Enrollment issue

Similar Messages

• Mac Enrollment Issue on SCCM 2012 SP1

  Hi Guys,
  I am working on Mac enrollment(10.7) and facing issue during enrollment. Below is the error message when we try to run the enrollment command on Mac :
  “Server connection failed. HTTP Response code is 500 and reason is Internal Server Error"
  Below are Log info:
  Enrollsrv.log : No error message is highlighted.
  Enrollweb.log:
  No error message is highlighted.
  Enrollservice.log:
  [7, PID:7304][10/28/2013 16:40:03] :ConfigManager: ChainStatus error: RevocationStatusUnknown,The revocation function was unable to check revocation for the certificate.
  ;OfflineRevocation,The revocation function was unable to check revocation because the revocation server was offline.
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
     at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
     at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
     at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
  [7, PID:7304][10/28/2013 16:40:03] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed
  [13, PID:7304][10/28/2013 17:11:01] :EnrollmentService application stop ...
  [3, PID:956][10/28/2013 17:45:37] :EnrollmentService application start ...
  [3, PID:956][10/28/2013 18:06:38] :EnrollmentService application stop ...
  [3, PID:4700][10/28/2013 18:45:39] :EnrollmentService application start ...
  [7, PID:4700][10/28/2013 19:06:40] :EnrollmentService application stop ...
  [3, PID:5872][10/28/2013 19:45:42] :EnrollmentService application start ...
  [13, PID:5872][10/28/2013 20:06:42] :EnrollmentService application stop ...
  Can someone shed info on resolution of the above issue?
  Also, is there any means by which we can troubleshoot the Mac enrollment issue step by step? Also what entries needs to be checked in all logs for successful enrollment?

  the following links may give you some hints:
  http://social.technet.microsoft.com/Forums/en-US/48bc7fcc-3d84-4042-abac-67f30d701121/mac-enrollment-issue?forum=configmanagerdeployment
  http://www.windows-noob.com/forums/index.php?/topic/7391-mac-enrollment-issue/

• Window 8.1 device mdm enrolment issue

  Window 8.1 device(Laptop and Tablet) doesn't shows the option of entering enrollment server address while enrolling it through Network->Workplace Settings.
  Windows Phone 8.1 doesn't have this issue. 

  Did you try the Nokia Software Recovery Tool already?

• Re-enrollment issue

  We are upgrading the clients to Windows 8.1 with SCCM 2012 and are experience a strange issue with users and computers certificates,
  the clients both consist of laptops, desktops and hybrids (Lenovo Tablet) and the only client that experiences this problems is the laptop.
  There active directory is running windows server 2003 as does the certificate authority with a two tier.
  When the client first deploys and goes through the task sequence they both get the certificates installed, user certificate and computer
  certificate.  However during and redeployment of the client were, I suspect, when an certificated already have been issued it can't reenroll once more, except when enforcing it with certutil –pulse in which the certificates gets installed.
  As the auto enrollment have worked fine with Windows XP clients, but also works with the desktops and hybrid I have no idée to fix this.
  I have looked through the certificate authority and controlled all the settings, but I don’t suspect the CA is the issue here since it can reenroll, just on other clients when they are redeployed.
  In the CA I can read this error in the event viewer; but the error doesn’t get any more specific.
  "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not
  have permission to request this type of certificate"
  Why this does only happened to laptops and not the desktops/hybrids? There is no difference between them either in AD or in CA, not
  in the task sequence either if someone interested in that, just different standard applications and drivers.
  Why does the command certutil -pulse work on the contrary to GPO?
   Is this issue even a problem that related to the certificate authority?

  I'm actually seeing the same issue here for my Windows 8.1 workstations. Until Windows 8 the autoenrollment policies have not been a problem. The client certificates are needed for the automatic client enrollment in System Center Configuration Manager. Until
  now I've checked if the group policies were applied well. Results of the get-certificateautoenrollmentpolicy are:
  PS C:\Users\administrator> Get-CertificateAutoEnrollmentPolicy -context machine -scope applied
  PolicyState                : Enabled
  EnableMyStoreManagement    : True
  EnableTemplateCheck        : True
  ExpirationPercentage       : 10
  StoreName                  : {MY}
  EnableBalloonNotifications : False
  So it looks like the policy is being applied.
  When rebooting or manually updating the policies with gpupdate no certificate is enrolled. When I use the certutil -pulse command however i receive a certificate without any problems. I've been testing with your suggestion to change the permissions
  on the template (giving authenticated users enroll permissions as well) but this doesn't change anything. 
  We're using a Server 2008 R2 CA
  Did you get any further with this?

