JAMF AD CS Connector Error "Failed to inject certificates into the profile"

5Y54DMIN
Contributor

We recently set up the JAMF AD CS connector.

We can see in the IIS logs that we are getting the below 200 return code, so we know JAMF Pro is talking to it.

2022-11-02 13:13:31 <Interanl_IP> POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 52.39.2.203 Java-SDK - 200 0 0 1162

And 52.39.2.203 is an IP that belongs to JAMF.

It will fail in the GUI with the error:

Failed to inject certificates into the profile

In the JAMF Pro logs, each time an attempt is made we see the below:

2022-11-01 16:33:08,650 [WARN ] [lina-exec-8] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:08,902 [WARN ] [lina-exec-8] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,194 [WARN ] [ina-exec-42] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,205 [WARN ] [ina-exec-42] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,577 [WARN ] [ina-exec-47] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,614 [WARN ] [ina-exec-47] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:18,528 [WARN ] [ina-exec-65] [HTMLResponse             ] - CSRF risk found (AJAX). Denying request.
2022-11-01 16:33:19,362 [WARN ] [ina-exec-47] [HTMLResponse             ] - CSRF risk found. Denying request.
2022-11-01 16:33:25,705 [WARN ] [ina-exec-68] [HTMLResponse             ] - CSRF risk found (AJAX). Denying request.
2022-11-01 16:33:28,462 [WARN ] [ina-exec-30] [HTMLResponse             ] - CSRF risk found. Denying request.
2022-11-01 16:34:08,923 [WARN ] [lina-exec-7] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:34:08,957 [WARN ] [lina-exec-7] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:34:35,581 [WARN ] [lina-exec-6] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:34:35,608 [WARN ] [lina-exec-6] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,406 [WARN ] [ina-exec-36] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,407 [WARN ] [ina-exec-36] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,749 [WARN ] [ina-exec-67] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,781 [WARN ] [ina-exec-67] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:39:52,486 [ERROR] [-Pki-Pool-4] [ertificatePayloadInjector] - Problem requesting certificate from ADCS
com.jamfsoftware.jss.core.service.certapi.CertificateRequestServiceException: Problem requesting certificate from ADCS
	at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.initiateCertRequestWithAdcsProxy(AdcsCertificatePayloadInjector.java:136) ~[classes/:?]
	at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.getCertificateFor(AdcsCertificatePayloadInjector.java:73) ~[classes/:?]
	at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.getPkiPayloadCertificate(PKICertificateInjectorService.java:279) ~[classes/:?]
	at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.issueAndBindCertificate(PKICertificateInjectorService.java:253) ~[classes/:?]
	at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.lambda$issueCertificate$6(PKICertificateInjectorService.java:223) ~[classes/:?]
	at org.springframework.security.concurrent.DelegatingSecurityContextRunnable.run(DelegatingSecurityContextRunnable.java:82) ~[spring-security-core-5.7.2.jar:5.7.2]
	at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-5.3.21.jar:5.3.21]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[?:?]
	at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
	at java.lang.Thread.run(Thread.java:834) ~[?:?]
Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorCertificateNotIssuedException: INTERNAL_ERROR: System.ArgumentException - CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
	at com.jamfsoftware.pki.adcs.AdcsConnectorClientImpl.requestCertificate(AdcsConnectorClientImpl.java:128) ~[adcs-connector-client-10.42.0-t1665776579.jar:?]
	at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.initiateCertRequestWithAdcsProxy(AdcsCertificatePayloadInjector.java:134) ~[classes/:?]
	... 12 more

In researching 0x80070057, we know it means "Check CA name in the PKI Certificates settings in Jamf Pro." From https://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.40.0/Analyzing_Errors_in_the_JA...

And we have tried both the Root CA and the intermediate.

The Root one stays shut down while the intermediate is online. In the CA Name ("Name of the certificate authority") setting we have tried both and still get the same error.

Thoughts?
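The reasoning in the post has two steps: the IIS log proves Jamf Pro reaches the connector (a 200 on /api/v1/certificate/request from the Jamf IP), and the Jamf Pro log's "Caused by" line carries the HRESULT and Win32 code that the Jamf guide maps to a CA-name problem. The script below is an added example, not code from the post or from Jamf, that parses both log shapes and reports those two facts so the same check can be repeated on a full log file. The sample lines are constructed from the ones quoted above (the internal server IP is a placeholder), and the only HRESULT hint it knows is the one the post documents.

```python
"""Triage helper for the AD CS Connector failure described in the post.

Reads (1) IIS W3C log lines from the connector host and (2) Jamf Pro
server log lines, and answers two questions: did Jamf Pro reach the
connector, and which HRESULT / Win32 error did AD CS return?
"""
import re
from collections import Counter

# Constructed samples modelled on the lines quoted in the post; 10.0.0.5 is a
# placeholder for the redacted internal server IP.
IIS_SAMPLE = (
    "2022-11-02 13:13:31 10.0.0.5 POST /api/v1/certificate/request - 443 "
    "AdcsProxyAccessUser 52.39.2.203 Java-SDK - 200 0 0 1162\n"
)

JAMF_SAMPLE = """\
2022-11-01 16:33:08,650 [WARN ] [lina-exec-8] [Credentials              ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:18,528 [WARN ] [ina-exec-65] [HTMLResponse             ] - CSRF risk found (AJAX). Denying request.
2022-11-01 16:39:52,486 [ERROR] [-Pki-Pool-4] [ertificatePayloadInjector] - Problem requesting certificate from ADCS
com.jamfsoftware.jss.core.service.certapi.CertificateRequestServiceException: Problem requesting certificate from ADCS
\tat com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.initiateCertRequestWithAdcsProxy(AdcsCertificatePayloadInjector.java:136) ~[classes/:?]
Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorCertificateNotIssuedException: INTERNAL_ERROR: System.ArgumentException - CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
\tat com.jamfsoftware.pki.adcs.AdcsConnectorClientImpl.requestCertificate(AdcsConnectorClientImpl.java:128) ~[adcs-connector-client-10.42.0-t1665776579.jar:?]
\t... 12 more
"""

# The one HRESULT hint the post documents (from the Jamf AD CS integration guide
# it cites); extend this table only with codes you have confirmed.
HRESULT_HINTS = {
    "0x80070057": "Check CA name in the PKI Certificates settings in Jamf Pro.",
}

# Jamf Pro log line: timestamp [LEVEL] [thread] [logger] - message
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<level>\w+)\s*\] \[(?P<thread>[^\]]*)\] \[(?P<logger>[^\]]*)\] - (?P<msg>.*)$"
)
CAUSED_BY = re.compile(r"^Caused by: (?P<cls>[\w.$]+): (?P<msg>.*)$")
HRESULT = re.compile(r"\b(0x[0-9A-Fa-f]{8})\b")
WIN32 = re.compile(r"WIN32: (?P<code>\d+) (?P<name>[A-Z_0-9]+)")


def parse_iis_line(line):
    """Parse an IIS W3C line with the default field set into a dict, or None."""
    f = line.split()
    if len(f) < 15:
        return None
    return {
        "date": f[0], "time": f[1], "server_ip": f[2], "method": f[3],
        "uri": f[4], "query": f[5], "port": int(f[6]), "user": f[7],
        "client_ip": f[8], "user_agent": f[9], "referer": f[10],
        "status": int(f[11]), "substatus": int(f[12]),
        "win32_status": int(f[13]), "time_taken_ms": int(f[14]),
    }


def connector_requests(iis_text):
    """Return parsed IIS entries for the connector's certificate-request endpoint."""
    out = []
    for line in iis_text.splitlines():
        if line.startswith("#"):
            continue  # W3C header/directive lines
        rec = parse_iis_line(line)
        if rec and rec["uri"] == "/api/v1/certificate/request":
            out.append(rec)
    return out


def adcs_errors(jamf_text):
    """Collect the AD CS root-cause lines ('Caused by: ...AdcsConnector...') with decoded codes."""
    findings = []
    for line in jamf_text.splitlines():
        m = CAUSED_BY.match(line)
        if not m or "AdcsConnector" not in m.group("cls"):
            continue
        msg = m.group("msg")
        hr = HRESULT.search(msg)
        w = WIN32.search(msg)
        code = hr.group(1) if hr else None
        findings.append({
            "exception": m.group("cls").rsplit(".", 1)[-1],
            "message": msg,
            "hresult": code,
            "win32_code": int(w.group("code")) if w else None,
            "win32_name": w.group("name") if w else None,
            "hint": HRESULT_HINTS.get(code, "no documented hint for this code"),
        })
    return findings


def log_counts(jamf_text):
    """Count lines per (level, logger) so the PKCS12/CSRF warnings are tallied separately from the PKI error."""
    c = Counter()
    for line in jamf_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            c[(m.group("level"), m.group("logger").strip())] += 1
    return c


def triage(iis_text, jamf_text):
    """Combine both logs into one summary dict."""
    reqs = connector_requests(iis_text)
    return {
        "connector_reachable": any(r["status"] == 200 for r in reqs),
        "request_sources": sorted({r["client_ip"] for r in reqs}),
        "adcs_errors": adcs_errors(jamf_text),
        "log_counts": log_counts(jamf_text),
    }


if __name__ == "__main__":
    result = triage(IIS_SAMPLE, JAMF_SAMPLE)
    print("Jamf Pro reached connector:", result["connector_reachable"],
          "from", result["request_sources"])
    for e in result["adcs_errors"]:
        print(f"{e['exception']}: {e['hresult']} WIN32 {e['win32_code']} "
              f"{e['win32_name']} -> {e['hint']}")
    for (level, logger), n in sorted(result["log_counts"].items()):
        print(f"{level:5} {logger:28} {n}")
```

Run it against the real files by reading them into `triage()` in place of the samples; a 200 from the Jamf IP with an `ERROR_INVALID_PARAMETER` root cause is exactly the pattern the post describes, which points at the request content (such as the CA name) rather than at network reachability.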

1 REPLY 1

brandonpeek
New Contributor III

Could be this error is common enough that sharing this experience may not solve your issue. We saw this recently when our Identity team migrated their PKI infrastructure from AWS to Azure and their load balancers were not configured correctly. To be more specific, the configurations on the load balancers didn't match, and once this was addressed the issue resolved itself.

EDIT: We saw this once before the instance I described above, and the issue was with the PKI certificate template hosted on the PKI server. I don't recall the exact issue the Identity team discovered with their template, but this may also be worth a look.