Unable to Decrypt Profile? ADCS Connector

miyonfaga
New Contributor

Building a Jamf Cloud instance. Jamf 11.1.3

Test machine is Sonoma 14.2. The machine seems to set up fine but doesn't get a machine certificate from my ADCS connector. The WiFi payload, which would normally deliver it, gives 'unable to decrypt profile'.

(disregard the AD bind error. FWIW that's temporary because I'll be using Connect)


AJPinto
Honored Contributor II

Assuming your device is domain bound (which is required for issuing ADCS certs to Macs), is the machine certificate being deployed by a Certificate configuration profile and in your keychain?

statusBrew
New Contributor III

@miyonfaga - happy to help on this one, I've recently also had issues with ADCS Connector not working, and that was an error I got during the troubleshooting.

I do now have this working, so if this is still an issue for you, happy to help further.

Worth looking at the inetpub logs on the ADCS connector server - do you have a response code?

Logs are at C:\inetpub\logs\LogFiles\W3SVC2

This article was quite useful, but only got me so far:

https://travellingtechguy.blog/jamf-adcs-connector/

caseyj3350
New Contributor

@statusBrew I'm getting 403 in the IIS logs at that path - any ideas? Everything is set up per that blog...

403 is a slightly different error from the one I was getting.

I got 401, meaning unauthorised, but 403 means forbidden, suggesting there might be a connection issue between JamfCloud and your ADCS connector.

https://travellingtechguy.blog/troubleshooting-with-postman-testing-the-jamf-adcs-connector-client-c...

The link above might be helpful, as it does specifically mention 403 errors and how to further diagnose what it is.

QQ - is your ADCS connector sitting behind a LB of some kind?

It could be that, if it is, the LB is intercepting the connection and breaking the mTLS auth - the traffic needs to be allowed through without any inspection or altering of the connection in any way, else the mTLS breaks. (As per my understanding; I'm not a network engineer, so very basic understanding!)

Weird... OK, I'll check that. No, it's just a single server, no LB involved at all.

FutureFacinLuke
Contributor II

Following this thread as I had a functioning ADCS that has now started to show an Unable to Decrypt Profile error when deploying profiles with 403s in the log.

We think that Jamf Cloud cannot talk to the ADCS connector any more. Is there a good way to confirm this?

Do you see 403 errors in the logs on your ADCS server?
If you do, then it could suggest that Jamf Cloud can connect to the ADCS Connector server, else how would it know to attempt to retrieve a cert, and then get an error back?

My previous link above is a good troubleshooting page from TTG talking about various errors, including 403 errors. Did you have a go at any of those steps? Where did you get a failure/get stuck?

Basholding
New Contributor II

We are also having problems. We have asked our network team to set up a NAT rule in the firewall to allow the Jamf Pro IP addresses to reach our ADCS server, but we are still getting the 'Unable to decrypt' error after they made the change.

C:\inetpub\logs\LogFiles\W3SVC2 gives the following:

2024-03-20 18:44:10 ::1 GET / - 443 - ::1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://localhost/ 403 14 0 2574

Is the NAT rule set to inspect the traffic, or pass through with no interception?
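As an added example (not from any poster in this thread, and not Jamf's or the connector's own code), here is a small Python script for reading the IIS W3C log under C:\inetpub\logs\LogFiles\W3SVC2 the way the replies above suggest. It maps columns from the log's own #Fields: header instead of hardcoding positions, groups requests by client address and IIS status.substatus, separates localhost test requests (::1 / 127.0.0.1) from remote ones, and flags the 403 substatus codes IIS uses for client-certificate failures (403.7, 403.13, 403.16, 403.17), which is where a broken mTLS connection shows up. The 403 14 line is the one Basholding posted; note that IIS 403.14 is "Directory listing denied" and that request came from ::1, i.e. a browser on the server itself, so it says nothing about whether Jamf Cloud reaches the connector. The other log lines, the request path, the user agent string and the 203.0.113.10 address are constructed placeholders, not real connector traffic.

```python
"""Summarise an IIS W3C log for ADCS connector troubleshooting (added example)."""
from collections import Counter

# IIS substatus meanings (from IIS documentation). Only the codes relevant to
# this thread are listed; anything else falls back to a generic note.
SUBSTATUS_MEANINGS = {
    "401.2": "Unauthorized: logon failed due to server configuration",
    "401.3": "Unauthorized due to ACL on resource",
    "403.7": "Client certificate required",
    "403.13": "Client certificate revoked",
    "403.14": "Directory listing denied",
    "403.16": "Client certificate is untrusted or invalid",
    "403.17": "Client certificate has expired or is not yet valid",
}
# The 403 substatus codes that point at the mTLS (client certificate) handshake.
CLIENT_CERT_SUBSTATUS = {"403.7", "403.13", "403.16", "403.17"}
LOCAL_CLIENTS = {"::1", "127.0.0.1"}

# Constructed sample log. Line 1 of the data is the line posted in the thread.
# The remaining lines, the path, the user agent and 203.0.113.10 (documentation
# address standing in for a Jamf Cloud egress IP) are placeholders.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-03-20 18:44:10
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-03-20 18:44:10 ::1 GET / - 443 - ::1 Mozilla/5.0+(Windows+NT+10.0;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://localhost/ 403 14 0 2574
2024-03-20 18:50:02 10.0.0.20 POST /connector-endpoint-placeholder - 443 - 203.0.113.10 Placeholder-Agent - 403 16 0 31
2024-03-20 18:50:30 10.0.0.20 POST /connector-endpoint-placeholder - 443 - 203.0.113.10 Placeholder-Agent - 403 7 0 12
2024-03-20 18:51:00 10.0.0.20 POST /connector-endpoint-placeholder - 443 - 203.0.113.10 Placeholder-Agent - 200 0 0 120
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directives: only #Fields: matters; it can change mid-file, so
            # always use the most recent one.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields: directive")
        # IIS replaces spaces inside a field with '+', so a plain split is safe.
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def status_key(rec):
    """Return the IIS 'status.substatus' string for a record, e.g. '403.14'."""
    return f"{rec['sc-status']}.{rec['sc-substatus']}"


def explain(rec):
    """Human-readable one-liner for a record, including the substatus meaning."""
    key = status_key(rec)
    meaning = SUBSTATUS_MEANINGS.get(key, "see IIS substatus reference")
    origin = "local test request" if rec["c-ip"] in LOCAL_CLIENTS else "remote client"
    return f"{rec['date']} {rec['time']} {rec['c-ip']} ({origin}) {rec['cs-method']} {rec['cs-uri-stem']} -> {key}: {meaning}"


def summarise(records):
    """Group by (client, status.substatus); count remote hits; list cert failures."""
    by_client_status = Counter((r["c-ip"], status_key(r)) for r in records)
    remote = [r for r in records if r["c-ip"] not in LOCAL_CLIENTS]
    cert_failures = [
        (r["time"], r["c-ip"], status_key(r))
        for r in records if status_key(r) in CLIENT_CERT_SUBSTATUS
    ]
    return {
        "by_client_status": by_client_status,
        "remote_requests": len(remote),
        "client_cert_failures": cert_failures,
    }


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for r in recs:
        print(explain(r))
    report = summarise(recs)
    print("remote requests:", report["remote_requests"])
    for (client, key), n in sorted(report["by_client_status"].items()):
        print(f"  {client:15} {key:8} x{n}")
    print("client-certificate failures:", report["client_cert_failures"])
```

To run it against a real connector, replace SAMPLE_LOG with the contents of the newest u_ex*.log file in that directory. If every line comes from ::1 and nothing from a remote address, the "Jamf Cloud cannot reach the connector" theory from this thread is the one to chase; if remote requests do arrive but land on 403.7 or 403.16, the TLS client certificate is not making it through intact, which is the load balancer / inspection scenario statusBrew describes.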