Microsoft SCEP Challenge Request

eploughe
New Contributor

I have been working on this for days now and still have not been able to make it work correctly. I have built a JAMF profile with a payload for SCEP configuration. I have entered the URL, CA Name, Subject and Challenge type (Dynamic-Microsoft CA). I have also entered the correct admin page, but when I import the profile to the Mac device it never makes the challenge request. I see it go through GetCACaps, then GetCACert, and finally it tries to make the PKIOperation request, but since it never requested a challenge password this fails. I can make the profile work if I use static and manually pull down a challenge password, but this isn't a good way to deploy certificates in an Enterprise environment. I have also opened the .mobileconfig file with a text editor, but I don't see the mscep_admin URL defined anywhere. Not sure if anyone has some tips or information that I might have missed that could help me out.

21 REPLIES

JPDyson
Valued Contributor

I'm working on this with Entrust as well. I'll be happy to share what I figure out, but on our end, they hadn't implemented the handling of GetCACaps (!!) before we engaged them.

eploughe
New Contributor

Any help would be greatly appreciated.

jyauch
New Contributor III

We had trouble with our configuration as well. Our admin who set up the SCEP server ended up turning off the authentication of the SCEP pages and allowing authenticated users or anonymous.

Essentially if you go to http(s)://server/CertSrv/mscep_admin/ you should get the NDES page with the thumbprint for the CA certificate without being prompted for information. This is not ideal in our environment, but it was the only way we could get it to work.

Note: if you get an error when installing configuration profiles with SCEP similar to "NSStatusError -67693", you will need to restart IIS on the SCEP/NDES server. Restarting the app pool will not be sufficient.

eploughe
New Contributor

That is one option that I have thought about if it comes down to it, but as you said it's not the ideal setup. Should there be an entry for the admin page in the .mobileconfig file? I would think that if you enter that in the JAMF profile, then when it writes the file it would have that in there.

dhomco
New Contributor

There is a Microsoft patch to apply to your server that is specific to the GETCACAPs issue.
http://support.microsoft.com/kb/2483564

Also there is a command that you can run to increase the size of the request filter buffer. By default it is 1024. %systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"8192" /commit:apphost

eploughe
New Contributor

GETCACAPS isn't an issue for me; I can see the Mac device calls out for GETCACAPS just fine with a valid response. The only issue I have right now is the challenge request to the admin page. If I could figure out why the Mac device isn't making that call for the challenge password, then this would finally work.

pgulden
New Contributor

What was your outcome eploughe? I'm running into the same issue (challenge request rejected) and setting anonymous access won't be an option in my environment. I have had success when manually applying the thumbprint and password, but like you said I can't deploy that way because of the password timeout.

Any suggestions would be greatly appreciated, thanks!

nixonc85
New Contributor III

I think the reason you are not seeing the mscep_admin setting is because it is actually the JSS that requests the challenge password from the SCEP server and then populates it in the .mobileconfig that it sends to the client, so if you manually download the .mobileconfig it will just have the variable placeholder rather than the value, e.g.:

<key>Challenge</key><string>$MSSCEPCHALLENGE</string>

I think you need to either have APNs set up so that Casper can deploy the profile dynamically OR find some way of populating the variable yourself (I'm guessing the mscep_admin page has some sort of API for Casper to be able to use it).
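The mechanism described above (the JSS fetches the mscep_admin page, scrapes the one-time challenge, and substitutes it for the $MSSCEPCHALLENGE placeholder before the profile reaches the client) as an added, stand-alone example; this is not code from Jamf or from this thread. The HTML layout of the NDES admin page and the profile contents are constructed samples, and fetching the page with an authenticated session (the step that fails when the IIS auth prompt returns a different page) is assumed to happen elsewhere.

```python
import plistlib
import re

PLACEHOLDER = "$MSSCEPCHALLENGE"  # variable the JSS fills in at deploy time

# Constructed sample of what an authenticated request to mscep_admin returns.
# The wording is an assumption about the NDES page, not a captured response.
SAMPLE_ADMIN_PAGE = """
<html><body>
<p>The thumbprint (hash value) for the CA certificate is:
<b>AB12 CD34 EF56 7890 1234 5678 9ABC DEF0 1234 5678</b></p>
<p>The enrollment challenge password is:
<b>1F2E3D4C5B6A7980</b></p>
<p>This password can be used only once and will expire within 60 minutes.</p>
</body></html>
"""

# Constructed .mobileconfig with a single SCEP payload still holding the placeholder.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.scep.profile",  # constructed value
    "PayloadContent": [{
        "PayloadType": "com.apple.security.scep",
        "PayloadContent": {
            "URL": "https://ndes.example.invalid/certsrv/mscep/mscep.dll",  # constructed
            "Name": "ExampleCA",
            "Challenge": PLACEHOLDER,
        },
    }],
})

def parse_ndes_admin_page(html: str) -> dict:
    """Extract CA thumbprint and one-time challenge from mscep_admin HTML.

    Raises ValueError when neither is present, which is what an
    authentication prompt or an IIS error page looks like to a scraper."""
    thumb = re.search(r"thumbprint.*?for the CA certificate is:\s*<b>([0-9A-Fa-f ]+)</b>", html, re.S)
    chal = re.search(r"challenge password is:\s*<b>([0-9A-Za-z]+)</b>", html, re.S)
    if not thumb or not chal:
        raise ValueError("mscep_admin page has no thumbprint/challenge; was the request authenticated?")
    return {"thumbprint": thumb.group(1).replace(" ", "").upper(), "challenge": chal.group(1)}

def fill_scep_challenge(mobileconfig: bytes, challenge: str) -> bytes:
    """Replace the placeholder in every SCEP payload; fail loudly if none is found."""
    profile = plistlib.loads(mobileconfig)
    replaced = 0
    for payload in profile.get("PayloadContent", []):
        content = payload.get("PayloadContent", {})
        if payload.get("PayloadType") == "com.apple.security.scep" and content.get("Challenge") == PLACEHOLDER:
            content["Challenge"] = challenge  # single-use value: generate one profile per device
            replaced += 1
    if replaced == 0:
        raise ValueError("no SCEP payload with the placeholder challenge found")
    return plistlib.dumps(profile)
```

Because each NDES challenge is single-use and time-limited, the filled profile must be built per device and installed promptly; a profile exported earlier will still carry the literal placeholder, which is exactly the symptom the original post describes.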

mapurcel
Contributor III

Wondering if anyone came up with additional tips on this one? I can request SCEP certificates with a static challenge fine, but once set to 'Dynamic-Microsoft CA' it fails with errors like the following:

mdmclient[55034]: ProcessRequestCertSignatureResponse: Cert signature request failed with -909
mdmclient[55034]: Error: Error Domain=NSOSStatusErrorDomain Code=-909 "badReqErr: bad parameter or invalid state for operation"

guidotti
Contributor II

@mapurcel contact JAMF support. In certain configurations, they provide a different JAR file for the MS SCEP request stuff. They provided that to me to replace in the webroot of the Tomcat server lib folder, and it solved the 909 errors.

mapurcel
Contributor III

@guidotti thanks for the tip. I brought it to the attention of our rep, but the alternative JAR file is for environments running on Windows with Java 7, whereas we are on Linux with Java 6, so the search for a solution continues.

guidotti
Contributor II

@mapurcel this stopped working in our environment as well.
Did they come up with a solution for you?

Ours is a 909 error because it is sending the credentials of the Windows server instead of our non-person ID to try to log into the admin console.

mostlikelee
Contributor

Broke for us recently due to expired NDES certs on the server, resulting in 909 on the client.

mapurcel
Contributor III

@guidotti they have not come up with a solution yet but I've also been on an extended vacation so haven't had the chance to pursue this. Will let you know if we get resolution.

prbsparx
Contributor II

Were you able to find a solution to this?

tim_arnold
New Contributor II

@mapurcel Did you ever get the SCEP Certificate to authenticate with Dynamic-Microsoft CA Challenge Type?

I'm running into the exact same error, -909, when I try Dynamic-Microsoft CA Challenge Type. But it works fine with a static challenge type.

mapurcel
Contributor III

@tim.arnold unfortunately I did not ever get it to work, so stuck using static for now.

abrahamT
New Contributor III

@guidotti when you said:

@mapurcel contact JAMF support. In certain configurations, they provide a different JAR file for the MS SCEP request stuff. They provided that to me to replace in the webroot of the Tomcat server lib folder, and it solved the 909 errors.

What exactly did JAMF provide to you? I have contacted them and they do not have any information regarding a special JAR file for the MS SCEP request stuff.

guidotti
Contributor II

That's interesting, because it took the better part of a year to get ours working.
There is definitely a different JAR file to use for non-Java 6, as of the last version of the JSS.
We use Java 8.
It slightly changes the behavior of the scraper.

abrahamT
New Contributor III

@guidotti Are you able to provide the ticket used to discuss this with JAMF so we can reference it with our TAM as well?

guidotti
Contributor II

Here is what was at the top of all of our emails:
[ ref:_00D80cOw4._500C0mPo5q:ref ]

I don't have any other designation.
Nick Anderson was the employee who spearheaded the case.

I hope that helps.