OSX 10.9.1 client enrollment fails

  • Question

  • Client installs, but fails to even begin communicating with the EnrollmentService. (I can browse to the EnrollmentServer page just fine and even download the Cab for the Win Mobile devices.)

    I have selected my certificate Template (duplicated Authenticated Session) in Client Settings.   

    Terminal says:

    Contacting Server: https://configmgr.domain.com/enrollmentserver/deviceenrollmentwebservice.svc

    Connect failed with error: connection closed via error

    SSL HandShake Failed: 80004005

    ***Have a call in to MS Support.  No initial contact yet, but expect to hear back next week. Other things tried:

    1. Installed new Mac OS 10.9.2

    2. Reinstalled all roles on 2012 R2 server (but not .NET 4.5, which I suspect to be the issue. Concerned about how the OS will behave if I uninstall it. I know I will lose PowerShell and other things if I do, and want guidance for that)

    3. Tried with many Mac machines, all 10.9.2. Tried with Mobile Device, seems to be hitting the same wall, failing to connect after installing the client.

    Anyone out there that can assist? Again, the client installs fine. The error is not one of the typical errors you will see in your online searches. See above.

    Monday, March 24, 2014 7:57 PM

Answers

  • PROBLEM SOLVED!

    Issue was a combination of factors. Everything was 2012 R2.  Even the CA.  Which has the option of SHA512.  While a 2008 R2 server would work correctly as an HTTPS MP, 2012 R2 would not. Kept seeing errors about a TLS 1.2 communication request and that the server was not accepting that request.

    ***THE FIX - Disable TLS 1.2 causing the client to try another method of authentication***

    Here is copied text from the exported key that contains 2 subkeys and with a value each:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledbyDefault"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000001

    There was no post that actually said to do this. With me zeroing in on schannel and my coworker's knowledge of cipher algorithms and SSL handshakes. I hope this helps someone else. Took about 2 work weeks out of my life.

    -LvilleSystemsJockey

    Wednesday, April 16, 2014 11:34 PM
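
To confirm which SCHANNEL protocol overrides are actually in effect on a server after importing a key like the one in the answer above, the following read-only audit can be run in PowerShell. It is an added example, not part of the original post; the registry path is the one quoted in the answer, and the function name `Get-SchannelProtocolState` is hypothetical.

```powershell
# Added example (not from the thread): read-only audit of SCHANNEL protocol overrides.
# The registry path is the one quoted in the answer; the function name is hypothetical.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Root = $SchannelRoot)

    # No Protocols key at all means nothing is overridden on this machine.
    if (-not (Test-Path -LiteralPath $Root)) { return }

    foreach ($proto in Get-ChildItem -LiteralPath $Root) {
        foreach ($role in 'Client', 'Server') {
            $path = "$Root\$($proto.PSChildName)\$role"
            if (-not (Test-Path -LiteralPath $path)) { continue }

            # Member access is case-insensitive, so a value stored as
            # "DisabledbyDefault" is read the same as "DisabledByDefault".
            $props    = Get-ItemProperty -LiteralPath $path
            $enabled  = $props.Enabled
            $disabled = $props.DisabledByDefault

            # Enabled=0 turns the protocol off; DisabledByDefault=1 only stops
            # SCHANNEL from offering it unless the application asks for it.
            $effect = if ($null -ne $enabled -and $enabled -eq 0) {
                'disabled'
            } elseif ($null -ne $disabled -and $disabled -ne 0) {
                'not offered unless the application requests it'
            } else {
                'enabled or OS default'
            }

            [pscustomobject]@{
                Protocol          = $proto.PSChildName
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabled
                Effect            = $effect
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

An empty result means no per-protocol overrides are set and the operating system defaults apply.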

All replies

  • Thanks, this would explain the problem I'm also experiencing. Thanks again for your time.

    Cheers

    Tuesday, May 20, 2014 9:40 AM
  • Glad it could save you some time.  I spent about 3 weeks trying to figure it out. 
    Tuesday, May 20, 2014 4:35 PM
  • Thank you very much!
    • Edited by dejansh Friday, May 27, 2016 2:38 PM
    Tuesday, May 24, 2016 8:48 PM
  • Thank you! This did the trick! I'm so grateful to you I didn't waste 2 work weeks of my life!
    Wednesday, September 7, 2016 7:20 PM