• ConfigMgr R2 - Mac OS Enrollment Issues

  Hello everyone,
  First, a few details on where I'm at:
  Single ConfigMgr 2012 R2 Site w/ PKI 
  Requisite roles are installed and HTTPS is enabled to allow 'internet and intranet' clients
  Apple iMac with OSX 10.9
  Mac is added to Active Directory
  R2 Client is installed on Mac
  Entered server name into Safari, installed Root Certificate and allowed it to 'Always Trust'
  Ran 'Configuration Manager' tool in Preferences, go to enroll, enter credentials, and I get:
  "Server is not trusted. Do you want to continue?"  I choose yes and get the following:
  "Error: Enrollment error (0x8018002a)"
  If I look in the System Keychain on the Mac I see the 'SCCM' public and private keys.  Running 'CMDiagnostic' doesn't show me any blatant errors.
  If I take the Mac and connect to the Internet outside of our Domain I simply get 'Unable to contact the server for this request.'  If I type in the FQDN of the server into Safari at that point it does not resolve.  If I do an NSLOOKUP with the
  trailing '.' or do a DIG of the address outside of the Domain, I do get it to resolve.
  Any ideas?  Next steps?

  What guide are you following?  Installing the certificate through Safari isn't related to client enrollment.
  What do you see for errors on enrollment point that is trying to issue the certificate?
  http://technet.microsoft.com/en-us/library/hh427342.aspx#BKMK_CertificateEnrollment
  I hope that helps,
  Nash
  Nash Pherson, Senior Systems Consultant
  Now Micro -
  My Blog Posts
  If you found a bug or want the product to work differently,
  share your feedback.
  <-- If this post was helpful, please click the up arrow or propose as answer.
  I have to be honest, I had a consultant here to help with this last week and he never got it working so I'm now trying to go over everything he did to try and figure out what is going on.
  Those logs you asked for, those look to be for the Certificate Registration Point but I don't have that role installed.  When I look at the Mac OS Enrollment instructions I only see the Enrollment Point and Enrollment Proxy Point which are installed.

• OAB/OSB Oracle Advanced/Standard Benefits Enrolling Issue manually.

  Hello Everyone - The issue I am about to list below maybe peculiar in ERP nature and I think it will get lot of Benefits Guru thinking as it has got me(tho I am no Benefits Guru).
  First, lets get basic nuts and bolts in place about the environment,
  1. We are using Oracle 11i for just HR with functionality of payroll and benefits as suitable to client.
  2. Payroll is outsourced, maintaining benefits is outsourced.
  3. Deciding if it is OSB or OAB is bit tricky here, as parts of both are used.
  4. Only one Life Event - 'UnRestricted' is used.
  5. Benefit Programs, Plans, Options are built just as it is in outsourced Benefits Portal.
  6. Activity Rate is built and attached to Payroll Elements. This maintains the correct information for employee benefits and this information is pushed to outsourced Payroll for deductions.
  7. Open Enrollements were done in NOV.11 FOR THE year-2012.
  8. No Benefits or Payroll concurrent processes are executed in Oracle.
  9. New enrollments and changes to current enrollments are done via Benefits Service Center-->Non-Flex Program form.
  Now that we have established the ground, lets detail out the issue,
  10.A new plan is created for LTD as of Jan.01,2012. This plan falls in a Plan Type. We just have one single Benefit Program. Variable Rate Profile and Standard Rates for LTD plan started as of Jan.01,2012.
  11. Eligibility Profile is created for this plan based on only Age band, e.g., 1-20..21-29...etc.
  12. Variable Rate Profile is built as per the age band and attached with above Eligibility Profile. Details of important information for Variable Rate profile is as the following,
  - Employee Payroll Contribution
  - Aftertax
  -Monthly
  - Multiply By
  - Rates
  Calculation Method - Multiple of Compensation
  Multiplier - .07
  Operator - PER hUNDRED
  Comp. Factor - Monthly Salary
  Rounding COde - Round to Nearest Hundreth
  13. Standard rate details are as below,
  - Calculation Method - Flat Amount
  - Enter Value At Enrollment is selected.
  Values for Min,Max,Increment,Default is enter
  No other information on any other form is enter.
  Lets come to the issue now, please keep in mind that Non Flex Program form is used via Benefits Service Center to execute below situations,
  ============================================================================================================
  Situation 1-
  Client wanted to put employees on this plan from Jan.01,2012 BUT is not able to because the pay period start date for Jan.01,2012 falls on Dec.19,2011. As plan is created on Jan.01,2012 so it is not allowing to enroll employees on Jan.01 so instead they are enrolled as of Jan.02,2012(pay period start date for second period 2012).
  Questions 1-
  Is it ok to start them on Jan.02,2012? Does that mean employees are not covered for one day? Is it possible to change the start date of the plan, variable profile and standard rate before or on Dec.19,2011? OR can we force to enroll employees from Jan.01,2012?
  ===========================================================================================================
  Situation 2 -
  New employees are created after January 2012 and and benefits administrator tries to enroll them on the plan. Employee start date falls in middle of the pay period start and end date hence while enrolling a system error pops up that employee assignment is not active as of the pay period start date. This is true so as a workaround, these employees are enrolled on the plan from the next pay period from the date of joining.
  Question 2 -
  Is this expected functionality in benefits? IF it is then is there a way to enroll employees on the benefit plan as of the joining date, without worrying about the pay period start date?
  ===============================================================================================================
  Situation 3 -
  Different behavior on non flex program form for just one employee who has been with the company for 2 years on full-time basis. When tried to enroll this employee on the LTD plan, a pop-up window appears with all rate options setup as per the variable rate profile. If a rate is selected from this list than it defaults the amount in the Defined section of Amount Tab. While for everyone else, when enrolling them on the Plan, no pop-up window appears and the benefits administrator can enter the Amount in Defined section.
  Question 3 -
  Is this an expected functionality? Can someone please shed some light on why this is happening and how to fix it?
  =============================================================================================================
  Thats all I have for now and I really need advice on the 3 situations above. I have hit the road block and not sure how to proceed.
  Looking forward to the post replies.
  Thanks in Advance.

