Posted on 02-01-2024 09:36 PM
Building a Jamf Cloud instance. Jamf 11.1.3
Test machines is Sonoma 14.2. The machine seems to set up fine but doesn't get a machine certificate from my ADCS connector. The WiFi payload which would normally deliver it - gives 'unable to decrypt profile'
(disregard the AD bind error. FWIW that's temporary because I'll be using Connect)
The machine seems to set up fine but doesn't get a machine certificate from my ADCS connector. The WiFi payload which would normally deliver it - gives 'unable to decrypt profile'.
Posted on 02-02-2024 06:09 AM
Assuming your device is domain bound, which is required for issuing ADCS certs to Macs. Is the machine certificate being deployed by a Certificate Configuration profile and in you keychain?
Posted on 07-12-2024 01:34 PM
Just a point of clarification: you mean the ADCS server itself needs to be bound--not the Jamf-managed Mac endpoints, correct? Because isn't that the whole point of ADCS--to be able to deliver certs to unbound, but managed, devices?
Posted on 09-30-2024 04:53 AM
Correct. Most environments that would use an ADCS Server would be binding the Windows server the ADCS Connector is running on.
The ADCS connector builds itself with a PowerShell script, one of the functions of that script makes a local admin account to do the things on the host server. Considering this is within a domain environment, there are likely controls to prevent this kind of behavior as it is very insecure. Jamf should really have a popup where you enter service account credentials, and it builds the connector around that account. The admin account is for things like accessing the certificate templates and the keystore as well as some directories on the device, and if the account does not have the correct permissions, you will receive all kinds of issues like you are seeing right now.
Posted on 02-19-2024 02:48 AM
@miyonfaga - happy to help on this one, I've recently also had issues with ADCS Connector not working, and that was an error I got during the troubleshooting.
I do now have this working, so if this is still an issue for you, happy to help further.
Worth looking at the inetpub logs on the ADCS connector server - do you have an response code?
Logs are at C:\inetpub\logs\LogFiles\W3SVC2
This article was quite useful, but only got me so far:
Posted on 02-22-2024 11:15 AM
@statusBrew I'm getting 403 in the IIS logs at that path - any ideas? Everything is setup per that blog..
Posted on 02-23-2024 02:48 AM
403 is a slightly different error that I was getting.
I got 401, meaning unauthorised, but 403 means forbidden, suggesting there might be a connection issue between JamfCloud and your ADCS connector.
The link above might be helpful, as it does specifically mention 403 errors and how to further diagnose what it is.
QQ - is your ADCS connector sat behind a LB of some kind?
It could be that if it is, the LB is intercepting the conneciton and breaking the MTLS auth - the traffic needs to be allowed through without any inspection or altering of the connection in anyway, else the MTLS breaks. (As per my understanding, I'm not a network engineer so very basic understanding!)
Posted on 02-26-2024 06:58 AM
Weird.. ok, i'll check that - No, its just a single server, no LB involved at all.
Posted on 03-14-2024 02:50 AM
Following this thread as I had a functioning ADCS that has now started to show an Unable to Decrypt Profile error when deploying profiles with 403s in the log.
We think that Jamf Cloud cannot talk to the ADCS connector any more is there a good way to confirm this?
Posted on 03-19-2024 02:18 AM
Do you see 403 errors in the logs on your ADCS server?
If you do, then it could suggest that Jamf Cloud can connect to the ADCS Connector server, else how would it know to attempt to retrieve a cert, and then get an error back?
My previous link above is a good troubleshooting page from TTG talking about various errors, including 403 errors. Did you have a go at any of those steps? Where did you get a failure/get stuck?
Posted on 03-20-2024 11:56 AM
We are also having problems. We have asked our network team to setup a NAT rule in the firewall to allow the Jamf Pro IP addresses to be allowed on our ADCS server but still getting 'Unable to decrypt' error after they made the change.
C:\inetpub\logs\LogFiles\W3SVC2 gives the following:
2024-03-20 18:44:10 ::1 GET / - 443 - ::1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://localhost/ 403 14 0 2574
Posted on 04-03-2024 02:00 AM
Is the NAT rule set to inspect the traffic, or pass through with no interception?
Posted on 05-01-2024 12:35 PM
Following this thread as well, we just started seeing this error too.
Posted on 05-02-2024 05:47 AM
Also seeing this error as of April 26
Posted on 08-23-2024 01:17 PM
Seeing something similar, did things get better for some of you?
Posted on 09-28-2024 09:39 AM
If you are using Jamf Pro 11.9 and ADCS Connector, please read at https://learn.jamf.com/en-US/bundle/jamf-pro-release-notes-11.9.0/page/Important_Notices.html
" Integrations with Active Directory Certificate Services (AD CS) now require Jamf AD CS Connector 1.1.0.
Jamf AD CS Connector 1.1.0 requires .NET Framework 4.8 or later. "
Then take a look at https://www.rocketman.tech/post/update-your-jamf-ad-cs-connector and https://learn.jamf.com/en-US/bundle/technical-paper-integrating-ad-cs-current/page/Upgrading_the_Jam... on how to update.
3 weeks ago
We had the rather niche 403 16 error due to some certs being erroneously placed in the root trust store. What's weird is that while at present I can request certs whilst on prem, or VPNed in, requests fail when hitting our layer 4 proxy, but curiously openssl when run against this proxy seems to receive a cert, but errors with line indicating some sort of layer 3 error.