Question

Jamf AD CS Connector

Forum|Forum|3 years ago
May 24, 2022
3 replies
65 views

+4

braillle
Contributor

I've installed the connector according to Jamf documentation on a server running Windows server 2016 and different one running 2022. I have found multiple posts on the Jamf forum regarding setting up a service account as the identity on the ADCSproxy. I created a service account, switched the identity, I added the same service account to the IISUSR group on the machine, and to the local admins. Port 443 is open on the device, port 443 is open on our network.

When I try to test the site from within the IIS Manager, I get an error: ERROR_CONNECTION_RESET. Certificate invalid, site not secure.

Any ideas?

+24

mm2270
Legendary Contributor
Forum|Forum|3 years ago
May 24, 2022

I can't say for sure if this is your issue, but I can tell you from some (painful) first hand experience, that ADCS Connector, or more specifically, IIS, is VERY particular about the certificates that are in the Root Certification Authority directory in the cert store. Any certs in there have to be self signed, meaning the Issued to and Issued by values must match. If you think about it, that Root Cert store contains the certs that act as authority for other intermediate certificates, so it makes sense that they must have self trust and not be dependent on another issuer.

So I guess what I'm saying is, your error is indicating a certificate trust issue. I would take a look at the certs in that Root Certification Authority and see if any of them are not self signed.

There's a Powershell command you can run as well that will help you determine if any certs in that location are at fault. I'll dig it up and post it here. It's been posted on some other threads here as well if you search around on ADCS.

Edit: In case you wanted to test out the cert issue, here is the PS command you can run

Get-Childitem cert:\\LocalMachine\\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\\computer_filtered.txt"

The output file should be blank. If anything appears in it, it means it's a non Self-Signed cert and should be dealt with.

Like

B

+4

braillle
Author
Contributor
Forum|Forum|3 years ago
May 24, 2022

I can't say for sure if this is your issue, but I can tell you from some (painful) first hand experience, that ADCS Connector, or more specifically, IIS, is VERY particular about the certificates that are in the Root Certification Authority directory in the cert store. Any certs in there have to be self signed, meaning the Issued to and Issued by values must match. If you think about it, that Root Cert store contains the certs that act as authority for other intermediate certificates, so it makes sense that they must have self trust and not be dependent on another issuer.

So I guess what I'm saying is, your error is indicating a certificate trust issue. I would take a look at the certs in that Root Certification Authority and see if any of them are not self signed.

There's a Powershell command you can run as well that will help you determine if any certs in that location are at fault. I'll dig it up and post it here. It's been posted on some other threads here as well if you search around on ADCS.

Edit: In case you wanted to test out the cert issue, here is the PS command you can run

Get-Childitem cert:\\LocalMachine\\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\\computer_filtered.txt"

The output file should be blank. If anything appears in it, it means it's a non Self-Signed cert and should be dealt with.

Thanks for the reply! output file was blank. I have Jamf support looking at it too. I'm completely lost. I've added a service account, given permissions to the site, the network and security opened every port up for a short time, and nothing. It's like the ADCSproxy site doesn't exist.