Troubleshooting - The ‘Active Directory Certificate’ payload could not be installed. The certificate request failed.

RickDalton
New Contributor III

I have a wifi config profile that works on all my Macs but 2, even if I erase and reinstall the OS. When it is installed manually or through Self Service it generates an error: "The ‘Active Directory Certificate’ payload could not be installed. The certificate request failed." I have run the debug logs and I am waiting to get access to the CA server to view its cert request logs. I have the Mac bound to AD and it is connected to the internal network via ethernet when the certs are installed, but nothing happens and Jamf generates the error above. While I'm waiting for access to the CA server, does anyone have any guesses about why it's not allowing the AD cert to install?

14 REPLIES

alexjdale
Valued Contributor III

The computer record might be disabled. There might be an AD attribute that is required but not populated (dNSHostName for example). The computer record might not have permissions to use the cert template.

Since rejoining a computer to an existing AD record won't fix unpopulated attributes and you can rejoin to a disabled record, I'd check those. Did you delete the record and rejoin as part of your troubleshooting?

RickDalton
New Contributor III

@alexjdale Forgive my lack of knowledge but I'm not familiar with computer records. So I did not do that as part of my troubleshooting. Could you elaborate on computer records? How would I delete the record and rejoin?

alexjdale
Valued Contributor III

You need to learn Active Directory or have someone with permissions do this for you, then. It doesn't sound like you have permissions or training and that's outside the scope of this thread. I don't want to tell you what to do for your particular environment.

Basically, when you join a computer to Active Directory, it either creates a new computer record or joins to an existing one. If there is a problem with that computer record that is causing the CSR to fail, then you'll need to address that at the AD level because reimaging won't solve it. The AD record would still have the same problem unless you deleted it prior to reimaging, which would force the Mac to create a fresh one.

RickDalton
New Contributor III

I'll partner with my coworker who has access. Thank you @alexjdale for your response.

cubandave
Contributor

@pz205m AD certificate requests require the AD object to have permission to request the cert. Make sure that the AD object is a member of the required group. That group is defined by the settings in AD.

cubandave
Contributor

Also, do other computers work when installing the certificate through self service?

RickDalton
New Contributor III

@cubandave Yes, all other Macs install the wifi config normally via Self Service.

AVmcclint
Valued Contributor III

Make sure the computer names don't already exist in AD - sometimes that can cause problems. Also make sure your computer names don't have any characters that AD doesn't like and are 15 characters or less.
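Pulling together the AD-side checks raised in alexjdale's and AVmcclint's replies (disabled computer object, empty dNSHostName, missing group or template permission, duplicate or over-long names), here is an added PowerShell example for the AD administrator's side. It is not from any poster in this thread or from Jamf; the computer name, template name and group name are assumptions to replace, and it needs the RSAT ActiveDirectory module plus read access to the object and the template's security descriptor.

```powershell
# Added example, not from the thread: check the AD-side preconditions for a Mac's
# computer object before re-testing the AD Certificate payload.
Import-Module ActiveDirectory

$ComputerName  = 'MAC-C02ABC123'   # assumption: the name the Mac is bound with
$TemplateName  = 'MacWiFiUser'     # assumption: the template's CN (not its display name)
$RequiredGroup = 'Mac-Cert-Enroll' # assumption: the group the template's Enroll ACE grants to

function Test-NetBiosName {
    # NetBIOS names are capped at 15 characters; keep to letters, digits and hyphens.
    param([Parameter(Mandatory)][string]$Name)
    $problems = @()
    if ($Name.Length -gt 15)          { $problems += "longer than 15 characters ($($Name.Length))" }
    if ($Name -match '[^A-Za-z0-9-]') { $problems += 'contains characters outside A-Z, 0-9 and hyphen' }
    if ($Name -match '^-|-$')         { $problems += 'starts or ends with a hyphen' }
    return $problems
}

# 1. Name rules
Test-NetBiosName -Name $ComputerName | ForEach-Object { Write-Warning "Name: $_" }

# 2. The computer object: present once, enabled, dNSHostName populated, in the group
$comp = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
            -Properties Enabled, DNSHostName, MemberOf, PasswordLastSet, whenCreated
if (-not $comp) {
    Write-Warning "No computer object named $ComputerName; the Mac may be bound under another name."
} elseif (@($comp).Count -gt 1) {
    Write-Warning "More than one object matches $ComputerName; duplicate records break the CSR."
} else {
    if (-not $comp.Enabled)     { Write-Warning 'Computer object is disabled.' }
    if (-not $comp.DNSHostName) { Write-Warning 'dNSHostName is empty; the CA cannot build the subject from it.' }
    $inGroup = $comp.MemberOf | Where-Object { $_ -match "^CN=$([regex]::Escape($RequiredGroup))," }
    if (-not $inGroup)          { Write-Warning "Not a direct member of $RequiredGroup." }
    "Object:  $($comp.DistinguishedName)"
    "Enabled: $($comp.Enabled)  dNSHostName: $($comp.DNSHostName)  PasswordLastSet: $($comp.PasswordLastSet)"
}

# 3. Who is allowed to enroll on the template (Certificate-Enrollment extended right)
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templateDN  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.ObjectType -eq $enrollRight -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights |
    Format-Table -AutoSize
```

Step 2 only inspects direct membership (MemberOf); if the template's Enroll right is granted through a nested group, compare the identities printed in step 3 against the computer's token instead. The template ACL check reads the template object in the Configuration partition, so it works regardless of which CA publishes the template.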

RickDalton
New Contributor III

Figured out that it was an AD permissions issue. Manually editing them in AD fixed the issue. Thanks for the help!

laslow
New Contributor

What do the two that fail have in common and how do they differ from those that work? E.g., kind of a long shot here, but if it works on older OSs and fails on newer ones, see https://support.apple.com/en-us/HT207459

slundy
New Contributor III

@ACMT Can you elaborate on this? I'm trying to get my Macs to join our wifi on their own, or at least prompt for it, and I'm in a "Mac users should switch to PCs" type of house so it's a struggle to get much help on the AD side. I get the same error on a couple of Macs I'm testing with, using the steps from here: https://sachinparmarblog.com/wireless-802-1x-eap-tls-on-mac-os-x/

Any other help that can be offered would be great.

Bernard_Huang
Contributor III

Hi @ACMT

I'm with @slundy , could you elaborate what within Active Directory you had to fix?

I don't/didn't know what to fix, so I just asked my AD guy to completely delete, then re-add, the Active Directory object for the MacBook. After testing the Config Profile push, and then testing again, this same MacBook came back with exactly the same error.

We have 1100+ MacBooks that have succeeded in getting the Wifi profile. We have 50 or so MacBooks that fail this constantly. The Config Profile setup would be the same. I really don't know what the difference is within AD.

jino_john
New Contributor

@ACMT Hi, please could you let us know what changes you made within AD settings? I am facing the same issues for my user, and do have AD access, so if you could advise. Thanks!

RickDalton
New Contributor III

@slundy @Bernard.Huang @jino.john I believe I deleted the existing computer record in AD, verified it was in the right group, and renamed the machine to the serial number. Honestly I don't 100% recall what change was made to resolve this because it was a while ago.