on 01-21-2014 2:03 PM
Hi,
I have successfully enrolled android devices through my Afaria server without Relay in my architecture.
Now I wanted to enroll IOS devices through Afaria.
I have installed all the certificates viz- Apple INC, APNS certificate and Intermediate cert on my Afaria server.
Now when i try to enroll IOS device I am getting the following error in IOS configuration utility-
Jan 21 15:15:45 SAP-Mobilitys-iPhone profiled[1697] <Notice>: (Note ) MC: Enrolling in OTA Profile service...
Jan 21 15:15:50 SAP-Mobilitys-iPhone profiled[1697] <Notice>: (Error) MC: Failed to parse profile data. Error: NSError:
Desc : Invalid Profile
US Desc: Invalid Profile
Domain : MCProfileErrorDomain
Code : 1000
Type : MCFatalError
Please help me to resolve this issue???
Keith,
Don't be mad at me if I say I understand nothing.
If I am not mistaken, you mean that I need both versions because of the chain. Right?
So, what can i do to work well?
Tevfik,
Many admin users for Afaria only know as much about Microsoft's PKI/CA as is absolutely necessary to run Afaria (which is very little relative to all there is to know). So it's no problem that you aren't more familiar with it.
From the Certificate Authority page in Afaria, check the server address of your CA. Go to that machine via RDP and open Start > Administrative Tools > Certification Authority. Click the "+" next to your CA's name to expand the folder tree. Highlight the "Issued Certificates" folder. Click the "Request ID" column header on the right side of the window twice to sort descending. Double-click on the top (most recent) certificate.
In the certificate interface, click the "Details" tab and scroll down to the "CRL Distribution Points" entry. Highlight the entry and copy the CDPs. Each one starts with "URL=". Don't copy that part, just the actual URL. Then navigate to the "Certification Path" tab in the same certificate interface. If there are more than two entries there, you'll need to get the CDPs from each of the intermediate CAs in the chain.
To get those, you can highlight the intermediate CA in the cert path and click the "View Certificate" button to see the certificate window for that CA's certificate. Then it would be the same process of going to the Details tab and copying the CRL Distribution Points.
From the machine running the Afaria Enrollment Server, open an elevated command prompt (right-click > Run as Administrator). Then, for each URL you copied, run the command "certutil -URL <URLYouCopied>". This will bring up the "URL Retrieval Tool" window with your pasted URL at the bottom in the "Url to Download" field. Verify the selection for the "Retrieve" field in the lower right corner is set to "CRLs (from CDP)" and click "Retrieve". If the "Status" column returns "OK" for all CRLs then you should be fine.
For each certificate, the function needs to have access to retrieve the CRL from at least one good location. For this purpose, "file" CDPs are not valid. It needs to be either LDAP or HTTP, depending on how your PKI is configured and what your AD/LDAP environment supports. If either the identity certificate or one (or more) of the intermediate CA's certificate CDPs cannot be reached, you'll need to add a new CDP that can be reached.
Note that if you have to add a CDP to an intermediate CA you have to add the CDP on the root CA and then renew the subordinate CA's certificate to get the CDP included. If that's required, you'll also need to renew the Network Device Enrollment Service's Registration Authority ("RA") certs to preserve the chain for the device.
Note: I use "intermediate CA" and "subordinate CA" interchangeably in this case
Thanks,
Keith Nunn
SAP Active Global Support
SAP Canada
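The procedure above (walk the chain, pull the CDP URLs from each non-root certificate, try to retrieve each CRL, ignore file CDPs) can be done from one script instead of clicking through the MMC and the URL Retrieval Tool. The following is an added example written for this thread, not code from SAP or from the Afaria product. It assumes you have exported one recently issued device identity certificate to C:\temp\device.cer on the Afaria Enrollment Server (the path is an assumption) and that the script runs on that server, so the retrieval is attempted from the same place the enrollment server attempts it.

```powershell
# Added example for this thread; not SAP/Afaria code.
# Assumption: an issued device identity certificate exported to this path.
param([string]$CertPath = 'C:\temp\device.cer')

Add-Type -AssemblyName System.Security

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Build the chain the way the revocation check does: online CRL retrieval, root
# excluded (the root is trusted from the computer's Trusted Root store, not
# revocation-checked, as described above).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$built = $chain.Build($leaf)

Write-Host "Chain build succeeded: $built"
foreach ($s in $chain.ChainStatus) {
    Write-Host ("  status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
}

function Get-CdpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 is "CRL Distribution Points". Format($true) returns the same
    # multi-line text the MMC "Details" tab shows, one "URL=" entry per line.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    $ext.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match '^\s*URL=(.+?)\s*$') { $Matches[1] } }
}

# Check every element except the root: the leaf first, then each subordinate CA.
# If the chain could not be built at all there is only the leaf, so check that.
$elements = @($chain.ChainElements)
$last = if ($elements.Count -gt 1) { $elements.Count - 1 } else { 1 }
for ($i = 0; $i -lt $last; $i++) {
    $c = $elements[$i].Certificate
    Write-Host "`n[$i] $($c.Subject)"
    $urls = @(Get-CdpUrls -Cert $c)
    if ($urls.Count -eq 0) {
        Write-Host '  no CDP extension - the revocation check cannot succeed for this cert'
        continue
    }
    foreach ($u in $urls) {
        if ($u -like 'file:*') {
            # File CDPs do not count: the check needs at least one LDAP or HTTP CDP.
            Write-Host "  SKIP  $u  (file CDPs are not valid for this check)"
        } elseif ($u -like 'http*') {
            try {
                $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
                Write-Host "  OK    $u  ($($r.RawContentLength) bytes)"
            } catch {
                Write-Host "  FAIL  $u  ($($_.Exception.Message))"
            }
        } else {
            # ldap:/// CDPs are fetched by certutil below, which uses the same
            # CryptoAPI path as the URL Retrieval Tool.
            Write-Host "  LDAP  $u  (see certutil -urlfetch output)"
        }
    }
}

# Non-GUI equivalent of the "URL Retrieval Tool" check: fetches every CDP/AIA in
# the chain and reports "Revocation check passed" or the retrieval error per CRL.
certutil -verify -urlfetch $CertPath
```

An http CDP that returns OK from this script but FAIL from the GUI tool usually means the enrollment server's service account has a different proxy or network path than your interactive session; run it under that account before changing the PKI.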
Hi Keith,
Yesterday I checked your directives and saw that the Subordinate CA's CDPs are expired, because the Root CA is kept shut down. Today I switched it on and moved the CRL files. Now all CDPs look OK.
There is some screenshot as time line
1. Here is an ordinary certificate and its CDP's
Here is Subordinate CA's CDP
Here is links
Now, I can retrieve Certificate's CDPs by LDAP
Now, I can retrieve Certificate's CDPs by HTTP
Here is Subordinate CA's CDP by HTTP
As you said, the file method fails.
I think now I can enroll and load profile ..
Lets try.
Keith,
I have the same issue; while doing the steps you mentioned, it comes back as failed:
From the machine running the Afaria Enrollment Server, open an elevated command prompt. (Right-click > Run as Administrator) Then, for each URL you copied, run the command "certutil -URL <URLYouCopied>". This will bring up the "URL Retrieval Tool" window with your pasted URL at the bottom in the "Url to Download" field. Verify the selection for the "Retrieve" field in the lower right corner is set to "CRLs (from CDP)" and click "Retrieve" If the "Status" columns returns "Fail" for all CRLs then you should be fine.
I am not sure whether I should check with SAP support or the system admin, but I am getting an error while enrolling a new device on Afaria (iOS 9). Afaria server: SP05. (We recently upgraded the server from SP04 HF 06 to SP04 19 and then SP05.)
I have an incident created (1009613) but no luck yet.
Can you please help me on this.
Regards
Saket
I think V3.0 is the most recent and we use it now. So there is no problem about it.
Tevfik,
It looks from your screenshot like you have a CA named "YasarCA" which is running v2.0 of its root cert and a CA named "YasarCA1" which is running v3.0 of its cert. If the device identity certificates are being issued by YasarCA1 and it's a subordinate CA to YasarCA, then not only will the CDPs need to be included in the issued identity certs but they'll need to exist in YasarCA1's cert (which would have been issued by YasarCA, if that's the case) as well.
The root CA in a trust chain isn't checked using the revocation check call, since the server should already trust it if it's in the Trusted Root store for the computer account. The function just wants to check and make sure the subordinate or leaf certificate hasn't been revoked.
Thanks,
Keith Nunn
SAP Active Global Support
SAP Canada
Hi Keith,
After I posted, I searched xSearch and found the same notes.
The first one covers my case, maybe. But it seems I have a different version of the Enterprise PKI server, like this:
and
as you see in V2.0, CDP Location #1 is expired
but in V3.0, CDP Location #1 is OK
I am not familiar with CAs.
Is there anything wrong in this case?
Tevfik,
If the test is failing as well then I would start there. Based on your screenshot, ensure both https://10.1.1.56/CertSrv/mscep/mscep.dll and https://10.1.1.56/CertSrv/mscep_admin/ open to valid Network Device Enrollment Service pages from the Afaria Server. If not, then you will need to investigate your installation of the NDES role service. If both pages load but the test still fails then check the IIS log on the CA to determine what return code is being presented to the GetCACert operation call.
Thanks,
Keith Nunn
SAP Active Global Support
SAP Canada
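The two checks above (both NDES pages load from the Afaria server; what the GetCACert call actually returns) can be scripted from the Afaria server so the HTTP status you get is the same one that ends up in the IIS log on the CA. This is an added example for this thread, not SAP or Afaria code. The host 10.1.1.56 and the two paths are taken from the reply above; the GetCACert query string is the standard SCEP operation that mscep.dll answers. It assumes the NDES TLS certificate is already trusted by the Afaria server (if it is not, that is the first thing to fix).

```powershell
# Added example for this thread; not SAP/Afaria code.
# Assumption: host and paths as in Keith's reply; run this on the Afaria server.
param([string]$NdesHost = '10.1.1.56')

Add-Type -AssemblyName System.Security

function Test-NdesEndpoint {
    param([string]$Name, [string]$Uri, [switch]$WindowsAuth)
    try {
        $splat = @{ Uri = $Uri; UseBasicParsing = $true; TimeoutSec = 15 }
        if ($WindowsAuth) { $splat.UseDefaultCredentials = $true }   # mscep_admin needs Windows auth
        $r = Invoke-WebRequest @splat
        Write-Host ("OK    {0,-22} HTTP {1}  {2}" -f $Name, $r.StatusCode, $r.Headers['Content-Type'])
        return $r
    } catch {
        # A non-2xx answer lands here; the status code is the return code IIS logs.
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'n/a' }
        Write-Host ("FAIL  {0,-22} HTTP {1}  {2}" -f $Name, $code, $_.Exception.Message)
        return $null
    }
}

$null   = Test-NdesEndpoint -Name 'mscep_admin' `
            -Uri "https://$NdesHost/CertSrv/mscep_admin/" -WindowsAuth
$caResp = Test-NdesEndpoint -Name 'mscep.dll GetCACert' `
            -Uri "https://$NdesHost/CertSrv/mscep/mscep.dll?operation=GetCACert&message=ca"

if ($caResp) {
    $bytes = [byte[]]$caResp.Content
    if ($caResp.Headers['Content-Type'] -like '*ca-ra-cert*') {
        # CA plus RA certificates come back as a certs-only PKCS#7; list them so
        # you can see whether the RA certs are present and not expired.
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($bytes)
        $certs = $cms.Certificates
    } else {
        # A single DER certificate (CA only) is returned as application/x-x509-ca-cert.
        $certs = @(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$bytes))
    }
    foreach ($c in $certs) {
        Write-Host ("  {0}  expires {1:yyyy-MM-dd}" -f $c.Subject, $c.NotAfter)
    }
}
```

If GetCACert returns 200 but the list does not contain the NDES RA certificates (the "...-MSCEP-RA" ones), or they are expired, the device will not be able to complete SCEP against the CA even though the page itself "loads"; that is the case where the RA certs need to be renewed.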
Tevfik,
Have a look at these:
http://service.sap.com/sap/support/notes/2072565
http://service.sap.com/sap/support/notes/2058762
I found them using xSearch with the terms "IPH6034 IPH3017" for the MOB-AFA component.
Thanks,
Keith Nunn
SAP Active Global Support
SAP Canada
Hi,
I get exactly the same error.
What is the solution of reinstalling NDES (Chetan's suggestion)?
Hi, Tevfik.
Most commonly, "Invalid Profile" is the result of an unacceptable character in the Certificate Authority request information (e.g. - filling in the "City" field under the "Request Info" section on the Certificate Authority configuration page with "São Paulo" will cause this because of the "ã" character). We've also seen specific devices that will always return the error until they're factory reset.
Here's a KBA about it: https://service.sap.com/sap/support/notes/1986728
Thanks,
Keith Nunn
SAP Active Global Support
SAP Canada
Hi,
Thanks Chetan for your help..
I will try out the above steps.
Two questions...
1) HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword DWORD = 0 or 1?
2) In the CA configuration tab on the Afaria server, is the SCEP challenge compulsory?
Hi,
You can try the following.
The Network Device Enrollment Services installation needs to be refreshed:
Server Manager > Roles > Active Directory Certificate Services; remove the "Role Services" for "Network Device Enrollment Services", then re-install and reboot.
Also make sure
HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword DWORD = 0
Hi,
One more thing I would like to add.
In the Afaria server logs, on enrolling iOS devices, I get the following error:
IPH6003: iPhone: SetDeviceInfo Failed. Invalid Challenge for iPhone or unknown iPhone. IMEI = '358030051772***'