KLA-Tencor.

    Thanks,
  • 35. Re: iPhone & certificate enrollment OTA via SCEP
    pik10 Level 1 Level 1 (0 points)
    I get this error:
    Profile Failed to Install
    The SCEP server configuration is not supported

    I use cisco ca in my setup. Any ideas?
  • 36. Re: iPhone & certificate enrollment OTA via SCEP
    Matholl Level 1 Level 1 (0 points)
    Hello All,

    To begin with, I've read your posts but I have difficulties understanding whether the use of SCEP is mandatory in my case.

    I'm trying to use the OTA mobileconfig to retrieve the UDID of users. I made a mobileconfig and I managed to install it on an iDevice, and after installing, it calls my PHP script back but with no data (in the GET, POST, FILES variables). Do I need to use SCEP to have data in this answer?

    I made a test with a custom mobileconfig script calling back "http://whatismyudid.com/device/enroll" and the data appears, so I think my mobileconfig file is working fine.

    Thanks

    Regards

  • 37. Re: iPhone & certificate enrollment OTA via SCEP
    ralfredom Level 1 Level 1 (0 points)
    Hi pik10,

    Were you able to fix the issue with the Cisco CA?

    I am assuming you have configured Cisco IOS PKI on a router, is this correct?

    Thanks

  • 38. Re: iPhone & certificate enrollment OTA via SCEP
    prichardson Level 1 Level 1 (0 points)
    Useful article on the Microsoft TechNet Blogs site about iPads / iPhones and talking to a Windows 2008 CA/NDES Server with SCEP.

    http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx

    Cheers

    Phil

  • 39. Re: iPhone & certificate enrollment OTA via SCEP
    Simon So Level 1 Level 1 (0 points)
    Hi all,

    Do you happen to know how to specify my configuration profile to bypass the GetCACaps?

        <key>SubjectAltName</key>
        <dict>
            <key>dNSName</key>
            <string>scepsrv.myorg.com</string>
        </dict>

        <key>GetCACaps</key>
        <dict>
            <array>
                <string>DES3</string>
                <string>SHA-1</string>
            </array>
        </dict>

    SubjectAltName has no problem.

    GetCACaps doesn't seem to work - my iPhone 5 thought the profile was invalid.

    But the doc seems to imply (without examples) that it is possible.

    http://developer.apple.com/library/ios/#featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html

    I am using Windows 2008 SP2 NDES. No patch for GetCACaps. Hence I have to work around by specifying the CA capability.

    Much appreciated!

  • 40. Re: iPhone & certificate enrollment OTA via SCEP
    prichardson Level 1 Level 1 (0 points)
    Any chance of using Windows 2008 R2?

    Only as there is a GetCACaps hotfix for it - http://support.microsoft.com/kb/2483564

  • 41. Re: iPhone & certificate enrollment OTA via SCEP
    Simon So Level 1 Level 1 (0 points)
    Thanks Mr. Richardson! Unfortunately we only had a Windows 2008 SP2 installation + SCEP.

    Getting everything set up on a totally different platform is a huge endeavor.

    Maybe I have to resort to Windows 2008 R2 after all.

  • 42. Re: iPhone & certificate enrollment OTA via SCEP
    Simon So Level 1 Level 1 (0 points)
    Finally solved my own problem.

    I am using Windows 2008 SP2 NDES, which does not have the GetCACaps hotfix like Windows 2008 R2.

    What I did: proxy all SCEP operations.

    In the case of GetCACaps, just hardcode the reply DES3 and SHA-1, such that the iPhone does not choke on Windows NDES's blank response.

    Everything else (GetCACert and PKIOperation), just proxy the call to Windows 2008 unchanged and set the appropriate Content-Type per spec.

    It was quite a journey, but well worth it.

    Also, all the advice on the web about the NDES setup is crucial, especially that when you change the settings on one instance (e.g. Domain Controller) and bounce it, you have to bounce the other NDES server too. I came to know this when things didn't work. Then I debugged the Event Logs in NDES.

    My advice to others: jscep helps one to understand what's going on behind the scenes, but it may not be practical for an actual production-grade deployment. Need to take SCEP admin maintenance into consideration.

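The workaround described in post 42 (and the failure mode nulp diagnosed in post 33) as an added example, not code from the thread or from any poster: a small SCEP front-end that answers GetCACaps itself with a fixed capability list, relays GetCACert and PKIOperation to NDES with the raw query string untouched, and sets the Content-Type the SCEP draft requires for each reply (text/plain for GetCACaps, application/x-x509-ca-cert or application/x-x509-ca-ra-cert for GetCACert depending on whether a single cert or a PKCS#7 chain came back, application/x-pki-message for PKIOperation). The NDES URL is a placeholder, and fake_ndes is a constructed stand-in that mimics an unpatched NDES returning an empty GetCACaps, so the module runs offline.

```python
"""SCEP front-end for an NDES that returns a blank GetCACaps.

Added example for this thread, not code from the posts. The upstream URL is
an assumed placeholder; fake_ndes below is a constructed stand-in, not NDES.
"""
import http.server
import urllib.parse
import urllib.request

NDES_URL = "http://ndes.example.com/certsrv/mscep/mscep.dll"  # assumed placeholder

# Capabilities announced on the CA's behalf. Claim only what the upstream
# really does: this NDES takes PKIOperation over GET and uses 3DES/SHA-1,
# so do not advertise POSTPKIOperation or SHA-256 here.
CA_CAPS = ("DES3", "SHA-1")

# DER encoding of OID 1.2.840.113549.1.7.2 (pkcs7-signedData)
SIGNED_DATA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"


def is_pkcs7_chain(body):
    """GetCACert may return one DER certificate or a degenerate PKCS#7 holding
    the CA and RA certs; the two need different Content-Types. In a PKCS#7
    ContentInfo the signedData OID follows the outer SEQUENCE header, so a
    prefix check tells them apart without an ASN.1 parser."""
    return SIGNED_DATA_OID in body[:20]


def relay(query):
    """Forward the raw query string to NDES unchanged (no re-encoding of the
    base64 message). Returns (status, content_type, body)."""
    req = urllib.request.Request(NDES_URL + "?" + query)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read()


def handle_scep(query, fetch=relay):
    """Dispatch one SCEP GET by its 'operation' parameter.
    Returns (status, content_type, body)."""
    params = urllib.parse.parse_qs(query, keep_blank_values=True)
    op = params.get("operation", [""])[0]
    if op == "GetCACaps":
        # Answered locally: iOS 4+ aborts with "network connection lost" when
        # this comes back empty. Per the SCEP draft: one capability per line.
        return 200, "text/plain", "\n".join(CA_CAPS).encode("ascii")
    if op == "GetCACert":
        status, _, body = fetch(query)
        if status != 200:
            return status, "text/plain", body
        ctype = ("application/x-x509-ca-ra-cert" if is_pkcs7_chain(body)
                 else "application/x-x509-ca-cert")
        return 200, ctype, body
    if op == "PKIOperation":
        # Still a GET: the base64 PKCS#7 rides in the query string, so the IIS
        # in front of NDES must still accept long query strings (post 30).
        status, _, body = fetch(query)
        if status != 200:
            return status, "text/plain", body
        return 200, "application/x-pki-message", body
    return 400, "text/plain", b"unsupported SCEP operation"


class ScepHandler(http.server.BaseHTTPRequestHandler):
    """Minimal HTTP front-end around handle_scep()."""

    def do_GET(self):
        query = urllib.parse.urlsplit(self.path).query
        status, ctype, body = handle_scep(query)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def fake_ndes(query):
    """Constructed stand-in for an unpatched NDES so the module runs offline:
    blank GetCACaps, a PKCS#7-shaped GetCACert body, an opaque PKIOperation
    reply. The bytes are shaped like DER but are not real certificates."""
    op = urllib.parse.parse_qs(query).get("operation", [""])[0]
    if op == "GetCACaps":
        return 200, "text/html", b""  # what unpatched NDES sends back
    if op == "GetCACert":
        return 200, "application/x-x509-ca-ra-cert", (
            b"\x30\x82\x00\x20" + SIGNED_DATA_OID + b"\xa0" * 21)
    if op == "PKIOperation":
        return 200, "application/x-pki-message", b"\x30\x05\x02\x03\x01\x02\x03"
    return 404, "text/html", b""


if __name__ == "__main__":
    for q in ("operation=GetCACaps&message=", "operation=GetCACert&message=",
              "operation=PKIOperation&message=MIIB", "operation=Bogus"):
        print(q.split("&")[0], handle_scep(q, fake_ndes)[:2])
    # To front a real NDES: replace fake_ndes with the default relay() and run
    # http.server.HTTPServer(("0.0.0.0", 8080), ScepHandler).serve_forever()
```

Two points worth keeping in mind if you deploy something like this: the capability list must describe what the upstream actually does, since advertising POSTPKIOperation or SHA-256 to a 2008 SP2 NDES would just move the failure one step later; and because PKIOperation still travels as a GET, the IIS hosting NDES needs the larger maxQueryString from post 30 regardless of the proxy in front of it.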