AD Certificate Profiles not applying correctly on first login

Valued Contributor

I'm seeing a problem with AD User Certificate Profiles not being applied correctly when logging in with an AD account for the first time.
The profile gets installed, but shows a few errors and the user doesn't actually receive his cert.
On subsequent logins, the system will think the profile is installed already and won't try to get a cert again.
To fix this, the profile has to be removed; on the next login the cert will be pushed down normally once the mobile account exists.
Anyone else seeing this?


New Contributor II

I would fire up a Wireshark capture to know whether the profile really talks to your certificate server... and understand where the process is stuck.

See error 25306 in the Apple code:

/* Keychain Manager error codes */ errKCNoSuchClass = -25306

While this error is still cryptic, I hope this will help you to focus on a specific topic (here the keychain). Maybe there is simply a kind of keychain problem, and nothing related to the AD profile.

As you also said "... for the first time.": maybe that is because the OS X profile tries to get the cert and copy it to the user's keychain, which doesn't exist yet because it is still being created at first logon? (pure speculation...)
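If the speculation above is right (the cert is requested before the login keychain exists), a login-time check can confirm it before the profile is re-pushed. The script below is an added example, not from this thread or any MDM vendor; it assumes the login keychain lives at ~/Library/Keychains/login.keychain-db (or the older login.keychain), and the re-push step is left as a comment because the thread does not name the MDM command.

```shell
#!/bin/sh
# Assumed paths (not from the thread): the macOS login keychain is
# ~/Library/Keychains/login.keychain-db on newer releases, login.keychain on older ones.

# login_keychain_path HOME_DIR
# Prints the path of the user's login keychain if one exists; returns 1 if none is found.
login_keychain_path() {
    home="$1"
    for f in "$home/Library/Keychains/login.keychain-db" \
             "$home/Library/Keychains/login.keychain"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# wait_for_login_keychain HOME_DIR TIMEOUT_SECONDS
# Polls once per second until the keychain exists (mobile account fully created).
# Returns 0 as soon as it is present, 1 if the timeout expires first.
wait_for_login_keychain() {
    home="$1"
    timeout="$2"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if login_keychain_path "$home" >/dev/null; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Intended use from a per-user LaunchAgent at first login (assumed deployment):
#   if wait_for_login_keychain "$HOME" 120; then
#       : # keychain is ready: re-push / re-install the AD certificate profile from your MDM here
#   else
#       logger -t ad-cert-check "login keychain never appeared for $USER; cert request would fail"
#   fi
```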