
Device Certificate with Windows NDES / SCEP

Hi,

First, apologies for my bad English.

I'm trying to get SCEP/NDES working.

Does somebody also use this?

I have iOS devices and Sophos Mobile Control 4.0.3.3.

As CA I use a Windows CA SCEP/NDES server 2008 R2.

In Sophos:

In Settings, System setup, SCEP I use the following settings (HTTP and HTTPS tried):

SCEP server URL:  http://<FQDN>/CertSrv/mscep/

Challenge URL: http://<FQDN>/CertSrv/mscep_admin/

User: <domain>\<username>

Password: *****

Challenge length: 16

And in Profiles, Apple iOS I created a profile.

I named it ndes test and used the following settings:

URL: https://<FQDN>/scep/

Name: <servername>-MSCEP-RA

Subject: CN=%_USERNAME_%

Type of subject alternative name: None

Challenge: %_CACHALLENGE_%

Retries: 3

Retry delay: 10

Key size: 2048

Use as digital signature (unchecked)

Use for encryption (unchecked)

Signature is empty

When I try to transfer the profile to an iPhone I get the following error in Sophos:

A value referenced by a placeholder does not exist.

When I look in server.log:

2015-01-30 15:56:23,707 INFO  [SCEP_GetChallenge STDOUT] CA Challenge request started v1.0.0
2015-01-30 15:56:23,800 INFO  [SCEP_GetChallenge STDOUT] localhost
2015-01-30 15:56:25,175 INFO  [SCEP_GetChallenge STDOUT] http://<FQDN>/CertSrv/mscep_admin/
2015-01-30 15:56:25,175 INFO  [SCEP_GetChallenge STDOUT] <Domain>\<username>
2015-01-30 15:56:25,175 INFO  [SCEP_GetChallenge STDOUT] ***********
2015-01-30 15:56:25,175 INFO  [SCEP_GetChallenge STDOUT] 16
2015-01-30 15:56:25,191 INFO  [SCEP_GetChallenge STDOUT] Retries: 0
2015-01-30 15:56:25,191 INFO  [SCEP_GetChallenge STDOUT] Setting up plain http connection...
2015-01-30 15:56:25,191 INFO  [SCEP_GetChallenge STDOUT] Plain http connection set.
2015-01-30 15:56:26,035 INFO  [SCEP_GetChallenge STDOUT] 200
2015-01-30 15:56:26,144 INFO  [SCEP_GetChallenge STDOUT] null=[HTTP/1.1 200 OK]
2015-01-30 15:56:26,144 INFO  [SCEP_GetChallenge STDOUT] Server=[Microsoft-IIS/7.5]
2015-01-30 15:56:26,144 INFO  [SCEP_GetChallenge STDOUT] Persistent-Auth=[true]
2015-01-30 15:56:26,144 INFO  [SCEP_GetChallenge STDOUT] Content-Length=[1782]
2015-01-30 15:56:26,144 INFO  [SCEP_GetChallenge STDOUT] Date=[Fri, 30 Jan 2015 14:56:25 GMT]
2015-01-30 15:56:26,144 INFO  [SCEP_GetChallenge STDOUT] Content-Type=[text/html]
2015-01-30 15:56:26,175 INFO  [SCEP_GetChallenge STDOUT] text/html
2015-01-30 15:56:26,175 INFO  [SCEP_GetChallenge STDOUT] 1782
2015-01-30 15:56:26,222 INFO  [SCEP_GetChallenge STDOUT] ��H T M L > < H e a d > < M e t a   H T T P - E q u i v = " C o n t e n t - T y p e "   C o n t e n t = " t e x t / h t m l ;   c h a r s e t = U T F - 8 " > < T i t l e > N e t w o r k   D e v i c e   E n r o l l m e n t   S e r v i c e < / T i t l e > < / H e a d > < B o d y   B g C o l o r = # F F F F F F > < F o n t   I D = l o c P a g e F o n t   F a c e = " A r i a l " > < T a b l e   B o r d e r = 0   C e l l S p a c i n g = 0   C e l l P a d d i n g = 4   W i d t h = 1 0 0 %   B g C o l o r = # 0 0 8 0 8 0 > < T R > < T D > < F o n t   I D = l o c P a g e T i t l e F o n t   F a c e = " A r i a l "   S i z e = - 1   C o l o r = # F F F F F F > < L o c I D   I D = l o c M S C e r t S r v > N e t w o r k   D e v i c e   E n r o l l m e n t   S e r v i c e < / L o c I D > < / F o n t > < / T D > < / T R > < / T a b l e > < P   I D = l o c P a g e T i t l e >   N e t w o r k   D e v i c e   E n r o l l m e n t   S e r v i c e   a l l o w s   y o u   t o   o b t a i n   c e r t i f i c a t e s   f o r   r o u t e r s   o r   o t h e r   n e t w o r k   d e v i c e s   u s i n g   t h e   S i m p l e   C e r t i f i c a t e   E n r o l l m e n t   P r o t o c o l   ( S C E P ) .   < / P > < P >   Y o u   d o   n o t   h a v e   s u f f i c i e n t   p e r m i s s i o n   t o   e n r o l l   w i t h   S C E P .     P l e a s e   c o n t a c t   y o u r   s y s t e m   a d m i n i s t r a t o r .   < / P >   < P   I D = l o c P a g e D e s c >   F o r   m o r e   i n f o r m a t i o n   s e e     < A   H R E F = h t t p : / / g o . m i c r o s o f t . c o m / f w l i n k / ? L i n k I d = 6 7 8 5 2 > U s i n g   N e t w o r k   D e v i c e   E n r o l l m e n t   S e r v i c e   < / A > .   < / P >   < P > < / F o n t > < / B o d y > < / H T M L >   
2015-01-30 15:56:26,253 INFO  [SCEP_GetChallenge STDOUT] ??<HTML><Head><Meta HTTP-Equiv="Content-Type" Content="text/html; charset=UTF-8"><Title>Network Device Enrollment Service</Title></Head><Body BgColor=#FFFFFF><Font ID=locPageFont Face="Arial"><Table Border=0 CellSpacing=0 CellPadding=4 Width=100% BgColor=#008080><TR><TD><Font ID=locPageTitleFont Face="Arial" Size=-1 Color=#FFFFFF><LocID ID=locMSCertSrv>Network Device Enrollment Service</LocID></Font></TD></TR></Table><P ID=locPageTitle> Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP). </P><P> You do not have sufficient permission to enroll with SCEP.  Please contact your system administrator. </P> <P ID=locPageDesc> For more information see  <A HREF=http://go.microsoft.com/fwlink/?LinkId=67852>Using Network Device Enrollment Service </A>. </P> <P></Font></Body></HTML>
2015-01-30 15:56:26,253 INFO  [SCEP_GetChallenge STDOUT] ?<HTML><Head><Meta HTTP-Equiv="Content-Type" Content="text/html; charset=UTF-8"><Title>Network Device Enrollment Service</Title></Head><Body BgColor=#FFFFFF><Font ID=locPageFont Face="Arial"><Table Border=0 CellSpacing=0 CellPadding=4 Width=100% BgColor=#008080><TR><TD><Font ID=locPageTitleFont Face="Arial" Size=-1 Color=#FFFFFF><LocID ID=locMSCertSrv>Network Device Enrollment Service</LocID></Font></TD></TR></Table><P ID=locPageTitle> Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP). </P><P> You do not have sufficient permission to enroll with SCEP.  Please contact your system administrator. </P> <P ID=locPageDesc> For more information see  <A HREF=http://go.microsoft.com/fwlink/?LinkId=67852>Using Network Device Enrollment Service </A>. </P> <P></Font></Body></HTML>
2015-01-30 15:56:26,253 INFO  [SCEP_GetChallenge STDOUT] Getting challenge...
2015-01-30 15:56:26,253 INFO  [SCEP_GetChallenge STDOUT] Could not get challenge, trying plain UTF-16LE
2015-01-30 15:56:26,253 INFO  [SCEP_GetChallenge STDOUT] Could not get challenge. Error
2015-01-30 15:56:26,269 ERROR [EJB-Timer-1422587167732[target=jboss.j2ee:jndiName=ejb/Scheduler,service=EJB] smartphone_solutions.smartman.scheduler] Could not personalize IOS MDM

When I use the user on the server and use Internet Explorer and go to: http://<FQDN>/CertSrv/mscep_admin/ everything is OK.

Could somebody help me?

I have the idea that Sophos does not use the user to log in at the Windows CA.

Regards,

Arnoud
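As an added example (not code from the post or from Sophos), here is a small Python check for the mscep_admin response that an MDM's challenge fetch (the SCEP_GetChallenge step in the log above) receives: it decodes the UTF-16LE body NDES sends, which is why the log shows spaced letters, and tells the "sufficient permission" page apart from a usable challenge. The sample responses and the success-page wording ("enrollment challenge password is:") are constructed assumptions.

```python
import re

# Constructed samples (not from the original post). NDES answers HTTP 200 in both
# cases, so the body must be inspected; Windows sends it as UTF-16LE with a BOM.
DENIED_HTML = ('<HTML><Head><Title>Network Device Enrollment Service</Title></Head>'
               '<Body><P> You do not have sufficient permission to enroll with SCEP.  '
               'Please contact your system administrator. </P></Body></HTML>')
# Assumed success-page wording; the phrase and the hex value are constructed.
OK_HTML = ('<HTML><Head><Title>Network Device Enrollment Service</Title></Head>'
           '<Body><P ID=locPageDesc> To obtain a certificate for a network device, '
           'the enrollment challenge password is: <B> 1A2B3C4D5E6F7A8B </B> '
           'This password can be used only once. </P></Body></HTML>')
DENIED_BYTES = b"\xff\xfe" + DENIED_HTML.encode("utf-16-le")
OK_BYTES = b"\xff\xfe" + OK_HTML.encode("utf-16-le")


def decode_ndes_body(raw: bytes) -> str:
    """Decode the admin page body, honouring the UTF-16LE BOM that NDES emits."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8", errors="replace")
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        # Last resort for a BOM-less UTF-16 body.
        return raw.decode("utf-16-le", errors="replace")


def parse_ndes_challenge(raw: bytes, expected_len: int = 16) -> dict:
    """Classify a mscep_admin response: permission denied, usable challenge, or unknown."""
    text = re.sub(r"<[^>]+>", " ", decode_ndes_body(raw))
    text = " ".join(text.split())
    if "do not have sufficient permission to enroll with SCEP" in text:
        # The account the MDM authenticated as (or no account at all, if the MDM
        # never sent credentials) is not allowed to request challenges. The HTTP
        # status is still 200, so a client that only checks the code sees "success".
        return {"status": "denied", "challenge": None}
    m = re.search(r"challenge password is:\s*([0-9A-Fa-f]+)", text)
    if m and len(m.group(1)) == expected_len:
        # Length check mirrors the "Challenge length: 16" setting in the MDM.
        return {"status": "ok", "challenge": m.group(1).upper()}
    return {"status": "unknown", "challenge": None}
```

Run against the denied page from the log the result is "denied", which points at the NDES account's permissions or at the MDM not authenticating, not at the profile placeholders.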


