Posted on 09-19-2013 09:29 AM
I have been working on this for days now and still have not been able to make it work correctly. I have built a JAMF profile with a payload for SCEP configuration. I have entered the URL, CA Name, Subject and Challenge type (Dynamic-Microsoft CA). I have also entered the correct admin page, but when I import the profile to the Mac device it never makes the challenge request. I see it go through GetCACaps, then GetCACert, and finally it tries to make the PKIOperation request, but since it never requested a challenge password this fails. I can make the profile work if I use static and manually pull down a challenge password, but this isn't a good way to deploy certificates in an enterprise environment. I have also opened the .mobileconfig file with a text editor, but I don't see the mscep_admin URL defined anywhere. Not sure if anyone has some tips or information that I might have missed that could help me out.
Posted on 09-19-2013 09:58 AM
I'm working on this with Entrust as well. I'll be happy to share what I figure out, but on our end, they hadn't implemented the handling of GetCACaps (!!) before we engaged them.
Posted on 09-19-2013 10:28 AM
Any help would be greatly appreciated.
Posted on 09-19-2013 11:00 AM
We had trouble with our configuration as well. Our admin who set up the SCEP server ended up turning off the authentication of the SCEP pages and allowing authenticated users or anonymous.
Essentially, if you go to http(s)://server/CertSrv/mscep_admin/ you should get the NDES page with the thumbprint for the CA certificate without being prompted for information. This is not ideal in our environment, but it was the only way we could get it to work.
Note: if you get an error on installing the configuration profiles with SCEP that has an error similar to "NSStatusError -67693", you will need to restart IIS on the SCEP/NDES server. Restarting the app pool will not be sufficient.
Posted on 09-19-2013 11:09 AM
That is one option that I have thought about if it comes down to it, but as you said it's not the ideal setup. Should there be an entry for the admin page in the .mobileconfig file? I would think that if you enter that in the JAMF profile, then when it writes the file it would have that in there.
Posted on 09-20-2013 12:06 PM
There is a Microsoft patch to apply to your server that is specific to the GetCACaps issue.
http://support.microsoft.com/kb/2483564
Also there is a command that you can run to increase the size of the request filter buffer. By default it is 1024:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"8192" /commit:apphost
Posted on 09-23-2013 10:12 AM
GetCACaps isn't an issue for me; I can see the Mac device call out for GetCACaps just fine with a valid response. The only issue I have right now is the challenge request to the admin page. If I could figure out why the Mac device isn't making that call for the challenge password, then this would finally work.
Posted on 07-19-2014 11:16 AM
What was your outcome eploughe? I'm running into the same issue (challenge request rejected) and setting anonymous access won't be an option in my environment. I have had success when manually applying the thumbprint and password, but like you said I can't deploy that way because of the password timeout.
Any suggestions would be greatly appreciated, thanks!
Posted on 07-28-2014 03:42 AM
I think the reason you are not seeing the mscep_admin setting is because it is actually the JSS that requests the challenge password from the SCEP server and then populates it in the .mobileconfig that it sends to the client, so if you manually download the .mobileconfig it will just have the variable placeholder rather than the value, e.g.:
<key>Challenge</key><string>$MSSCEPCHALLENGE</string>
I think you need to either have APNs set up so that Casper can deploy the profile dynamically OR find some way of populating the variable yourself (I'm guessing the mscep_admin page has some sort of API for Casper to be able to use it).
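To illustrate the mechanism described in this post, here is an added example (not JSS code and not from the original thread) that scrapes a constructed NDES mscep_admin response for the challenge password and CA thumbprint, fills the $MSSCEPCHALLENGE placeholder in a hypothetical SCEP payload, and raises when the admin page answers with an auth failure instead of a challenge, which is what the dynamic-challenge failure in this thread looks like to a scraper. The page markup, URL and CA name are assumptions.

```python
import re

# Constructed sample of an NDES mscep_admin response. The real page's markup
# is an assumption; only the two sentences a scraper needs are modelled here.
SAMPLE_ADMIN_PAGE = """<html><body>
<p>The thumbprint (hash value) for the certificate you just created is:
  01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67</p>
<p>The enrollment challenge password is: 5C5B8E5D4AEE9A9F</p>
<p>This password can be used only once and will expire within 60 minutes.</p>
</body></html>"""

# Constructed response for the failure mode in the thread: the admin page
# rejects the credentials it was given, so there is no challenge to scrape.
SAMPLE_AUTH_FAILURE = "<html><body><h1>401 - Unauthorized</h1></body></html>"

# SCEP payload as it looks in a manually downloaded profile: the JSS
# placeholder is still in place. URL, CA name and subject are hypothetical.
SCEP_PAYLOAD_TEMPLATE = {
    "PayloadType": "com.apple.security.scep",
    "URL": "https://ndes.example.invalid/certsrv/mscep/mscep.dll",
    "Name": "EXAMPLE-CA",
    "Subject": [[["CN", "example-mac"]]],
    "Challenge": "$MSSCEPCHALLENGE",
}

_PASSWORD_RE = re.compile(r"challenge password is:\s*([0-9A-Fa-f]+)")
_THUMBPRINT_RE = re.compile(r"thumbprint \(hash value\)[^:]*:\s*([0-9A-Fa-f\s]+?)</")


def parse_admin_page(html):
    """Return (thumbprint_hex, challenge) scraped from an mscep_admin page.

    Raises ValueError when no challenge is present, which is how an auth
    failure or a changed page layout shows up from the scraper's side."""
    pw = _PASSWORD_RE.search(html)
    if not pw:
        raise ValueError("no challenge password on admin page")
    tp = _THUMBPRINT_RE.search(html)
    thumbprint = re.sub(r"\s+", "", tp.group(1)).upper() if tp else None
    return thumbprint, pw.group(1)


def render_scep_payload(template, html):
    """Fill the $MSSCEPCHALLENGE placeholder with a freshly scraped challenge."""
    thumbprint, challenge = parse_admin_page(html)
    payload = dict(template)
    payload["Challenge"] = challenge
    if thumbprint:
        # The profile stores the CA fingerprint as binary data, not hex text.
        payload["CAFingerprint"] = bytes.fromhex(thumbprint)
    return payload
```

Because each NDES challenge is single-use and expires, the scrape has to happen per deployment, which is why a downloaded .mobileconfig only ever carries the placeholder.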
Posted on 11-11-2015 10:38 AM
Wondering if anyone came up with additional tips on this one? I can request SCEP certificates with a static challenge fine, but once set to 'Dynamic-Microsoft CA' it fails with errors like the following:
mdmclient[55034]: ProcessRequestCertSignatureResponse: Cert signature request failed with -909
mdmclient[55034]: Error: Error Domain=NSOSStatusErrorDomain Code=-909 "badReqErr: bad parameter or invalid state for operation"
Posted on 11-24-2015 10:05 AM
@mapurcel contact JAMF support. In certain configurations, they provide a different JAR file for the MS SCEP request stuff. They provided that to me to replace in the webroot of the Tomcat server lib folder, and it solved the 909 errors.
Posted on 12-04-2015 09:15 AM
@guidotti thanks for the tip, I brought it to the attention of our rep but the alternative JAR file is for environments running on Windows with Java 7, whereas we are on Linux with Java 6, so the search for a solution continues...
Posted on 02-02-2016 10:39 AM
@mapurcel this stopped working in our environment as well.
Did they come up with a solution for you?
Ours is a 909 error because it is sending the credentials of the Windows server instead of our non-person ID to try to log into the admin console.
Posted on 02-03-2016 12:19 PM
Broke for us recently due to expired NDES certs on the server, resulting in 909 on the client.
Posted on 02-22-2016 04:02 PM
@guidotti they have not come up with a solution yet but I've also been on an extended vacation so haven't had the chance to pursue this. Will let you know if we get resolution.
Posted on 06-30-2016 09:47 AM
Were you able to find a solution to this?
Posted on 07-21-2016 10:23 AM
@mapurcel Did you ever get the SCEP Certificate to authenticate with Dynamic-Microsoft CA Challenge Type?
I'm running into the exact same error, -909, when I try Dynamic-Microsoft CA Challenge Type. But it works fine with a static challenge type.
Posted on 07-21-2016 10:27 AM
@tim.arnold unfortunately I did not ever get it to work, so stuck using static for now.
Posted on 12-20-2016 08:53 AM
@guidotti when you said:
@mapurcel contact JAMF support. In certain configurations, they provide a different JAR file for the MS SCEP request stuff. They provided that to me to replace in the webroot of the Tomcat server lib folder, and it solved the 909 errors.
What exactly did JAMF provide to you? I have contacted them and they do not have any information regarding a special JAR file for the MS SCEP request stuff.
Posted on 12-20-2016 10:30 AM
That's interesting, because it took the better part of a year to get ours working.
There is definitely a different JAR file to use for non-Java 6, as of the last version of the JSS.
We use Java 8.
It slightly changes the behavior of the scraper.
Posted on 12-29-2016 10:22 AM
@guidotti Are you able to provide the ticket used to discuss this with JAMF so we can reference it with our TAM as well?
Posted on 12-29-2016 10:28 AM
Here is what was at the top of all of our emails:
[ ref:_00D80cOw4._500C0mPo5q:ref ]
I don't have any other designation.
Nick Anderson was the employee who spearheaded the case.
I hope that helps.