PKI certificate request fails with a Configuration Profile only for some machines

mpro
New Contributor II

This is somewhat related to the discussion at https://jamfnation.jamfsoftware.com/discussion.html?id=4987, but there are enough distinct differences that I wanted to create a new thread to see if anyone else has seen this issue.

We have a configuration profile to push out several certificates, including our root and intermediary certificates, as well as requesting a machine certificate from the PKI server itself. We were able to get it working with our pilot users and many users after that, but only recently, we tried to add more computers into the group and found that the profile was not being created.

After investigating this a little more with assistance from our JAMF rep, we were able to determine that the profile failed to be created and the JSS reported the management error:
The 'Active Directory Certificate' payload could not be installed. The certificate request failed.

The curious part is that some requests were made and granted while others failed.

We have since determined that several of the computers that have this problem are on 10.9.X and when looking through the PKI server logs, we saw several errors for different machines:

  1. Active Directory Certificate Services denied request 5811 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422). The request was for CN=MACHINE1. Additional information: Denied by Policy Module
  2. Active Directory Certificate Services denied request 5804 because The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377). The request was for CN=MACHINE2. Additional information: Denied by Policy Module
  3. Active Directory Certificate Services denied request 5803 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422). The request was for CN=MACHINE3. Additional information: Denied by Policy Module

In addition to this, we determined that these machines also reported 2 IP Addresses each on an NSLOOKUP and were wondering if that was affecting this too.

Has anyone come across a similar issue when requesting PKI certificates?

1 ACCEPTED SOLUTION

mpro
New Contributor II

After working on this with Microsoft, it turns out that the Apple article is slightly out of date. For Mavericks, we needed to have the PKI certificate Subject Name use the UPN and not the DNS name as shown in this article and this screenshot:

http://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/
http://afp548.com/wp-content/uploads/2012/11/image.png

Once we changed the Subject Name checkbox, the certificates were granted and our Mavericks machines were able to get the certificates.

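As an added example, not code from the thread or from Jamf or Microsoft: a small Python triage script that parses the three CA denial lines quoted in the question, maps each HRESULT to its CERTSRV_E_* name, checks that the hex and signed-decimal forms agree, and decodes a template's msPKI-Certificate-Name-Flag value to show the DNS-versus-UPN subject alternative name setting that the accepted answer changed. The sample log text is constructed from the lines quoted above, the template flag value is a constructed sample, the flag names come from the MS-CRTD specification, and the remediation hints paraphrase the thread's own finding.

```python
import re

# Constructed sample: the three denial lines quoted in the question.
SAMPLE_LOG = """
Active Directory Certificate Services denied request 5811 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422). The request was for CN=MACHINE1. Additional information: Denied by Policy Module
Active Directory Certificate Services denied request 5804 because The DNS name is unavailable and cannot be added to the Subject Alternate name. 0x8009480f (-2146875377). The request was for CN=MACHINE2. Additional information: Denied by Policy Module
Active Directory Certificate Services denied request 5803 because The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422). The request was for CN=MACHINE3. Additional information: Denied by Policy Module
"""

# HRESULTs seen in the thread; the hints restate the thread's finding (subject
# name built from DNS fails for these Macs, UPN succeeds).
HRESULT_INFO = {
    0x80094012: ("CERTSRV_E_TEMPLATE_DENIED",
                 "policy module rejected the requester against the template; check enroll ACL and subject-name source"),
    0x8009480F: ("CERTSRV_E_SUBJECT_DNS_REQUIRED",
                 "template builds the SAN from a DNS name the CA could not obtain; switch the subject-name source to UPN"),
}

# Subject-name build bits of msPKI-Certificate-Name-Flag (MS-CRTD section 2.28).
NAME_FLAGS = {
    0x00000001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x00400000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS",
    0x00800000: "CT_FLAG_SUBJECT_ALT_REQUIRE_SPN",
    0x01000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID",
    0x02000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_UPN",
    0x04000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL",
    0x08000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS",
    0x10000000: "CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN",
    0x20000000: "CT_FLAG_SUBJECT_REQUIRE_EMAIL",
    0x40000000: "CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME",
    0x80000000: "CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH",
}

LOG_RE = re.compile(
    r"denied request (?P<req>\d+) because (?P<msg>.+?) "
    r"(?P<hex>0x[0-9a-fA-F]{8}) \((?P<dec>-?\d+)\)\. "
    r"The request was for CN=(?P<cn>[^.\s]+)\."
)


def hresult_to_signed(code: int) -> int:
    """Convert an unsigned 32-bit HRESULT to the signed decimal the CA log prints in parentheses."""
    return code - (1 << 32) if code & 0x80000000 else code


def parse_denial(line: str) -> dict:
    """Extract request id, CN and HRESULT from one CA denial line and attach a hint."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a CA denial line: " + line)
    code = int(m.group("hex"), 16)
    # The decimal in parentheses must be the signed form of the hex value; a mismatch
    # means the line was mangled in transit (copy/paste, log forwarding).
    if int(m.group("dec")) != hresult_to_signed(code):
        raise ValueError("hex/decimal mismatch in log line: " + line)
    name, hint = HRESULT_INFO.get(code, ("UNKNOWN_HRESULT", "no hint for this code"))
    return {"request": int(m.group("req")), "cn": m.group("cn"),
            "hresult": code, "name": name, "hint": hint}


def triage(log_text: str) -> list:
    """Parse every non-empty line of a CA log excerpt."""
    return [parse_denial(l) for l in log_text.splitlines() if l.strip()]


def decode_name_flags(flags: int) -> list:
    """List the subject-name flag names set in an msPKI-Certificate-Name-Flag value."""
    return [name for bit, name in sorted(NAME_FLAGS.items()) if flags & bit]


def san_built_from_dns_only(flags: int) -> bool:
    """True when the template's SAN requires a DNS name and not a UPN: the shape the thread had to change."""
    return bool(flags & 0x08000000) and not flags & 0x02000000


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(f"request {d['request']} CN={d['cn']} {d['name']} (0x{d['hresult']:08X}): {d['hint']}")
    # Constructed sample flag value: SAN from DNS and CN from DNS, no UPN bit.
    sample_flags = 0x18000000
    print(decode_name_flags(sample_flags), "-> needs UPN change:", san_built_from_dns_only(sample_flags))
```

Run it against a CA log export to group denials by HRESULT before opening a ticket; the flag decoder takes the msPKI-Certificate-Name-Flag value read from the template object in AD and shows whether the SAN is being built from DNS without UPN, which is the setting the accepted answer flipped.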