45 Replies. Latest reply: Oct 19, 2012 1:22 PM by Edward Kelley
levellers Level 1 (0 points)

Hi,

 

I hope someone can help. I have been given a MacBook to 'socialise' to our Windows / AD domain. My first goal is to get it connected to the corporate WiFi network, which is EAP-TLS with certificate-based enrollment.

 

I'm trying to follow this KB article: http://support.apple.com/kb/HT4784 but can't create the .mobileconfig file.

 

I even tried downloading the IPCU and creating a 'blank' configuration profile and editing the contents, but every time I make a change to the file it says:

 

'There was an error opening "blahblahblah.mobileconfig" contact your network administrator'.

 

Any ideas??


MacBook Air, Mac OS X (10.7.2)
  • daveBoxElderSD Level 1 (0 points)

    I posted this back in November

     

    Step 1a. Create Wirelesscert.mobileconfig with the following, changing the defaults to match your needs.

    The CertTemplate key must match the name of the cert template on the server.

    You can use the same machine cert template as the PCs. The UUIDs are done in the next step.

    CertServer key: use http or https depending on your cert server config.

    Generic config file, sort of:

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>CertServer</key>
                <string>https://Server.domain.name/certsrv</string>
                <key>CertTemplate</key>
                <string>Your_Computer_template_name</string>
                <key>PayloadDisplayName</key>
                <string>Enter_your_name_fort_the_policy</string>
                <key>PayloadIdentifier</key>
                <string>Create_payload_ident</string>
                <key>PayloadType</key>
                <string>com.apple.ADCertificate.managed</string>
                <key>PayloadUUID</key>
                <string>Change-me-to-a-new-UUID</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>deleted</key>
                <false/>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>Enter_Description_here</string>
        <key>PayloadDisplayName</key>
        <string>Enter_Display_name</string>
        <key>PayloadIdentifier</key>
        <string>Enter_paylode_name</string>
        <key>PayloadOrganization</key>
        <string>Enter_paylode_orgname</string>
        <key>PayloadRemovalDisallowed</key>
        <false/>
        <key>PayloadType</key>
        <string>SystemConfiguration</string>
        <key>PayloadUUID</key>
        <string>Change-me-to-a-new-UUID</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>

     

    Step 1b. Create two UUIDs in the Mac command shell and paste them into the file, replacing Change-me-to-a-new-UUID with two different UUIDs.
    The command is "uuidgen". You must run uuidgen once for each number. Paste the resulting numbers into Wirelesscert.mobileconfig.
    This must be done for every computer you install the policy on so that they are unique to that computer.

     

     

    Do these steps in a local machine admin account, not logged into the domain.

     

    Step 2. In Lion 7.2 (only) turn off the cert checking to prevent an endless loop (a known bug, should be fixed in an update). The machine must also have 1G of free disk space.
       a. Open Keychain Access
       b. Click on Keychain Access in the Apple tool bar
       c. Select Preferences
       d. Select the Certificates tab
       e. Turn off OCSP and CRL (this can be turned back on after you get the cert from AD)

     

     

    Step 3. Connect using Safari to your Microsoft AD certificate server and trust the locally self-signed cert.

    Step 4. Copy the cert in Keychain from user to system.

    Step 5. Open a shell for steps 6 and 7.

    Step 6. Type sudo kinit -k (machinenamelowercase)$    ! the dollar sign is appended to the computer name

    Step 7. Type klist -l    ! verify that a Kerberos ticket is listed under the machine name

    Step 8. To create a system-level profile, use the command line to import the profile:
                /usr/bin/profiles -I -F (location of profile)

    Step 9. Verify in Keychain that you have a system certificate.

    In the network wireless settings, click Join on the SSID.
    Mode is EAP-TLS
    Identity: X509 Certificate (the one just created)
    Username: host/(Your_Macs_Fully_qualified_name)

    I hope this helps now.
    Read the original document this is based on at http://support.apple.com/kb/HT4784
    I am still having problems with some Macs not working, but this did work on one, so I hope it helps.

  • levellers Level 1 (0 points)

    Thanks for your reply Dave.

     

    Can I create that XML file by hand, or do I need Lion Server profile configuration tool or the IPCU?

     

    Also, it doesn't mention when you apply the .mobileconfig file at the end of step 1?

     

    Really appreciate your help.

  • daveBoxElderSD Level 1 (0 points)

    You need to create this by hand; neither program will do it at this time, is my understanding.

    The reason you don't do it after step one is that you have to do steps 2 to 7 first.

    In creating the file, copy exactly the first 9 lines (the first line you change is
      <string>https://Server.domain.name/certsrv</string>  the Server.domain.name should be changed to the qualified name of your server).

    Change to the name of the template on the certificate server:
    <string>Your_Computer_template_name</string>

    Change the name to what you want:
    <string>Enter_your_name_fort_the_policy</string>

    Change to something that identifies it for what it is, but short:
    <string>Create_payload_ident</string>

    Do not change this one:
    <string>com.apple.ADCertificate.managed</string>

    Run the command in step one and replace the text with a UUID:
    <string>Change-me-to-a-new-UUID</string>

    Do the same basic things in the array section.
    You must do the UUID in this section.

    Step 2 is to make changes in the key manager to prevent the import from locking up (a bug in the OS).

    The other steps will allow the import process to connect to AD as the machine name, then the import on step 8.

    You're welcome; I hope it works for you levellers.

  • levellers Level 1 (0 points)

    Dave,

     

    Thanks again for your help, sorry it's been a while but I only just found time to take a look at this.

     

    Now successfully created the mobileconfig file using your template. Generated UUIDs etc...

     

    I understand from your instructions that I'm supposed to import that .mobileconfig file via the command line, but for some reason your instructions don't work. So I took a stab at double clicking it instead...

    When I double click the mobileconfig file I get: "The 'Active Directory Certificate' payload could not be installed. The client failed to get a Ticket Granting Ticket".

    I take it this is some sort of Kerberos error and has something to do with steps 6 & 7 in your process.

    When I type:

     

    'sudo kinit -k t0016443$'

     

    I get the response:

     

    "krb5_get_init_creds: Client (t0016443@T0016443.LOCAL) unknown"

     

    Then I try "klist -l" and get a list of my domain username, nothing mentions the PC name at all.

  • levellers Level 1 (0 points)

    My mistake, typo in the command to import the .mobileconfig with Terminal. Same error though.

     

    Back to steps 6 and 7...

  • levellers Level 1 (0 points)

    Tried one more thing, the machine is already bound to the domain, so for step six I tried...

     

    sudo kinit -k t0016443.transurban.com.au

     

    now it says 'Already tried ENC-TS-info, looping'

     

    Really hoping you can help! So close but so far!

  • daveBoxElderSD Level 1 (0 points)

    I have several suggestions

     

     

    1. In addition to the cert authentication in step 3, make sure it is trusted at the root level. You can log in as a user too, and at least on our cert server there is an option to get the trusted root cert.

    2. There is another bug that requires that the computer have at least 1 gig of free disk space (just found out about this one).

    3. You need to be logged in locally only before you try to enroll; use a local-only administrator account with no domain connection. (The purpose of this is so it becomes a system profile, as in the article I referenced.)

    Do a klist to verify that you don't have a domain connection yet.

    Then do the name of the computer: sudo kinit -k t0016443$
    This sets up the permissions to get the cert in the computer's name.
    klist to verify that it worked.

    You can also do this to get root and stay in it:
    sudo su -
    then enter the commands in 6-8 without having to type sudo each time if you want, then exit to leave root.

    4. I was doing a second computer and it was stuck in an endless loop. It stopped after I reinstalled the cert and worked, but I did one other thing that might have helped: I was reading about Kerberos errors and file permissions,
    and it said to go into restore mode and do a file permission repair. I did this and did find some errors that were fixed, which may help you.

    Happy to try and help; not a problem with how long it took you to try things again, that's what happens in IT. Share what you find as you work on it too.

    PS I have a Mac mini acting as a server and I can't get the kinit to work. I think it is trying to talk to the Kerberos on the local machine so I can test a bash script for installing the ms config.

    I just created a bash script to generate the ms config and it seems to work. I did this because every computer needs a unique UUID in both places in the file.

     


  • levellers Level 1 (0 points)

    Thanks again Dave, here are the results from my attempts this morning... acquiring the machine TGT seems to be the problem.

     

    1) went to https://ca.domain.com.au/certsrv in safari, and ticked 'show certificate' at the prompt, then chose 'always trust' for all 3 certs down to ROOT level.

    The three certs are:
    'Company Name' Root CA
    'Company Name' Root CA 1
    certsrv.domainname.com.au

     

    2) opened keychain mgr and copied the three certs (including the root one) to the system keychain.

     

    3) There are several GB of free space

     

    4) I created a non-domain logon (the mac is still bound to the domain, but I am now logged in locally with admin privs)

     

    5) klist returns: krb5_cc_get_principal: No credentials file found

     

    6) when I type sudo klist -k t0016443$ it returns: krb5_get_init_creds: Client (t0016443$@T0016443.LOCAL) unknown

     

    It's almost like there isn't a computer account, or it's looking in the wrong place for it.

     

    I also tried adding @domain.com.au to the end of the computer name and then it came back with the 'Already tried ENC-TS-info, looping' so that's obviously not right either.

     

    Any ideas?

     

    Thanks again for your help!

  • levellers Level 1 (0 points)

    Dave, do you think this might be the way the mac is looking up t0016443$? Maybe something to do with the 'search policy' in the directory utility?

     

    Surely it knows where to find its own machine account?

  • daveBoxElderSD Level 1 (0 points)

    I have one doing the same thing; it has Server loaded and it is, I think, trying to talk to the local LDAP directory instead of Active Directory. See the .local in that message you quoted.

    I looked at kinit and it has a -S option (man page) but I don't know how to invoke it and tell it what server to talk to.
    For the Active Directory setup, when you join the domain under Users there is an option to specify the server you talk to. You might want to set that to one of your domain controllers and see if it helps.

  • daveBoxElderSD Level 1 (0 points)

    I got it fixed on the Mac mini this morning by changing the search order:
    Go to
    System Preferences
    Users & Groups
    Unlock
    Select Login Options
    Edit Network Account Server
    Highlight AD
    Click on Open Directory Utility
    Click on Search Policy
    Search should be Custom path
    Move AD to be above the LDAPv3
    Apply

    This solved my kinit problem of not getting an account.
    I hope this helps.

  • Edward Kelley Level 1 (10 points)

    I was able to get EAP-TLS RADIUS authentication working for the system/loginwindow using machine certificates from an Active Directory Certificate Services store by creating a .mobileconfig file that contained additional payloads. The support article referenced above mentions that a machine certificate can be generated at the time that the profile payload is installed, but does not go into additional detail on what else is necessary to create a profile that can be imported onto a Mac running Lion to allow system/loginwindow RADIUS authentication.

     

    After some experimentation, I was able to get this working using three additional payloads: one payload for the WiFi access point (com.apple.wifi.managed), and two additional payloads that allow us to specify trust for our self-signed root CA's signing certificate. The additional certificate is probably not necessary, but could help in a situation where an intermediate CA signs the certs. A basic framework for the WiFi managed payload can be created using iPhone Configuration Utility. I created the two certificate payloads using iPCU, and then pasted those payload dictionaries into the .mobileconfig payloads array (without modifying the payload).

     

    I'll paste an example of what a working configuration looks like (I could not find any good resources documenting this setup):

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>CertServer</key>
                <string>http://dc1.ad.example.com/certsrv</string>
                <key>CertTemplate</key>
                <string>Machine</string>
                <key>PromptForCredentials</key>
                <false/>
                <key>ADCertServerCertificateIDReplySearchString</key>
                <string></string>
                <key>PayloadDisplayName</key>
                <string>WiFi Config</string>
                <key>PayloadIdentifier</key>
                <string>com.example.profile.wifi.ADCertificate.config</string>
                <key>PayloadType</key>
                <string>com.apple.ADCertificate.managed</string>
                <key>PayloadUUID</key>
                <string>5A1088D2-95B7-4A3E-8B17-A667405C73F8</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>deleted</key>
                <false/>
            </dict>
            <dict>
                <key>AutoJoin</key>
                <true/>
                <key>EAPClientConfiguration</key>
                <dict>
                    <key>AcceptEAPTypes</key>
                    <array>
                        <integer>13</integer>
                    </array>
                    <key>EAPFASTProvisionPAC</key>
                    <false/>
                    <key>EAPFASTProvisionPACAnonymously</key>
                    <false/>
                    <key>EAPFASTUsePAC</key>
                    <false/>
                    <key>UserName</key>
                    <string>host/computer_name.ad.example.com</string>
                    <key>PayloadCertificateAnchorUUID</key>
                    <array>
                        <string>CD1BE015-1D42-4402-AB02-71B283806BE9</string>
                        <string>49D8C78A-4E0E-408B-B4ED-DD200B068D09</string>
                    </array>
                </dict>
                <key>EncryptionType</key>
                <string>WPA</string>
                <key>HIDDEN_NETWORK</key>
                <false/>
                <key>PayloadDescription</key>
                <string>Configures wireless connectivity settings.</string>
                <key>PayloadDisplayName</key>
                <string>WiFi Config</string>
                <key>PayloadIdentifier</key>
                <string>com.example.profile.wifi.config</string>
                <key>PayloadOrganization</key>
                <string>Example, Inc.</string>
                <key>SetupModes</key>
                <array>
                    <string>System</string>
                    <string>Loginwindow</string>
                </array>
                <key>PayloadScope</key>
                <string>System</string>
                <key>PayloadType</key>
                <string>com.apple.wifi.managed</string>
                <key>PayloadUUID</key>
                <string>752F1A6C-673A-4026-BFBB-814172B1DB7A</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>ProxyType</key>
                <string>None</string>
                <key>SSID_STR</key>
                <string>Test</string>
            </dict>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>Certificate.cer</string>
                <key>PayloadContent</key>
                <data>
                CERTIFICATE_DATA
                </data>
                <key>PayloadDescription</key>
                <string>Provides device authentication (certificate or identity).</string>
                <key>PayloadDisplayName</key>
                <string>AD-DC1-CA</string>
                <key>PayloadIdentifier</key>
                <string>com.example.profile.wifi.credential.ca</string>
                <key>PayloadOrganization</key>
                <string>Example, Inc.</string>
                <key>PayloadType</key>
                <string>com.apple.security.root</string>
                <key>PayloadUUID</key>
                <string>CD1BE015-1D42-4402-AB02-71B283806BE9</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
            <dict>
                <key>PayloadCertificateFileName</key>
                <string>dc1.AD.EXAMPLE.COM.cer</string>
                <key>PayloadContent</key>
                <data>
                CERTIFICATE_DATA
                </data>
                <key>PayloadDescription</key>
                <string>Provides device authentication (certificate or identity).</string>
                <key>PayloadDisplayName</key>
                <string>dc1.AD.EXAMPLE.COM</string>
                <key>PayloadIdentifier</key>
                <string>com.example.profile.wifi.credential.dc1</string>
                <key>PayloadOrganization</key>
                <string>Example, Inc.</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs1</string>
                <key>PayloadUUID</key>
                <string>49D8C78A-4E0E-408B-B4ED-DD200B068D09</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
        </array>
        <key>PayloadDescription</key>
        <string>Example Wi-Fi profile configuration.</string>
        <key>PayloadDisplayName</key>
        <string>Example Wi-Fi</string>
        <key>PayloadIdentifier</key>
        <string>com.example.profile.wifi</string>
        <key>PayloadOrganization</key>
        <string>Example, Inc.</string>
        <key>PayloadRemovalDisallowed</key>
        <false/>
        <key>PayloadType</key>
        <string>SystemConfiguration</string>
        <key>PayloadUUID</key>
        <string>9AEFDD4A-B8BD-4CB7-AE22-964B9457D31D</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
    </plist>

     

    Some of the more important points:

     

    1.) This setup uses EAP-TLS (type 13) with machine certificates only - user certs could be used in similar payloads

    2.) The EAPClientConfiguration "UserName" string is passed to the RADIUS server for authentication. This string must be specified as host/computer_account.example.com (where computer_account is the "Computer Account" name in AD, and "example.com" is the AD domain/forest). This hostname may also be how the computer is determining which certificate to use from the keychain (but I have not confirmed).

    3.) The PayloadCertificateAnchorUUID key in the EAPClientConfiguration dict should specify the UUIDs of the certificate payloads in this .mobileconfig file that should be trusted

    4.) SetupModes and PayloadScope in the com.apple.wifi.managed payload is probably important, but I have not been able to test exhaustively.

    5.) "CERTIFICATE_DATA" will actually be a large string of data - I've removed it for brevity.

     

    To deploy this to a number of Macs, we created a template .mobileconfig file using an arbitrary string for the EAPClientConfiguration UserName ("TEMP_COMPUTER_NAME"). This template gets filled in using a shell script that checks the AD configuration using `dsconfigad -show`. After getting the computer account and domain/forest info, the shell script populates the username in the template .mobileconfig file. Finally, the script then kinits, imports the profile, and cleans up the .mobileconfig that was generated from the template. The computer should join the wireless network automatically after importing the system profile, and should remain connected even after users logout.

     

    Hope this helps.
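    The per-machine fill-in that both Dave (a fresh UUID in both places for every computer) and Edward (TEMP_COMPUTER_NAME taken from `dsconfigad -show`, then kinit and `profiles -I -F`) describe, written out as an added example; it is neither poster's script. The `dsconfigad -show` sample, the cut-down template and the `wifi-template.mobileconfig` path are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): fill the template placeholders from
# `dsconfigad -show`, then kinit as the machine and import a system profile.
set -eu

UUID_PLACEHOLDER='Change-me-to-a-new-UUID'

# Constructed sample of `dsconfigad -show` output (field labels as the command
# prints them on a bound Mac). In production use: dsconfigad -show
SAMPLE_DSCONFIGAD='You are bound to Active Directory:
  Active Directory Forest          = ad.example.com
  Active Directory Domain          = ad.example.com
  Computer Account                 = mymac$'

# Cut-down constructed template: only the keys that must change per machine.
TEMPLATE='<key>UserName</key>
<string>host/TEMP_COMPUTER_NAME</string>
<key>PayloadUUID</key>
<string>Change-me-to-a-new-UUID</string>
<key>PayloadUUID</key>
<string>Change-me-to-a-new-UUID</string>'

# ds_field OUTPUT LABEL: value of the "LABEL = value" line, or empty if absent.
ds_field() {
    printf '%s\n' "$1" | awk -F'=' -v label="$2" '
        NF >= 2 {
            key = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == label) { print val; exit }
        }'
}

# eap_username OUTPUT: RADIUS identity host/<account>.<domain>, lower-cased,
# with the trailing "$" of the computer account removed. Fails when not bound.
eap_username() {
    acct=$(ds_field "$1" "Computer Account")
    domain=$(ds_field "$1" "Active Directory Domain")
    if [ -z "$acct" ] || [ -z "$domain" ]; then
        echo "eap_username: machine is not bound to Active Directory" >&2
        return 1
    fi
    printf 'host/%s.%s\n' "${acct%\$}" "$domain" | tr '[:upper:]' '[:lower:]'
}

# new_uuid: uuidgen where available, otherwise a random UUID-shaped string.
new_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then uuidgen
    elif [ -r /proc/sys/kernel/random/uuid ]; then cat /proc/sys/kernel/random/uuid
    else od -An -N16 -tx1 /dev/urandom | tr -d ' \n' |
         sed 's/\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)/\1-\2-\3-\4-\5/'
    fi
}

# render_profile TEMPLATE IDENTITY: fill in the identity and give every UUID
# placeholder its own fresh UUID (each payload, and each machine, must differ).
render_profile() {
    out=$(printf '%s\n' "$1" | sed "s|TEMP_COMPUTER_NAME|${2#host/}|g")
    while printf '%s\n' "$out" | grep -q "$UUID_PLACEHOLDER"; do
        out=$(printf '%s\n' "$out" | awk -v u="$(new_uuid)" -v p="$UUID_PLACEHOLDER" '
            !done && index($0, p) { sub(p, u); done = 1 } { print }')
    done
    printf '%s\n' "$out"
}

# install_profile RENDERED ACCOUNT: run as root from a local admin login on the Mac.
install_profile() {
    dir=$(mktemp -d) && printf '%s\n' "$1" > "$dir/wifi.mobileconfig"
    kinit -k "$2"                                     # machine TGT (thread's step 6)
    /usr/bin/profiles -I -F "$dir/wifi.mobileconfig"  # system-level import (step 8)
    rm -rf "$dir"                                     # leave no rendered copy behind
}

# With --install on a bound Mac the profile is rendered and imported; otherwise
# only the functions are defined (so they can be exercised offline).
if [ "${1:-}" = "--install" ]; then
    ds=$(dsconfigad -show); ident=$(eap_username "$ds")
    install_profile "$(render_profile "$(cat wifi-template.mobileconfig)" "$ident")" \
                    "$(ds_field "$ds" "Computer Account")"
fi
```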

  • daveBoxElderSD Level 1 (0 points)

    I am glad you figured it out; that was the one part I was stuck on how to do. I also created a shell script to generate the mobile config and install; now I can add the changes to make it work at a system level.
    The bug that requires turning off the cert authentication seems to have been fixed and is no longer required.

     

    Thanks for sharing

  • Frost21 Level 1 (0 points)

    Wow!  Haven't tried any of this yet, but this is more than enough to get started.  Dave, mind if I get a copy of the script you created for this? 
