SCCM 2012 SP1 CU2 - Mac Client Enrollment - Revocation Error in the Logs

  • Question

  • I'm trying to enroll a Mac client in our SCCM 2012 environment and keep getting Error 500 spat back at me. Digging into the EnrollmentService.Log I find the following:

    [3, PID:7992][07/17/2013 11:31:55] :EnrollmentService application start ...
    [7, PID:7992][07/17/2013 11:31:55] :WindowsIdentity is created for domain:  user: auser@company.corp
    [7, PID:7992][07/17/2013 11:31:55] :Created WindowsIdentity using user's email address as UPN.
    [7, PID:7992][07/17/2013 11:31:55] :validated user credentials
    [7, PID:7992][07/17/2013 11:31:55] :Handling RequestSecurityToken
    [7, PID:7992][07/17/2013 11:31:55] :claim identity name: company\auser
    [7, PID:7992][07/17/2013 11:31:56] :ConfigManager: RefreshCache: Creating Enrollment Profile 1
    [7, PID:7992][07/17/2013 11:31:56] :EnrollmentServiceProfile: GetDBCAs retrieved Template information: 
    [7, PID:7992][07/17/2013 11:31:56] :Template: ConfigMgrMacClientCertificate
    [7, PID:7992][07/17/2013 11:31:56] :CA: System.Collections.Generic.List`1[System.String]
    [7, PID:7992][07/17/2013 11:31:56] :The CA HQCA.Company.Corp is in forest Company.Corp
    [7, PID:7992][07/17/2013 11:31:56] :Impersonating caller: company\auser
    [7, PID:7992][07/17/2013 11:31:56] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
    [7, PID:7992][07/17/2013 11:31:56] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
    [7, PID:7992][07/17/2013 11:32:05] :ConfigManager: CA Chains count: 2
    [7, PID:7992][07/17/2013 11:32:05] :ConfigManager: ChainStatus error: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.
    ;
    [7, PID:7992][07/17/2013 11:32:05] :ConfigManager: ChainStatus error: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.
    ;OfflineRevocation,The revocation function was unable to check revocation because the revocation server was offline.
    ;
    [7, PID:7992][07/17/2013 11:32:05] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.
    ;OfflineRevocation,The revocation function was unable to check revocation because the revocation server was offline.
    ;
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
       at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
       at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
       at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
    [7, PID:7992][07/17/2013 11:32:05] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed

    I'm using the -ignorecertchainvalidation flag when running CMEnroll, so I would expect the system to *not* attempt a Revocation Check. Everything appears to match up with our settings in Test, where enrollment works fine. Windows systems are autoenrolling for certificates just fine, so I'm pretty sure the CA in general is working as it should.

    We've got a decent number of Macs that we want to "manage", so getting this going is important.

    Thanks in advance for any assistance.

    Wednesday, July 17, 2013 3:42 PM

All replies

  • I am seeing this same issue. I guess Microsoft engineers don't want to (or are scared to) provide a response to this.

    Mike Brown

    Wednesday, April 23, 2014 1:59 PM
  • Did you get a solution?
    Thursday, July 9, 2015 1:09 AM
  • Install the Certificate Authority Web Enrollment. MACs need the CRL function in this piece. Also use the -ignorecertchainvalidation flag when running CMEnroll.

    This fixed it for me.


    Mike Brown

    Thursday, July 9, 2015 1:13 PM
  • Hi Mike,

    Could you provide some more details on exactly how this error was resolved? I am facing the same problem and the same error message. Please help me, as there is not much help from other forums for MAC device enrollment errors.

    EnrollmentService application start ... Enrollment 8/30/2017 3:41:10 PM 3 (0x0003)
    WindowsIdentity is created for domain: Company\ad-ID Enrollment 8/30/2017 3:41:12 PM 9 (0x0009)
    validated user credentials Enrollment 8/30/2017 3:41:12 PM 9 (0x0009)
    Handling RequestSecurityToken Enrollment 8/30/2017 3:41:12 PM 9 (0x0009)
    claim identity name: Company\ad-ID Enrollment 8/30/2017 3:41:12 PM 9 (0x0009)
    WindowsIdentity is created for domain: emea user: sccmadmin Enrollment 8/30/2017 3:41:12 PM 9 (0x0009)
    Created WindowsIdentity for SQL connection: emea\sccmadmin Enrollment 8/30/2017 3:41:12 PM 9 (0x0009)
    ConfigManager: RefreshCache: Creating Enrollment Profile 16777217 Enrollment 8/30/2017 3:41:14 PM 9 (0x0009)
    EnrollmentServiceProfile: GetDBCAs retrieved Template information:   Enrollment 8/30/2017 3:41:15 PM 9 (0x0009)
    Template: MacClientCertificate Enrollment 8/30/2017 3:41:15 PM 9 (0x0009)
    CA: System.Collections.Generic.List`1[System.String] Enrollment 8/30/2017 3:41:15 PM 9 (0x0009)
    The CA CAserver.emea.company.org is in forest company.org Enrollment 8/30/2017 3:41:17 PM 9 (0x0009)
    Impersonating caller: Company\ad-ID Enrollment 8/30/2017 3:41:17 PM 9 (0x0009)
    Revert back to self: NT AUTHORITY\NETWORK SERVICE Enrollment 8/30/2017 3:41:22 PM 9 (0x0009)
    ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS Enrollment 8/30/2017 3:41:22 PM 9 (0x0009)
    ConfigManager: CA Chains count: 2 Enrollment 8/30/2017 3:41:25 PM 9 (0x0009)
    ConfigManager: ChainStatus error: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.
    ; Enrollment 8/30/2017 3:41:25 PM 9 (0x0009)
    ConfigManager: ChainStatus error: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.
    ;OfflineRevocation,The revocation function was unable to check revocation because the revocation server was offline.
    ; Enrollment 8/30/2017 3:41:25 PM 9 (0x0009)
    Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.
    ;OfflineRevocation,The revocation function was unable to check revocation because the revocation server was offline.
    ;
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
       at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, Boolean hasSecurityHeader, WindowsIdentity caller, ActionEnum action)
       at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
       at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest) Enrollment 8/30/2017 3:41:25 PM 9 (0x0009)
    FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed Enrollment 8/30/2017 3:41:25 PM 9 (0x0009)
    Wednesday, August 30, 2017 10:57 PM
  • Roles and Features for your CA Server. You must have a Revocation server in order for MACs to enroll.

    Mike Brown

    Thursday, August 31, 2017 12:53 PM
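
The status names in both logs above (RevocationStatusUnknown, OfflineRevocation) are values of .NET's X509ChainStatusFlags. As an added example that is not part of the thread, this PowerShell rebuilds the chain with online revocation checking and shows which element's CRL cannot be fetched; the certificate path is a placeholder for an exported copy of the issuing CA certificate or of a certificate issued from the Mac client template.

```powershell
# Added example, not from the thread. $CertPath is a placeholder: point it at an
# exported .cer of the issuing CA (or of a certificate it issued).
param([string]$CertPath = 'C:\Temp\issuing-ca.cer')

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Check revocation for every element, fetching CRLs over the network.
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$valid = $chain.Build($cert)

# Per element: the CRL distribution point extension (OID 2.5.29.31) and the
# status flags that chain building attached to that certificate.
$report = foreach ($element in $chain.ChainElements) {
    $cdp = $element.Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    [pscustomobject]@{
        Subject               = $element.Certificate.Subject
        CrlDistributionPoints = if ($cdp) { $cdp.Format($false) } else { '(none)' }
        Status                = ($element.ChainElementStatus |
                                    ForEach-Object { $_.Status }) -join ', '
    }
}
$report | Format-List

# The two flags reported in EnrollmentService.log.
$revocationFlags = 'RevocationStatusUnknown', 'OfflineRevocation'
$blocked = $chain.ChainStatus |
    Where-Object { $revocationFlags -contains $_.Status.ToString() }

if ($blocked) {
    Write-Warning 'Revocation could not be checked; see the CRL URLs listed above.'
    $blocked | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
} elseif ($valid) {
    'Chain built and revocation was checked for every element.'
} else {
    'Chain failed for a reason other than revocation:'
    $chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}
```

Run it on the server hosting the enrollment point, since that is the machine that has to reach the CRL URLs; the logs show the service running as NT AUTHORITY\NETWORK SERVICE, so an interactive session can see different proxy or name-resolution behaviour than the service does.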