To resolve, I copied the adcs-proxy-ca certificate to my JamfPro Tomcat server (/etc/pki/ca-trust/source/anchors/ is a system directory RHEL uses for certs, so you can copy the adcs-proxy-ca cert here if you want the OS to trust it as well) and added it to the Java cacerts file, followed by a restart of Tomcat. I run RHEL on all of my JamfPro servers so I am guessing this might by why my server did not trust the adcs-proxy-ca cert after uploading it through the web GUI? Potentially a Windows Server based Jamf environment would not have this issue. My master JamfPro Tomcat server did not trust the adcs-proxy-ca certificate so it would not authenticate against it. There's the client-cert for the JamfPro Tomcat server to use, and a CA from the AD CS Connector server (adcs-proxy-ca). The AD CS Connector requires clients to have a certificate to communicate with it (remember the two certificates you upload to the JamfPro interface). I also looked at C:inetpublogsLogFilesW3SVC2 on the Connector server and found 403 errors from my master JamfPro Tomcat server.īoth of those led me to think there was a certificate trust error. (Unable to build an ADCS Connector client.)Ĭaused by: .ResourceAccessException: I/O error on GET request for "": PKIX path building failed: .SunCertPathBuilderException: unable to find valid certification path to requested target nested exception is : PKIX path building failed: .SunCertPathBuilderException: unable to find valid certification path to requested target As suggested by TravellingTechGuy's blog I looked through the JAMFSoftwareServer.log file and found: Certificate request ID 05 has failed. My main issue was getting Jamf to connect to the Connector, I kept getting "Unable to retrieve ADCS certificate from certificate payload" when testing certificate config profiles. Lots of good content in here to help with the whole process and wanted to contribute one piece that may help others. Had to troubleshoot some communication issues with the Connector. Just finished setting up a new AD CS environment last Friday and integrated Jamf's AD CS Connector. Depending on your CA structure, dont forget to add your intermediate and root certificate payloads so the certificate chain is valid. Template Name - as the one you created with the process above.ĥ. As a particular application in my environment requires Subject Alternative Name - i set it to DNS name with a value of "CN=$COMPUTERNAME.my.domain"Ĥ. Give it a name, and set your Certificate Subject to "CN=$COMPUTERNAME.my.domain"ģ. Close Certificate Template Console - Right Click Certificate Template - New - Certificate Template to Issue - Select your Certificate TemplateĢ. Click Subject Name - Click "Supply in the request" optionĦ. Click Security tab - Add Proxy Server computer and set Read, Enroll and Autoenroll permissions (as advised by Jamf)ĥ. Type in the Template Display Name and Template NameĤ. Select Workstation Authentication and Right Click - Duplicate Templateģ. Right click Certificate Template - Manage TemplateĢ. Just to sum it up for other people's reference.ġ. 1x WiFi Profile to use AD cert for EAP-TLS and do have a concern with computers that are not on the network to receive the AD machine Cert. Can I please confirm that by integrating my AD CA to Jamf Pro, does it mean that i can push AD Cert to computers via Config Profile eventhough the computer doesnt have connection to the domain?
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |