AD Certificate Configuration Profile: Request Failed

bentoms
Release Candidate Programs Tester

Hi All,

On 10.7.x I've managed to knock up a profile that meant the clients would request a Machine certificate from our AD Certificate Authority. As per: http://support.apple.com/kb/HT4784

This now links to a new document for 10.8, http://support.apple.com/kb/HT5357.

This new profile is also available in 8.6. I've tried filling out the profile, but it errors with the message:

The 'Active Directory Certificate' payload could not be installed. The certificate request failed.

If I manually download the profile from the JSS and then run it, I'm prompted for a username and password; none seemingly work. Also, the Apple document for 10.8 states:

Prompt for credentials: Disregard this option for computer certificates.

However, I do not see the option to disregard the prompts. Has anyone got this working, or is it a bug?


jhbush
Valued Contributor II

Ben, we're working on the same thing here. Would you mind sharing what you've got and I'll see what we can figure out here to help us both out? The big thing my PKI administrator grumbled about is that what comes down was exportable.

bentoms
Release Candidate Programs Tester

Hi Jason,

Sent you 2 emails.

One with payloads, the other from the MacEnterprise list where someone is having a similar issue.

bentoms
Release Candidate Programs Tester

I'm seeing the below on the CA itself. I wonder if a possible MS hotfix has caused this issue, as it's affecting more than just us, and I tested my config on a known good setup and it failed too.

"The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: Machine."

lisacherie
Contributor II

Any luck getting this to work?
I think I am seeing the same error on AD computer cert request, when testing mountain lion.

lisacherie
Contributor II

Have a ticket in with Jamf support on this one, any one else seeing this issue, or had luck getting AD certs applied via profiles with mountain lion?

Seeing profiles created by hand successfully requesting AD computer certs, however the one generated by the JSS fails with an error -319.

Interesting that the profile created by the JSS prompts for user credentials even though set to false...

nkalister
Valued Contributor

I haven't been able to get Apple's request procedure to work in my environment at all; it seems to be some sort of IIS Kerberos authentication problem.
I now do the cert request and download with curl and then insert the certificate using PlistBuddy into a profile template created on a 10.8 server. THAT works, but it was a decent amount of work to set up.

colonelpanic
Contributor

Has anyone made any progress with this using 8.6.2? I am getting the same issue with the profile failing with error -319.

lisacherie
Contributor II

@colonelpanic are you at JNUC? I was able to get this working eventually. Happy to discuss.

colonelpanic
Contributor

Yes I am! Whenever you have time that would be great!

bentoms
Release Candidate Programs Tester

Hi All,

The resolution for me was on the CA.

Someone removed the Domain Computers group from the ACL.

Effectively blocking requests for computer certs.

Once fixed, certs started installing.

Kumarasinghe
Valued Contributor

Hi Lisa, How did you get it working?

Kumarasinghe
Valued Contributor

Got it sorted.

  1. Certificate Template name in the AD Certificate payload should not have spaces.
  2. You may also want to make sure that you have an Kerberos ticket for the Machine:
    klist -l
  3. If not, make one:
    sudo kinit -k computername$
  4. (THIS IS A MUST) The missing step was to create a Machine Template with the subject alternative name setting set to “User Principal Name (UPN)” for the "AD Certificate" payload.

Read this for more info:
http://tinyurl.com/bljyoha
Because Profile Manager does not allow the entering of a username at all when selecting TLS as the EAP type, let alone something like %AD_ComputerID%, we chose Apple’s second recommendation and made a new certificate template within Active Directory. We duplicated the already existing “Machine” template and titled the duplicate “Mac_Computer”. See this screenshot of the modified settings for the “Mac_Computer” certificate template. Notice that the subject alternative name setting is set to “User Principal Name (UPN)” to match the requirement outlined by Microsoft.
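The pre-flight checks from steps 1 to 3 above, as an added shell example that is not from this thread or from Jamf: it confirms the template name carries no spaces and that the Mac already holds a Kerberos ticket for its own computer account before the AD Certificate payload is pushed. The `dsconfigad -show` parsing assumes the Mac is bound to AD; the klist output in the test is constructed.

```sh
#!/bin/sh
# Added example: verify the preconditions for the AD Certificate payload.

# Return 0 if the klist output in $1 lists a ticket for the computer account
# named in $2 (sAMAccountName without the trailing '$'), else 1.
# The principal is matched case-insensitively because AD usually stores
# the machine account in upper case (MAC01$) while the Mac reports mac01.
machine_ticket_present() {
  klist_output=$1
  computername=$2
  printf '%s\n' "$klist_output" | grep -iq "^[[:space:]]*${computername}[\$]@"
}

# Return 0 if the certificate template name is usable in the payload:
# non-empty and free of spaces (step 1 above).
template_name_ok() {
  case $1 in
    ""|*" "*) return 1 ;;
    *)        return 0 ;;
  esac
}

# Live check: read the bound computer account from dsconfigad and obtain
# a machine ticket with the keytab if klist does not already show one
# (steps 2 and 3 above). Needs root for kinit -k and an AD-bound Mac.
ensure_machine_ticket() {
  account=$(dsconfigad -show | awk -F'= ' '/Computer Account/ {print $2}')
  computername=${account%\$}          # strip the trailing '$'
  [ -n "$computername" ] || { echo "Mac is not bound to AD" >&2; return 1; }
  if machine_ticket_present "$(klist -l 2>/dev/null)" "$computername"; then
    echo "machine ticket present for ${computername}\$"
  else
    echo "no machine ticket, running kinit -k ${computername}\$"
    kinit -k "${computername}\$"
  fi
}

# Usage (run as root on the client):
#   template_name_ok "Mac_Computer" && ensure_machine_ticket
```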

donmontalvo
Esteemed Contributor III

@Kumarasinghe wrote:

  2. You may also want to make sure that you have an Kerberos ticket for the Machine:
    klist -l
  3. If not make one:
    sudo kinit -k computername$

You might consider properly attributing stuff you copy/paste from other members' posts. In this case you plagiarised @cfountain's post, including his typo... ;)


Thanks for the link to the MacEnterprise page. This is something we're going to take a look at. It seems like there were attempts to get this to work in the past; hoping for success this time around, since we need this capability.

Don

--
https://donmontalvo.com