Certificate Request Failing from AD

I am trying to request a machine certificate from my AD-based Certificate Server to use for 802.1x authentication. My requests keep failing with the following nondescriptive errors:


Oct 15 11:05:06[2159]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :

Oct 15 11:05:06[2159]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809

Oct 15 11:05:06[2159]:+ADCertificatePayloadPlugin.getCertificateFromServer server returned cert = FAILED

Oct 15 11:05:06[2159]:+**************** AD certificate getCertificateFromServer failed

Oct 15 11:05:06[2159]:+:::::::::::::::: ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = -319

Oct 15 11:05:06[2159]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = fail

Oct 15 11:05:06[2159]:+**************** Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The 'Active Directory Certificate' payload could not be installed. The certificate request failed." UserInfo=0x7ffd0bc27210 {NSLocalizedDescription=The 'Active Directory Certificate' payload could not be installed. The certificate request failed.} from: InstallPayload in ADCertificatePayloadPlugin


Unfortunately, this is not telling me what the problem is. I don't see any failed requests on my server. Are there further debugs I can enable? Or does someone know more about the error codes provided? Google didn't seem to know anything.

OS X Mountain Lion (10.8.5)

Posted on Oct 15, 2013 8:20 AM

Feb 24, 2015 5:50 PM in response to mloraditch

That error code maps to "One or more arguments are invalid." If you have been trying variations of your settings to try to make them work, then you may have entered something incorrectly.

Though Apple's documentation doesn't mention it (How to request a certificate from a Microsoft Certificate Authority using DCE/RPC and the Active Directory Certificate p…), I did discover that if you are talking to a 2012 or 2012R2 server, you will need to downgrade the security slightly to allow 10.8 clients to do RPC certificate requests. 10.9 and 10.10 clients seem to cope with the encrypted RPC requirement without issue.

Microsoft has documentation on downgrading the certificate service RPC security for XP compatibility. It seems that 10.8 also needs this.

https://technet.microsoft.com/en-us/library/dn473011.aspx#BKMK_Security
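
Added example, not part of the original thread: the number in the `CertServerRequest` log line is a Windows HRESULT printed as a signed 32-bit integer, and this sketch shows how to pull it out of the log and split it into its fields. The function names and the small lookup tables are assumptions made for this illustration (the values in them are from `winerror.h`), and the sample log is constructed from two lines of the question.

```python
import re

# Constructed sample: two lines taken from the log in the question.
SAMPLE_LOG = """\
Oct 15 11:05:06[2159]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :
Oct 15 11:05:06[2159]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
"""

# Deliberately small subsets of winerror.h, enough for this log.
FACILITIES = {0: "FACILITY_NULL", 1: "FACILITY_RPC", 7: "FACILITY_WIN32",
              9: "FACILITY_SECURITY", 11: "FACILITY_CERT"}
WIN32_CODES = {5: "ERROR_ACCESS_DENIED", 87: "ERROR_INVALID_PARAMETER",
               1722: "RPC_S_SERVER_UNAVAILABLE"}


def decode_hresult(value):
    """Split a signed or unsigned 32-bit HRESULT into its fields."""
    raw = value & 0xFFFFFFFF          # reinterpret the signed decimal as unsigned
    facility = (raw >> 16) & 0x7FF    # bits 16-26
    code = raw & 0xFFFF               # bits 0-15
    result = {
        "hex": "0x%08X" % raw,
        "failure": bool(raw >> 31),   # bit 31 is the severity bit
        "facility": facility,
        "facility_name": FACILITIES.get(facility, "unknown"),
        "code": code,
        "code_name": None,
    }
    # Only FACILITY_WIN32 wraps a plain Win32 error number in the low word.
    if facility == 7:
        result["code_name"] = WIN32_CODES.get(code, "unknown")
    return result


def find_hresults(log_text):
    """Return decoded HRESULTs from 'CertServerRequest <number>' log lines."""
    pattern = re.compile(r"CertServerRequest (-?\d+)\s*$", re.MULTILINE)
    return [decode_hresult(int(m.group(1))) for m in pattern.finditer(log_text)]


if __name__ == "__main__":
    for item in find_hresults(SAMPLE_LOG):
        print(item)
```

For the value in the question this gives `0x80070057`, a failure in `FACILITY_WIN32` wrapping Win32 error 87, which is the `E_INVALIDARG` value whose message is "One or more arguments are invalid."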