Former Member

Afaria - iOS 7.1 enroll failing - The registration authority's response is invalid

Hi

I am trying to enrol an iOS 7.1 device on Afaria 7 SP4 on premise.

I am getting the following error

And from the iPhone utility - Cannot retrieve SCEP Identity

Any thoughts or ideas on why we cannot enrol iOS due to the above error message are greatly appreciated.

Thanks

Andrew


3 Answers

  • Best Answer
    Former Member
    Jun 13, 2014 at 04:17 PM

    Found this snippet, maybe helpful:

    SOLUTION:
    Network Device Enrollment Services installation may need to be refreshed. This can be done by going to Server Manager > Roles > Active Directory Certificate Services and Remove the Role Services for Network Device Enrollment Services and then re-add it following a Reboot.

    Following the reinstall of Network Device Enrollment Services, it may be required to check the following:

    HKLM\Software\Microsoft\Cryptography\MSCEP\EnforcePassword\EnforcePassword DWORD = 0
    The default entry for this key is "1", and must be changed to "0" for the Afaria iPhone provisioning process.

    from


  • Former Member
    Jun 03, 2014 at 09:18 PM

    Hi Andrew,

    Hopefully this thread is going to be helpful:

    Also, it's quite possible it has something to do with the certificate itself.

    Thanks


    • Former Member

      Hi Vadim

      Thanks very much for the response, I will check out the links, and let you know how I get on.

      I have seen so many different threads on similar errors, but nothing works for us at the moment.

      Thanks

      Andrew

  • Former Member
    Jun 10, 2014 at 07:27 AM

    Hello

    I have been trying to work this out for a few days now….I am not getting anywhere with it. I have re-created all certificates, re-configured, re-installed SP4, and still the same error.

    Setup:

    NO Relay server

    All components are on the same server: Afaria, CA, SQL server database etc.

    I have created SSL certificate for https binding.

    When I try to enrol an iOS device (7 or 6) I see the following:

    Generating Key

    Enroling Certificate

    Then I get the following:

    In the iPhone Configuration Utility:

    Jun 10 08:06:37 M514050 securityd[82] <Error>:  SecDbItemInsertOrReplace INSERT failed: The operation couldnt be completed. (com.apple.utilities.sqlite3 error 19 - reset: [19] columns ctyp, issr, slnr, agrp, sync are not unique sql: INSERT INTO cert(rowid,cdat,mdat,ctyp,cenc,labl,alis,subj,issr,slnr,skid,pkhh,data,agrp,pdmn,sync,tomb,sha1)VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?))

    Jun 10 08:06:37 M514050 securityd[82] <Error>:  securityd_xpc_dictionary_handler profiled[944] add The operation couldnt be completed. (OSStatus error -25299 - duplicate item O,cert,B9694BEC,L,dku,com.apple.certificates,0,ctyp,cenc,labl,subj,issr,slnr,skid,pkhh,v_Data,20140610070637.604202Z,17429675)

    Jun 10 08:06:37 M514050 profiled[944] <Error>:  SecOSStatusWith error:[-25299] The operation couldnt be completed. (OSStatus error -25299 - Remote error : The operation couldnt be completed. (OSStatus error -25299 - duplicate item O,cert,B9694BEC,L,dku,com.apple.certificates,0,ctyp,cenc,labl,subj,issr,slnr,skid,pkhh,v_Data,20140610070637.604202Z,17429675))

    Jun 10 08:06:37 M514050 profiled[944] <Notice>: (Note ) MC: Attempting to retrieve issued certificate...

    Jun 10 08:06:37 M514050 profiled[944] <Notice>: (Note ) MC: Could not retrieve issued certificate: NSError:

    Desc   : The SCEP server returned an invalid response.

    US Desc: The SCEP server returned an invalid response.

    Domain : MCSCEPErrorDomain

    Code   : 22013

    Type   : MCFatalError

    Jun 10 08:06:37 M514050 profiled[944] <Notice>: (Error) MC: Cannot retrieve SCEP identity: NSError:

    Desc   : The SCEP server returned an invalid response.

    US Desc: The SCEP server returned an invalid response.

    Domain : MCSCEPErrorDomain

    Code   : 22013

    Type   : MCFatalError

    Jun 10 08:06:37 M514050 profiled[944] <Notice>: (Error) MC: Failure occurred while retrieving profile during OTA Profile Enrollment: NSError:

    Desc   : The SCEP server returned an invalid response.

    US Desc: The SCEP server returned an invalid response.

    Domain : MCSCEPErrorDomain

    Code   : 22013

    Type   : MCFatalError

    Jun 10 08:06:37 M514050 profiled[944] <Notice>: (Error) MC: Installation failed. Error: NSError:

    Desc   : Profile Installation Failed

    Sugg   : The SCEP server returned an invalid response.

    US Desc: Profile Installation Failed

    US Sugg: The SCEP server returned an invalid response.

    Domain : MCInstallationErrorDomain

    Code   : 4001

    Type   : MCFatalError

    ...Underlying error:

    NSError:

    Desc   : The SCEP server returned an invalid response.

    US Desc: The SCEP server returned an invalid response.

    Domain : MCSCEPErrorDomain

    Code   : 22013

    Type   : MCFatalError

    Extra info:

    {

    isPrimary = 1;

    }

    Also, I can see the following in the log on the server, all returned with 200 OK

    2014-06-10 07:06:33  POST /aips2/aipService.svc/BootstrapEnrollment GUID=2488a65a-0178-4185-936c-12766d4dc0ed 80 -  Profile/1.0 200 0 0 2112

    2014-06-10 07:06:36 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=itelliServer 80 - profiled/1.0+CFNetwork/672.1.14+Darwin/14.0.0 200 0 0 111

    2014-06-10 07:06:36 GET /aips2/aipService.svc/scep id=SE5KQUtKRkVMSUVERUdCTkpCRk9NQ0lQSk9HS0NLR0tESkpNQ0RLR1BLRFBKTkVISExKQkhHRkVPTEdIQklPR0pMSEZGRk9QTktDRVBKTE1GTEpQSEhNS09FUENMS0hGRU9CRERKQUJBSEJIR0RNS0JIQ0JKUEdOTE5HS0tLRExKRkFCRU9PS0xLRkRJSk9QTERMT0JNS05IQUxHTkZOTlBHQktLSUlFTUJGTE9ET0lNTE1BR1BDQ0lOTEhNRklERkJEREdMREFNQkVQTUxMQUFBQ0RDSEVLQ0pISVBKTExPTEJQQkdIQUhDSkZOTkdMS0ZDR0hFTFBNRVBNSkRGQ05HT1BGTklHTExOSUVKRU1PQ1BLQktIQk5GUFBOR0FPTUxGS0VQTEhGUERQR0pPSUJITk1QQkNMfA==?operation=GetCACert&message=itelliServer 80 -  profiled/1.0+CFNetwork/672.1.14+Darwin/14.0.0 200 0 0 339

    Does anyone have any ideas on this? Are there any tools out there that will tell me what is wrong with the SCEP response? I can download the SCEP response as a file, but I am not sure what to do with it.

    Thanks

    Andrew
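
On the closing question of what to do with a saved SCEP response file: the following is an added example, not part of the original thread and not Afaria or NDES code. It classifies a saved body by its outer DER structure: a single X.509 certificate, a PKCS#7 SignedData (the form SCEP uses for CA+RA certificate bundles and PKI messages), or something that is not DER at all, such as an HTML page returned with a 200 status. Function names and the byte samples are constructed for illustration.

```python
import sys

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2


def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold it
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def classify_scep_body(data):
    """Name what a saved response body is, judged only by its outer bytes."""
    if not data.strip():
        return "empty"
    if data[0] != 0x30:                    # every DER answer starts with SEQUENCE
        printable = all(32 <= b < 127 or b in (9, 10, 13) for b in data[:64])
        return "text-or-html" if printable else "not-der"
    try:
        _, start, end = read_tlv(data, 0)
        tag, vstart, vend = read_tlv(data, start)
    except ValueError:
        return "truncated-der"
    if end > len(data) or vend > end:      # declared length exceeds the file
        return "truncated-der"
    if tag == 0x06 and data[vstart:vend] == OID_SIGNED_DATA:
        return "pkcs7-signed-data"         # CA+RA bundle or a pkiMessage
    if tag == 0x30:
        return "x509-certificate"          # single DER CA certificate
    return "unknown-der"


# Constructed skeletons (outer structure only, not real certificates).
CERT_SKELETON = bytes.fromhex("3006300402020001")
SIGNED_SKELETON = bytes.fromhex("300d06092a864886f70d010702a000")

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as fh:    # path to the saved response file
        print(classify_scep_body(fh.read()))
```
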

