
.mobileconfig and ADCertificatePayloadPlugin

Hi,


I hope someone can help. I have been given a MacBook to 'socialise' to our Windows / AD domain. My first goal is to get it connected to the corporate WiFi network, which is EAP-TLS with certificate-based enrollment.


I'm trying to follow this KB article: http://support.apple.com/kb/HT4784 but can't create the .mobileconfig file.


I even tried downloading the IPCU and creating a 'blank' configuration profile and editing the contents; every time I make a change to the file it says:


'There was an error opening "blahblahblah.mobileconfig" contact your network administrator'.


Any ideas??

MacBook Air, Mac OS X (10.7.2)

Posted on Jan 24, 2012 9:49 PM

45 replies

Feb 2, 2012 12:02 PM in response to levellers

I posted this back in November


Step 1a. Create Wirelesscert.mobileconfig with the following, changing the defaults to match your needs.

The "CertTemplate" key must match the name of the cert template on the server.

You can use the same machine cert template as the PCs. The UUIDs are done in the next step.

CertServer key: use http or https depending on your cert server config.

Generic config file, sort of:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>CertServer</key>
            <string>https://Server.domain.name/certsrv</string>
            <key>CertTemplate</key>
            <string>Your_Computer_template_name</string>
            <key>PayloadDisplayName</key>
            <string>Enter_your_name_fort_the_policy</string>
            <key>PayloadIdentifier</key>
            <string>Create_payload_ident</string>
            <key>PayloadType</key>
            <string>com.apple.ADCertificate.managed</string>
            <key>PayloadUUID</key>
            <string>Change-me-to-a-new-UUID</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>deleted</key>
            <false/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Enter_Description_here</string>
    <key>PayloadDisplayName</key>
    <string>Enter_Display_name</string>
    <key>PayloadIdentifier</key>
    <string>Enter_paylode_name</string>
    <key>PayloadOrganization</key>
    <string>Enter_paylode_orgname</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>SystemConfiguration</string>
    <key>PayloadUUID</key>
    <string>Change-me-to-a-new-UUID</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>


Step 1b. Create two UUIDs in the Mac command shell and paste them into the file, replacing Change-me-to-a-new-UUID with two different UUIDs.

The command is "uuidgen". You must run uuidgen once for each number. Paste the resulting numbers into Wirelesscert.mobileconfig.

This must be done for every computer you install the policy on so that they are unique to that computer.



Do these steps in a local machine admin account not logged into the domain.


Step 2. In Lion 7.2 (only), turn off the cert checking to prevent an endless loop (a known bug; should be fixed in an update). The machine must also have 1G of free disk space.

a. Open Keychain Access

b. Click on Keychain Access in the Apple tool bar

c. Select Preferences

d. Select the Certificates tab

e. Turn off OCSP and CRL (this can be turned back on after you get the cert from AD)



Step 3. Connect using Safari to your Microsoft AD certificate server and trust the locally self-signed cert.


Step 4. Copy the cert in Keychain from user to system.


Step 5. Open a shell for steps 6 and 7.


Step 6. Type sudo kinit -k (machinenamelowercase)$ (the dollar sign is appended to the computer name).


Step 7. Type klist -l (verify that a ticket in Kerberos is listed under the machine name).


Step 8. To create a system-level profile, use the command line to import the profile:

/usr/bin/profiles -I -F (location of profile)


Step 9. Verify in Keychain that you have a system certificate.


In Network, under wireless, click Join for the SSID:

Mode: EAP-TLS

Identity: X509 certificate (the one just created)

Username: host/(Your_Macs_Fully_qualified_name)


I hope this helps now.

Read the original document this is based on at http://support.apple.com/kb/HT4784

I am still having problems with some Macs not working, but this did work on one, so I hope it helps.

Feb 2, 2012 8:10 PM in response to levellers

You need to create this by hand; neither program will do it at this time, is my understanding.


The reason you don't do it after step one is that you have to do steps 2 to 7 first.


In creating the file, copy exactly the first 9 lines (the first line you change is

<string>https://Server.domain.name/certsrv</string>

where Server.domain.name should be changed to the qualified name of your server).


Change this to the name of the template on the certificate server:


<string>Your_Computer_template_name</string>


Change the name to what you want:

<string>Enter_your_name_fort_the_policy</string>


Change to something that identifies it for what it is, but short:

<string>Create_payload_ident</string>


Do not change this one:

<string>com.apple.ADCertificate.managed</string>


Run the command in step one and replace the text with the UUID:

<string>Change-me-to-a-new-UUID</string>


Do the same basic things in the array section.

You must do the UUID in this section.



Step 2 is to make changes in the key manager to prevent the import from locking up (a bug in the OS).


The other steps will allow the import process to connect to AD as the machine name, then the import in step 8.


You're welcome. I hope it works for you, levellers.

Feb 15, 2012 4:38 PM in response to daveBoxElderSD

Dave,


Thanks again for your help; sorry it's been a while, but I only just found time to take a look at this.


I have now successfully created the mobileconfig file using your template, generated UUIDs etc.


I understand from your instructions that I'm supposed to import that .mobileconfig file via the command line, but for some reason your instructions don't work. So I took a stab at double-clicking it instead...


When I double-click the mobileconfig file I get: "The 'Active Directory Certificate' payload could not be installed. The client failed to get a Ticket Granting Ticket."


I take it this is some sort of Kerberos error and has something to do with steps 6 & 7 in your process.


When I type:


'sudo kinit -k t0016443$'


I get the response:


"krb5_get_init_creds: Client (t0016443@T0016443.LOCAL) unknown"


Then I try "klist -l" and get a list of my domain username; nothing mentions the PC name at all.

Feb 16, 2012 12:04 AM in response to levellers

I have several suggestions.



1. In addition to the cert authentication in step 3, make sure it is trusted at the root level. You can log in as a user too, and at least on our cert server there is an option to get the trusted root cert.


2. There is another bug that requires that the computer have at least 1 gig of free disk space (just found out about this one).


3. You need to be logged in locally only before you try to enroll; use a local-only administrator account with no domain connection. (The purpose of this is so it becomes a system profile, as in the article I referenced.)


Do a klist to verify that you don't have a domain connection yet.


Then do the name of the computer: sudo kinit -k t0016443$

This sets up the permissions to get the cert in the computer's name.

klist to verify that it worked.


You can also do this to get root and stay in it:

sudo su -

then enter the commands in 6-8 without having to type sudo each time if you want, then exit to leave root.


4. I was doing a second computer and it was stuck in an endless loop. It stopped after I reinstalled the cert and worked, but I did one other thing that might have helped: I was reading about Kerberos errors and file permissions,

and it said to go into restore mode and do a file permission repair. I did this and did find some errors that were fixed, which may help you.



Happy to try and help; not a problem with how long it took you to try things again, that's what happens in IT. Share what you find as you work on it too 🙂


PS: I have a Mac mini acting as a server and I can't get the kinit to work. I think it is trying to talk to the Kerberos on the local machine, so I can test a bash script for installing the mobileconfig.


I just created a bash script to generate the mobileconfig and it seems to work. I did this because every computer needs a unique UUID in both places in the file.


Message was edited by: daveBoxElderSD

Feb 16, 2012 1:42 PM in response to daveBoxElderSD

Thanks again Dave, here are the results from my attempts this morning... acquiring the machine TGT seems to be the problem.


1) went to https://ca.domain.com.au/certsrv in safari, and ticked 'show certificate' at the prompt, then chose 'always trust' for all 3 certs down to ROOT level.

The three certs are:
'Company Name' Root CA
'Company Name' Root CA 1
certsrv.domainname.com.au


2) opened keychain mgr and copied the three certs (including the root one) to the system keychain.


3) There are several GB of free space.


4) I created a non-domain logon (the mac is still bound to the domain, but I am now logged in locally with admin privs)


5) klist returns: krb5_cc_get_principal: No credentials file found


6) when I type sudo klist -k t0016443$ it returns: krb5_get_init_creds: Client (t0016443$@T0016443.LOCAL) unknown


It's almost like there isn't a computer account, or it's looking in the wrong place for it.


I also tried adding @domain.com.au to the end of the computer name and then it came back with the 'Already tried ENC-TS-info, looping' so that's obviously not right either.


Any ideas?


Thanks again for your help!

Feb 17, 2012 7:26 AM in response to levellers

I have one doing the same thing; it has Server loaded and it is, I think, trying to talk to the local LDAP directory instead of Active Directory. See the .local in that message you quoted.


I looked at kinit and it has a -S option (man page) but I don't know how to invoke it and tell it what server to talk to.

For the Active Directory setup, when you join the domain under Users there is an option to specify the server you talk to. You might want to set that to one of your domain controllers and see if it helps.

Feb 21, 2012 10:28 AM in response to levellers

I got it fixed on the Mac mini this morning by changing the search order.

Go to

System Preferences

Users & Groups

Unlock

Select Login Options

Edit Network Account Server

Highlight AD

Click on Open Directory Utility

Click on Search Policy

Search should be Custom path

Move AD to be above LDAPv3

Apply


This solved my kinit problem of not getting an account.

I hope this helps

May 17, 2012 5:43 PM in response to levellers

I was able to get EAP-TLS RADIUS authentication working for the system/loginwindow using machine certificates from an Active Directory Certificate Services store by creating a .mobileconfig file that contained additional payloads. The support article referenced above mentions that a machine certificate can be generated at the time that the profile payload is installed, but does not go into additional detail on what else is necessary to create a profile that can be imported onto a Mac running Lion to allow system/loginwindow RADIUS authentication.


After some experimentation, I was able to get this working using three additional payloads: one payload for the WiFi access point (com.apple.wifi.managed), and two additional payloads that allow us to specify trust for our self-signed root CA's signing certificate. The additional certificate is probably not necessary, but could help in a situation where an intermediate CA signs the certs. A basic framework for the WiFi managed payload can be created using iPhone Configuration Utility. I created the two certificate payloads using iPCU, and then pasted those payload dictionaries into the .mobileconfig payloads array (without modifying the payload).


I'll paste an example of what a working configuration looks like (I could not find any good resources documenting this setup):


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>CertServer</key>
            <string>http://dc1.ad.example.com/certsrv</string>
            <key>CertTemplate</key>
            <string>Machine</string>
            <key>PromptForCredentials</key>
            <false/>
            <key>ADCertServerCertificateIDReplySearchString</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>WiFi Config</string>
            <key>PayloadIdentifier</key>
            <string>com.example.profile.wifi.ADCertificate.config</string>
            <key>PayloadType</key>
            <string>com.apple.ADCertificate.managed</string>
            <key>PayloadUUID</key>
            <string>5A1088D2-95B7-4A3E-8B17-A667405C73F8</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>deleted</key>
            <false/>
        </dict>
        <dict>
            <key>AutoJoin</key>
            <true/>
            <key>EAPClientConfiguration</key>
            <dict>
                <key>AcceptEAPTypes</key>
                <array>
                    <integer>13</integer>
                </array>
                <key>EAPFASTProvisionPAC</key>
                <false/>
                <key>EAPFASTProvisionPACAnonymously</key>
                <false/>
                <key>EAPFASTUsePAC</key>
                <false/>
                <key>UserName</key>
                <string>host/computer_name.ad.example.com</string>
                <key>PayloadCertificateAnchorUUID</key>
                <array>
                    <string>CD1BE015-1D42-4402-AB02-71B283806BE9</string>
                    <string>49D8C78A-4E0E-408B-B4ED-DD200B068D09</string>
                </array>
            </dict>
            <key>EncryptionType</key>
            <string>WPA</string>
            <key>HIDDEN_NETWORK</key>
            <false/>
            <key>PayloadDescription</key>
            <string>Configures wireless connectivity settings.</string>
            <key>PayloadDisplayName</key>
            <string>WiFi Config</string>
            <key>PayloadIdentifier</key>
            <string>com.example.profile.wifi.config</string>
            <key>PayloadOrganization</key>
            <string>Example, Inc.</string>
            <key>SetupModes</key>
            <array>
                <string>System</string>
                <string>Loginwindow</string>
            </array>
            <key>PayloadScope</key>
            <string>System</string>
            <key>PayloadType</key>
            <string>com.apple.wifi.managed</string>
            <key>PayloadUUID</key>
            <string>752F1A6C-673A-4026-BFBB-814172B1DB7A</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProxyType</key>
            <string>None</string>
            <key>SSID_STR</key>
            <string>Test</string>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>Certificate.cer</string>
            <key>PayloadContent</key>
            <data>
            CERTIFICATE_DATA
            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>AD-DC1-CA</string>
            <key>PayloadIdentifier</key>
            <string>com.example.profile.wifi.credential.ca</string>
            <key>PayloadOrganization</key>
            <string>Example, Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>CD1BE015-1D42-4402-AB02-71B283806BE9</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>dc1.AD.EXAMPLE.COM.cer</string>
            <key>PayloadContent</key>
            <data>
            CERTIFICATE_DATA
            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>dc1.AD.EXAMPLE.COM</string>
            <key>PayloadIdentifier</key>
            <string>com.example.profile.wifi.credential.dc1</string>
            <key>PayloadOrganization</key>
            <string>Example, Inc.</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs1</string>
            <key>PayloadUUID</key>
            <string>49D8C78A-4E0E-408B-B4ED-DD200B068D09</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Example Wi-Fi profile configuration.</string>
    <key>PayloadDisplayName</key>
    <string>Example Wi-Fi</string>
    <key>PayloadIdentifier</key>
    <string>com.example.profile.wifi</string>
    <key>PayloadOrganization</key>
    <string>Example, Inc.</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>SystemConfiguration</string>
    <key>PayloadUUID</key>
    <string>9AEFDD4A-B8BD-4CB7-AE22-964B9457D31D</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>


Some of the more important points:


1.) This setup uses EAP-TLS (type 13) with machine certificates only; user certs could be used in similar payloads.

2.) The EAPClientConfiguration "UserName" string is passed to the RADIUS server for authentication. This string must be specified as host/computer_account.example.com (where computer_account is the "Computer Account" name in AD, and "example.com" is the AD domain/forest). This hostname may also be how the computer is determining which certificate to use from the keychain (but I have not confirmed).

3.) The PayloadCertificateAnchorUUID key in the EAPClientConfiguration dict should specify the UUIDs of the certificate payloads in this .mobileconfig file that should be trusted.

4.) SetupModes and PayloadScope in the com.apple.wifi.managed payload are probably important, but I have not been able to test exhaustively.

5.) "CERTIFICATE_DATA" will actually be a large string of data; I've removed it for brevity.


To deploy this to a number of Macs, we created a template .mobileconfig file using an arbitrary string for the EAPClientConfiguration UserName ("TEMP_COMPUTER_NAME"). This template gets filled in using a shell script that checks the AD configuration using `dsconfigad -show`. After getting the computer account and domain/forest info, the shell script populates the username in the template .mobileconfig file. Finally, the script then kinits, imports the profile, and cleans up the .mobileconfig that was generated from the template. The computer should join the wireless network automatically after importing the system profile, and should remain connected even after users logout.


Hope this helps.
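Two points in this thread are easy to get wrong by hand: Dave's note that every PayloadUUID has to be freshly generated per machine, and the note just above that each PayloadCertificateAnchorUUID entry must name a certificate payload inside the same .mobileconfig. The Python below is an added example, not code from this thread, from Apple, or from the HT4784 article. It parses a constructed sample of `dsconfigad -show` output, builds the three-payload system profile with the standard plistlib module and fresh UUIDs, and checks the cross-references before the file is handed to `profiles -I -F`. The payload keys and type strings are the ones shown in the profile above; the function names, the sample forest and computer account, and the fake certificate bytes are assumptions made for the example.

```python
import plistlib
import re
import uuid

# Constructed sample of `dsconfigad -show` output (values made up; the two
# field names are the ones the thread's shell script greps for).
SAMPLE_DSCONFIGAD_OUTPUT = """\
You are bound to Active Directory:
  Active Directory Forest          = ad.example.com
  Computer Account                 = macbook01$
"""
# Constructed stand-in for the DER bytes of the root CA certificate.
FAKE_ROOT_CA_DER = b"\x30\x82CONSTRUCTED-NOT-A-REAL-CERTIFICATE"

CERT_PAYLOAD_TYPES = ("com.apple.security.root", "com.apple.security.pkcs1")


def parse_dsconfigad(output):
    """Return (forest, computer_account); the trailing '$' is kept because
    that is the principal `kinit -k` needs."""
    fields = {}
    for line in output.splitlines():
        match = re.match(r"\s*(.+?)\s*=\s*(.+?)\s*$", line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields["Active Directory Forest"], fields["Computer Account"]


def eap_username(forest, computer_account):
    """RADIUS identity in the form the thread settled on: host/<account>.<forest>."""
    return "host/%s.%s" % (computer_account.rstrip("$"), forest)


def new_uuid():
    """Fresh UUID for every payload, so no two machines ever share one."""
    return str(uuid.uuid4()).upper()


def build_profile(forest, computer_account, cert_server, cert_template,
                  ssid, root_ca_der):
    """Assemble the three payloads the post describes (hypothetical builder)."""
    ca_uuid = new_uuid()
    ad_cert = {  # enrol a machine certificate from AD Certificate Services
        "PayloadType": "com.apple.ADCertificate.managed",
        "PayloadIdentifier": "com.example.profile.wifi.ADCertificate.config",
        "PayloadDisplayName": "Machine certificate", "PayloadVersion": 1,
        "PayloadUUID": new_uuid(), "CertServer": cert_server,
        "CertTemplate": cert_template, "PromptForCredentials": False,
    }
    wifi = {  # system-scoped EAP-TLS network, usable at the login window
        "PayloadType": "com.apple.wifi.managed",
        "PayloadIdentifier": "com.example.profile.wifi.config",
        "PayloadDisplayName": "Wi-Fi " + ssid, "PayloadVersion": 1,
        "PayloadUUID": new_uuid(), "PayloadScope": "System",
        "SetupModes": ["System", "Loginwindow"], "SSID_STR": ssid,
        "AutoJoin": True, "EncryptionType": "WPA",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [13],  # 13 = EAP-TLS
            "UserName": eap_username(forest, computer_account),
            "PayloadCertificateAnchorUUID": [ca_uuid],  # trust only our CA
        },
    }
    root_ca = {  # the CA the RADIUS server's certificate must chain to
        "PayloadType": "com.apple.security.root",
        "PayloadIdentifier": "com.example.profile.wifi.credential.ca",
        "PayloadDisplayName": "Root CA", "PayloadVersion": 1,
        "PayloadUUID": ca_uuid, "PayloadContent": root_ca_der,  # -> <data>
    }
    return {
        "PayloadType": "SystemConfiguration",  # top-level type used in the thread
        "PayloadIdentifier": "com.example.profile.wifi",
        "PayloadDisplayName": "Example Wi-Fi", "PayloadVersion": 1,
        "PayloadRemovalDisallowed": False, "PayloadUUID": new_uuid(),
        "PayloadContent": [ad_cert, wifi, root_ca],
    }


def validate_profile(profile):
    """Return the list of cross-reference problems; empty means consistent."""
    problems = []
    payloads = profile["PayloadContent"]
    uuids = [profile["PayloadUUID"]] + [p["PayloadUUID"] for p in payloads]
    if len(set(uuids)) != len(uuids):
        problems.append("PayloadUUID values are not unique")
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p["PayloadType"] in CERT_PAYLOAD_TYPES}
    for p in payloads:
        if p["PayloadType"] != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if eap.get("AcceptEAPTypes") != [13]:
            problems.append("AcceptEAPTypes must be [13] for EAP-TLS")
        if not eap.get("UserName", "").startswith("host/"):
            problems.append("UserName must be host/<computer>.<forest>")
        for anchor in eap.get("PayloadCertificateAnchorUUID", []):
            if anchor not in cert_uuids:
                problems.append("anchor %s is not a certificate payload here" % anchor)
    return problems


def profile_to_xml(profile):
    """Serialise to the XML plist that `profiles -I -F` imports."""
    return plistlib.dumps(profile)
```

Run `validate_profile` on the dict before writing it out (or on `plistlib.loads` of a hand-edited file): a dangling anchor UUID means the EAP client has nothing to pin the RADIUS server's certificate to, and a duplicated PayloadUUID is exactly the per-machine mistake Dave warns about when a template is copied without regenerating the identifiers.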

Jun 12, 2012 4:39 PM in response to Frost21

Below is a shell script that will parse the current AD forest/computer name, and then customize the .mobileconfig template file (EAP "UserName") with those credentials. The system uses those credentials (machine forest/computer_name) to authenticate to the Kerberos TGT (domain controller?), obtain the machine certificate, and import the customized profile. The script performs minimal error checking.


You will need to change the EAP-TLS "UserName" string in the "template" .mobileconfig above ("host/computer_name.ad.example.com") to "TEMPORARY_HOST_PLACEHOLDER" so that the script can replace that placeholder with the actual host string.




#!/bin/bash

# some variables
MOBILECONFIG_TEMPLATE="WiFi.mobileconfig"
MOBILECONFIG_TEMPLATE_PATH="$(dirname "$0")/$MOBILECONFIG_TEMPLATE"
MOBILECONFIG_PATH="/tmp/$MOBILECONFIG_TEMPLATE"

if [ -e "$MOBILECONFIG_TEMPLATE_PATH" ]; then

    # customize the .mobileconfig file with the current machine's AD name and forest as the EAP UserName value
    FOREST=$(dsconfigad -show | grep "Active Directory Forest" | sed 's/.*= *//')
    # the computer account keeps its trailing "$": that is the principal kinit -k needs
    COMPUTER_ACCOUNT=$(dsconfigad -show | grep "Computer Account" | sed 's/.*= *//')
    # the EAP UserName uses the account name without the "$"
    COMPUTER_ACCOUNT_CLEAN=$(printf '%s' "$COMPUTER_ACCOUNT" | sed 's/\$$//')
    UNIQUE_HOST_IDENTIFIER="host/$COMPUTER_ACCOUNT_CLEAN.$FOREST"
    # "|" as the sed delimiter, because the replacement itself contains a "/"
    sed -e "s|TEMPORARY_HOST_PLACEHOLDER|$UNIQUE_HOST_IDENTIFIER|" "$MOBILECONFIG_TEMPLATE_PATH" > "$MOBILECONFIG_PATH"

    # get a Kerberos TGT using the computer account
    echo "Obtaining Kerberos TGT for $COMPUTER_ACCOUNT..."
    if ! sudo kinit -k "$COMPUTER_ACCOUNT"; then
        echo "Error: could not get a TGT for $COMPUTER_ACCOUNT; the certificate payload will not enroll" >&2
        rm "$MOBILECONFIG_PATH"
        exit 1
    fi

    # install the mobileconfig profile
    echo "Installing $MOBILECONFIG_PATH..."
    sudo /usr/bin/profiles -I -F "$MOBILECONFIG_PATH"

    # cleanup
    echo "Cleaning up..."
    rm "$MOBILECONFIG_PATH"
    sudo kdestroy
else
    echo "Error: .mobileconfig template does not exist: $MOBILECONFIG_TEMPLATE_PATH" >&2
    exit 1
fi
