Posted on 06-01-2018 11:46 AM
I have a wifi config profile that works on all my Macs but 2, even if I erase and reinstall the OS. When it is installed manually or through Self Service it generates an error: "The ‘Active Directory Certificate’ payload could not be installed. The certificate request failed." I have run the debug logs and I am waiting to get access to the CA server to view its cert request logs. I have the Mac bound to AD and it is connected to the internal network via ethernet when the certs are installed, but nothing happens and Jamf generates the error above. While I'm waiting for access to the CA server, does anyone have any guesses about why it's not allowing the AD cert to install?
Posted on 06-01-2018 11:48 AM
The computer record might be disabled. There might be an AD attribute that is required but not populated (dNSHostName for example). The computer record might not have permissions to use the cert template.
Since rejoining a computer to an existing AD record won't fix unpopulated attributes and you can rejoin to a disabled record, I'd check those. Did you delete the record and rejoin as part of your troubleshooting?
Posted on 06-01-2018 12:11 PM
@alexjdale Forgive my lack of knowledge but I'm not familiar with computer records. So I did not do that as part of my troubleshooting. Could you elaborate on computer records? How would I delete the record and rejoin?
Posted on 06-01-2018 12:25 PM
You need to learn Active Directory or have someone with permissions do this for you, then. It doesn't sound like you have permissions or training and that's outside the scope of this thread. I don't want to tell you what to do for your particular environment.
Basically, when you join a computer to Active Directory, it either creates a new computer record or joins to an existing one. If there is a problem with that computer record that is causing the CSR to fail, then you'll need to address that at the AD level because reimaging won't solve it. The AD record would still have the same problem unless you deleted it prior to reimaging, which would force the Mac to create a fresh one.
Posted on 06-01-2018 12:40 PM
Posted on 06-03-2018 08:21 AM
@pz205m AD certificate requests require the AD object to have permission to request the cert. Make sure that the AD object is a member of the required group. That group is defined by the settings in AD.
Posted on 06-03-2018 08:23 AM
Also, do other computers work when installing the certificate through self service?
Posted on 06-04-2018 05:20 AM
Posted on 06-04-2018 06:19 AM
Make sure the computer names aren't already existing in AD - sometimes that can cause problems. Also make sure your computer names don't have any characters that AD doesn't like and are 15 characters or less.
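The checks suggested in this thread (computer record exists and is enabled, dNSHostName populated, membership in the group the cert template grants enrollment to, and a name of 15 characters or fewer without characters AD rejects) can be run from the AD side in one pass. The script below is an added example, not code from any poster; it assumes the RSAT ActiveDirectory module is available, that the caller can read the computer object, and that `Mac-Cert-Enroll` is a placeholder for whatever group your template actually uses.

```powershell
# Added example: sanity-check an AD computer record before an AD Certificate payload is pushed.
# Assumes the ActiveDirectory PowerShell module and read access to the object.
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    # Placeholder: the group that your certificate template grants Enroll to.
    [string] $RequiredGroup = 'Mac-Cert-Enroll'
)
Import-Module ActiveDirectory

$problems = @()

# 1. Name constraints: NetBIOS names are at most 15 characters, and AD rejects
#    a set of punctuation characters (list per Microsoft naming guidance).
if ($ComputerName.Length -gt 15) {
    $problems += "Name '$ComputerName' is longer than 15 characters"
}
if ($ComputerName -match '[\\/:*?"<>|,~!@#$%^&''(){}_\s]') {
    $problems += "Name '$ComputerName' contains characters AD does not allow"
}

# 2. Computer record: must exist, be enabled, and have dNSHostName populated.
$record = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
    -Properties dNSHostName, MemberOf, Enabled -ErrorAction SilentlyContinue

if (-not $record) {
    $problems += "No computer record named '$ComputerName' found in AD"
}
else {
    if (-not $record.Enabled) {
        $problems += "Computer record is disabled"
    }
    if ([string]::IsNullOrEmpty($record.dNSHostName)) {
        $problems += "dNSHostName attribute is not populated"
    }
    # 3. Group membership. MemberOf lists direct membership only; if the template
    #    permission is granted through a nested group, extend this check accordingly.
    $direct = $record.MemberOf | Where-Object { ($_ -split ',')[0] -eq "CN=$RequiredGroup" }
    if (-not $direct) {
        $problems += "Not a direct member of '$RequiredGroup'"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: '$ComputerName' passes all checks"
}
else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

Run it as `.\Check-MacCertRecord.ps1 -ComputerName <name> -RequiredGroup <group>` (script name is illustrative). Comparing the output for a failing Mac against a working one narrows the difference to the AD side quickly, which is where the original poster's fix ended up.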
Posted on 06-06-2018 05:44 AM
Figured out that it was an AD permissions issue. Manually editing them in AD fixed the issue. Thanks for the help!
Posted on 06-08-2018 12:41 PM
What do the two that fail have in common and how do they differ from those that work? E.g., kind of a long shot here, but if it works on older OSs and fails on new, see https://support.apple.com/en-us/HT207459
Posted on 01-28-2019 10:17 AM
@ACMT Can you elaborate on this? I'm trying to get my Macs to join our wifi on their own, or at least prompt for it, and I'm in a "Mac users should switch to PCs" type of house, so it's a struggle to get much help on the AD side. I get the same error on a couple of Macs I'm testing with, using the steps from here: https://sachinparmarblog.com/wireless-802-1x-eap-tls-on-mac-os-x/
Any other help that can be offered would be great.
Posted on 07-22-2019 10:16 PM
I'm with @slundy, could you elaborate on what within Active Directory you had to fix?
I don't/didn't know what to fix, so I just asked my AD guy to completely delete, then re-add the Active Directory object for the MacBook. After testing the Config Profile push, and then testing again, this same MacBook came back with exactly the same error.
We have 1100+ MacBooks that have succeeded in getting the wifi profile. We have 50 or so MacBooks that fail this constantly. The Config Profile setup would be the same. I really don't know what the difference is within AD.
Posted on 05-05-2020 12:01 AM
@ACMT Hi, could you please let us know what changes you made within the AD settings? I am facing the same issue for my user and do have AD access, so if you could advise. Thanks!
Posted on 05-05-2020 06:30 AM
@slundy @Bernard.Huang @jino.john I believe I deleted the existing computer record in AD, verified it was in the right group, and renamed the machine to the serial number. Honestly, I don't 100% recall what change was made to resolve this because it was a while ago.