11-03-2022 04:57 AM - edited 11-03-2022 05:03 AM
We recently set up the JAMF AD CS Connector.
We can see in the IIS logs that we are getting the 200 return code below, so we know JAMF Pro is talking to it.
2022-11-02 13:13:31 <Internal_IP> POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 52.39.2.203 Java-SDK - 200 0 0 1162
And 52.39.2.203 is an IP that belongs to JAMF.
It fails in the GUI with the error:
Failed to inject certificates into the profile
In the JAMF Pro logs, each time an attempt is made we see the below:
2022-11-01 16:33:08,650 [WARN ] [lina-exec-8] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:08,902 [WARN ] [lina-exec-8] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,194 [WARN ] [ina-exec-42] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,205 [WARN ] [ina-exec-42] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,577 [WARN ] [ina-exec-47] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:14,614 [WARN ] [ina-exec-47] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:33:18,528 [WARN ] [ina-exec-65] [HTMLResponse ] - CSRF risk found (AJAX). Denying request.
2022-11-01 16:33:19,362 [WARN ] [ina-exec-47] [HTMLResponse ] - CSRF risk found. Denying request.
2022-11-01 16:33:25,705 [WARN ] [ina-exec-68] [HTMLResponse ] - CSRF risk found (AJAX). Denying request.
2022-11-01 16:33:28,462 [WARN ] [ina-exec-30] [HTMLResponse ] - CSRF risk found. Denying request.
2022-11-01 16:34:08,923 [WARN ] [lina-exec-7] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:34:08,957 [WARN ] [lina-exec-7] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:34:35,581 [WARN ] [lina-exec-6] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:34:35,608 [WARN ] [lina-exec-6] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,406 [WARN ] [ina-exec-36] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,407 [WARN ] [ina-exec-36] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,749 [WARN ] [ina-exec-67] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:35:02,781 [WARN ] [ina-exec-67] [Credentials ] - We don't want to return an X509 Cert from a PKCS12 data blob
2022-11-01 16:39:52,486 [ERROR] [-Pki-Pool-4] [ertificatePayloadInjector] - Problem requesting certificate from ADCS
com.jamfsoftware.jss.core.service.certapi.CertificateRequestServiceException: Problem requesting certificate from ADCS
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.initiateCertRequestWithAdcsProxy(AdcsCertificatePayloadInjector.java:136) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.getCertificateFor(AdcsCertificatePayloadInjector.java:73) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.getPkiPayloadCertificate(PKICertificateInjectorService.java:279) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.issueAndBindCertificate(PKICertificateInjectorService.java:253) ~[classes/:?]
at com.jamfsoftware.jss.objects.pki.payload.PKICertificateInjectorService.lambda$issueCertificate$6(PKICertificateInjectorService.java:223) ~[classes/:?]
at org.springframework.security.concurrent.DelegatingSecurityContextRunnable.run(DelegatingSecurityContextRunnable.java:82) ~[spring-security-core-5.7.2.jar:5.7.2]
at org.springframework.scheduling.support.DelegatingErrorHandlingRunnable.run(DelegatingErrorHandlingRunnable.java:54) ~[spring-context-5.3.21.jar:5.3.21]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[?:?]
at java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[?:?]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[?:?]
at java.lang.Thread.run(Thread.java:834) ~[?:?]
Caused by: com.jamfsoftware.pki.adcs.exception.AdcsConnectorCertificateNotIssuedException: INTERNAL_ERROR: System.ArgumentException - CCertRequest::Submit: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
at com.jamfsoftware.pki.adcs.AdcsConnectorClientImpl.requestCertificate(AdcsConnectorClientImpl.java:128) ~[adcs-connector-client-10.42.0-t1665776579.jar:?]
at com.jamfsoftware.jss.objects.pki.adcs.AdcsCertificatePayloadInjector.initiateCertRequestWithAdcsProxy(AdcsCertificatePayloadInjector.java:134) ~[classes/:?]
... 12 more
In researching 0x80070057, we found it means "Check CA name in the PKI Certificates settings in Jamf Pro." From https://docs.jamf.com/technical-papers/jamf-pro/integrating-ad-cs/10.40.0/Analyzing_Errors_in_the_JA...
And we have tried both the Root CA and the intermediate.
The Root one stays shut down while the intermediate is online. In the CA Name ("Name of the certificate authority") setting we have tried both and still get the same error.
Thoughts?
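The CA-side checks behind the "Check CA name" advice, as an added example that is not part of the original post or of Jamf's connector. It is run on a domain-joined Windows host (ideally the one hosting the AD CS Connector) and uses only the built-in certutil and certreq tools. The config string, template name and file paths are hypothetical placeholders; substitute the exact "host\CA name" value entered in Jamf Pro > PKI Certificates and the template the profile requests. The idea is to reproduce the same CCertRequest::Submit call the connector makes, outside Jamf, so a malformed CA name or an unpublished template shows up as the same 0x80070057 / ERROR_INVALID_PARAMETER before any profile is involved:

```powershell
# Added diagnostic, not part of the thread or of Jamf's AD CS Connector.
# Assumes a domain-joined Windows host with certutil/certreq, run from an elevated prompt
# (MachineKeySet needs it). All values below are hypothetical; replace them with your own.
param(
    # Must be byte-for-byte the string in Jamf Pro > PKI Certificates > CA Name, i.e. "<host>\<CA name>".
    [string]$CAConfig = 'pki01.corp.example\Corp Issuing CA 01',   # hypothetical issuing (intermediate) CA
    [string]$Template = 'JamfDeviceAuth'                            # hypothetical template name
)

# 1. Which config strings does this host actually know? The "Config:" lines printed here are the
#    exact "host\CA name" values the connector must be given; a root CA that is kept offline will
#    appear too, but cannot answer requests, so the issuing CA is the one to use in Jamf.
Write-Host "== CA configurations known to this host =="
certutil -dump

# 2. Can the CA be reached under exactly that name? A wrong host name or CA common name fails here.
Write-Host "`n== Pinging $CAConfig =="
certutil -config "$CAConfig" -ping
if ($LASTEXITCODE -ne 0) {
    Write-Warning "certutil -ping failed (exit $LASTEXITCODE). Check the host and CA common name; a bad config string is a known cause of ERROR_INVALID_PARAMETER from CCertRequest::Submit."
}

# 3. Does this CA publish the template the Jamf profile asks for? If it is not listed, the CA will
#    reject the request no matter what Jamf sends.
Write-Host "`n== Templates issued by $CAConfig =="
certutil -config "$CAConfig" -CATemplates

# 4. Submit a throwaway CSR through the same template, outside Jamf, to separate CA-side problems
#    (config string, template not issued, enroll permissions) from connector-side ones.
$inf = @"
[NewRequest]
Subject = "CN=adcs-connector-selftest"
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $Template
"@
$work = Join-Path $env:TEMP 'adcs-selftest'            # hypothetical scratch directory
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Content -Path "$work\req.inf" -Value $inf -Encoding ASCII

certreq -f -new "$work\req.inf" "$work\req.csr"
certreq -f -submit -config "$CAConfig" -attrib "CertificateTemplate:$Template" "$work\req.csr" "$work\cert.cer"
if ($LASTEXITCODE -eq 0) {
    Write-Host "`nTest request was issued: the CA name and template are fine. Look next at the proxy account's Enroll permission on the template and at anything (load balancer, proxy) sitting between the connector and the CA."
} else {
    Write-Warning "certreq -submit failed (exit $LASTEXITCODE); fix this on the CA before looking at Jamf."
}
```

If step 4 succeeds from the connector host under the account the connector runs as, the config string and template are not the problem and the remaining suspects are the connector's own configuration and the network path to the CA; if it fails with the same 0x80070057, the CA name or template is wrong regardless of what Jamf Pro shows.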
11-09-2022 01:42 PM - edited 11-09-2022 01:45 PM
It could be that this error is common enough that sharing this experience may not solve your issue. We saw this recently when our Identity team migrated their PKI infrastructure from AWS to Azure and their load balancers were not configured correctly. To be more specific, the configurations on the load balancers didn't match, and once this was addressed the issue resolved itself.
EDIT: We saw this once before the instance I described above, and the issue was with the PKI certificate template hosted on the PKI server. I don't recall the exact issue the Identity team discovered with their template, but this may also be worth a look.