Microsoft SCEP Challenge Request

I'm working on this with Entrust as well. I'll be happy to share what I figure out, but on our end, they hadn't implemented the handling of GetCACaps (!!) before we engaged them.

Any help would be greatly appreciated.

We had trouble with our configuration as well. Our admin that setup the SCEP server ended up turning off the authentication of the SCEP pages and allowing authenticated users or anonymous.

Essentially if you go to http(s)://server/CertSrv/mscep_admin/ you should get the NDES page with the thumbprint for the CA certificate without being prompted for information. This is not ideal in our environment, but it was the only way we could get it to work.

Note: if you get a error on installing the configuration profiles with SCEP that has an error similar to "NSStatusError -67693", you will need to restart IIS on the SCEP/NDES server. Restarting the app pool will not be sufficient.

That is one option that I have thought about if it comes down to it but as you said its not the ideal setup. Should there be an entry for the admin page in the .mobileconfig file? I would think that if you enter that in the JAMF profile that when it writes the file it would have that in there.

There is a Microsoft patch to apply to your server that is specific to the GETCACAPs issue.
http://support.microsoft.com/kb/2483564

Also there is a script that you can run to increase the size of the request filter buffer. By default it is 1024. %systemroot%system32inetsrvappcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"8192" /commit:apphost

The GETCACAP's isn't an issue for me, I can see the Mac device calls out for the GETCACAP just fine with a valid response. The only issue I have right now is the challenge request to the admin page, if I could figure out why the Mac device isn't making that call for the challenge password then this would finally work.

What was your outcome eploughe? I'm running into the same issue (challenge request rejected) and setting anonymous access won't be an option in my environment. I have had success when manually applying the thumbprint and password, but like you said I can't deploy that way because of the password timeout.

Any suggestions would be greatly appreciated, thanks!

I think the reason you are not seeing the mscep_admin setting is because it is actually the JSS that requests the challenge password from the SCEP server and then populates it in the .mobileconfig that it sends to the client, so if you manually download the .mobileconfig it will just have the variable place holder rather than the value, e.g.:

<key>Challenge</key><string>$MSSCEPCHALLENGE</string>

I think you need to either have APNs setup so that Casper can deploy the profile dynamically OR find some way of populating the variable yourself (i'm guessing the mscep_admin page has some sort of api for Casper to be able to use it).

Wondering if anyone came up additional tips on this one? I can request SCEP certificates with a static challenge fine but once set to 'Dynamic-Microsoft CA' it fails with errors like the following:

mdmclient[55034]: ProcessRequestCertSignatureResponse: Cert signature request failed with -909
mdmclient[55034]: Error: Error Domain=NSOSStatusErrorDomain Code=-909 "badReqErr: bad parameter or invalid state for operation"

@mapurcel contact JAMF support. In certain configurations, they provide a different JAR file for the MS SCEP request stuff. They provided that to me to replace in the webroot of the Tomcat server lib folder, and it solved the 909 errors.

@guidotti thanks for the tip, I brought it to the attention of our rep but the alternative JAR file is for environments running on Windows with Java 7, whereas we are on Linux with Java 6 so the search for a solution continues..

@mapurcel this stopped working in our environment as well.
Did they come up with a solution for you?

Ours is a 909 error because it is sending the credentials of the Windows server instead of our non-person ID to try to log into the admin console.

broke for us recently due to expired NDES certs on the server resulting in 909 on the client.

@guidotti they have not come up with a solution yet but I've also been on an extended vacation so haven't had the chance to pursue this. Will let you know if we get resolution.

Were you able to find a solution to this?

@mapurcel Did you ever get the SCEP Certificate to authenticate with Dynamic-Microsoft CA Challenge Type?

I'm running into the exact same error, -909, when I try Dynamic-Microsoft CA Challenge Type. But it works fine with a static challenge type.

@tim.arnold unfortunately I did not ever get it to work, so stuck using static for now.

@guidotti when you said:

@mapurcel contact JAMF support. In certain configurations, they provide a different JAR file for the MS SCEP request stuff. They provided that to me to replace in the webroot of the Tomcat server lib folder, and it solved the 909 errors.

What exactly did JAMF provide to you? I have contacted them and they do not have any information regarding a special JAR file for the MS SCEP request stuff.

That's interesting, because it took the better part of a year to get ours working.
There is definitely a different JAR file to use for non-java 6, as of the last version of the JSS.
We use Java 8.
It slightly changes the behavior of the scraper.

@guidotti Are you able to provide the ticket used to discuss this with JAMF so we can reference it with our TAM as well?

Here is what was at the top of all of our emails:
[ ref:_00D80cOw4._500C0mPo5q:ref ]

I don't have any other designation.
Nick Anderson was the employee who spearheaded the case.

I hope that helps.