Mac Client Certificate not found

  • Question

  • Hey all, I'm trying to install the ConfigMgr client on a Mac system. The site is 2012 SP1 RTM; however, since there is no release yet of the Mac client, I'm using the Mac client install from the SP1 beta install folder (suggested by Microsoft).

    I followed the instructions on how to install clients on Mac computers from TechNet. Everything from the install and the enrollment seems to complete fine, with no errors. After the enrollment, when I open System Preferences > Configuration Manager, it says "Certificate not found". If I check the ccmclient log file on the Mac, it shows the following errors:

    Failed to Parse MgmtAuthority ServerList

    Failed to get server list

    Failed to GetProperty Mode from Configuration Provider : 80070490

    Requested certificates not available in store

    Certificate not found in store. Bailing out!

    Failed to validate certificate

    The certificate shows up under System in the keychain; the only strange thing is that it shows as its name the user who enrolled in the certificate. I figured it should have shown the system name. The root CA is also there. Any help would be appreciated, thanks.

    

    Wednesday, January 2, 2013 5:58 PM

Answers

  • Okay, so I figured this out, and I'll post in case this happens to someone else. The certificate will always show under the keychain with the name of whoever the user was that did the enrollment. So if you used Joe Smith, then the certificate will be called Joe Smith. In my case, the account I used to enroll had an Active Directory display name of two words, such as "Joe Smith". Because of this space in between, the Configuration Manager client kept listing the certificate as "Joe". I then realized that indeed, just like the error said, the certificate could not be found because it's looking for Joe and the certificate says Joe Smith. The fix was instead to do the enrollment with a normal account with no spacing in the name. This may be a bug, or Microsoft may not recommend creating AD accounts with display names with spaces.

    • Marked as answer by RyanD1 Wednesday, January 2, 2013 6:54 PM
    Wednesday, January 2, 2013 6:54 PM
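
A way to check a Mac for the mismatch described in the answer above, as an added example that is not part of the original post and not Microsoft's client code. It parses text in the format printed by `security find-certificate -a /Library/Keychains/System.keychain`; the sample output is constructed, and the "client looks up only the first word" rule is an assumption modelled on what the answer reports.

```python
import re

# Constructed sample in the format printed by
#   security find-certificate -a /Library/Keychains/System.keychain
# (labels are invented; real entries carry more attributes).
SAMPLE_OUTPUT = '''keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="Joe Smith"
    "labl"<blob>="Joe Smith"
keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="macenroll"
    "labl"<blob>="macenroll"
keychain: "/Library/Keychains/System.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="Example Root CA"
    "labl"<blob>="Example Root CA"
'''

# The "labl" attribute is the name Keychain Access displays for a certificate.
# Non-ASCII labels are printed with a leading hex blob, which is skipped here.
LABEL_RE = re.compile(
    r'^[ \t]*"labl"<blob>=(?:0x[0-9A-Fa-f]+[ \t]+)?"(.*)"[ \t]*$', re.MULTILINE)

def certificate_labels(security_output):
    """Return every certificate label found in the command output."""
    return LABEL_RE.findall(security_output)

def diagnose(enrolling_name, labels):
    """Classify the state of the certificate issued to enrolling_name."""
    if enrolling_name not in labels:
        return "certificate-missing"
    # Assumption from the thread: the client searches for the name up to the
    # first space, so "Joe Smith" is looked up as "Joe".
    words = enrolling_name.split()
    looked_up = words[0] if words else ""
    return "ok" if looked_up == enrolling_name else "truncated-name-mismatch"

if __name__ == "__main__":
    found = certificate_labels(SAMPLE_OUTPUT)
    for name in ("Joe Smith", "macenroll", "Jane Doe"):
        print(f"{name!r}: {diagnose(name, found)}")
```

On a real Mac, pass the captured command output to `certificate_labels` instead of `SAMPLE_OUTPUT` and call `diagnose` with the display name of the account used for enrollment.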

All replies

  • Or, it could be that you are using the "Beta" client. I'd say file an item on Connect to see if you get any feedback.

    Jason | http://blog.configmgrftw.com

    Wednesday, January 2, 2013 8:07 PM
    Moderator
  • I can verify that the same happens with SP1 RTM.
    Thursday, February 7, 2013 1:51 AM
  • The problem still exists in 2012 R2 CU2.

    Is there any good news?

    Wednesday, August 27, 2014 12:49 PM
  • Same situation in CU3 of SCCM 2012 R2.

    Are there any solutions for this bug/feature?

    Tuesday, October 7, 2014 6:25 AM
  • Are you kidding me? I've been smacking my forehead against a Mac client 'no certificate found' all day, and the user name I used does indeed have a space in the Name attribute. I will really feel like slapping some dope if this is the problem.

    born to learn!

    Thursday, December 4, 2014 12:15 AM
  • Hey guys,

    I FINALLYYYYYYYYYYYYYYYYYYYYYYYY got it to work!!!!

    I have an SCCM 2012 R2 SP1 CU2 environment installed on Server 2012 R2. The CA is 2012 R2 as well. The CU2 was a necessity for Yosemite and El Capitan machines. I was successfully able to enroll both Yosemite and El Capitan machines.

    I had everything set up correctly, including going to the FQDN in a browser on the Mac client, and the site SSL is trusted by the enterprise CA. The problem was with the Config Manager Mac certificate template. On the security pane for the certificate template, I was trying all kinds of things like domain computers, domain users, the individual user, all with read and enroll permissions, but none of those worked. I still kept getting the 500 error. The Config Manager site system status was showing an error for the enrollment point, and the log stated that the user trying to enroll wasn't able to authenticate with the CA.

    After reading through the step by step certificate setup on https://technet.microsoft.com/en-us/library/gg682023.aspx, I realized the instruction said to add an admin user that will perform the enrollment. So I used an admin account (non-domain admin but local admin to all machines and has AD read permissions) with read and enroll permissions instead of the individual users or a group that contained all mac users/computers. After changing this, I was able to enroll the Macs.

    This might be a bit stupid on my part, as some of the tutorials out there show that they are using sccmadmin as the enrolling account. But I figured a user with read and enroll permission would be fine, but that was not the case.

    I see tons of posts out there where people are having issues with this so I hope this helps someone!

    Ricky
    Friday, March 4, 2016 10:14 PM