Mac Enrollment Issue

Hello,

Having some trouble enrolling my first Mac device with SCCM 2012 SP1.

I have installed the client and am trying to use the CMEnroll Tool with no success.

Command I am using is this:

CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u "domain\username"

and on the client I receive the error:

Server connection failed. http response code is 500 and reason is internal server error.

On the server in the EnrollmentServer.log I receive this error:

[6, PID:5748][02/01/2013 13:48:35] :WindowsIdentity is created for domain: domain user: username
[6, PID:5748][02/01/2013 13:48:35] :validated user credentials
[6, PID:5748][02/01/2013 13:48:35] :Handling RequestSecurityToken
[6, PID:5748][02/01/2013 13:48:35] :claim identity name: domain\username
[6, PID:5748][02/01/2013 13:48:35] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777220
[6, PID:5748][02/01/2013 13:48:35] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:  
[6, PID:5748][02/01/2013 13:48:35] :Template: ConfigMgrMacClientCertificate
[6, PID:5748][02/01/2013 13:48:35] :CA: System.Collections.Generic.List`1[System.String]
[6, PID:5748][02/01/2013 13:48:35] :The CA server.domain is in forest cac.local
[6, PID:5748][02/01/2013 13:48:35] :Impersonating caller: domain\username
[6, PID:5748][02/01/2013 13:48:35] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
[6, PID:5748][02/01/2013 13:48:35] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: CA Chains count: 2
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
[6, PID:5748][02/01/2013 13:48:50] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
   at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
   at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
   at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
   at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
   at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
   at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
[6, PID:5748][02/01/2013 13:48:50] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed

Any ideas?

February 1st, 2013 2:53am
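Added example, not part of the original post or of ConfigMgr: a small parser for the EnrollmentServer.log format shown above. It pulls out the chain-status flags, the fault reason, the first stack frame and the longest pause between entries. The sample lines are constructed from the excerpt in the post; the flag meanings assume these are .NET `X509ChainStatusFlags` names, and the timestamp is assumed to be MM/DD/YYYY.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, shaped like the EnrollmentServer.log excerpt in the post.
SAMPLE_LOG = """\
[6, PID:5748][02/01/2013 13:48:35] :Template: ConfigMgrMacClientCertificate
[6, PID:5748][02/01/2013 13:48:35] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: CA Chains count: 2
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
   at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
   at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
[6, PID:5748][02/01/2013 13:48:50] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed
"""

ENTRY = re.compile(r"^\[\d+, PID:(\d+)\]\[([^\]]+)\] :(.*)$")

# Assumption: the flag names are .NET X509ChainStatusFlags values.
FLAG_MEANING = {
    "RevocationStatusUnknown": "revocation status could not be determined",
    "OfflineRevocation": "the CRL the chain relies on was offline or unavailable",
}

def summarize(log_text):
    """Return chain-status flag counts, fault reason, first stack frame, longest gap."""
    flags, frames, fault = Counter(), [], None
    prev, max_gap = None, 0.0
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if m is None:
            # Stack-trace continuation lines carry no [thread, PID][time] prefix.
            if raw.lstrip().startswith("at "):
                frames.append(raw.lstrip()[3:].split("(", 1)[0])
            continue
        stamp = datetime.strptime(m.group(2), "%m/%d/%Y %H:%M:%S")
        if prev is not None:
            max_gap = max(max_gap, (stamp - prev).total_seconds())
        prev, msg = stamp, m.group(3)
        if "ChainStatus error:" in msg:
            # Items look like "Flag,description;" and may repeat per chain element.
            for item in msg.split("ChainStatus error:", 1)[1].split(";"):
                if item.strip():
                    flags[item.split(",", 1)[0].strip()] += 1
        elif msg.startswith("FaultCode is:"):
            fault = msg.split("reason is:", 1)[1].strip()
    return {"flags": dict(flags), "fault": fault,
            "failing_frame": frames[0] if frames else None,
            "max_gap_seconds": max_gap}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name, count in result["flags"].items():
        print(f"{name} x{count}: {FLAG_MEANING.get(name, 'unrecognised flag')}")
    print(result["fault"], result["failing_frame"], result["max_gap_seconds"])
```

On the sample, the 15-second pause falls between the CA success message and the chain-status errors raised from `SplitCACertChain`.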

Anyone?
February 6th, 2013 3:49am

I'm also having this issue. Any ideas?
February 6th, 2013 2:24pm

Same issue, anyone? anyone? Bueller? Bueller?
February 9th, 2013 12:02am

Have you followed the instructions on these links fully?

Create the Cert Template:

http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012

Go to Deploying the Client Certificate for Mac Computers

Setup SCCM and install client:

http://www.jamesbannanit.com/2012/10/enrol-mac-os-x-clients-in-configuration-manager-2012-sp1/

February 11th, 2013 10:50pm

Yer those two guides are what I have been using. :)
February 12th, 2013 8:08am

As a workaround, you could manually import a certificate to your Mac client. I have deployed Mac clients to ConfigMgr without using enrollment process at all.

Is your certificate server running on Windows Server 2008 R2 or Windows Server 2012? I had problems running enrollment server on Windows Server 2012 during ConfigMgr 2012 SP1 beta, but it should've been fixed in ConfigMgr 2012 SP 1 RTM version.

Panu

February 12th, 2013 10:46am

Manually importing sounds like something that is worth trying... Thanks for the suggestion.

And we are using Windows 2008 R2.

February 12th, 2013 10:53am

I had a similar problem with my test environment when using CMenroll command. I got the following error message in ..\EnrollmentProxyPoint\Logs\EnrollmentWeb.log:

System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'intranet-FQDN'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

I had defined both internet FQDN and intranet FQDN (different FQDNs) to my Enrollment point server and the IIS certificate is for internet FQDN. Then I changed Internet FQDN to intranet FQDN and created a new IIS certificate to this new name. After these changes, the enrollment worked fine.

Panu

February 12th, 2013 12:56pm

OK I tried creating a new certificate with just the internal FQDN and that did not work either, same error message received for me.

February 17th, 2013 10:00pm

Found a page on turning CRL checking on for the Mac:

http://securityskeptic.typepad.com/the-security-skeptic/2011/04/mac-users-listen-up-enable-certificate-checking.html

Didn't help but seemed like something I needed to do.

February 18th, 2013 5:54am

As a workaround, you could manually import a certificate to your Mac client. I have deployed Mac clients to ConfigMgr without using enrollment process at all.

Is your certificate server running on Windows Server 2008 R2 or Windows Server 2012? I had problems running enrollment server on Windows Server 2012 during ConfigMgr 2012 SP1 beta, but it should've been fixed in ConfigMgr 2012 SP 1 RTM version.

Panu

I have manually imported the cert on the client and I still experience the same issue with the Mac enrollment.

February 18th, 2013 5:57am

Have you tried to use your server's internal FQDN as the internet FQDN (site system properties)? Then ConfigMgr thinks that the computer's internal & internet FQDN are the same, even though they really aren't the same. Mac client is always an "internet" client even when it is within the internal network.

If you manually import the cert to your Mac computer, you just install the client. You don't need to do enrollment in that scenario.

Panu

February 18th, 2013 10:29pm

Not sure if you've solved this by now lord_hydrax, but I was having this same issue and I found a solution. Try running the command C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -i on your site server, as described in Fei Xia's MSDN blog. This command refreshes the ASP settings in IIS.

April 22nd, 2013 3:16pm

Fighting this battle right now. I get the same error as above and I have tried importing the cert on the Mac manually, still doesn't work.
April 9th, 2015 3:01pm

This topic is archived. No further replies will be accepted.
