on 07-23-2012 2:42 PM
Hi everyone,
I'm trying to connect my iPad to Afaria 7, and I'm receiving a 'Verification failed' message in the Afaria Application.
Even when I try to enroll the device with self-service portal, I received the same message.
I'm using Afaria 7 Appliance.
Thanks in advance.
Florencia,
Are you using debugger View Application?
Hi Ximena Garcia,
We are getting the error "http://<server>/aips2/aipService.svc/PostData has failed with status 406" when Afaria tries to install the profile service. We have a self-signed certificate, which is OK.
Basically I don't know where I can find logging, or how to troubleshoot?
The Afaria environment is reachable on port 80: http://190.2.50.181/aips, http://190.2.50.181/aips2 and http://190.2.50.181/CertSrv.
Can you help me further?
Steps to proceed.
Thank you very much!
Kind regards,
Jacco Raymakers
iOS 5 and higher devices will force an HTTPS connection during the second phase of the enrolment. So when using a self-signed cert and a mixed HTTP + HTTPS environment, the iOS connects first on HTTP, finds a cert for which it has no root cert in the keychain, requests from the user if he wants to import it, and then does its HTTPS thing.
So you do need to enable the HTTPS networking for the inbound MDM traffic. If you are only using HTTPS, you will need to either manually import the root cert of your self-signed cert signing entity or you need to use a real cert where the root cert is already on the device.
In order to get some visibility, download the AICU (Apple iPhone Configuration Utility), install it and hook up your iOS device via cable. In AICU select your device and switch to the "Console" tab => voilà you get the device side logs ...
On the Afaria side, look at the Relay Server logs, the RSOE logs, the Afaria logs. Also recommended would be to run debugview.exe (a MS tool, plz google) on the Afaria server.
Dirk,
Thanks for your reply! I will install the AICU and debugview.exe and see what is going on.
We are only using HTTPS and the root cert is already imported from the signing entity into the Afaria server.
Question: Must the common name of the certificate have a certain format like *.company.corp (wildcards) instead of afaria.company.corp? Or does this not jeopardise the enrollment process of iOS devices?
Kind regards,
Jacco Raymakers
Yes, the common name in the cert must match and must be resolvable from the iOS device perspective:
The common name must be the box that the iOS device hits first on its way to the Afaria Server, as the iOS MDM interface will run a DNS lookup on the common name inside the cert to make sure the server it is talking to is the server in the cert.
That has tripped a bunch of people, particularly when enrolling via WLAN and strange DNS lookup or routing rules. 🙂
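A pre-enrollment check for the two conditions in the reply above, as an added example that is not part of the original thread and not Afaria's own code: the address the device is sent to must be covered by the certificate's names, and it must resolve from the device's network. The host names, the 192.0.2.10 address and the resolver stub are constructed; the wildcard rule follows general TLS hostname matching and says nothing about what Afaria or iOS MDM accept.

```python
import ipaddress
import socket

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "afaria.company.corp"),),),
    "subjectAltName": (("DNS", "afaria.company.corp"),),
}
WILDCARD_CERT = {"subject": ((("commonName", "*.company.corp"),),)}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cert_names(cert):
    """Collect subjectAltName entries plus the subject commonName."""
    names = [v for k, v in cert.get("subjectAltName", ())
             if k in ("DNS", "IP Address")]
    for rdn in cert.get("subject", ()):
        names += [v for k, v in rdn if k == "commonName" and v not in names]
    return names

def name_matches(pattern, host):
    """Exact match, or a wildcard standing in for one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and not is_ip(host) and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False

def device_view_resolver(known):
    """Hypothetical stand-in for DNS as seen from the device's network."""
    def resolve(host):
        if host not in known:
            raise socket.gaierror(f"cannot resolve {host}")
        return known[host]
    return resolve

def check_enrollment_host(server_address, cert, resolver=socket.gethostbyname):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    names = cert_names(cert)
    if not any(name_matches(n, server_address) for n in names):
        findings.append(f"{server_address} not covered by cert names {names}")
    if not is_ip(server_address):
        try:
            resolver(server_address)
        except OSError:
            findings.append(f"{server_address} does not resolve for the device")
    return findings

if __name__ == "__main__":
    dns = device_view_resolver({"afaria.company.corp": "192.0.2.10"})
    for address in ("afaria.company.corp", "192.0.2.10", "mdm.company.corp"):
        print(address, check_enrollment_host(address, SAMPLE_CERT, dns))
```

Run it from a machine on the same network path as the device (for example the WLAN mentioned above) with the default resolver, so the lookup reflects what the device would see.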
Hi,
I have the same error 406 'host not found' enrolling an iOS device.
Raymakers, can you please give me some more details on how you solved the problem?
What did you enter as Common Name in the IIS Certificate Request?
When you are talking about external host do you mean you entered as Common Name the Public IP Address (or public server name) of the Afaria Server?
The following is the error reported by the AICU tool (the part in Italian is saying that the host specified was not found):
Dec 10 16:15:19 iPad profiled[800] <Notice>: (Note ) MC: Checking for MDM installation...
Dec 10 16:15:19 iPad profiled[800] <Notice>: (Note ) MC: ...finished checking for MDM installation.
Dec 10 16:15:22 iPad profiled[800] <Notice>: (Note ) MC: Enrolling in OTA Profile service...
Dec 10 16:15:22 iPad profiled[800] <Error>: Dec 10 16:15:22 SecTrustEvaluate [leaf AnchorTrusted]
Dec 10 16:15:28 iPad profiled[800] <Notice>: (Error) MC: Cannot retrieve SCEP identity: NSError:
Desc : Si verificato un errore del network.
Sugg : Impossibile trovare un server con il nome host specificato.
US Desc: A network error has occurred.
Domain : MCSCEPErrorDomain
Code : 22005
Type : MCFatalError
...Underlying error:
NSError:
Desc : Impossibile trovare un server con il nome host specificato.
Domain : NSURLErrorDomain
Code : -1003
Type : MCFatalError
Dec 10 16:15:28 iPad profiled[800] <Notice>: (Error) MC: Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:
Desc : Si verificato un errore del network.
Sugg : Impossibile trovare un server con il nome host specificato.
US Desc: A network error has occurred.
Domain : MCSCEPErrorDomain
Code : 22005
Type : MCFatalError
...Underlying error:
NSError:
Desc : Impossibile trovare un server con il nome host specificato.
Domain : NSURLErrorDomain
Code : -1003
Type : MCFatalError
Dec 10 16:15:28 iPad profiled[800] <Notice>: (Error) MC: Installation failed. Error: NSError:
Desc : Installazione profilo non riuscita
Sugg : Si verificato un errore del network.
US Desc: Profile Installation Failed
US Sugg: A network error has occurred.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
...Underlying error:
NSError:
Desc : Si verificato un errore del network.
Sugg : Impossibile trovare un server con il nome host specificato.
US Desc: A network error has occurred.
Domain : MCSCEPErrorDomain
Code : 22005
Type : MCFatalError
...Underlying error:
NSError:
Desc : Impossibile trovare un server con il nome host specificato.
Domain : NSURLErrorDomain
Code : -1003
Type : MCFatalError
Extra info:
{
isPrimary = 1;
}
Dec 10 16:15:34 iPad profiled[800] <Notice>: (Note ) MC: Checking for MDM installation...
Dec 10 16:15:34 iPad profiled[800] <Notice>: (Note ) MC: ...finished checking for MDM installation.
Dec 10 16:15:35 iPad profiled[800] <Notice>: (Note ) MC: Enrolling in OTA Profile service...
Dec 10 16:15:35 iPad profiled[800] <Error>: Dec 10 16:15:35 SecTrustEvaluate [leaf AnchorTrusted]
Dec 10 16:15:36 iPad profiled[800] <Notice>: (Error) MC: Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:
Desc : Una transazione con il server a http://194.243.141.81:81/aips2/aipService.svc/PostData non riuscita e ha causato lo stato 406.
US Desc: A transaction with the server at http://194.243.141.81:81/aips2/aipService.svc/PostData has failed with the status 406.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Type : MCFatalError
Params : (
"http://194.243.141.81:81/aips2/aipService.svc/PostData",
406
)
Dec 10 16:15:36 iPad profiled[800] <Notice>: (Error) MC: Installation failed. Error: NSError:
Desc : Installazione profilo non riuscita
Sugg : Una transazione con il server a http://194.243.141.81:81/aips2/aipService.svc/PostData non riuscita e ha causato lo stato 406.
US Desc: Profile Installation Failed
US Sugg: A transaction with the server at http://194.243.141.81:81/aips2/aipService.svc/PostData has failed with the status 406.
Domain : MCInstallationErrorDomain
Code : 4001
Type : MCFatalError
...Underlying error:
NSError:
Desc : Una transazione con il server a http://194.243.141.81:81/aips2/aipService.svc/PostData non riuscita e ha causato lo stato 406.
US Desc: A transaction with the server at http://194.243.141.81:81/aips2/aipService.svc/PostData has failed with the status 406.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Type : MCFatalError
Params : (
"http://194.243.141.81:81/aips2/aipService.svc/PostData",
406
)
Extra info:
{
isPrimary = 1;
}
Dec 10 16:15:44 iPad CommCenter[60] <Error>: kDataAttachStatusNotification sent, wasAttached: 1 isAttached: 1
Thanks for your help.
Fabio Giovannetti
Hi Fabio,
The common name must contain the external host of the certificate, or if no relay server is used the internal host name.
And in the configuration of the enrollment server component, field server address: enter here the common name of the certificate. From the information you provided, I see an IP address (probably internal), but I assume that the common name in the certificate is different. So enter in the certificate either the external host name in case of a relay server, or the internal host name in case no relay server is used, and enter this value in the server address field of the enrollment server component.
Kind regards,
Jacco Raymakers
Hi Jacco,
Thanks for your reply. I passed the previous error but now, when I try to enroll my iPad, in the iPad console log I have the following:
Dec 12 14:27:44 iPad profiled[1352] <Notice>: (Note ) MC: Issued certificate received.
Dec 12 14:28:44 iPad profiled[1352] <Notice>: (Error) MC: Connection to https://194.243.141.81:443/aips2/aipService.svc/TokenCheckin failed with error: NSError:
Desc : Tempo di richiesta scaduto.(TIMEOUT)
Domain : NSURLErrorDomain
Code : -1001
Type : MCFatalError
Dec 12 14:28:44 iPad profiled[1352] <Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:
My environment is as follows:
I have the customer relay server which bridges external requests (194.243.141.81 is the public IP address) from devices (like iPad) to the Afaria Server.
So, following the error above we had to enable port 443 on the WebListener on our ISA Server (which is a Forefront/TMG).
The WebListener asks to add a certificate when enabling port 443 and HTTPS.
My question is: what is the certificate I have to use?
We tried to import the .pfx APNS certificate, but it's not shown as a valid certificate for the WebListener (the security team says it is a client certificate, not a server one).
Can anybody help me with this problem?
Best regards
Fabio
Hi Jacco,
The common name is 194.243.141.81 in the certificate.
I managed to link the SSL certificate to the WebListener, but now the problem is that on the ISA Server port 443 for HTTPS is already in use, so my security team assigned port 8443.
My problem is now: how can I force the iPad to use port 8443 instead of 443 in the second step of enrollment? (I mean, in the first part only HTTP is used and it runs smoothly, but then https://194.243.141.81:443/aips2/aipService.svc/TokenCheckin is called and I don't know how to change the port from 443 to 8443.)
Can someone help?
Regards
Fabio
No, I didn't yet.
Hi, we are now trying to install Afaria 7 outside the appliance. We're getting the following:
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: postToURL:"http://190.2.50.181:80/aips/aipService.svc/ClientData"
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: postToURL:[B]
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: postToURL:[C]
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: startPost
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: retryAfterAuthorizationFailure[A]
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: retryAfterAuthorizationFailure[E]
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: retryAfterAuthorizationFailure[F]
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: resumeWithCredentials[A]
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: resumeWithCredentials[E]
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: startPost
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: HTTP/1.1 406 Not Acceptable
Aug 24 17:52:13 iPad Afaria[2732] <Warning>: setStatusLine:"Se produjo un error en la conexión."
Any idea what could be causing it? We've followed the installation guide.
Thanks in advance.
I'm having the same issue,
Aug 24 18:03:35 iPad Afaria[135] <Warning>: connection:didReceiveResponse: http 200
Aug 24 18:03:35 iPad Afaria[135] <Warning>: HomeViewController enrollmentRecordRequiredDataPutEndedWith [156] and http:200
Aug 24 18:03:35 iPad Afaria[135] <Warning>: doConnect:
Aug 24 18:03:35 iPad Afaria[135] <Warning>: [AfariaAppDelegate.isClientDisabled 0]
Aug 24 18:03:35 iPad Afaria[135] <Warning>: [AfariaAppDelegate.isClientDisabled 0]
Aug 24 18:03:35 iPad Afaria[135] <Warning>: [AfariaAppDelegate.isClientDisabled 0]
Aug 24 18:03:35 iPad Afaria[135] <Warning>: [HomeViewController.doConnect - resetenrollment_preference 0]
Aug 24 18:03:35 iPad Afaria[135] <Warning>: [HomeViewController cancelPost]
Aug 24 18:03:35 iPad Afaria[135] <Warning>: setStatusLine:"Verificando el estado del dispositivo..."
Aug 24 18:03:35 iPad Afaria[135] <Warning>: postToURL:"http://10.251.0.131:50000/ias_relay_server/client/rs_client.dll/afariaenrollmentserver/aips/aipServi..."
Aug 24 18:03:35 iPad Afaria[135] <Warning>: postToURL:[C]
Aug 24 18:03:35 iPad Afaria[135] <Warning>: startPost
Aug 24 18:03:36 iPad Afaria[135] <Warning>: HTTP/1.1 406 Not Acceptable
Aug 24 18:03:36 iPad Afaria[135] <Warning>: setStatusLine:"Se produjo un error en la conexión."
Hi Florencia,
Have you had this particular device enrolled before? If yes, delete the previous device entry and try again. This is one of the possible reasons: in case of duplicate entries and conflicting UDIDs you get this message.
Best Regards,
Shival
Did you check the error messages in the iCU console? There is a lot that can go wrong and up to now, you did not disclose a lot of detail on what you did, how you did it and error details.
Keep in mind that iOS5 does require a valid HTTPS certificate on the first server it hits. Or you import the signing cert into the keychain. Where this HTTPS cert is needed, depends on your setup, but you did not talk about this yet.
And, it usually helps to kick the Safari browser from memory and to reset the Afaria client states in the client configuration.
Hi, what we are getting right now is a problem in the profile installation. It is an error stating that the connection failed when trying to communicate with ../aips/aipService.svc/PostData. I don't have the logs right now, but has anyone experienced a similar problem?
I'll post the logs later.
Thanks in advance.
These are the logs:
Aug 17 15:50:44 iPad profiled[415] <Notice>: (Note ) profiled: Service starting...
Aug 17 15:50:44 iPad profiled[415] <Notice>: (Note ) MC: Profile Sybase - iAnywhere queued for installation.
Aug 17 15:50:51 iPad profiled[415] <Notice>: (Note ) MC: Checking for MDM installation...
Aug 17 15:50:51 iPad profiled[415] <Notice>: (Note ) MC: ...finished checking for MDM installation.
Aug 17 15:50:53 iPad profiled[415] <Notice>: (Note ) MC: Enrolling in OTA Profile service...
Aug 17 15:51:01 iPad profiled[415] <Notice>: (Error) MC: Cannot retrieve SCEP identity: NSError:
Desc : Se ha producido un error de red.
Sugg : No se ha encontrado ningún servidor con el nombre de host especificado.
US Desc: A network error has occurred.
Domain : MCSCEPErrorDomain
Code : 22005
Type : MCFatalError
...Underlying error:
NSError:
Desc : No se ha encontrado ningún servidor con el nombre de host especificado.
Domain : NSURLErrorDomain
Code : -1003
Type : MCFatalError
Aug 17 15:51:01 iPad profiled[415] <Notice>: (Error) MC: Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:
Desc : Se ha producido un error de red.
Sugg : No se ha encontrado ningún servidor con el nombre de host especificado.
US Desc: A network error has occurred.
Domain : MCSCEPErrorDomain
Code : 22005
Type : MCFatalError
...Underlying error:
NSError:
Desc : No se ha encontrado ningún servidor con el nombre de host especificado.
Domain : NSURLErrorDomain
Code : -1003
Type : MCFatalError
Aug 17 15:51:22 iPad profiled[415] <Notice>: (Note ) MC: Checking for MDM installation...
Aug 17 15:51:22 iPad profiled[415] <Notice>: (Note ) MC: ...finished checking for MDM installation.
Aug 17 15:51:24 iPad profiled[415] <Notice>: (Note ) MC: Enrolling in OTA Profile service...
Aug 17 15:51:24 iPad profiled[415] <Notice>: (Error) MC: Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:
Desc : Error al llevar a cabo una transacción con el servidor http://190.2.50.181/aips/aipService.svc/PostData. Estado: 406.
US Desc: A transaction with the server at http://190.2.50.181/aips/aipService.svc/PostData has failed with the status 406.
Domain : MCHTTPTransactionErrorDomain
Code : 23001
Type : MCFatalError
Params : (
"http://190.2.50.181/aips/aipService.svc/PostData",
406
)
Aug 17 15:52:25 iPad profiled[415] <Notice>: (Note ) profiled: Idled.
Aug 17 15:52:25 iPad profiled[415] <Notice>: (Note ) profiled: Service stopping.
Hi Ximena,
Did you check KB 8099? Here is the direct link.
Following is the solution copied from the above link:
SOLUTION:
Network Device Enrollment Services installation may need to be refreshed. This can be done by going to Server Manager > Roles > Active Directory Certificate Services and Remove the Role Services for Network Device Enrollment Services and then re-add it following a Reboot.
Following the reinstall of Network Device Enrollment Services, it may be required to check the following:
HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword DWORD = 0
The default entry for this key is "1", and must be changed to "0" for the Afaria iPhone provisioning process.
Hope the above helps.
Regards,
Shival
Hi Ximena,
Your problem seems to be pointed in the Enrollment Server of the Afaria environment. Check your settings in the configuration component "Enrollment Server" and make sure that the settings of this Enrollment Server and Certificate Authority are correct.
Secondly, make sure that from your device the following virtual directories of the Afaria environment are reachable on port 80 and 443: http://190.2.50.181/aips, http://190.2.50.181/aips2 and http://190.2.50.181/CertSrv. Those are needed to enroll your iOS device.
Best regards.
Joost Weghorst
Hi Ximena,
It seems you may have passed the original error that was in question. For the community readers' reference and considering the effort that has been put into responding to your issue, could you post here what the solution was that worked in getting through your following error?
Ipad profiled[415] <Notice>: (Error) MC: Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:
Regards,
Shival
This could be anything and nothing. You will need to look for more detailed error messages.
If this fails right after you are entering the short url config code into the Afaria client, the code may be incorrect. Make sure the EUSSP knows about this code.
Also get the Apple iPhone Configuration Utility (iCU), install it and hook your iOS device up with a cable. Then try to re-enroll. Switch in the iCU to the console tab. You will then see the iOS console output and more detailed error messages that will help you determine what is wrong.