May 1, 2010 12:53 PM (in response to hamiljockey)
It works in my setup with win2008 and NDES.
One important thing to change is the maximum query string length in IIS. The iPhone SCEP GET request is longer than the default maximum in IIS 7. I changed it to 4096 and then everything works.
macbook, Mac OS X (10.6.3)
Jul 17, 2010 1:24 PM (in response to mikael janers)
I managed to set up a test environment and it's working fine now using OS 3.1.X; however, whenever I try to use OS4 I get an error "A network error has occurred. The network connection was lost". Has anybody tested the enrollment process using OS4?
Thanks in advance...
Jul 17, 2010 9:28 PM (in response to emmanuel.aquino)
I'm seeing the same exact behavior. When looking at the network traffic, it appears that OS4 isn't even attempting to send out a packet to enroll the certificate. If you look at the phone log, you'll see quite a bit of error logging that seems to originate with the line:
"unknown lockdownd <Error>: (0x403000) handle_connection: Could not receive internal message #3 from profiled. Killing connection"
Anyone have any luck with this or have a possible workaround?
iOS 4
Aug 2, 2010 10:29 AM (in response to CW1828)
Hi, we were having the same problem. In our case it was caused by the GetCACaps operation, which is not supported on Microsoft and for which, apparently, iOS4 requires an answer from the CA/SCEP server; if no answer is received it fails with the "Network connection lost." error.
We posted all the info in our company's blog:
Hope this helps you!
iMac 21", iOS 4
Aug 5, 2010 10:12 AM (in response to who.mobile)
Hey Matt.
I am evaluating MobileIron now, and I cannot seem to get a client authentication certificate to my iPad. I can get a device-based certificate just fine, but that certificate type is not what works for us. What is the certificate type you are using? How are you using it? Do you use it as an authentication mechanism? Or are you using something else to authenticate instead of the certificate?
If you don't feel comfortable disclosing your information on this forum, please feel free to email me or look me up. I work for KLA-Tencor.
Thanks,
iPad, iOS 4, MobileIron
May 31, 2011 2:37 AM (in response to pik10)
To begin with, I've read your post but I have difficulties understanding if the use of SCEP is mandatory in my case.
I'm trying to use the OTA mobileconfig to retrieve the UDID of users. I made a mobileconfig and I managed to install it on the iDevice, and after installing, it calls my PHP script back but with no data (in the GET, POST, Files variables). Do I need to use SCEP to have data in this answer?
I made a test with a custom mobileconfig script calling back "http://whatismyudid.com/device/enroll" and the data appears, so I think my mobileconfig file is working fine.
Sep 15, 2011 5:02 PM (in response to froowstie)
Useful article on the Microsoft TechNet Blogs site about iPads / iPhones and talking to a Windows 2008 CA/NDES Server with SCEP.
Jan 2, 2013 10:29 AM (in response to froowstie)
Do you happen to know how to specify my configuration profile to bypass the GetCACaps?
SubjectAltName has no problem.
GetCACaps doesn't seem to work - my iPhone 5 thought the profile was invalid.
But the doc seems to imply (without examples) that it is possible.
I am using Windows 2008 sp2 NDES. No patch for GetCACaps. Hence I have to work around by specifying the CACapability.
Jan 2, 2013 2:36 PM (in response to prichardson)
Thanks Mr. Richardson! Unfortunately we only had windows 2008 sp2 installation + SCEP.
Getting everything set up on a totally different platform is a huge endeavor.
Maybe I have to resort to Windows 2008 R2 after all.
Jan 3, 2013 9:18 PM (in response to Simon So)
Finally solved my own problem.
I am using Windows 2008 sp2 NDES, which does not have GetCACaps hot fix like Windows 2008 R2.
What I did: proxy all SCEP operations.
In case of GetCACaps, just hardcode the reply DES3 and SHA-1, such that iPhone does not choke on Windows NDES's blank response.
Everything else (GetCACert and PKIOperation), just proxy the call to Windows 2008 unchanged and set the appropriate Content-Type per spec.
It was quite a journey, but well worth it.
Also, all the advice on the web about the NDES setup is crucial, especially when you change the settings in and bounce one instance (e.g. Domain Controller), you have to bounce the other NDES server too. I came to know when things didn't work. Then I debugged the Event Logs in NDES.
My advice to others: jscep helps one to understand what's going on behind the scenes, but it may not be practical for actual production-grade deployment. Need to take SCEP admin maintenance into consideration.
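
The proxy arrangement described in the last post, as an added example that is not the poster's own code: GetCACaps is answered locally with the hardcoded DES3 and SHA-1 lines, while GetCACert and PKIOperation are relayed to NDES with the query string untouched. The upstream host, the listen address and the fallback Content-Type values are assumptions; only GET is handled because the hardcoded capability list does not advertise POSTPKIOperation.

```python
# Added example (not the poster's code): SCEP front-end that answers
# GetCACaps itself and relays GetCACert / PKIOperation to NDES unchanged.
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

UPSTREAM = "http://ndes.example.internal/certsrv/mscep/mscep.dll"  # placeholder host
CACAPS = b"DES3\nSHA-1\n"  # the capabilities the post hardcodes, one per line
# Content-Type per SCEP, used only when the upstream reply carries none
# (assumption: NDES returns CA plus RA certificates for GetCACert)
SPEC_TYPES = {"GetCACert": "application/x-x509-ca-ra-cert",
              "PKIOperation": "application/x-pki-message"}

def fetch_upstream(query):
    """GET the same query string from NDES; return (status, ctype, body)."""
    try:
        with urllib.request.urlopen(UPSTREAM + "?" + query, timeout=15) as r:
            return r.status, r.headers.get("Content-Type"), r.read()
    except urllib.error.HTTPError as e:       # relay NDES error replies as-is
        return e.code, e.headers.get("Content-Type"), e.read()
    except urllib.error.URLError:             # NDES unreachable
        return 502, "text/plain", b"upstream unavailable\n"

def handle_scep(query, fetch=fetch_upstream):
    """Route one SCEP GET by its operation; return (status, ctype, body)."""
    op = parse_qs(query, keep_blank_values=True).get("operation", [""])[0]
    if op == "GetCACaps":
        return 200, "text/plain", CACAPS      # answered locally, never hits NDES
    if op not in SPEC_TYPES:
        return 400, "text/plain", b"unsupported operation\n"
    # The raw query is forwarded so the encoded PKIOperation message is untouched
    status, ctype, body = fetch(query)
    return status, ctype or SPEC_TYPES[op], body

class ScepProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        status, ctype, body = handle_scep(urlsplit(self.path).query)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Listen address and port are assumptions for this example
    HTTPServer(("127.0.0.1", 8080), ScepProxy).serve_forever()
```

Logging each request's `operation` value in `handle_scep` gives a proxy-side record to compare against the NDES Event Logs when enrollment fails.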