@jimderlatka I had to change my LDAP mapping to store LDAP property "UserPrincipalName" as the $ROOM variable. Then in the certificate payload, I set subject to CN=$ROOM. This puts the UPN in the certificate subject and allows my NPS/RADIUS to look-up and authenticate the user for wifi connection.
@ocla&&09 Yes, I have the same profile settings in a user-based profile in addition to the device-level profile so that a cert is put into the login and system keychains. This way, if the user has to manually select the wifi network, it doesn't have to prompt to create the identity in the login keychain (manually selecting the network will not use the existing system identity).
@jimderlatka I managed to get it working with Computer cert.
This is what I have for my Certificate Subject Name and SAN: "CN=$COMPUTERNAME.domain"
Do you include your Root and Intermediate certs in your Certificate payload? You don't have to do this on the same profile, but the certificate chain has to be valid. The other thing is whether you have selected DNS Name as the Subject Alternate Name?
What are you using as the RADIUS? Windows NPS, ClearPass etc.? Check the error log there?
For anyone having difficulties with the setup of AD CS proxy, please review this YouTube video: ADCS Install. Daniel does a great job of pointing out some common gotchas during the install.
So I've finally got mine to work 100% the way I need it to... I'm using a computer cert that is fully populated with all the details as in our user certs. This deploys properly with ADCS. We have our Windows 10 computers authenticating using a computer certificate and our Macs with a user certificate....
Any thoughts on how to troubleshoot connectivity to the PKI servers? (Ensuring that the AD CS Connector server can find the certificate templates from AD CS)
Does anyone know if this works with computer certificates and Mac's that are not bound to an AD domain?
I was able to get the AD CS Connector set up and pushed certificates to my laptops, and it works fine if they are bound to AD, but when I remove them from AD I get an error in NPS "Reason 8 - The specified user account does not exist". I have tried everything I can think of but I cannot seem to get it to work.
Yes to computer certificates and yes to not bound to AD domain.... That being said, if I configure the cert with all the details for a user type of cert it works, but when I try to authenticate to my RADIUS as a computer-named cert it does not... I have a case with Microsoft open right now that I'm going to get some movement on tomorrow with the tech....
Right now I'm authenticating with a Computer/User Certificate Identity for RADIUS and it is working perfectly.
When I try to make a computer certificate and set the Subject as CN=$USERNAME (username is my email, which is the same as my UPN) and the SAN to $COMPUTERNAME.domain.com, I get an error in NPS - Reason code 16 "Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect". If I make a computer certificate and use $COMPUTERNAME.domain.com for both the Subject and SAN, I get the error code 8 I mentioned above.

Take a look at my cert setup.... These fields match my user-based certificate...
Thanks for the assistance. I was able to get it working, but there are a few things I am not sure about.
If you are taking a Computer template and populating it with user attributes ($ROOM in your case), aren't you just making a user certificate, since the only difference between a Computer and User template is the default Key Usage (Extensions)? When you populate it with computer details ($COMPUTERNAME.domain.com) you are making a computer cert, and you will not be able to authenticate because it is not bound to a domain (as far as I can tell you have to be connected to a domain for a machine certificate to work).
From my testing it seems like OSX does not require a computer certificate for pre-logon authentication and seems to work fine with a user certificate? On Windows I think it had to be a machine certificate.
I got mine to work without a Subject Alternate Name, which seems to contradict the NPS requirements (https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-manage-cert-requirements), so I'm not really sure how it is working, but it is.
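Added example, not from any post in this thread: if you want to see exactly what NPS is matching on before guessing at Subject vs SAN, export the client cert from the Mac (DER or Base64 .cer) and run this on a Windows box. It prints the Subject, the decoded SAN (UPN and DNS entries), the Key Usage the post above mentions, and the EKUs, then gives a verdict against the basics in the NPS requirements doc linked above. The file path is a placeholder; the OIDs are the standard ones (SAN 2.5.29.17, Client Authentication EKU 1.3.6.1.5.5.7.3.2). With the CN=$ROOM mapping from earlier in the thread you would see the UPN in the Subject line; with a $COMPUTERNAME.domain.com SAN you would see a DNS Name entry.

```powershell
# Added example (not code from this thread): report the certificate fields NPS uses
# for EAP-TLS from an exported client certificate.
# Assumption: $CertPath is a placeholder for the exported .cer file.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath   # placeholder, e.g. C:\temp\mac-client.cer
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

$result = [ordered]@{
    Subject  = $cert.Subject
    Issuer   = $cert.Issuer
    NotAfter = $cert.NotAfter
}

# Subject Alternative Name (OID 2.5.29.17). NPS can match a UPN or DNS name from here
# when the Subject alone does not identify an AD object. Format($true) renders the
# OtherName / DNS entries as text; Windows shows the UPN OtherName as "Principal Name=".
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
$result.SAN    = $sanText.Trim()
$result.SanUpn = [bool]($sanText -match 'Principal Name=')
$result.SanDns = [bool]($sanText -match 'DNS Name=')

# Key Usage: the default difference between the User and Computer templates that the
# post above refers to. Shown so you can compare a working cert with a failing one.
$kuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$result.KeyUsage = if ($kuExt) { $kuExt.KeyUsages.ToString() } else { '(none)' }

# Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2) must be present for EAP-TLS.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages) } else { @() }
$result.EKU           = ($ekus | ForEach-Object { $_.FriendlyName }) -join ', '
$result.ClientAuthEKU = [bool]($ekus | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })

# Verdict against the basics from the NPS client certificate requirements: a Client
# Authentication EKU, something NPS can map (Subject, UPN or DNS SAN), and not expired.
$result.MeetsNpsBasics = (
    $result.ClientAuthEKU -and
    ((-not [string]::IsNullOrWhiteSpace($cert.Subject)) -or $result.SanUpn -or $result.SanDns) -and
    ($cert.NotAfter -gt (Get-Date))
)

[pscustomobject]$result
```

Run it as `.\Check-ClientCert.ps1 -CertPath .\exported.cer`. A computer cert that is not bound to AD will still pass MeetsNpsBasics here; the Reason 8 / Reason 16 errors earlier in the thread come from NPS failing to map the name to an AD object, which this script cannot see, but it does tell you which name NPS is being given to map.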
Hi Guys,
I've followed these steps which are pretty much identical to this youtube video, https://www.youtube.com/watch?v=oRkpkN1Z3aI. But I am still unable to get this to work. I keep getting "Unable to retrieve ADCS certificate from certificate payload" errors. I've made sure all the information is correct, double checked the ports are open but still can't get this to work. Any suggestions?
Thanks so much
The server where the ADCS connector is installed, I suppose, must be registered in public DNS, as Jamf will reach out for it through the Internet - or is it something I missed?
I have read the thread but cannot quite find the answer.
So if Macs are not bound to AD and got an AD certificate from ADCS, how will the machine authenticate if the machine does not exist in AD?
Hey KRIECCO,
From my testing, if you are using a computer certificate and it is not bound to AD you cannot use Microsoft NPS unless you take each certificate and then bind it to a user (way too much work). The solutions I have come up with are to either use a User Certificate, which will work since the users still exist in AD, or use a different RADIUS server. I tested Cisco ISE and it has options that allow you to validate the cert and not the computer object in AD, and I believe HP ClearPass has a similar option. I could not get FreeRADIUS to work with EAP-TLS so no idea there.
Hello All,
Running into issues with SSL on this configuration. My connector isn't behind a load balancer, but I get 403 errors if SSL is enabled on the ADCS Proxy. Once I disable SSL all is well with the cosmos...
Any ideas? This has my laptop looking like a frisbee right now.
Hey gforsyth,
Are they 403.16 errors?
Hello All,
I'm getting 403.7 Forbidden errors when I try to go to https://my.JAMFadcsconnector.com/adcsproxy.
If I look at the JAMF server logs I see "Certificate request ID 39 has failed. (Unable to build an ADCS Connector client.)" and then a bit further down as part of that "Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorException: Problem negotiating API version.
at com.jamfsoftware.pki.adcs.AdcsConnectorClientImpl.isClientVersionSupported(AdcsConnectorClientImpl.java:44)
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificateRequestProcessor.getAdcsConnectorClient(AdcsCertificateRequestProcessor.java:161)
... 6 more
Caused by: org.springframework.web.client.HttpClientErrorException: 403 Forbidden"
Any ideas? I'm not able to get certs to push out, when I look at the Device's Management commands I see "Unable to retrieve ADCS certificate for profile payload."
Make sure in the IIS settings you set https / SSL to “Ignore”
We had 403 errors and changing those settings to Ignore fixed it.
@ooshnoo Thanks! I changed it to ignore and unchecked the box for "Require SSL" and that fixed it. I was able to successfully push out a cert using a profile.
Does anyone know why that had to be turned off? I understand that it was what caused the error but shouldn't that work/need to be on if the install script sets that all up? Is there any disadvantage to having SSL off?
By unchecking 'Require SSL' I believe you are disabling certificate-based authentication, which means anyone and any device can now access the IIS website. The reason you uploaded those certs to the JAMF server was so it was the only server that could access the website, so I don't believe you want to do that.
In my case I was getting 403.16, which was caused by having both my Intermediate and Root Certificates in the 'Trusted Root Certification Authority' folder instead of their respective folders, Trusted Root and Trusted Intermediate. This can be found by using the following PowerShell command on the server with the ADCS connector installed.
Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List *
More information can be found here: https://support.microsoft.com/en-us/help/942061/error-message-when-you-visit-a-web-site-that-is-hosted-on-iis-7-0-http
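Added example, not from any post in this thread: a small triage script for the two 403 causes discussed above, to run on the ADCS Connector host. Part 1 reads the IIS SSL / client-certificate flags on the proxy application, so you can tell whether "Ignore" has quietly removed the client-cert requirement, and part 2 does the store audit from the KB article in both directions (intermediates sitting in Root, and self-signed roots sitting in the CA store). It assumes the WebAdministration module is present (it is, on an IIS box) and that the application lives at 'Default Web Site/adcsproxy', which is a placeholder taken from the /adcsproxy URL earlier in the thread; take the real path from IIS Manager. Nothing is changed unless you pass -Fix.

```powershell
# Added example (not code from this thread): triage IIS client-cert flags and
# certificate store placement behind 403.7 / 403.16 on the ADCS Connector host.
# Assumptions: WebAdministration module; $location is a placeholder application path.
param(
    [switch]$Fix   # without -Fix the script only reports
)

Import-Module WebAdministration

$location = 'Default Web Site/adcsproxy'          # placeholder, check IIS Manager
$filter   = 'system.webServer/security/access'

# --- Part 1: SSL flags on the proxy application -----------------------------------
# 'Ssl,SslRequireCert' means HTTPS plus a mandatory client certificate, which is what
# restricts the proxy to the Jamf server holding the uploaded client cert. Choosing
# "Ignore" in the IIS UI drops SslRequireCert, and then anything that can reach the
# URL can talk to the proxy.
$flags = [string](Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $location -Filter $filter -Name 'sslFlags')
"sslFlags on '$location': '$flags'"
$requiresClientCert = $flags -match 'SslRequireCert'
if (-not $requiresClientCert) {
    Write-Warning 'Client certificate is NOT required on the proxy application.'
}

# --- Part 2: Root and CA store placement -------------------------------------------
# Root must hold only self-signed CA certs. Anything in Root whose Issuer differs from
# its Subject is an intermediate (or a leaf) imported into the wrong store; Schannel
# then builds a bad chain for the mapped client cert and IIS answers 403.16.
# The reverse mistake, a self-signed root in the CA (intermediate) store, is listed too.
$problems = @()
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Issuer -ne $_.Subject } | ForEach-Object {
    $problems += [pscustomobject]@{
        Store = 'Root'; Issue = 'not self-signed'; Subject = $_.Subject; Thumbprint = $_.Thumbprint
    }
}
Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Issuer -eq $_.Subject } | ForEach-Object {
    $problems += [pscustomobject]@{
        Store = 'CA'; Issue = 'self-signed root in intermediate store'; Subject = $_.Subject; Thumbprint = $_.Thumbprint
    }
}

if ($problems.Count -gt 0) {
    $problems | Format-Table -AutoSize
} else {
    'Root and CA stores look correctly populated.'
}

# --- Remediation, only with -Fix ---------------------------------------------------
if ($Fix) {
    # Move intermediates out of Root into CA (Trusted Intermediate). The Certificate
    # provider supports Move-Item between stores. Self-signed roots found in CA are
    # reported only; decide by hand whether they belong in Root or should be removed.
    Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Issuer -ne $_.Subject } |
        Move-Item -Destination Cert:\LocalMachine\CA

    # Put the client-certificate requirement back once the chain is clean; doing this
    # while the stores are still wrong just brings the 403 back.
    if (-not $requiresClientCert) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
            -Filter $filter -Name 'sslFlags' -Value 'Ssl,SslRequireCert'
        "sslFlags on '$location' set to 'Ssl,SslRequireCert'"
    }
}
```

Run it once without -Fix in an elevated PowerShell and read the table; run it with -Fix only after you agree with what it lists, then re-test the profile push from Jamf. Fixing the store placement and then restoring SslRequireCert is the order that keeps the proxy restricted to the Jamf server, rather than leaving it at "Ignore" as a workaround.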
@KMerendaTFMC Did you ever get this problem resolved? I'm seeing the exact same error message.
"[WARN ] [ina-exec-43] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob"
In the management commands view of the device, I see "Unable to retrieve ADCS certificate for profile payload."
It's driving me bonkers :(
@KMerendaTFMC I am also receiving this error ("[WARN ] [ina-exec-43] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob") and the "Unable to retrieve....." one.
I am not receiving any Network or Communication errors.
We are a cloud-based install using a public DNS name for our ADCS server, which sits behind an F5 in the DMZ. I have done so much reading and researching. Most articles point back to Daniel's YouTube video or a combination of a few people's write-ups.
Any advice from yourself or anyone would be great.
Cheers
a
Good day all!
We seem to have this working as we want, except we're getting a prompt for admin credentials to trust the root and intermediate certs. Once trusted, everything works as intended. Is anyone else running into this? Know what we might be missing?
We are delivering both the root and intermediate certs via config profile.
As always, any and all help is appreciated.