ACDS error - unable to decrypt profile

macd909
New Contributor

We've been using an ACDS for several years to push certs to our devices now but in the last couple of weeks we're getting an error: "unable to decrypt profile".

I can see the the ADCS server is receiving the request from Jamf Pro, the CA is creating the cert and we're getting a 200 response back on IIS when I look at the ADCS server but the ceritificate isn't added under the devices -> certificates and it fails to push out saying failed to decrypt profile.

The Jamf server logs show the below:

2024-09-23 19:33:01,274 [ERROR] [Pki-Pool-31] [ertificatePayloadInjector] - Failed to get pending PKI payload certificate
com.jamfsoftware.jss.core.service.certapi.CertificateRequestServiceException: Request has failed with status INTERNAL_ERROR. Initiate another request in the future.
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.retrieveCertificate(AdcsCertificatePayloadInjector.java:151) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.getPendingCertificateFor(AdcsCertificatePayloadInjector.java:97) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.getCertificateFor(AdcsCertificatePayloadInjector.java:75) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.getPkiPayloadCertificate(PKICertificateInjectorService.java:279) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.issueAndBindCertificate(PKICertificateInjectorService.java:253) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.lambda$issueCertificate$6(PKICertificateInjectorService.java:223) ~[classes/:?]
at org.springframework.security.concurrent.DelegatingSecurityContextRunnable(DelegatingSecurityContextRunnable.java:94) ~[spring-security-core-6.3.0.jar:6.3.0]
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-6.1.9.jar:6.1.9]
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:572) ~[?:?]
at java.base/java.util.concurrent.FutureTask(FutureTask.java:317) ~[?:?]
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask(ScheduledThreadPoolExecutor.java:304) ~[?:?]
at java.base/java.util.concurrent.ThreadPoolExecutorWorker(ThreadPoolExecutor.java:1144) ~[?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker(ThreadPoolExecutor.java:642) ~[?:?]
at java.base/java.lang.Thread(Thread.java:1583) [?:?]
Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorCertificateNotIssuedException: INTERNAL_ERROR: System.NullReferenceException - Object reference not set to an instance of an object.
at com.jamfsoftware.pki.adcs.AdcsConnectorClientImpl.retrieveCertificate(AdcsConnectorClientImpl.java:146) ~[adcs-connector-client-11.9.1-t1726060704.jar:?]
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.retrieveCertificate(AdcsCertificatePayloadInjector.java:146) ~[classes/:?]
... 13 more
2024-09-23 19:33:01,274 [ERROR] [Pki-Pool-31] [ertificateInjectorService] - Certificate issuer returned no certificate for command 7a90ba97-7968-4c4a-b7bc-efa557680997 and payload A69C6131-40C2-4804-B46B-5E1CA15F169E

 

Has anyone seen this before?

 

Thanks.

 

5 REPLIES 5

AJPinto
Honored Contributor III

It’s been a long while since I used the ADCS connector, but I’m wanting to say this error for me environment involved the local account that was created when the ADCS connector is installed not having the correct permissions. Ideally this account is replaced with a SVC account, but for whatever reason Jamf uses a local account. Take this info with a grain of salt.

matteo_bolognin
New Contributor III
New Contributor III

If you're on Jamf Pro 11.9 or later, I'd recommend checking the version of the AD CS Connector installed as v1.0 is no longer supported and you'll have to upgrade to v1.1
Ref: https://learn.jamf.com/en-US/bundle/jamf-pro-release-notes-current/page/Important_Notices.html

Integrations with Active Directory Certificate Services (AD CS) now require Jamf AD CS Connector 1.1.0.

Note:

Jamf AD CS Connector 1.1.0 requires .NET Framework 4.8 or later.

To determine which version of Jamf AD CS Connector you have installed, run the following command in PowerShell:
Select-String -Path "C:\inetpub\wwwroot\adcsproxy\api-swagger.json" -Pattern "Revoke"

If you have version 1.1.0 installed, the JSON file will return results related to "Revoke". If you have version 1.0.0 installed, the JSON file will not return any results related to "Revoke".

For upgrading instructions, see Upgrading the Jamf AD CS Connector in the Integrating with Active Directory Certificate Services (AD CS) Using Jamf Pro technical paper.

Hello - it was indeed this, thank you.

angryant
New Contributor III

We had this recently, double check the Certificate Authority settings in PKI certificates, we had set the CA Name incorrectly.

misveri
New Contributor II

If you are using Jamf Pro 11.9 and ADCS Connector, please read at https://learn.jamf.com/en-US/bundle/jamf-pro-release-notes-11.9.0/page/Important_Notices.html

 

" Integrations with Active Directory Certificate Services (AD CS) now require Jamf AD CS Connector 1.1.0.
Jamf AD CS Connector 1.1.0 requires .NET Framework 4.8 or later. "

Then take a look at https://www.rocketman.tech/post/update-your-jamf-ad-cs-connector and https://learn.jamf.com/en-US/bundle/technical-paper-integrating-ad-cs-current/page/Upgrading_the_Jam... on how to update.