Yosemite Not Pulling Certificate From ADCS (AD Certificate Configuration Profile)

ndelgrande
New Contributor

Is anyone else running into a problem with fresh Yosemite Macs, not able to get a certificate from an Active Directory Certificate Server using the AD Certificate Config Profile? It's working fine for Mavericks, but not Yosemite. I took the exact same Mac, built it with our Mavericks configuration and it worked. I then re-built it with our Yosemite configuration, and it didn't work. "Cert Request Failed" is the only error we see.

Even when trying manually using profiles -I -F <path to mobileconfig file> doesn't work.

JSS version 9.66 which will be upgraded to the latest version later this week.

I wanted to ask here before I opened a ticket.

Thanks

- Nick

8 REPLIES

davidacland
Honored Contributor II

It is working ok for us at a couple of sites.

I would have a look at the settings on the certificate template on the CA and the server side logs.

The client won't tell you much, other than the enrollment failed. I think that is by design to avoid compromising security.

ndelgrande
New Contributor

Thanks David. I can't post the template for security reasons. Are you on 9.72?

davidacland
Honored Contributor II

It's 9.65 in our case.

ndelgrande
New Contributor

Good to know you got it working. Unfortunately the ADCS server is supported by another team in another state.

davidacland
Honored Contributor II

Hopefully it will be embraced with open arms!

I'm working for an external support company so always have to request changes from the onsite CA server admin at the clients' sites. It can be a challenge sometimes.

bofh
New Contributor III

Hi,

At first - I added the CA and the Intermediate CA certificate to the Mac ...

After that I configured the CA settings within the same Configuration Profile like this:

Be sure that:
The certificate template exists
The user you are using exists and has rights on the template
You use HTTP (without S!) to connect to certsrv.

But - I have some issues too which I couldn't address so far - I thought about DNS but that can't be a problem.

bofh

bentoms
Release Candidate Programs Tester

@ndelgrande2 Works fine for us, are the clients bound at the time of the request?

ndelgrande
New Contributor

Yes, everything has been set up and working since 10.9. It was just showing as "pending" forever for any new Yosemite Configuration. We think the ADCS box was having issues, as I just heard certs are pulling again but I need to test.

Thanks for all the help and feedback.