I can't say for sure if this is your issue, but I can tell you from some (painful) first-hand experience that ADCS Connector, or more specifically, IIS, is VERY particular about the certificates that are in the Root Certification Authority directory in the cert store. Any certs in there have to be self-signed, meaning the Issued to and Issued by values must match. If you think about it, that Root Cert store contains the certs that act as authority for other intermediate certificates, so it makes sense that they must have self trust and not be dependent on another issuer.
So I guess what I'm saying is, your error is indicating a certificate trust issue. I would take a look at the certs in that Root Certification Authority and see if any of them are not self-signed.
There's a PowerShell command you can run as well that will help you determine if any certs in that location are at fault. I'll dig it up and post it here. It's been posted on some other threads here as well if you search around on ADCS.
Edit: In case you wanted to test out the cert issue, here is the PS command you can run:
Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"
The output file should be blank. If anything appears in it, it means it's a non-self-signed cert and should be dealt with.
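An added example (not from the original post or the Jamf/ADCS Connector product) that extends the check above: it scans both the LocalMachine and CurrentUser Root stores and, in addition to the Issuer/Subject comparison, cross-checks the Authority Key Identifier against the Subject Key Identifier, since two different CAs can carry the same distinguished name. The function name is made up for this example, and reading the AKI KeyID out of the extension's Format() text is an assumption about how Windows renders that extension.

```powershell
# Added example, not the original poster's command. Reports every certificate in
# the Root stores that is not self-signed, using two independent checks.
function Get-NonSelfSignedRootCert {
    param(
        # Both locations are assumed to matter for an IIS-hosted site.
        [string[]]$StoreLocation = @('LocalMachine', 'CurrentUser')
    )
    foreach ($loc in $StoreLocation) {
        Get-ChildItem -Path "Cert:\$loc\Root" | ForEach-Object {
            $cert = $_
            # Check 1: the name-based test from the original command.
            $nameMismatch = $cert.Issuer -ne $cert.Subject

            # Check 2: SKI (2.5.29.14) is exposed as a typed property; AKI (2.5.29.35)
            # has no typed class in Windows PowerShell, so the KeyID is pulled out of
            # the formatted text (assumed to look like "KeyID=ab cd ef ...").
            $ski = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' } |
                    Select-Object -First 1).SubjectKeyIdentifier
            $akiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' } |
                      Select-Object -First 1
            $aki = $null
            if ($akiExt -and ($akiExt.Format($false) -match 'KeyID=([0-9a-fA-F\s]+)')) {
                $aki = $Matches[1] -replace '\s', ''
            }
            # Only meaningful when both identifiers are present; -ne is case-insensitive.
            $keyIdMismatch = ($ski -and $aki) -and ($ski -ne $aki)

            if ($nameMismatch -or $keyIdMismatch) {
                [pscustomobject]@{
                    Store      = "Cert:\$loc\Root"
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Reason     = if ($nameMismatch) { 'Issuer differs from Subject' }
                                 else { 'AKI differs from SKI' }
                }
            }
        }
    }
}

# Usage: an empty result means every root passed both checks.
Get-NonSelfSignedRootCert | Format-Table -AutoSize
```

Anything listed belongs in the Intermediate Certification Authorities store (or nowhere) rather than in Root.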
Thanks for the reply! Output file was blank. I have Jamf support looking at it too. I'm completely lost. I've added a service account, given permissions to the site, the network and security opened every port up for a short time, and nothing. It's like the ADCSproxy site doesn't exist.
As a side issue, when we built them it was not supported on Windows Server 2022 but is on Windows Server 2019.