AD CS integration with Jamf Pro

khey
Contributor

Hi all,

Can I please confirm that by integrating my AD CA with Jamf Pro, I can push an AD cert to computers via a config profile even though the computer doesn't have a connection to the domain?

We are about to deploy an 802.1X Wi-Fi profile that uses an AD cert for EAP-TLS, and we have a concern about computers that are not on the network receiving the AD machine cert.

Thanks

Update
Just to sum it up for other people's reference.

On your Certificate Authority
1. Right click Certificate Template - Manage Template
2. Select Workstation Authentication and Right Click - Duplicate Template
3. Type in the Template Display Name and Template Name
4. Click Security tab - Add Proxy Server computer and set Read, Enroll and Autoenroll permissions (as advised by Jamf)
5. Click Subject Name - Click "Supply in the request" option
6. Close Certificate Template Console - Right Click Certificate Template - New - Certificate Template to Issue - Select your Certificate Template

On your Jamf Config Profile
1. Add Certificate Payload
2. Give it a name, and set your Certificate Subject to "CN=$COMPUTERNAME.my.domain"
3. As a particular application in my environment requires a Subject Alternative Name, I set it to DNS name with a value of "CN=$COMPUTERNAME.my.domain"
4. Template Name - as the one you created with the process above.
5. Depending on your CA structure, don't forget to add your intermediate and root certificate payloads so the certificate chain is valid.


KRIECCO
Contributor

Has read the thread but cannot quite find the answer.
So if Macs are not bound to AD and got an AD certificate from ADCS, how will the machine authenticate if the machine does not exist in AD?

vpt
New Contributor II

Hey KRIECCO,

From my testing, if you are using a computer certificate and it is not bound to AD you cannot use Microsoft NPS unless you take each certificate and then bind it to a user (way too much work). The solutions I have come up with are to either use a User Certificate, which will work since the users still exist in AD, or use a different RADIUS server. I tested Cisco ISE and it has options that allow you to validate the cert and not the computer object in AD, and I believe HP ClearPass has a similar option. I could not get FreeRADIUS to work with EAP-TLS, so no idea there.

gforsyth
New Contributor III

Hello All,

Running into issues with SSL on this configuration. My connector isn't behind a load balance but I get 403 errors if SSL is enabled on the ADCS Proxy. Once I disable SSL all is well with the cosmos...

Any ideas? This has my laptop looking like a frisbee right now.

vpt
New Contributor II

Hey gforsyth,

Are they 403.16 errors?

MacKobus
New Contributor II

Hello All,

I'm getting 403.7 Forbidden errors when I try to go to https://my.JAMFadcsconnector.com/adcsproxy.
If I look at the JAMF server logs I see "Certificate request ID 39 has failed. (Unable to build an ADCS Connector client.)" and then a bit further down as part of that "Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorException: Problem negotiating API version. at com.jamfsoftware.pki.adcs.AdcsConnectorClientImpl.isClientVersionSupported(AdcsConnectorClientImpl.java:44) at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificateRequestProcessor.getAdcsConnectorClient(AdcsCertificateRequestProcessor.java:161) ... 6 more
Caused by: org.springframework.web.client.HttpClientErrorException: 403 Forbidden"

Any ideas? I'm not able to get certs to push out, when I look at the Device's Management commands I see "Unable to retrieve ADCS certificate for profile payload."

ooshnoo
Valued Contributor

Make sure in the IIS settings you set https / SSL to “Ignore”

We had 403 errors and changing those settings to Ignore fixed it.

MacKobus
New Contributor II

@ooshnoo Thanks! I changed it to ignore and unchecked the box for "Require SSL" and that fixed it. I was able to successfully push out a cert using a profile.

Does anyone know why that had to be turned off? I understand that it was what caused the error but shouldn't that work/need to be on if the install script sets that all up? Is there any disadvantage to having SSL off?

vpt
New Contributor II

By unchecking 'Require SSL' I believe you are disabling certificate-based authentication, which means anyone and any device can now access the IIS website. The reason you uploaded those certs to the JAMF server was so it was the only server that could access the website, so I don't believe you want to do that.

In my case I was getting 403.16, which was caused by having both my Intermediate and Root Certificates in the 'Trusted Root Certification Authority' folder instead of their respective folders, Trusted Root and Trusted Intermediate. This can be found by using the following PowerShell command on the server with the ADCS connector installed (it lists every certificate in the machine's Trusted Root store that is not self-signed, i.e. whose issuer differs from its subject):

Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List *

More information can be found here: https://support.microsoft.com/en-us/help/942061/error-message-when-you-visit-a-web-site-that-is-hosted-on-iis-7-0-http
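As an added example (not code from this thread or from Jamf), a PowerShell check for the two IIS-side causes of 403 errors discussed above: whether the connector site still requires a client certificate, and whether the Trusted Root store contains non-self-signed certificates (the 403.16 case from KB 942061). It assumes the connector is installed as the `adcsproxy` application under the Default Web Site and that the WebAdministration module is available in an elevated session; both the $AppPath value and the -Fix switch are my assumptions, not Jamf's.

```powershell
# Added example: audit the AD CS Connector host for the two 403 causes discussed above.
# Assumption (not from the thread): connector lives at Default Web Site/adcsproxy.
param(
    [string]$AppPath = 'IIS:\Sites\Default Web Site\adcsproxy',
    [switch]$Fix   # move misplaced intermediates from Root to the CA store instead of only reporting
)
Import-Module WebAdministration

# 1) Client-certificate requirement. Clearing 'Require SSL' removes the mutual-TLS gate,
#    so any host that can reach the site could talk to the connector.
$raw   = Get-WebConfigurationProperty -PSPath $AppPath `
             -Filter 'system.webServer/security/access' -Name 'sslFlags'
$flags = if ($raw.PSObject.Properties['Value']) { "$($raw.Value)" } else { "$raw" }
if ($flags -match 'SslRequireCert') {
    Write-Host "[OK] $AppPath requires a client certificate (sslFlags=$flags)"
} else {
    Write-Warning "$AppPath does NOT require a client certificate (sslFlags='$flags'); only the Jamf Pro server should be able to reach the connector"
}

# 2) 403.16 check: Schannel rejects client-cert auth when Trusted Root holds certificates
#    that are not self-signed (issuer != subject), e.g. an intermediate CA placed there.
$misplaced = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Issuer -ne $_.Subject })
if ($misplaced.Count -eq 0) {
    Write-Host '[OK] Trusted Root contains only self-signed certificates'
} else {
    foreach ($c in $misplaced) {
        Write-Warning "Non-root cert in Trusted Root: '$($c.Subject)' (issuer '$($c.Issuer)', thumbprint $($c.Thumbprint))"
    }
    if ($Fix) {
        # Copy each misplaced cert into the Intermediate (CA) store, then remove it from Root.
        $ca   = [System.Security.Cryptography.X509Certificates.X509Store]::new('CA', 'LocalMachine')
        $root = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
        $ca.Open('ReadWrite'); $root.Open('ReadWrite')
        foreach ($c in $misplaced) { $ca.Add($c); $root.Remove($c) }
        $ca.Close(); $root.Close()
        Write-Host "Moved $($misplaced.Count) certificate(s) from Root to CA; run iisreset and retest the connector"
    }
}
```

Run it once without -Fix to see what it would change; the report-only mode touches nothing.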

kburns
New Contributor III

@KMerendaTFMC Did you ever get this problem resolved? I'm seeing the exact same error message.

"[WARN ] [ina-exec-43] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob"
In the management commands view of the device, I see "Unable to retrieve ADCS certificate for profile payload."

It's driving me bonkers :(

pueo
Contributor II

@KMerendaTFMC I am also receiving this error ("[WARN ] [ina-exec-43] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob") and the "Unable to retrieve....." one. I am not receiving any network or communication errors. We are a cloud-based install using a public DNS name for our ADCS server, which sits behind an F5 in the DMZ. I have done so much reading and researching. Most articles point back to Daniel's YouTube video or a combination of a few people's write-ups.

Any advice from yourself or anyone would be great.

Cheers
a

tuinte
Contributor III

Good day all!

We seem to have this working as we want, except we're getting a prompt for admin credentials to trust the root and intermediate certs. Once trusted, everything works as intended. Is anyone else running into this? Know what we might be missing?

We are delivering both the root and intermediate certs via config profile.

As always, any and all help is appreciated.

christopher_bec
New Contributor

Just finished setting up a new AD CS environment last Friday and integrated Jamf's AD CS Connector. Had to troubleshoot some communication issues with the Connector. Lots of good content in here to help with the whole process and wanted to contribute one piece that may help others.

My main issue was getting Jamf to connect to the Connector, I kept getting "Unable to retrieve ADCS certificate from certificate payload" when testing certificate config profiles. As suggested by TravellingTechGuy's blog I looked through the JAMFSoftwareServer.log file and found:

Certificate request ID 05 has failed. (Unable to build an ADCS Connector client.)
.
.
.
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://jamfpro-adcs.my.org/api/v1/version": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I also looked at C:\inetpub\logs\LogFiles\W3SVC2 on the Connector server and found 403 errors from my master JamfPro Tomcat server.

Both of those led me to think there was a certificate trust error. The AD CS Connector requires clients to have a certificate to communicate with it (remember the two certificates you upload to the JamfPro interface). There's the client cert for the JamfPro Tomcat server to use, and a CA from the AD CS Connector server (adcs-proxy-ca). My master JamfPro Tomcat server did not trust the adcs-proxy-ca certificate, so it would not authenticate against it. I run RHEL on all of my JamfPro servers, so I am guessing this might be why my server did not trust the adcs-proxy-ca cert after uploading it through the web GUI? Potentially a Windows Server based Jamf environment would not have this issue.

To resolve, I copied the adcs-proxy-ca certificate to my JamfPro Tomcat server (/etc/pki/ca-trust/source/anchors/ is a system directory RHEL uses for certs, so you can copy the adcs-proxy-ca cert here if you want the OS to trust it as well) and added it to the Java cacerts file, followed by a restart of Tomcat.

keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias adcs-proxy-ca -file /etc/pki/ca-trust/source/anchors/adcs-proxy-ca.cer