cancel
Showing results for 
Search instead for 
Did you mean: 

Afaria 6.6 iOS can't install config_payload

Former Member
0 Kudos

Hi Experts,

In Afaria 6.6 with hotfix 2011_06 we have the issue that we can't instal the enrollment config_payload profile when enrolling a new iOS (we only tested with iOS5) device.

In the Afaria Administrator we've added following things in Server Configuration --> Provisioning Server: Signing Certificate name (same as in installation), CA Name. When I test the Certificates Request there I get the "Certificate server verified" message.

But when i try to enroll a new device via the Afaria App we get an error when installing the provisioning profile (Profile Failed to Install: The profile "config Payload" could not be installed.). Besides this the profile is not verified... A kb on frontline.sybase.com saying this means that the profile is signed but can not be traced back to a known root?

When looking at the Iphone Configuration Utility it says that the server certificate for our server token check in is invalid but we followed the steps in the install guide to create a root and signing certificate on our CA server? Can someone give some pointers on where we might made a mistake?

Thanks in advance!

Kind regards,

Robin

The Iphone Configuration Utility gives back following error:

testiPhone profiled[122] <Notice>: (Error) MC: Connection to https://ip:port/authorized/aipService.svc/TokenCheckin failed with error: NSError:

    Desc   : The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JUS Desc: The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23002^JType   : MCFatalError^JParams : (^J    "https://ip:port/authorized/aipService.svc/TokenCheckin"^J)

testiPhone profiled[122] <Notice>: (Error) MDM: Cannot Authenticate. Error: NSError:

    Desc   : The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JUS Desc: The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23002^JType   : MCFatalError^JParams : (^J    "https://ip:port/authorized/aipService.svc/TokenCheckin"^J)

testiPhone profiled[122] <Notice>: (Error) MC: Cannot install MDM “mdmfeexxxxxxxxxxxxxxxxxxx”. Error: NSError:^JDesc   : The payload “mdmfeexxxxxxxxxxxxxxxxxxx” could not be installed.^JSugg   : The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JUS Desc: The payload “mdmfeexxxxxxxxxxxxxxxxxxx” could not be installed.^JUS Sugg: The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    "mdmfeexxxxxxxxxxxxxxxxxxx"^J)^J...Underlying error:^JNSError:^JDesc   : The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JUS Desc: The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23002^JType   : MCFatalError^JParams : (^J    "https://ip:port/authorized/aipService.svc/TokenCheckin"^J)

testiPhone profiled[122] <Notice>: (Error) MC: Rolling back installation of profile “Sybase  iAnywhere”...

testiPhone profiled[122] <Notice>: (Error) MC: Installation of profile “Sybase  iAnywhere” failed with error: NSError:^JDesc   : The profile “Config Payload” could not be installed.^JSugg   : The payload “mdmfeexxxxxxxxxxxxxxxxxxx” could not be installed.^JUS Desc: The profile “Config Payload” could not be installed.^JUS Sugg: The payload “mdmfeexxxxxxxxxxxxxxxxxxx” could not be installed.^JDomain : MCProfileErrorDomain^JCode   : 1009^JType   : MCFatalError^JParams : (^J    "Config Payload"^J)^J...Underlying error:^JNSError:^JDesc   : The payload “mdmfeexxxxxxxxxxxxxxxxxxx” could not be installed.^JSugg   : The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JUS Desc: The payload “mdmfeexxxxxxxxxxxxxxxxxxx” could not be installed.^JUS Sugg: The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JDomain : MCInstallationErrorDomain^JCode   : 4001^JType   : MCFatalError^JParams : (^J    "mdmfeexxxxxxxxxxxxxxxxxxx"^J)^J...Underlying error:^JNSError:^JDesc   : The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JUS Desc: The server certificate for “https://ip:port/authorized/aipService.svc/TokenCheckin” is invalid.^JDomain : MCHTTPTransactionErrorDomain^JCode   : 23002^JType   : MCFatalError^JParams : (^J    "https://ip:port/authorized/aipService.svc/TokenCheckin"^J)

Accepted Solutions (0)

Answers (2)

Answers (2)

0 Kudos

Hi Robin,

Issue here is that you haven't provided your first server certificate where device is hitting during installation of enrollment server (I meant https://ip:port/authorized/aipService.svc/TokenCheckin certificate of IP should be selected when installing enrollement server and port should be given).

To do this Generate the certificate request (In IIS) using FQDN (using which device is connecting to it) and generate certificate from your CA. Complete the certificate request in IIS and export the certificate and import into trusted root certificate and personal certificate store of enrollment server. Re-install the enrollment server and select imported certificate and the port number.

It should solve the problem.

Regards,

Abhishek Joshi

D_Olderdissen
Advisor
Advisor
0 Kudos

There are at least two things that can go wrong.

  1. Your certificates you installed in Afaria are faulty.
  2. The certificate on the first HTTPS server, the iOS5 device hits, is incorrect.

The error looks like No2. It seems you are not using a RS and hit your Afaria directly. That would most likely mean, you need a valid HTTPS certificate on the IIS of your IOS Provisioning server.

Recommended tests:

  • Try if enrollment works with an iOS4
  • Import the root cert of your signing authority of the HTTPS cert on your IIS into the iOS5 device. Then test again.
Former Member
0 Kudos

Hi Dirk,

So basically when i go to server properties --> component configuration --> Certificate Authority (iOS only)

I should test it there with the https enabled? If the test there is successful then the iPhone should be able to connect to the CA?

We currently have no iOS4 phone available only iOS5.

Thanks in advance!

Kind Regards,

Robin

Former Member
0 Kudos

Hi Dirk,

I'have an Afaria 7 Appliance installed.

I also have a Reverse Proxy bridging SSL to http, I installed the server certificate (along with the Root CA Certificate) on the RS box and it is shown as valid.

But when trying to enroll my iOS device I have the same error as Robin.

On the other side, If I manually install the Root CA Certificate in my iOS device, then I can install the Config Payload and the enrollment works.

Of course I don't want to manually install this certificate on all the corporate iOS devices, so is there a way to do it via Afaria Server?

Or am I missing something with the SSL server certificate installation so that the Root CA Certificate can't be installed on the iOS device as part of the Config Payload installation?

Thanks in advance for your help.

Regards

Fabio

Former Member
0 Kudos

I solved the problem myself.

Reinstalling the enrollment server , I could specify the SSL server Certificate to be bound to the https connection.

During enrollment, Afaria client also shows the installation on the iOS device of the root certificate linked to the SSL server certificate.

For more information follow Sybase Knowledge Base Article ID #7706.

Fabio