  Hello Everyone - The issue I am about to list below maybe peculiar in ERP nature and I think it will get lot of Benefits Guru thinking as it has got me(tho I am no Benefits Guru).
  First, lets get basic nuts and bolts in place about the environment,
  1. We are using Oracle 11i for just HR with functionality of payroll and benefits as suitable to client.
  2. Payroll is outsourced, maintaining benefits is outsourced.
  3. Deciding if it is OSB or OAB is bit tricky here, as parts of both are used.
  4. Only one Life Event - 'UnRestricted' is used.
  5. Benefit Programs, Plans, Options are built just as it is in outsourced Benefits Portal.
  6. Activity Rate is built and attached to Payroll Elements. This maintains the correct information for employee benefits and this information is pushed to outsourced Payroll for deductions.
  7. Open Enrollements were done in NOV.11 FOR THE year-2012.
  8. No Benefits or Payroll concurrent processes are executed in Oracle.
  9. New enrollments and changes to current enrollments are done via Benefits Service Center-->Non-Flex Program form.
  Now that we have established the ground, lets detail out the issue,
  10.A new plan is created for LTD as of Jan.01,2012. This plan falls in a Plan Type. We just have one single Benefit Program. Variable Rate Profile and Standard Rates for LTD plan started as of Jan.01,2012.
  11. Eligibility Profile is created for this plan based on only Age band, e.g., 1-20..21-29...etc.
  12. Variable Rate Profile is built as per the age band and attached with above Eligibility Profile. Details of important information for Variable Rate profile is as the following,
  - Employee Payroll Contribution
  - Aftertax
  -Monthly
  - Multiply By
  - Rates
  Calculation Method - Multiple of Compensation
  Multiplier - .07
  Operator - PER hUNDRED
  Comp. Factor - Monthly Salary
  Rounding COde - Round to Nearest Hundreth
  13. Standard rate details are as below,
  - Calculation Method - Flat Amount
  - Enter Value At Enrollment is selected.
  Values for Min,Max,Increment,Default is enter
  No other information on any other form is enter.
  Lets come to the issue now, please keep in mind that Non Flex Program form is used via Benefits Service Center to execute below situations,
  ============================================================================================================
  Situation 1-
  Client wanted to put employees on this plan from Jan.01,2012 BUT is not able to because the pay period start date for Jan.01,2012 falls on Dec.19,2011. As plan is created on Jan.01,2012 so it is not allowing to enroll employees on Jan.01 so instead they are enrolled as of Jan.02,2012(pay period start date for second period 2012).
  Questions 1-
  Is it ok to start them on Jan.02,2012? Does that mean employees are not covered for one day? Is it possible to change the start date of the plan, variable profile and standard rate before or on Dec.19,2011? OR can we force to enroll employees from Jan.01,2012?
  - This depends on your business case. Product feature wise, all are possible options. Some easier than others. You can control when the coverage starts and when the employee starts paying in separate codes. So, one can be different from the other.
  ===========================================================================================================
  Situation 2 -
  New employees are created after January 2012 and and benefits administrator tries to enroll them on the plan. Employee start date falls in middle of the pay period start and end date hence while enrolling a system error pops up that employee assignment is not active as of the pay period start date. This is true so as a workaround, these employees are enrolled on the plan from the next pay period from the date of joining.
  Question 2 -
  Is this expected functionality in benefits? IF it is then is there a way to enroll employees on the benefit plan as of the joining date, without worrying about the pay period start date?
  - The only requirement in OAB is that the person should be available as of the life event occured date. Of course in case of a new hire, you cannot write any data before the start date of the person. this needs to be handled via correct configuration. If you want the employees to get enrolled from the next pay period, chose appropriate rate and coverage start date codes.===============================================================================================================
  Situation 3 -
  Different behavior on non flex program form for just one employee who has been with the company for 2 years on full-time basis. When tried to enroll this employee on the LTD plan, a pop-up window appears with all rate options setup as per the variable rate profile. If a rate is selected from this list than it defaults the amount in the Defined section of Amount Tab. While for everyone else, when enrolling them on the Plan, no pop-up window appears and the benefits administrator can enter the Amount in Defined section.
  Question 3 -
  Is this an expected functionality? Can someone please shed some light on why this is happening and how to fix it?
  -- I think this is a data/setup issue. Please investigate accordingly.=============================================================================================================
  Thats all I have for now and I really need advice on the 3 situations above. I have hit the road block and not sure how to proceed.
  Looking forward to the post replies.
  Thanks in Advance.
  Edited by: Vinayaka Prabhu on Apr 23, 2012 9:24 AM

