Mac Enrollment Issue

  • Question

  • Hello,

    Having some trouble enrolling my first Mac device with SCCM 2012 SP1.

    I have installed the client and am trying to use the CMEnroll Tool with no success.

    Command I am using is this:

    CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u "domain\username"

    and on the client I receive the error:

    Server connection failed. http response code is 500 and reason is internal server error.

    On the server in the EnrollmentServer.log I receive this error:

    [6, PID:5748][02/01/2013 13:48:35] :WindowsIdentity is created for domain: domain user: username
    [6, PID:5748][02/01/2013 13:48:35] :validated user credentials
    [6, PID:5748][02/01/2013 13:48:35] :Handling RequestSecurityToken
    [6, PID:5748][02/01/2013 13:48:35] :claim identity name: domain\username
    [6, PID:5748][02/01/2013 13:48:35] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777220
    [6, PID:5748][02/01/2013 13:48:35] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:  
    [6, PID:5748][02/01/2013 13:48:35] :Template: ConfigMgrMacClientCertificate
    [6, PID:5748][02/01/2013 13:48:35] :CA: System.Collections.Generic.List`1[System.String]
    [6, PID:5748][02/01/2013 13:48:35] :The CA server.domain is in forest cac.local
    [6, PID:5748][02/01/2013 13:48:35] :Impersonating caller: domain\username
    [6, PID:5748][02/01/2013 13:48:35] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
    [6, PID:5748][02/01/2013 13:48:35] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
    [6, PID:5748][02/01/2013 13:48:50] :ConfigManager: CA Chains count: 2
    [6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;
    [6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
    [6, PID:5748][02/01/2013 13:48:50] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
       at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
       at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
       at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
       at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
    [6, PID:5748][02/01/2013 13:48:50] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed

    Any ideas?

    Friday, February 1, 2013 2:53 AM
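
    An added example, not part of the original post or of Configuration Manager: a small Python triage of the EnrollmentServer.log format quoted above, pulling out the ChainStatus flags (these are .NET X509ChainStatusFlags names) and the fault line. The sample log is constructed from lines in the question, and the function name `triage` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the EnrollmentServer.log line format quoted in the question.
SAMPLE_LOG = """\
[6, PID:5748][02/01/2013 13:48:35] :Impersonating caller: domain\\username
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: CA Chains count: 2
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;
[6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
   at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
[6, PID:5748][02/01/2013 13:48:50] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed
"""

LINE_RE = re.compile(r"^\[(\d+), PID:(\d+)\]\[([^\]]+)\] :(.*)$")
CHAIN_RE = re.compile(r"ChainStatus error: (.*)$")
FAULT_RE = re.compile(r"FaultCode is: (\S+) and reason is: (.*)$")

# Meanings of the .NET X509ChainStatusFlags names that appear in the log.
FLAG_MEANING = {
    "RevocationStatusUnknown": "revocation state of a certificate could not be determined",
    "OfflineRevocation": "revocation list unavailable or revocation server offline",
}

def triage(text):
    """Return chain-status flag counts and fault records from the log text."""
    flags, faults = Counter(), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # stack-trace continuation lines carry no prefix
        thread, pid, stamp, msg = m.groups()
        chain = CHAIN_RE.search(msg)
        if chain:
            # Entries look like "Flag,Description;" and may repeat on one line.
            for entry in filter(None, chain.group(1).split(";")):
                flags[entry.split(",", 1)[0].strip()] += 1
        fault = FAULT_RE.search(msg)
        if fault:
            faults.append({"pid": int(pid), "time": stamp,
                           "code": fault.group(1), "reason": fault.group(2).strip()})
    return flags, faults

if __name__ == "__main__":
    flags, faults = triage(SAMPLE_LOG)
    for name, count in flags.most_common():
        print(f"{name} x{count}: {FLAG_MEANING.get(name, 'unrecognised flag')}")
    for f in faults:
        print(f"{f['time']} PID {f['pid']}: {f['code']} / {f['reason']}")
```

    Both flags report that revocation information could not be obtained for the CA chain, not that a certificate was found to be revoked.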

All replies

  • Anyone?
    Wednesday, February 6, 2013 3:49 AM
  • I'm also having this issue. Any ideas?
    Wednesday, February 6, 2013 2:24 PM
  • Same issue, anyone? anyone? Bueller? Bueller?
    Saturday, February 9, 2013 12:02 AM
  • Have you followed the instructions on these links fully?

    ·        Create the Cert Template:

    http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012

    Go to Deploying the Client Certificate for Mac Computers 

    ·        Setup SCCM and install client:

          http://www.jamesbannanit.com/2012/10/enrol-mac-os-x-clients-in-configuration-manager-2012-sp1/

    Monday, February 11, 2013 10:50 PM
  • Yer those two guides are what I have been using. :)
    Tuesday, February 12, 2013 8:08 AM
  • As a workaround, you could manually import a certificate to your Mac client. I have deployed Mac clients to ConfigMgr without using enrollment process at all.

    Is your certificate server running on Windows Server 2008 R2 or Windows Server 2012? I had problems running enrollment server on Windows Server 2012 during ConfigMgr 2012 SP1 beta, but it should've been fixed in ConfigMgr 2012 SP 1 RTM version.

    Panu

    Tuesday, February 12, 2013 10:46 AM
  • Manually importing sounds like something that is worth trying... Thanks for the suggestion.

    And we are using Windows 2008 R2.

    Tuesday, February 12, 2013 10:53 AM
  • I had a similar problem with my test environment when using CMenroll command. I got the following error message in ..\EnrollmentProxyPoint\Logs\EnrollmentWeb.log:

    System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'intranet-FQDN'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

    I had defined both internet FQDN and intranet FQDN (different FQDNs) to my Enrollment point server and the IIS certificate is for internet FQDN. Then I changed Internet FQDN to intranet FQDN and created a new IIS certificate to this new name. After these changes, the enrollment worked fine.

    Panu

    Tuesday, February 12, 2013 12:56 PM
  • OK I tried creating a new certificate with just the internal FQDN and that did not work either, same error message received for me.

    Sunday, February 17, 2013 10:00 PM
  • Found a page on turning CRL checking on for the Mac:

    http://securityskeptic.typepad.com/the-security-skeptic/2011/04/mac-users-listen-up-enable-certificate-checking.html

    Didn't help but seemed like something I needed to do.

    Monday, February 18, 2013 5:54 AM
  • As a workaround, you could manually import a certificate to your Mac client. I have deployed Mac clients to ConfigMgr without using enrollment process at all.

    Is your certificate server running on Windows Server 2008 R2 or Windows Server 2012? I had problems running enrollment server on Windows Server 2012 during ConfigMgr 2012 SP1 beta, but it should've been fixed in ConfigMgr 2012 SP 1 RTM version.

    Panu

    I have manually imported the cert on the client and I still experience the same issue with the Mac enrollment.

    Monday, February 18, 2013 5:57 AM
  • Have you tried to use your server's internal FQDN as the internet FQDN (site system properties)? Then ConfigMgr thinks that the computer's internal & internet FQDN are the same, even though they really aren't the same. Mac client is always an "internet" client even when it is within the internal network.

    If you manually import the cert to your Mac computer, you just install the client. You don't need to do enrollment in that scenario.

    Panu

    Monday, February 18, 2013 10:29 PM
  • Not sure if you've solved this by now lord_hydrax, but I was having this same issue and I found a solution. Try running the command C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -i on your site server, as described in Fei Xia's MSDN blog. This command refreshes the ASP settings in IIS.

    Monday, April 22, 2013 3:16 PM
  • Fighting this battle right now. I get the same error as above and I have tried importing the cert on the Mac manually; still doesn't work.
    Thursday, April 9, 2015 6:57 PM
  • Been bashing my head against this for an hour. This was the command that fixed my 500 error. Thank you!
    Friday, June 14, 2019 12:08 AM