- Jamf Nation Community
- Products
- Jamf Pro
- ACDS error - unable to decrypt profile
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
ACDS error - unable to decrypt profile
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monday
We've been using an ACDS for several years to push certs to our devices now but in the last couple of weeks we're getting an error: "unable to decrypt profile".
I can see the the ADCS server is receiving the request from Jamf Pro, the CA is creating the cert and we're getting a 200 response back on IIS when I look at the ADCS server but the ceritificate isn't added under the devices -> certificates and it fails to push out saying failed to decrypt profile.
The Jamf server logs show the below:
2024-09-23 19:33:01,274 [ERROR] [Pki-Pool-31] [ertificatePayloadInjector] - Failed to get pending PKI payload certificate
com.jamfsoftware.jss.core.service.certapi.CertificateRequestServiceException: Request has failed with status INTERNAL_ERROR. Initiate another request in the future.
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.retrieveCertificate(AdcsCertificatePayloadInjector.java:151) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.getPendingCertificateFor(AdcsCertificatePayloadInjector.java:97) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.getCertificateFor(AdcsCertificatePayloadInjector.java:75) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.getPkiPayloadCertificate(PKICertificateInjectorService.java:279) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.issueAndBindCertificate(PKICertificateInjectorService.java:253) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.lambda$issueCertificate$6(PKICertificateInjectorService.java:223) ~[classes/:?]
at org.springframework.security.concurrent.DelegatingSecurityContextRunnable(DelegatingSecurityContextRunnable.java:94) ~[spring-security-core-6.3.0.jar:6.3.0]
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-6.1.9.jar:6.1.9]
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572) ~[?:?]
at java.base/java.util.concurrent.FutureTask(FutureTask.java:317) ~[?:?]
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask(ScheduledThreadPoolExecutor.java:304) ~[?:?]
at java.base/java.util.concurrent.ThreadPoolExecutorWorker(ThreadPoolExecutor.java:1144) ~[?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker(ThreadPoolExecutor.java:642) ~[?:?]
at java.base/java.lang.Thread(Thread.java:1583) [?:?]
Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorCertificateNotIssuedException: INTERNAL_ERROR: System.NullReferenceException - Object reference not set to an instance of an object.
at com.jamfsoftware.pki.adcs.AdcsConnectorClientImpl.retrieveCertificate(AdcsConnectorClientImpl.java:146) ~[adcs-connector-client-11.9.1-t1726060704.jar:?]
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.retrieveCertificate(AdcsCertificatePayloadInjector.java:146) ~[classes/:?]
... 13 more
2024-09-23 19:33:01,274 [ERROR] [Pki-Pool-31] [ertificateInjectorService] - Certificate issuer returned no certificate for command 7a90ba97-7968-4c4a-b7bc-efa557680997 and payload A69C6131-40C2-4804-B46B-5E1CA15F169E
Has anyone seen this before?
Thanks.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monday
It’s been a long while since I used the ADCS connector, but I’m wanting to say this error for me environment involved the local account that was created when the ADCS connector is installed not having the correct permissions. Ideally this account is replaced with a SVC account, but for whatever reason Jamf uses a local account. Take this info with a grain of salt.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tuesday
If you're on Jamf Pro 11.9 or later, I'd recommend checking the version of the AD CS Connector installed as v1.0 is no longer supported and you'll have to upgrade to v1.1
Ref: https://learn.jamf.com/en-US/bundle/jamf-pro-release-notes-current/page/Important_Notices.html
Integrations with Active Directory Certificate Services (AD CS) now require Jamf AD CS Connector 1.1.0.
Note:
Jamf AD CS Connector 1.1.0 requires .NET Framework 4.8 or later.
To determine which version of Jamf AD CS Connector you have installed, run the following command in PowerShell:
Select-String -Path "C:\inetpub\wwwroot\adcsproxy\api-swagger.json" -Pattern "Revoke"If you have version 1.1.0 installed, the JSON file will return results related to "Revoke". If you have version 1.0.0 installed, the JSON file will not return any results related to "Revoke".
For upgrading instructions, see Upgrading the Jamf AD CS Connector in the Integrating with Active Directory Certificate Services (AD CS) Using Jamf Pro technical paper.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wednesday
Hello - it was indeed this, thank you.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wednesday
We had this recently, double check the Certificate Authority settings in PKI certificates, we had set the CA Name incorrectly.
