Casper Imaging error "Unable to create the invitation"

mhasman
Valued Contributor

As we got JSS updated to 9.73, Casper Imaging stopped working. After choosing the Configuration and providing my JSS account credentials I get the error message:
"Unable to create the invitation. Check to make sure you have permission to create an invitation"
I have an administrator-privilege account with everything checked on the JSS User Accounts & Groups side.

Please help. Thanks!

1 ACCEPTED SOLUTION

mhasman
Valued Contributor

Garrett Schmidt brings the idea: "Close down Casper Imaging completely and then re-open it while holding down the Option key. This will let us refresh the credentials for Imaging"
After that Casper Imaging is working in Target Mode as well.
Thanks, Garrett! Thanks, Darrin, Brian!

53 REPLIES

dpertschi
Valued Contributor

Check the privileges for the account you're logging in with. In JSS Objects, I think you need Create privs for Policies.

bkramps
New Contributor III

@mhasman I had the same issue when I was imaging a machine that already existed in the JSS. I don't believe I got that error on a machine that was not in JSS. Like you, my ID has full admin privileges.

As a test, I turned off the setting "Restrict re-enrollment to authorized users only" in Global Management --> User-Initiated Enrollment. Even though, as an admin, this restriction should not apply to you, I have not had the error repeat on me.

Give that step a try and see if it helps.

mhasman
Valued Contributor

@dpertschi Yes, as Administrator I have full privileges, and everything is checked in JSS Objects

@bkramps I checked, mac is not in the JSS. Checked with another mac which is 100% not in the JSS - the same error message...
Checked Global Management --> User-Initiated Enrollment, "Restrict re-enrollment to authorized users only" is off. Turned it on, tested, turned it off, tested - the same issue...

Thanks for helping! I wonder if there is anything else I may try to play with...

bkramps
New Contributor III

@mhasman It looks from your screenshot that you are doing Netboot Imaging. Do you get the same error if you do Target Mode Imaging? I don't think I got the error doing TMI? Try a TMI and see if it repeats.

What tool, if any, did you use to create the NetInstall? I had previously been using Casper NetInstall Creator but stopped using it after going to 9.73 since I had so many issues. I created my own NetInstall but the AutoCasperNBI tool works well. If you used Casper NetInstall Creator, I would try making a NetInstall with AutoCasperNBI as a test.

It is possible that switching to my own NBI fixed my issue and not turning off the setting I mentioned in my last post. I did both at the same time.

mhasman
Valued Contributor

@bkramps Sorry, I forgot to mention that issue comes from Target Mode Imaging. Yes, I got 10.10.5 NetBoot image built via AutoPkgr and AutoCasperNBI yesterday, but did not have a chance to try the imaging process yet.

mhasman
Valued Contributor

Garrett Schmidt brings the idea: "Close down Casper Imaging completely and then re-open it while holding down the Option key. This will let us refresh the credentials for Imaging"
After that Casper Imaging is working in Target Mode as well.
Thanks, Garrett! Thanks, Darrin, Brian!

themacdweeb
Contributor

@mhasman Your solution doesn't work for us if we're netbooting the device in question. Full admin rights on Casper? No problem. Partial admin rights? Not so good. Despite granting full rights to Casper Imaging for one of our tech bench staff (who does not have full admin rights), he gets the same "Needs an invitation" error even after we option-launch Casper Imaging.

Our 10.10.4 netboot image was built -- like you -- with AutoCasperNBI.

5Y54DMIN
Contributor

Was anyone able to figure this out? The above didn't work.

bentoms
Honored Contributor III

@pgh I thought this was an issue with having full rights to computer objects but what @themacdweeb said has me doubting myself.

@themacdweeb Did the tech have full rights to computer objects within the JSS?

5Y54DMIN
Contributor

@bentoms Thanks for the reply

@themacdweeb Were you able to figure it out?

The tech has Create, Read, Update. However, Delete is not checked for computer objects. (Should I check it?) The user was able to image and then one day was not able to. The tech was in a group and he was the only one that was having the issue. I took him out of the group and gave him custom privileges. The user is the following: LDAP User, Full Access, Custom.

We also deleted and added the account back and added him back to the group, however no success, and like I said, other users in that group are not having the issue, just him.

Josh_Smith
Contributor III

@erin.miska This KB article could use an update, "add hardware" doesn't appear to exist anymore: Imaging Computer Permission Requirements

From trial and error I wound up with these settings for techs to image (TDM and NetBoot) and use Casper Remote successfully with limited rights.....please note these are likely not exactly what are required, but they are working for me on 9.63:

JSS Objects
Computer Enrollment Invitations -CRUD (Create, Read, Update, Delete)
Computers - CRUD
Enrollment Profiles - CRUD
Policies - CR (I think Create was needed to use Casper Remote to push software...this really needs to be a separate permission)
Users - CR (I think this was for imaging too....not sure)
Some other settings - Read only to share information, I don't think any were required for functionality.

JSS Settings
All - Read only

JSS Actions
Everything except change password and send emails to users

Recon -access to both
Add Computers Remotely
Create QuickAdd Packages (this was necessary for something....probably imaging? I don't actually want them creating quick add packages)

Casper Admin - none

Casper Remote - All

Casper Imaging - just not autorun data

5Y54DMIN
Contributor

@themacdweeb

@Josh.Smith

@bentoms

OK, the only thing that was not checked was computer -> delete permissions, and JSS settings had to mark read.

I will have him try it and report back the status.

chris_hansen
Contributor

Maybe try changing the password?
We've seen a password with special characters cause this for a full admin, changed password and hey presto. The characters were not that special, either. It only manifested during imaging, same error.

mhasman
Valued Contributor

Here is what I did to get the issue fixed (JSS 9.81):

  1. Boot up mac with Casper Imaging external drive

  2. Re-enroll with JSS

  3. Reboot

5Y54DMIN
Contributor

Explain how to re-enroll with jss?

Thanks

themacdweeb
Contributor

we don't, as a general rule, provide edit or delete capabilities to ANY L1 or L2 helpdesk staff, so our solution looked differently than yours but i think you nailed it. we edited:

JSS Objects, JSS Settings, JSS Actions to allow more create/read rights and now our staff IS able to log in via netbooted image and run casper imaging on the local device.

note: we didn't give ANY recon rights.

thank you for the suggestions, everyone and, especially, @Josh.Smith

anickless
Contributor II

So if anyone hits this in 10.3, Support says there is an error in JSS where special characters make this error show. If you change the account password to just numbers and letters, then the issue goes away.

Eigger
Contributor III

We just encountered this like minutes ago. PI is PI-005660. This means also Jamf Admin LDAP users/groups with a period or any special characters on their UN/PW will not work. So you need to create a special user for Casper/JamfPro Imaging. But this affects JamfPro Imaging only. LDAP accounts still work on JamfPro Admin.

jclements
New Contributor III

Thank you, @Eigger. Changing my user password fixed the problem for me.

ben_mcneil
New Contributor II

yep super simple un and pw fixed this. JAMF 10.3.0
no bueno.....

jeremygray
New Contributor

Yep. @Eigger 's fix worked for me as well:
Created a new local admin with no special characters in the password. Recon made the package.
Thanks!

PhillyPhoto
Contributor III

What's even worse, I have special characters in my LDAP account (password policy requirement), and not only does it fail to image, it locks my LDAP account out as well!

I'll be making an enrollment-only account now.

doylema
New Contributor III

Changing my LDAP password fixed the issue here. I'm going to have to create an enrollment-only account.

bmarks
Contributor II

Unfortunately, changing passwords doesn't work in an environment like mine that enforces a minimum complexity for the passwords our provisioning technicians use. In my experience in the past, sometimes these issues can be triggered by new features that are added in an upgrade but not enabled by default, but that doesn't appear to be the case here either. Or, I can't find a smoking gun if there is one.

Eigger
Contributor III

@bmarks So you have no permission yourself in your JamfPro to create a "Local User" non LDAP, with simple UN like Admin and simple Password like 4dm1n with Imaging and Enrollment only permission that your Provisioning Technicians can share?

bmarks
Contributor II

@Eigger Correct, in our environment, our security team won't allow us to create a shared account with shared credentials.

brunerd
Contributor

Bumping this thread to add that I'm in the same boat... +1 for unsolved. I too discovered this issue last week in testing a v10 upgrade:
In my environment techs make API calls via script with their credentials. Valid passwords may contain "special characters" and Unicode. Most usually do since the techs are located globally and their international keyboards make this quite easy and valid! I cannot (and should not) control valid password character ranges...

Unicode (multi-byte characters) and punctuation have always needed to be URI Escaped (see my reply for some pointers) for them to work with the v9 API but this is no longer working in v10.

The web console for Jamf Pro web and the auth screens of the Apps work in accepting non-alphanumeric characters, but anything in those apps that leverage the API are affected. Besides the invitation creation of this thread, in the Recon app if you attempt to create a QuickAdd with an account that contains a Unicode character it will fail.

Fun troubleshooting fact: if you run Wireshark/packet capture on your JSS and connect over http (port 9006) you can grab the API calls and compare the Authorization: Basic headers. Recon v9 and v10 QuickAdd creation creates the same headers when Unicode is used, so the breakdown is not encoding or the App but the API character decoding/handling.

My Product issue is: PI-005738 up 78 since April 3rd... hmm.., Looking forward to 10.13.2 and this being fixed. Jamf: have a bug-a-thon this weekend before the weather gets too nice, it'll make for a better summer! :]
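
The header comparison described in the post above, as an added example (not code from the thread or from Jamf): it builds and decodes `Authorization: Basic` values and shows how the same captured bytes read under two server-side charsets. The credentials are constructed samples and the two charsets are assumptions for illustration; the thread does not say how the Jamf Pro API decodes the header.

```python
import base64

# Constructed sample credentials (not from the thread).
SAMPLE_USER = "tech.one"
SAMPLE_PASS = "pä$$-wörd!"

def build_basic(user, password, charset="utf-8"):
    """Header value as a client would send it; charset is the client's choice."""
    raw = f"{user}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def credential_bytes(header_value):
    """Raw user:password bytes from a captured header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    return base64.b64decode(token.strip(), validate=True)

def decode_basic(header_value, charset):
    """(user, password) as a server using `charset` would read it, or None
    when the bytes are not valid in that charset."""
    try:
        text = credential_bytes(header_value).decode(charset)
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")  # password may contain ':'
    return (user, password) if sep else None

def same_credentials(header_a, header_b):
    """True when two captures carry byte-identical credentials."""
    return credential_bytes(header_a) == credential_bytes(header_b)

def charset_report(header_value, charsets=("utf-8", "iso-8859-1")):
    """How each assumed server-side charset interprets one capture."""
    return {cs: decode_basic(header_value, cs) for cs in charsets}

if __name__ == "__main__":
    captured = build_basic(SAMPLE_USER, SAMPLE_PASS)  # stands in for a capture
    for cs, result in charset_report(captured).items():
        print(cs, "->", result)
```

Base64 is an encoding, not encryption, so a capture taken over plain HTTP contains the credential itself and should be stored and shared as one.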

agerson
New Contributor III

We are seeing this as well. Since updating to 10.3 I think...

chrismiller
New Contributor

This issue has just been introduced for us since upgrading from v10.1.1 to v10.3.1.
Tested on a Jamf local admin account. When imaging I get the message "Unable to create an invitation"

AndreasRumpl
New Contributor III

We also experience this issue with JAMF 10.3.1 - hope that it is solved soon.

Did someone already issue a ticket to JAMF regarding this issue in 10.3.1?

agerson
New Contributor III

JAMF says "Currently there is a known product issue (PI-005660). That is if a password contains special characters we are not able to log in to Jamf Imaging. Currently, the only workaround is to create an account with only numbers and letters. This will allow you to log in and image machines. This product is considered critical and we are working on a resolution, but we still are not aware of an ETA when it will be fixed. "

mkalayaboon
New Contributor II

Thanks @agerson... this was doing my head in. Guess we'll just stick to no complexity and local accounts until the next update.

thomas_moser
New Contributor III

It worked for us.
Local account with admin rights and 4 letter pw got it done. Jamf Pro 10.3.1

Other threads with the same issue:
https://www.jamf.com/jamf-nation/discussions/8133/anyone-seen-unable-to-create-an-invitation
https://www.jamf.com/jamf-nation/discussions/27794/unable-to-create-invitation#responseChild165045

epomelow
New Contributor III

JAMF confirmed this in a support ticket as well. I just tried again, turns out the username can't have special characters either. For a work-around, create a group with custom (or enrollment if you don't use imaging) and assign the following permissions to enroll and image.

Enrollment: Computer enrollment invitations CRUD
mobile device enrollment invitations CRUD
Computers CR
Mobile Devices CR
Users CRU
Allow User to Enroll - Checked
Enroll Computers and Mobile Devices - Checked
Add Computers Remotely - Checked

Imaging:
Customize a Configuration - Checked
Use Jamf Imaging - Checked
Use PreStage Imaging and Autorun Imaging - Checked

ssookram
New Contributor

Confirmed I had to remove special characters for my imaging to work.
Can we have this patched please, thank you..lol

sepiemoini
Contributor III

Ugh, receiving this as well since upgrading from 10.2.2 to 10.3.1. +1 for the PI-005660 issue here as well. Thanks for publishing the permission sets, @epomelow!

noahb5
New Contributor II

I had this too, with JSS 10.3.0.

I spent 2 hours rebuilding the Netboot server.. and it was because I had a hyphen in my password.

The issue was my password! No special characters allowed.

dan_gregson
New Contributor II

Anyone know if there is a fix for this yet?

dstranathan
Valued Contributor II

WOW - Just discovered this issue for the first time (had Jamf for 2 years). Running JSS 10.3.1. Never saw this bug before.

I just wasted an entire day troubleshooting this with my desktop support team. It was a freaking ! character in my password! I was hung-up thinking it was a DEP error because of the word "invitation" in the error string.

This is a sloppy bug. No excuse for this. Ouch!

Fixed in 10.4?