We recently set up the JAMF AD CS connector.
We can see in the IIS logs that we are getting the below 200 return code, so we know JAMF Pro is talking to it.
2022-11-02 13:13:31 <Interanl_IP> POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 52.39.2.203 Java-SDK - 200 0 0 1162
And 52.39.2.203 is an IP that belongs to JAMF.
It will fail in the GUI with the error:
Failed to inject certificates into the profile
In the JAMF Pro logs, each time an attempt is made we see the below:
2022-11-01 16:33:08,650 [WARN ] [lina-exec-8] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:08,902 [WARN ] [lina-exec-8] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,194 [WARN ] [ina-exec-42] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,205 [WARN ] [ina-exec-42] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,577 [WARN ] [ina-exec-47] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,614 [WARN ] [ina-exec-47] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:18,528 [WARN ] [ina-exec-65] [HTMLResponse ] - CSRF risk found (AJAX). Denying request.
2022-11-01 16:33:19,362 [WARN ] [ina-exec-47] [HTMLResponse ] - CSRF risk found. Denying request.
2022-11-01 16:33:25,705 [WARN ] [ina-exec-68] [HTMLResponse ] - CSRF risk found (AJAX). Denying request.
2022-11-01 16:33:28,462 [WARN ] [ina-exec-30] [HTMLResponse ] - CSRF risk found. Denying request.
2022-11-01 16:34:08,923 [WARN ] [lina-exec-7] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:34:08,957 [WARN ] [lina-exec-7] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:34:35,581 [WARN ] [lina-exec-6] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:34:35,608 [WARN ] [lina-exec-6] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,406 [WARN ] [ina-exec-36] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,407 [WARN ] [ina-exec-36] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,749 [WARN ] [ina-exec-67] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,781 [WARN ] [ina-exec-67] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:39:52,486 [error] [-Pki-Pool-4] [ertificatePayloadInjector] - Problem requesting certificate from ADCS
com.jamfsoftware.jss.core.service.certapi.CertificateRequestServiceException: Problem requesting certificate from ADCS
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.initiateCertRequestWithAdcsProxy(AdcsCertificatePayloadInjector.java:136) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.getCertificateFor(AdcsCertificatePayloadInjector.java:73) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.getPkiPayloadCertificate(PKICertificateInjectorService.java:279) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.issueAndBindCertificate(PKICertificateInjectorService.java:253) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.lambda$issueCertificate$6(PKICertificateInjectorService.java:223) ~[classes/:?]
at org.springframework.security.concurrent.DelegatingSecurityContextRunnable.run(DelegatingSecurityContextRunnable.java:82) ~[spring-security-core-5.7.2.jar:5.7.2]
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-5.3.21.jar:5.3.21]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[?:?]
at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
at java.lang.Thread.run(Thread.java:834) ~[?:?]
Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorCertificateNotIssuedException: INTERNAL_ERROR: System.ArgumentException - CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
at com.jamfsoftware.pki.adcs.AdcsConnectorClientImpl.requestCertificate(AdcsConnectorClientImpl.java:128) ~[adcs-connector-client-10.42.0-t1665776579.jar:?]
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.initiateCertRequestWithAdcsProxy(AdcsCertificatePayloadInjector.java:134) ~[classes/:?]
... 12 more
In researching 0x80070057 we know it means "Check CA name in the PKI Certificates settings in Jamf Pro." (from https://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.40.0/Analyzing_Errors_in_the_JAMFSoftwareServer-log_File.html).
And we have tried both the Root CA and the intermediary.
The Root one stays shut down while the intermediary is online. In the "CA Name" (name of the certificate authority) setting we have tried both and still get the same error.
Thoughts?
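
Added example (not part of the original post and not Jamf's code): a small triage script that skips the WARN noise in a JAMFSoftwareServer.log excerpt, pulls out the AD CS "Caused by" line, and decodes the HRESULT into its standard bit fields so it can be checked against the Win32 code in the message. The function names are hypothetical, and the sample is an excerpt of the log lines quoted above.

```python
import re

# Excerpt of the JAMFSoftwareServer.log lines quoted in the post above.
SAMPLE_LOG = """\
2022-11-01 16:35:02,781 [WARN ] [ina-exec-67] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:39:52,486 [error] [-Pki-Pool-4] [ertificatePayloadInjector] - Problem requesting certificate from ADCS
com.jamfsoftware.jss.core.service.certapi.CertificateRequestServiceException: Problem requesting certificate from ADCS
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.getCertificateFor(AdcsCertificatePayloadInjector.java:73) ~[classes/:?]
Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorCertificateNotIssuedException: INTERNAL_ERROR: System.ArgumentException - CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
"""

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \[\s*(\w+)\s*\]")
CAUSE = re.compile(r"^Caused by: ([\w.$]+): (.*)$")
HRESULT = re.compile(r"\b0x([0-9A-Fa-f]{8})\b")


def decode_hresult(value):
    """Split a 32-bit HRESULT into its standard bit fields."""
    return {
        "failure": bool(value >> 31),       # severity bit (bit 31)
        "facility": (value >> 16) & 0x7FF,  # 7 = FACILITY_WIN32
        "code": value & 0xFFFF,             # Win32 error code when facility is 7
    }


def find_adcs_failures(log_text):
    """Return one record per error-level entry that has an AD CS 'Caused by' line."""
    failures, current = [], None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            # A new timestamped entry starts; track only error-level ones.
            current = entry.group(1) if entry.group(2).lower() == "error" else None
            continue
        cause = CAUSE.match(line.strip())
        if current and cause and ".adcs." in cause.group(1):
            record = {"time": current, "exception": cause.group(1).rsplit(".", 1)[-1],
                      "message": cause.group(2), "hresult": None}
            code = HRESULT.search(cause.group(2))
            if code:
                record["hresult"] = decode_hresult(int(code.group(1), 16))
            failures.append(record)
    return failures


if __name__ == "__main__":
    for failure in find_adcs_failures(SAMPLE_LOG):
        print(failure)
```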