Unable to Decrypt Profile? ADCS Connector

New Contributor

Building a Jamf Cloud instance. Jamf 11.1.3

Test machines is Sonoma 14.2. The machine seems to set up fine but doesn't get a machine certificate from my ADCS connector. The WiFi payload which would normally deliver it - gives 'unable to decrypt profile'

(disregard the AD bind error. FWIW that's temporary because I'll be using Connect)

The machine seems to set up fine but doesn't get a machine certificate from my ADCS connector. The WiFi payload which would normally deliver it - gives 'unable to decrypt profile'.


Honored Contributor III

Assuming your device is domain bound, which is required for issuing ADCS certs to Macs. Is the machine certificate being deployed by a Certificate Configuration profile and in you keychain?

New Contributor III

Just a point of clarification: you mean the ADCS server itself needs to be bound--not the Jamf-managed Mac endpoints, correct? Because isn't that the whole point of ADCS--to be able to deliver certs to unbound, but managed, devices?

New Contributor III

@miyonfaga - happy to help on this one, I've recently also had issues with ADCS Connector not working, and that was an error I got during the troubleshooting.

I do now have this working, so if this is still an issue for you, happy to help further.


Worth looking at the inetpub logs on the ADCS connector server - do you have an response code?

Logs are at C:\inetpub\logs\LogFiles\W3SVC2


This article was quite useful, but only got me so far:


New Contributor

@statusBrew I'm getting 403 in the IIS logs at that path - any ideas? Everything is setup per that blog.. 

403 is a slightly different error that I was getting.

I got 401, meaning unauthorised, but 403 means forbidden, suggesting there might be a connection issue between JamfCloud and your ADCS connector.




The link above might be helpful, as it does specifically mention 403 errors and how to further diagnose what it is.


QQ - is your ADCS connector sat behind a LB of some kind?

It could be that if it is, the LB is intercepting the conneciton and breaking the MTLS auth - the traffic needs to be allowed through without any inspection or altering of the connection in anyway, else the MTLS breaks. (As per my understanding, I'm not a network engineer so very basic understanding!)

Weird.. ok, i'll check that - No, its just a single server, no LB involved at all.

Contributor II

Following this thread as I had a functioning ADCS that has now started to show an Unable to Decrypt Profile error when deploying profiles with 403s in the log.

We think that Jamf Cloud cannot talk to the ADCS connector any more is there a good way to confirm this?

Do you see 403 errors in the logs on your ADCS server?
If you do, then it could suggest that Jamf Cloud can connect to the ADCS Connector server, else how would it know to attempt to retrieve a cert, and then get an error back?


My previous link above is a good troubleshooting page from TTG talking about various errors, including 403 errors. Did you have a go at any of those steps? Where did you get a failure/get stuck?

New Contributor II

We are also having problems. We have asked our network team to setup a NAT rule in the firewall to allow the Jamf Pro IP addresses to be allowed on our ADCS server but still getting 'Unable to decrypt' error after they made the change.

C:\inetpub\logs\LogFiles\W3SVC2 gives the following:

2024-03-20 18:44:10 ::1 GET / - 443 - ::1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://localhost/ 403 14 0 2574

Is the NAT rule set to inspect the traffic, or pass through with no interception?

New Contributor III

Following this thread as well, we just started seeing this error too. 

New Contributor

Also seeing this error as of April 26