on 10-10-2013 8:14 AM
Hello,
I'm installing an Afaria server. Android enrollment is working; now I'm facing a problem with iOS device enrollment.
When installing the Profile Service (shown as unsigned; I don't know whether that's right or wrong) I got this message on the iPhone:
Profile Installation Failed - The SCEP server returned an invalid response
Also there is this event log message on my CA server:
Source: NetworkDeviceEnrollmentService
Error: The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.
I have 2 servers: Afaria 7 SP2 and Afaria 7 SP3; both have the same issue.
Does anyone have the same problem? I didn't find any solution related to my issue.
Thanks
Ales
Hi guys,
so... problem fixed.
I removed XSSCEPpolicyModule.DLL from the subCA server and restarted the whole server, not just the CA services, and it's working.
To remember: read the release notes more carefully. XSSCEP is not used from SP3 on.
Hi Ales,
I faced this issue just yesterday.
You need to change the value below in your CA registry.
HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword key is set to 0
The default value is 1.
After changing, you will need to reboot. Then you should be able to enroll your iOS devices.
Thanks
Dharmaraj
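An added check (not from any poster in this thread) for the registry change Dharmaraj describes: it reads the NDES challenge-password settings and flags the consequence of EnforcePassword=0. It assumes it runs elevated on the CA/NDES host; the value names other than EnforcePassword are the ones documented for NDES, not taken from this thread.

```powershell
# Added example (not from the thread): audit NDES/MSCEP challenge-password settings.
# Assumes an elevated session on the NDES (CA) server. Defaults per the NDES
# documentation: EnforcePassword=1, UseSinglePassword=0, PasswordValidity=60
# (minutes), PasswordMax=5.
$base = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-MscepValue {
    param([string]$Name)
    # NDES stores each setting as a DWORD named after its own subkey,
    # e.g. ...\MSCEP\EnforcePassword\EnforcePassword.
    $item = Get-ItemProperty -Path (Join-Path $base $Name) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$settings = [ordered]@{
    EnforcePassword   = @{ Value = Get-MscepValue 'EnforcePassword';   Default = 1 }
    UseSinglePassword = @{ Value = Get-MscepValue 'UseSinglePassword'; Default = 0 }
    PasswordValidity  = @{ Value = Get-MscepValue 'PasswordValidity';  Default = 60 }
    PasswordMax       = @{ Value = Get-MscepValue 'PasswordMax';       Default = 5 }
}

foreach ($name in $settings.Keys) {
    $s = $settings[$name]
    $shown = if ($null -eq $s.Value) { "(absent, default $($s.Default))" } else { $s.Value }
    Write-Host ("{0,-18} {1}" -f $name, $shown)
}

# EnforcePassword=0 makes NDES skip verification of the one-time challenge, so
# the "password cannot be verified" event from the thread disappears, but any
# client that can reach mscep.dll can then obtain a device certificate.
if ($settings.EnforcePassword.Value -eq 0) {
    Write-Warning 'EnforcePassword=0: challenge passwords are not verified on this NDES.'
    Write-Warning 'Use only while troubleshooting; set it back to 1 once enrollment works.'
} else {
    Write-Host 'EnforcePassword is enabled: challenge passwords are validated.'
}
```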
Hi Dharmaraj,
thank you for your response. I changed the value in the CA registry as you mentioned.
Now the error message has changed to a different one:
Profile Installation Failed
The SCEP server configuration is not supported
I checked the KBs at http://frontline.sybase.com/support/knowledgebase.aspx and I think there is no issue related to mine.
Any idea?
Thanks in advance
Hi,
Please click on ServerSCEPtest.exe, available in the bin folder of the iPhone server (Program Files),
and tick the proxy option.
Please follow these steps:
1. Open ServerSCEPtest.exe and tick the proxy option.
2. Verify the CA server settings are properly configured in the Afaria console.
3. Outbound enabler communicating with the relay server.
In case the above method doesn't work, remove the NDES role from the CA server and add the same role again.
Could you please help me with filling in the Common Name and Challenge parameters in ServerSCEPtest.exe? I always receive:
CSR creation: 2048 bit RSA key...
Provisioning server CA address: http://***************/certsrv/mscep/mscep.dll//
SCEPcertificateAcquisition Exception: Value cannot be null.
Parameter name: certificate
--- Time: 0,0156 sec.
Also there are these logs in CA\Application:
Active Directory Certificate Services denied request 34 because An unknown error occurred while processing the certificate. 0x80090327 (-2146893017). The request was for L=City , S=CZ, C=CZ, CN=1961C219EFD0DCDD83C0B0460A09C0DF1D11DAFB, OU=EMEA ICT, O="Company.". Additional information: Denied by Policy Module
The Network Device Enrollment Service cannot submit the certificate request (The request was denied by a certificate manager or CA administrator.). 0x80004005
One more note: I don't use the Relay server. I'm using a squid reverse proxy.
Hi,
Please help with the architecture; what I assume now is:
Standalone server + iOS and Portal package component + CA server in one single server.
Please confirm what kind of CA server you are using: Standalone, Enterprise or Subordinate.
1. The common name you can identify either at the time of installation of the CA server, or you can get it from the personal certificate, e.g. RS-WIN2008R2-CA; it will end with -CA.
2. Please ensure the settings in the Afaria console are done properly.
3. Verify the credentials of SCEP in the Afaria console.
4. Check the SCEP ID is a privileged domain admin.
You can try the option below for your error.
Open Regedit
Go to HKLM\SOFTWARE\Microsoft\cryptography\mscep -> right click -> Permissions
Select the user of network enrollment and add full control permissions (the user can be verified by checking the IIS_IUSR group; maybe it's the only user in there).
If the problem still occurs, please remove the NDES role and add the role again. You can try restarting the CA server also.
Thanks a lot.
Finally I removed the NDES role and added it again, with the same result.
I verified the settings in the Afaria console in Server > Configuration > Certificate Authority; even the test is PASSED.
My configuration is standalone Afaria + iOS + SSP... etc., standalone subCA.
The CA was installed based on the installation manual, plus:
HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword key is set to 0
Playing all day long and no change :(
Hi,
Did you do this setting for the Subordinate CA server?
Open Regedit
If it still doesn't work, remove the SCEP setting from the Afaria console and check; please help with the iOS device logs also, if possible.
Hi, thanks a lot for your tips...
1 - Set Policy module properties: there is XSSCEPPolicyModule.DLL; no properties are available (Afaria SCEP Policy Module - This module has no configurable items. To change database settings, run Afaria SCEP Policy setup).
2 - HKLM\SOFTWARE\Microsoft\cryptography\mscep: added full control for the NDES user (it's also a member of IIS_IUSRS).
3 - Request filtering is 65536.
Could you please help me to get iPhone logs in Windows? I checked what I have in:
c:\Users\aberan\AppData\Roaming\Apple Computer\Logs\
and no log seems to be related to Afaria, certificates or profile installation.
Hi,
OK. My fault. I hadn't implemented SSL yet. In the installation manual it was marked optional; I wanted to start as simple as possible and then add SSL functionality.
OK. So I started with SSL, but I don't know if I really understand the product & configuration.
Now it's set but not working. Mobile devices can be enrolled only via HTTP. When I switched the enrollment policy to https I receive "server not found". Even the Afaria Client installed on the server failed with a timeout: The connection to the Server failed. The session did not complete.
Finally, I'm lost with my config. Could you please check if I'm going the right way?
My infrastructure is:
Standalone Afaria server < reverse proxy > Internet
Standalone server IIS has 80+443
In Afaria configuration:
Device communication: XNET 3007, XNETS 3008, HTTP 3011, HTTPS 3012
Access control server: HTTP 3009 (at this time that's all not implemented yet; I think it's only for Exchange)
Enrollment server: Use HTTPS + FQDN in server address (no port?)
Package server: Direct Access with HTTPS, FQDN as server address(no port?)
Android enrollment policy: address https://FQDN:3012
In IIS there is only 80+443, but netstat shows all added ports are listening, so I think the Afaria server will handle the 30** ports and forward to 80/443?
Our reverse proxy probably can't handle XNET/S, just HTTP/S, so I want to realize all future connections on HTTP secure ports like my 3012 definition.
My internal server has the same FQDN as the one published to the internet.
Could you please review my configuration? Did I set the ports right?
Hi,
Okay, the configuration looks fine; just follow the steps below.
Steps:
1. An SSL certificate is mandatory for iOS 5 and above. (The enrollment code will connect with http; it will redirect to https for the iOS device as part of the enrollment process, so it's okay even if you allow an http connection to generate the enrollment code.)
2. For Android the SSL certificate is not mandatory; you can connect the device with an http connection.
3. The Apple root certificate and push certificate are required for iOS devices, apart from the SSL and CA certificates.
4. Ports to open: 2195 & 2196 for Apple, 5228-5230 for GCM, SMTP 25, ports 80 and 443 for your public IP.
5. If connected to wifi you will be required to open port 5223.
6. Import the SSL certificate in your IIS and make sure to select the certificate for 443 in the IIS settings.
7. For device communication you can use http://fqdn:80 or the 443 port.
8. Portal package: http://fqdn:8080
9. Make sure to install all the hotfixes available for the Afaria 7 SP3 version.
Try this.
Hi,
thanks.
Are you sure about the device communication ports? If I set device communication to ports 80 & 443, XSRedirector fails within a few seconds. IMHO it's in conflict with IIS (Afaria, SSP).
Log:
XRS4940: Service: An unexpected error has occurred in the following Afaria component: XSRedirector.EXE. The service is stopping. EXPLANATION: A fatal error occurred that could not be handled. All communications are disabled. ACTIONS: Close all other Afaria applications, then attempt to start the Afaria service again. If this error persists, try shutting down the machine before restarting the service. If this error still persists, contact your support representative.
A.
Hi,
You need to change the setting:
1. Keep the http option unticked on device communication and mention the manual path of the server below, where the device's first communication address is: you have to mention http://fqdn:80
Or
Another option will be to define another port for http: 8081