
ADCS certificate enrollment error with RPC

I'm attempting to enroll a computer certificate that works for Windows clients (W7), but not for the Apple (OS 10.9.4) clients. I've been using the following document, with no success (http://support.apple.com/kb/HT5357). The enrollment is being attempted from a mobileconfig generated from an OS X server. The payload is limited to only ADCertificatePayload to limit how much to troubleshoot. We are also limiting the enrollment to a single Issuing CA to limit where to look for communication. I greatly appreciate any assistance you can provide.

This is the ManagedClient.log from /Library/Logs:

+||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep 3 13:44:20[562:1]:+|||||||||||||| Calling installPayload on plugin: ADCertificatePayloadPlugin ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep 3 13:44:20[562:1]:+|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Sep 3 13:44:20[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload
Sep 3 13:44:20[562:1]:+ADCertificatePayloadPlugin scheme overrides HTML to use RPC; scheme = (null)
Sep 3 13:44:20[562:1]:+ADCertificatePayloadPlugin using RPC = YES
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.boundADInformationWithError dict =
{
    computerID = AppleWorkID;
    domainName = "FQDN.com";
    name = domainname;
    subject = "/CN=AppleWorkID.FQDN.com";
}
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.credentialsForDomain domainname = domainname; username = AppleWorkID$
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer credentials username = AppleWorkID$
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer gss_aapl_initial_cred status = 0
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer running as euid = 0
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer ca_name = IssuingCA
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer servername = IssuingCA.FQDN.com
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer cert_template = AppleWorkstation
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer csr length = 624
Sep 3 13:44:21[562:1]:+Using RPC authn_level: 6
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer partial_string_binding = ncacn_ip_tcp:IssuingCA.FQDN.com[]
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer using principal name: host/IssuingCA.FQDN.com
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer dwFlags is ff
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer Calling CertServerRequest...
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer CertServerRequest return pdwRequestId = 0
Sep 3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest exception name :
Sep 3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.getCertificateFromServer server returned cert = FAILED
Sep 3 13:44:21[562:1]:+**************** AD certificate getCertificateFromServer failed
Sep 3 13:44:21[562:1]:+:::::::::::::::: ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = -319
Sep 3 13:44:21[562:1]:+ADCertificatePayloadPlugin.pdp_pluginInstallPayload returning = fail
Sep 3 13:44:21[562:1]:+**************** Error: Error Domain=ConfigProfilePluginDomain Code=-319 "The 'Active Directory Certificate' payload could not be installed. The certificate request failed." UserInfo=0x7fbd4157b540 {NSLocalizedDescription=The 'Active Directory Certificate' payload could not be installed. The certificate request failed.} from: InstallPayload in ADCertificatePayloadPlugin





The 'AppleWorkstation' template seems to have all the settings set correctly, but I'll go through them all.

General: Both display name and template name = "AppleWorkstation"
Compatibility -> CA: Windows Server 2008 R2
Compatibility -> Certificate recipient: Windows 7 / Server 2008 R2
Request Handling -> Purpose: Signature and Encryption
Cryptography -> Algorithm name: RSA
Cryptography -> Minimum key size: 2048
Cryptography -> Request hash: SHA256
Security: Both the Windows and Mac domain computer objects have (read, enroll, autoenroll).
Subject Name -> Build from this Active Directory information: Subject name format: common name
Subject Name: Only UPN is checked


The schema version of the template is 3 and the version of the template is 100.43


Both computers are joined to the Active Directory 2008 R2 domain. Certificate services exist within the site on their own dedicated servers. The CAs are as follows: 1 x 2012 R2 offline root and 2 x issuing CAs.

iMac, OS X Mavericks (10.9.4)

Posted on Sep 3, 2014 1:24 PM
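An added diagnostic helper, not from the original post or from Apple: a small Python parser over the ManagedClient.log lines above (reproduced as a constructed sample) that pulls out the request parameters and decodes the signed CertServerRequest result into HRESULT fields, so -2147024809 reads as 0x80070057 (FACILITY_WIN32, ERROR_INVALID_PARAMETER). AUTHN_LEVELS, WIN32_NAMES and the regexes are the example's own names.

```python
import re

# Constructed sample: the ManagedClient.log lines from the post that carry the
# request parameters and the CertServerRequest result (other lines omitted).
SAMPLE_LOG = """\
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer ca_name = IssuingCA
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer servername = IssuingCA.FQDN.com
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer cert_template = AppleWorkstation
Sep 3 13:44:21[562:1]:+Using RPC authn_level: 6
Sep 3 13:44:21[562:1]:+GetCertificateFromCAServer CertServerRequest return pdwRequestId = 0
Sep 3 13:44:21[562:1]:+:::::::::::::::: GetCertificateFromCAServer ERROR: CertServerRequest -2147024809
"""

# RPC authentication levels (RPC_C_AUTHN_LEVEL_*) and the Win32 codes most often
# wrapped in an HRESULT returned by a CA (facility 7 == FACILITY_WIN32).
AUTHN_LEVELS = {4: "PKT", 5: "PKT_INTEGRITY", 6: "PKT_PRIVACY"}
WIN32_NAMES = {0x05: "ERROR_ACCESS_DENIED", 0x57: "ERROR_INVALID_PARAMETER"}

def decode_hresult(value):
    """Map the signed 32-bit decimal the log prints onto HRESULT fields."""
    hr = value & 0xFFFFFFFF
    facility, code = (hr >> 16) & 0x7FF, hr & 0xFFFF
    name = WIN32_NAMES.get(code) if facility == 7 else None
    return {"hex": "0x%08X" % hr, "failed": bool(hr >> 31),
            "facility": facility, "code": code, "name": name}

PARAM_RE = re.compile(r"GetCertificateFromCAServer (ca_name|servername|cert_template) = (\S+)")
AUTHN_RE = re.compile(r"Using RPC authn_level: (\d+)")
REQID_RE = re.compile(r"pdwRequestId = (\d+)")
ERROR_RE = re.compile(r"ERROR: CertServerRequest (-?\d+)\s*$")

def parse_enrollment_log(text):
    """Pull request parameters and the final RPC result out of ManagedClient.log."""
    info = {"error": None}
    for line in text.splitlines():
        if m := PARAM_RE.search(line):
            info[m.group(1)] = m.group(2)
        elif m := AUTHN_RE.search(line):
            info["authn_level"] = AUTHN_LEVELS.get(int(m.group(1)), m.group(1))
        elif m := REQID_RE.search(line):
            # Request id 0 means the CA never assigned an id, i.e. the request
            # was rejected before it was recorded in the CA database.
            info["request_recorded"] = int(m.group(1)) != 0
        elif m := ERROR_RE.search(line):
            info["error"] = decode_hresult(int(m.group(1)))
    return info

if __name__ == "__main__":
    for key, val in parse_enrollment_log(SAMPLE_LOG).items():
        print(f"{key:18} {val}")
```

Run it against a real /Library/Logs/ManagedClient.log to get the same summary for any failed ADCertificatePayload attempt; a non-zero request id means the CA side has a matching record to inspect.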


There are no replies.
