ADCS certificate enrollment error with RPC
I'm attempting to enroll a computer certificate, which works for Windows clients (W7) but not for the Apple (OS X 10.9.4) clients. I've been using the following document, with no success: http://support.apple.com/kb/HT5357. The enrollment is being attempted from a mobileconfig generated by an OS X Server. The payload is limited to only the ADCertificatePayload, to limit how much there is to troubleshoot. We are also limiting the enrollment to a single issuing CA to limit where to look for communication. I greatly appreciate any assistance you can provide.
This is the ManagedClient.log from /Library/Logs:
+||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep 3 13:44:20[562:1]:+|||||||||||||| Calling installPayload on plugin: ADCertificatePayloadPlugin ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep 3 13:44:20[562:1]:+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep 3 13:44:20[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload
Sep 3 13:44:20[562:1]:+ADCertificatePayloadPlugin scheme overrides HTML to use RPC; scheme = (null)
Sep 3 13:44:20[562:1]:+ADCertificatePayloadPlugin using RPC = YES
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.boundADInformationWithError dict =
{
computerID = AppleWorkID;
domainName = "FQDN.com";
name = domainname;
subject = "/CN=AppleWorkID.FQDN.com";
}
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.credentialsForDomain domainname = domainname; username = AppleWorkID$
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer credentials username = AppleWorkID$
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer gss_aapl_initial_cred status = 0
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer running as euid = 0
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer ca_name = IssuingCA
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer servername = IssuingCA.FQDN.com
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer cert_template = AppleWorkstation
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer csr length = 624
Sep 3 13:44:21[562:1]:+Using RPC authn_level: 6
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer partial_string_binding = ncacn_ip_tcp:IssuingCA.FQDN.com[]
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer using principal name: host/IssuingCA.FQDN.com
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer dwFlags is ff
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer Calling CertServerRequest...
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer CertServerRequest return pdwRequestId = 0
Sep 3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :
Sep 3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer server returned cert = FAILED
Sep 3 13:44:21[562:1]:+**************** AD certificate getCertificateFromServer failed
Sep 3 13:44:21[562:1]:+:::::::::::::::: ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = -319
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = fail
Sep 3 13:44:21[562:1]:+**************** Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The 'Active Directory Certificate' payload could not be installed. The certificate request failed." UserInfo=0x7fbd4157b540 {NSLocalizedDescription=The 'Active Directory Certificate' payload could not be installed. The certificate request failed.} from: InstallPayload in ADCertificatePayloadPlugin
The 'AppleWorkstation' template seems to have all the settings set correctly, but I'll go through them all.
General: Both display name and template name = "AppleWorkstation"
Compatibility -> CA: Windows Server 2008 R2
Compatibility -> Certificate recipient: Windows 7 / Server 2008 R2
Request Handling -> Purpose: Signature and Encryption
Cryptography -> Algorithm name: RSA
Cryptography -> Minimum key size: 2048
Cryptography -> Request hash: SHA256
Security: Both the Windows and Mac domain computer objects have (Read, Enroll, Autoenroll).
Subject Name -> Build from this Active Directory information: Subject name format: Common name
Subject Name: Only UPN is checked
The schema version of the template is 3 and the version of the template is 100.43.
Both computers are joined to the Active Directory 2008 R2 domain. Certificate services exist within the site on their own dedicated servers. The CAs are as follows: 1x 2012 R2 offline root and 2x issuing CAs.
iMac, OS X Mavericks (10.9.4)
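As an added example (not from the original post, and not Apple's or Microsoft's code), here is a small Python script that pulls the request parameters out of the ManagedClient.log lines quoted above and decodes the CertServerRequest return value. The log prints the HRESULT as a signed 32-bit decimal: -2147024809 is 0x80070057, facility 7 (Win32) code 87, ERROR_INVALID_PARAMETER (the same value COM reports as E_INVALIDARG). That means the CA's request interface rejected the arguments of the call itself; an authentication failure would surface as 5 (ERROR_ACCESS_DENIED) or 1326 (ERROR_LOGON_FAILURE), and a transport failure as 1722 (RPC_S_SERVER_UNAVAILABLE). The sample log text is constructed from the lines in the post, and the two error-name tables are partial lookups covering only the codes a practitioner is likely to meet here.

```python
"""Pull the CA request fields out of ManagedClient.log and decode the CertServerRequest HRESULT."""
import re

# Constructed sample: the GetCertificateFromCAServer lines quoted in the post above.
SAMPLE_LOG = """\
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer ca_name = IssuingCA
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer servername = IssuingCA.FQDN.com
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer cert_template = AppleWorkstation
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer csr length = 624
Sep 3 13:44:21[562:1]:+Using RPC authn_level: 6
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer partial_string_binding = ncacn_ip_tcp:IssuingCA.FQDN.com[]
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer using principal name: host/IssuingCA.FQDN.com
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer CertServerRequest return pdwRequestId = 0
Sep 3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :
Sep 3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
"""

# Win32 error numbers (HRESULT facility 7) commonly returned through the CA's RPC interface. Partial lookup.
WIN32_ERRORS = {
    5: "ERROR_ACCESS_DENIED",
    87: "ERROR_INVALID_PARAMETER",
    1326: "ERROR_LOGON_FAILURE",
    1722: "RPC_S_SERVER_UNAVAILABLE",
    1753: "EPT_S_NOT_REGISTERED",
}

# Certificate Services HRESULTs (0x8009xxxx, facility 9, shared with the security/SSPI errors). Partial lookup.
CERTSRV_ERRORS = {
    0x80094001: "CERTSRV_E_BAD_REQUESTSUBJECT",
    0x80094012: "CERTSRV_E_TEMPLATE_DENIED",
    0x80094800: "CERTSRV_E_UNSUPPORTED_CERT_TYPE",
}

FIELD_RE = re.compile(r"GetCertificateFromCAServer ([\w ]+?) = (.+)$")
AUTHN_RE = re.compile(r"Using RPC authn_level: (\d+)")
PRINCIPAL_RE = re.compile(r"using principal name: (\S+)")
ERROR_RE = re.compile(r"ERROR: CertServerRequest (-?\d+)\s*$")


def hresult_from_signed(value: int) -> int:
    """The plugin logs the HRESULT as a signed 32-bit integer; recover the unsigned form."""
    return value & 0xFFFFFFFF


def decode_hresult(hr: int) -> dict:
    """Split an HRESULT into severity/facility/code and name it where the lookup tables allow."""
    severity = (hr >> 31) & 1
    facility = (hr >> 16) & 0x7FF
    code = hr & 0xFFFF
    if facility == 7:  # FACILITY_WIN32: the low 16 bits are a plain Win32 error number
        name = WIN32_ERRORS.get(code, "unknown Win32 error")
    else:
        name = CERTSRV_ERRORS.get(hr, "unknown HRESULT")
    return {"hex": f"0x{hr:08X}", "failed": severity == 1,
            "facility": facility, "code": code, "name": name}


def analyze_log(text: str) -> dict:
    """Collect the request parameters and decode the CertServerRequest failure, if one is present."""
    fields = {}
    raw_error = None
    for line in text.splitlines():
        if m := FIELD_RE.search(line):
            fields[m.group(1).replace(" ", "_")] = m.group(2).strip()
        elif m := AUTHN_RE.search(line):
            fields["authn_level"] = m.group(1)
        elif m := PRINCIPAL_RE.search(line):
            fields["principal"] = m.group(1)
        elif m := ERROR_RE.search(line):
            raw_error = int(m.group(1))
    error = decode_hresult(hresult_from_signed(raw_error)) if raw_error is not None else None
    return {"fields": fields, "raw_error": raw_error, "error": error}


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    for key, value in result["fields"].items():
        print(f"{key:24} {value}")
    print("error:", result["error"])
```

To run it against a real client, pass the file contents in: `analyze_log(open("/Library/Logs/ManagedClient.log").read())`. The extracted fields are the ones worth comparing between a working Windows enrollment and the failing Mac: the template name the client sends, the CA host it binds to, the Kerberos principal it asks for (host/IssuingCA.FQDN.com) and the RPC authentication level (6 is RPC_C_AUTHN_LEVEL_PKT_PRIVACY). The decoded code tells you which layer to look at next; for 0x80070057 that is the request parameters and template settings on the CA, not the Kerberos binding, since the bind and the RPC call both succeeded far enough to return a parameter error.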