Posted on 08-31-2017 09:44 AM
We already have a Config Profile that pulls Computer Certificates from AD for use in 802.1x. That works great under the current setup. I just learned that our developers have a server they login to that works best with an AD User certificate for authentication. So I decided to build a separate Config Profile that is only there to pull a User Cert. I'm having difficulty getting this to work. Here's what I have:
General- "AD User Certificate" Description: a basic description Category: "Required Updates" Distribution Method: I've tried both but currently it is "Make Available in Self Service" Allow Removal: I've tried both, but currently it is on Yes Level: Computer Level (since we aren't using user logins for Self Service) It's all assigned by Computer.
AD Certificate- Description: a simple description
Certificate Server: our cert server in FQDN format (the same as what we're using for Computer certs)
Certificate Authority: the proper CA name (the same as what we're using for Computer certs)
Cert Template: The proper template as provided by our CA admin
Cert Expiration notification: 30 days
Prompt for credentials: NO (but i've tried YES and it never prompts)
username and password: empty (the same as what we're using for Computer certs)
Allow access to all apps: YES
Allow export from keychain: NO
I've scoped to my Mac as a test with no limitations or exclusions.
I have basic Self Service info for testing purposes.
When I install from Self Service, I get an error "There was a problem installing AD User Certificate. Contact your administrator" There are no errors in /var/log/jamf.log In the system.log I only see
--> Config Profile AD User Certificate failed with: Error Domain=JAMFSoftware/SelfService Code=20 "Quit and re-open Self Service to try again." UserInfo={NSLocalizedDescription=Quit and re-open Self Service to try again.}
I verified in System Preferences > Profiles that it is not installed. And I checked the various levels of the keychain and it's not there either.
What am I missing to get User Certs installed?
Posted on 09-01-2017 04:53 AM
I think I figured it out. The combination that made it work was to set on the General tab Distribution Method: Automatically and at the User Level.
And on the AD Certificate tab, do NOT prompt for credentials. Everything else can stay as I set it.
Posted on 05-18-2018 02:08 PM
Hi @AVmcclint,
I am just starting to play around with distributing MS User certs, and am wondering if your macs are bond or unbound?
Thanks,
-tep
Posted on 05-19-2018 06:49 AM
Our Macs are all bound to AD.
Posted on 12-17-2020 11:06 AM
Im messing with this also today and your tip to uncheck prompt worked for me, the question I have tho is we have a USER certificate thats going to expire on Jan 8th, and im wondering how keychain will handle it when it sees the old one that will expire and the new one that just got pushed, will it use the one that works ? or will it cause a conflict with them both being in keychain under the login keychain? any idea? @AVmcclint