Afaria iOS enrollment - The SCEP server returned an invalid response

Former Member
0 Kudos

Hello,

I'm installing the Afaria server. Android enrollment is working; now I'm facing a problem with iOS device enrollment.

When installing the Profile Service (shown as unsigned - I don't know if that's right or wrong) I got this message on the iPhone:

Profile Installation Failed - The SCEP server returned an invalid response

Also there is an event log message on my CA server:

Source: NetworkDeviceEnrollmentService

Error: The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.

I have 2 servers, Afaria 7 SP2 and Afaria 7 SP3; both have the same issue.

Does anyone have the same problem? I didn't find any solution related to my issue.

Thanks

Ales

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi guys,

so.... problem fixed.

I removed XSSCEPpolicyModule.DLL from the subCA server and restarted the whole server, not just the CA services, and it's working.

To remember: read the release notes more carefully; XSSCEP is not used from SP3 on.

Former Member
0 Kudos

Hi Ales,

I faced this issue only yesterday.

You need to change the value below in your CA registry.

HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword key is set to 0

Default value is 1.

After changing, you will need to reboot. Then you should be able to enroll your iOS devices.

Thanks

Dharmaraj

Former Member
0 Kudos

Hi Dharmaraj,

thank you for your response. I changed the value in the CA registry as you mentioned.

Now the error message has changed to a different one:

Profile Installation Failed

The SCEP server configuration is not supported

I checked the KBs at http://frontline.sybase.com/support/knowledgebase.aspx and I think there is no issue related to mine.

Any idea?

Thanks in advance

Former Member
0 Kudos

Hi,

Please run SERVERSCEPTEST.exe, available in the bin folder of the iPhone server (Program Files),

and tick the proxy option.

Please follow the steps:

1. Open serversceptest.exe and tick the proxy option

2. Verify that the CA server settings are properly configured in the Afaria console

3. Verify that the Outbound Enabler is communicating with the relay server

In case the above method doesn't work, remove the NDES role from the CA server and add the same role again.

Former Member
0 Kudos

Could you please help me with filling in the Common Name and Challenge parameters in ServerSCEPtest.exe? I always receive:

CSR creation: 2048 bit RSA key...

Provisioning server CA address: http://***************/certsrv/mscep/mscep.dll//

SCEPcertificateAcquisition Exception: Value cannot be null.

Parameter name: certificate

--- Time: 0,0156 sec.

Also there are these logs in CA\Application:

Active Directory Certificate Services denied request 34 because An unknown error occurred while processing the certificate. 0x80090327 (-2146893017).  The request was for L=City , S=CZ, C=CZ, CN=1961C219EFD0DCDD83C0B0460A09C0DF1D11DAFB, OU=EMEA ICT, O="Company.".  Additional information: Denied by Policy Module

The Network Device Enrollment Service cannot submit the certificate request (The request was denied by a certificate manager or CA administrator.).  0x80004005

One more note: I don't use the Relay server. I'm using a Squid reverse proxy.

Former Member
0 Kudos

HI,

Please help with the architecture; what I assume now:

Standalone server + iOS and Portal package component + CA server on one single server.

Please confirm what kind of CA server you are using: Standalone, Enterprise or Subordinate.

1. The Common Name you can identify either at the time of installation of the CA server, or you can get it from the personal certificate, e.g. RS-WIN2008R2-CA; it will end with -CA.

2. Please ensure the settings in the Afaria console are done properly.

3. Verify the SCEP credentials in the Afaria console.

4. Check that the SCEP ID is a privileged domain admin.

You can try the option below for your error.

Open Regedit

  1. Go to HKLM\SOFTWARE\Microsoft\cryptography\mscep -> right click -> Permissions

  2. Select the user of network enrollment and add full control permissions (the user can be verified by checking the IIS_IUSR group; maybe it's the only user in there).

  3. Change the setting in the policy module: right click on the certificate authority

If the problem still occurs, please remove the NDES role and add the role again. You can also try restarting the CA server.

Former Member
0 Kudos

Thanks a lot.

Finally I removed the NDES role and added it again, with the same result.

I verified the settings in the Afaria console in Server > Configuration > Certificate Authority; even the test is PASSED.

My configuration is standalone Afaria + iOS + SSP ... etc., standalone subCA.

The CA was installed based on the installation manual + added:

HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword key is set to 0

Playing all day long and no change :(

Former Member
0 Kudos

Hi,

Did you do this setting for the Subordinate CA server?

  •     Open "Certificate Authority" => certsrv.msc
  •     Highlight the CA server, right click -> Properties
  •     Policy module -> Properties -> follow the settings in the certificate template if applicable

Open Regedit

  •     Go to HKLM\SOFTWARE\Microsoft\cryptography\mscep -> right click -> Permissions
  •     Select the user of network enrollment and add full control permissions (the user can be verified by checking the IIS_IUSR group; maybe it's the only user in there)
  •     On the CA server open Internet Information Services (IIS) Manager and click on the CertSrv virtual directory
  •     Double click the Request Filtering icon in the IIS section in the center pane.
  •     Click "Edit Feature Settings" in the right pane.
  •     Change the value of the "Maximum query string" to 65538.
  •     Stop and restart IIS.

If it still doesn't work, remove the SCEP setting from the Afaria console and check; please help with the iOS device logs also, if possible.
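The two replies above (the EnforcePassword registry change and this checklist) all come down to reading a handful of settings on the CA/NDES host. The script below is an added audit, not something from the thread or from Afaria: it reads those settings and flags the one that matters for security, because EnforcePassword=0 means NDES no longer checks the one-time challenge password at all. The CA name, NDES service account and IIS path are placeholders you must replace.

```powershell
# Added audit script (not from the thread): reads the NDES/SCEP settings the
# thread touches and flags the risky one. Assumes it runs elevated on the CA/NDES
# host; CAName, NdesAccount and CertSrvPath are placeholders.
param(
    [string]$CAName      = 'YOUR-SUBCA-NAME',              # placeholder, e.g. RS-WIN2008R2-CA
    [string]$NdesAccount = 'DOMAIN\svc_ndes',              # placeholder NDES service account
    [string]$CertSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'
)
Import-Module WebAdministration -ErrorAction SilentlyContinue

$findings = @()

# 1. Challenge password enforcement. The thread sets this to 0 to get past the
#    "password cannot be verified" event; with 0, NDES issues certificates to any
#    client that can reach mscep.dll without a challenge, so treat it as a finding.
$ep = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP\EnforcePassword' `
        -Name EnforcePassword -ErrorAction SilentlyContinue
if ($null -eq $ep)                 { $findings += 'EnforcePassword key missing (is NDES installed?)' }
elseif ($ep.EnforcePassword -eq 0) { $findings += 'RISK: EnforcePassword=0, SCEP challenge password not enforced' }
else                               { $findings += 'OK: EnforcePassword=1' }

# 2. Which policy module the CA actually loads. The accepted fix removed the
#    Afaria XSSCEP module, which SP3 no longer uses; the CA stores the active
#    module name in its CertSvc configuration key.
$pm = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CAName\PolicyModules" `
        -Name Active -ErrorAction SilentlyContinue
if ($pm) { $findings += "Active policy module: $($pm.Active)" }
else     { $findings += "Could not read policy module for CA '$CAName' (check CAName)" }

# 3. ACL on the MSCEP key: the checklist grants the NDES account full control.
$acl  = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'
$rule = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $NdesAccount }
if ($rule) { $findings += "MSCEP key: $NdesAccount has $($rule.RegistryRights -join ',')" }
else       { $findings += "MSCEP key: no explicit ACE for $NdesAccount" }

# 4. IIS request filtering limit on /CertSrv. SCEP PKIOperation GET requests carry
#    the whole base64 PKCS#7 message in the query string, hence the raised limit.
$mq = Get-WebConfigurationProperty -PSPath $CertSrvPath `
        -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name maxQueryString
$findings += "CertSrv maxQueryString: $($mq.Value)"

$findings
```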

Former Member
0 Kudos

Hi, thanks a lot for your tips...

1 - Set Policy module properties: there is XSSCEPPolicyModule.DLL and no properties are available (Afaria SCEP Policy Module - This module has no configurable items. To change database settings, run Afaria SCEP Policy setup).

2 - HKLM\SOFTWARE\Microsoft\cryptography\mscep: added full control for the NDES user (it's also a member of IIS_IUSRS).

3 - Request filtering is 65536.

Please could you help me to get iPhone logs on Windows? I checked what I have in:

c:\Users\aberan\AppData\Roaming\Apple Computer\Logs\

and no log seems to be related to Afaria, certificates or profile installation.

Former Member
0 Kudos

Download the iPhone Configuration Utility (ICU) on a system (Mac or Windows).

Connect the device and enroll.

Former Member
0 Kudos

Great.

I'm attaching the log from the enrollment process.

Former Member
0 Kudos

Hi,

Just need help in understanding.

While installing the iPhone server component, did you select the SSL certificate? If not, reinstall the enrollment server component and select the SSL certificate for the HTTPS connection.

Former Member
0 Kudos

Hi,

OK. My fault. I hadn't implemented SSL yet. In the installation manual it was marked optional; I wanted to start as simple as possible and then add SSL functionality.

OK. So I started with SSL, but I don't know if I really understand the product & configuration.

Now it's set but not working. Mobile devices can be enrolled only via HTTP. When I switched the enrollment policy to HTTPS I receive "server not found". Even the Afaria Client installed on the server failed with a timeout - The connection to the Server failed. The session did not complete.

Finally, I'm lost with my config. Please could you check if I'm going the right way?

My infrastructure is:

Standalone Afaria server < reverse proxy > Internet

Standalone server IIS has 80+443

In Afaria configuration:

Device communication: XNET 3007, XNETS 3008, HTTP 3011, HTTPS 3012

Access control server: HTTP 3009 (at this time that's not implemented yet; I think it's only for Exchange)

Enrollment server: Use HTTPS + FQDN in server address (no port?)

Package server: Direct Access with HTTPS, FQDN as server address (no port?)

Android enrollment policy: address https://FQDN:3012

In IIS there is only 80+443, but netstat shows all the added ports are listening, so I think the Afaria server will handle the 30** ports and forward to 80/443?

Our reverse proxy probably can't handle XNET/S, just HTTP/S, so I want to realize all future connections on HTTP secure ports like my 3012 definition.

My internal server has the same FQDN as published to the internet.

Please could you review my configuration? Did I set the ports right?

Former Member
0 Kudos

Hi,

Okay, for the configuration just follow the steps below.

Steps:

1. An SSL certificate is mandatory for iOS 5 and above. (The enrollment code will connect with HTTP and it will redirect to HTTPS for the iOS device during the enrollment process, so it's okay even if you allow an HTTP connection to generate the enrollment code.)

2. For Android an SSL certificate is not mandatory; you can connect the device with an HTTP connection.

3. The Apple root certificate and push certificate are required for iOS devices, apart from the SSL and CA certificates.

4. Ports to open: 2195 & 2196 for Apple, 5228-5230 for GCM, SMTP 25, and ports 80 and 443 for your public IP.

5. If connected to Wi-Fi you will be required to open port 5223.

6. Import the SSL certificate into your IIS and make sure to select the certificate for 443 in the IIS settings.

7. For device communication you can use http://fqdn:80 or port 443.

8. Portal package: http://fqdn:8080

9. Make sure to install all the hotfixes available for the Afaria 7 SP3 version.

Try this.

Former Member
0 Kudos

Hi,

thanks.

Are you sure about the device communication ports? If I set device communication to ports 80 & 443, XSRedirector fails in a few seconds. IMHO it's in conflict with IIS (Afaria, SSP).

Log:

XRS4940: Service: An unexpected error has occurred in the following Afaria component: XSRedirector.EXE. The service is stopping.  EXPLANATION: A fatal error occurred that could not be handled. All communications are disabled.  ACTIONS: Close all other Afaria applications, then attempt to start the Afaria service again. If this error persists, try shutting down the machine before restarting the service. If this error still persists, contact your support representative.

A.

Former Member
0 Kudos

Hi,

You need to change the setting:

1. Keep the HTTP option unticked on device communication and mention the manual path of the server below, where the device's first communication address is: you have to mention http://fqdn:80

Or

Another option will be to define another port for HTTP: 8081
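The XSRedirector crash above is what a port clash with IIS looks like from the Afaria side. The following is an added check, not part of the thread or of Afaria: it lists which process owns each port from the poster's configuration, so a clash on 80/443 (or a 30xx port nobody is serving) is visible before switching the device communication setting. It parses netstat so it also works on Server 2008 R2, where Get-NetTCPConnection is not available.

```powershell
# Added check (not from the thread): shows which process listens on each port
# the thread's Afaria configuration uses. PID 4 is the System process, which on
# Windows means HTTP.sys (IIS) holds the port; any other PID is a user process
# such as XSRedirector. The port list is taken from the poster's configuration.
$afariaPorts = 80, 443, 3007, 3008, 3009, 3011, 3012, 8080

# netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
$listeners = netstat -ano |
    Where-Object { $_ -match '^\s*TCP' -and $_ -match 'LISTENING' } |
    ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        New-Object PSObject -Property @{
            Port = [int](($f[1] -split ':')[-1])   # works for 0.0.0.0:80 and [::]:80
            PID  = [int]$f[4]
        }
    }

foreach ($p in $afariaPorts) {
    $owners = $listeners | Where-Object { $_.Port -eq $p } | ForEach-Object {
        if ($_.PID -eq 4) { 'System/HTTP.sys (IIS)' }
        else {
            $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
            if ($proc) { "$($proc.ProcessName) (PID $($_.PID))" } else { "PID $($_.PID)" }
        }
    }
    if ($owners) { '{0,5}  {1}' -f $p, (($owners | Select-Object -Unique) -join ', ') }
    else         { '{0,5}  (not listening)' -f $p }
}
```

A port that shows System/HTTP.sys is held by IIS, which is why pointing Afaria device communication at 80 or 443 on the same host fails; a port showing no listener is one the reverse proxy cannot reach yet.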