• Domain Controller Auto-Enrollment Issue

  I recently noticed one of our domain controllers is not auto enrolling its Domain Controller certificate with our AD CS server. 
  We have 2 DC's and one auto-enrolls just fine and the other one doesn't. The one that auto-enrolls fine is a Server 2008 R2 domain controller and the one that doesn't is a Server 2012 R2 domain controller (the schema has been updated to accommodate this
  domain controller). The CA is on the Server 2008 R2 DC (I noticed this issue as I am planning on migrating off the CA from the DC to its own dedicated DC). 
  I see three errors in the event log:
  Event ID 6: Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
  Event ID 13: Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from DC
  FQDN\CA Name (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
  Event ID 82: Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {61B8511A-9BFE-46A8-90D5-FB1709DADB2D} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
  Failed to enroll for template: DomainController
  In a packet capture, I am seeing this error: Expert Info (Note/Response): Fault: nca_s_fault_access_denied
  I did notice the "Certificate Service DCOM Access" group had no members, so I added the Authenticated Users group into it (I have a newly stood up development domain and notice Authenticated Users was in this group by default). Still not having
  any success. I tried stopping the CA service and starting it up after this group change and had no success either. I haven't rebooted any of the servers yet...didn't think I needed too. 
  I tried the "certutil -config - -ping" command and it found the proper CA and once I selected it, I was able to connect to the CA just fine and says its alive. 
  Not to sure where to look at from here as I am out of ideas. 

  Ok I got this working, but not sure what finally kicked it in.
  I followed this article first: http://support.microsoft.com/kb/947237 After performing what that article mentions, I still had the same errors.  It only mentions Vista, so didn't think it applied. Not entirely sure what the certutil
  -setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG does. I think it added permissions to my DCOM COM Security for Access and Launch/Activation permissions? 
  Initially testing this, it failed with the same errors. After a few minutes, I tried again to see if the packet capture was showing the same authentication error, and it finally succeeded. 

• ESS Benefits open enrollment - Issue

  Hi,
  When we click on the benefits open enrollment link, we do not want some of the plans to be displayed to the ess user. Is there any way to control it ( SPRO or BAdI ).
  Env - EP 7.0, ECC6.0
  Thanks,
  Ravi

  I posed the same question to an ESS consultant who responded with the following:
  "The plans presented in benefits enrollment (PZ14) and Participation Overview (PZ07) are list output from ABAP.  You can go into the program and select or exclude some of them based on certain criteria.  I've seen customers extend the Plan infotype to add a flag field to make it configurable to show, not show a given plan."
  Since specific instructions weren't given, I wouldn't consider the issue answered.
  However, I can provide the following work around:
  Due to the fact that different populations have different open enrollment period timeframes, and all populations have been configured under one benefit area...we decided to create an "Open Enrollment Adjustment Reason" for each group instead.  Thus, the Adjustment Reason permissions will only display the plans we want the employee to see via ESS.  Prior to the open enrollment period for the population, we will run the Mass Adjustment Reason report to create IT378 for all relevant employees.  The OE offer will appear as another Adjustment Reason under the Enrollment service in ESS.

• Regd:Benefits Open Enrollment Issue

  Hi SAP,
  I have problem in Open Enrollment which is in ESS.
  We have used the Portal Navigation for designing the Navigation instead of Homepage Framework.
  When we were using Homepage frame work the open Enrollment works fine(ie) it will be highlighted when the period is opened and it will be glared when the period is closed.
  But now after changing the navigation design it is working fine when the period is open but its not getting blared or disabled when it is closed instead it gives me the error.
  I need to make it disable when the period is closed.
  Is there any configuration that I have to do.
  Please put me some light on it.
  Its very urgent.

  I posed the same question to an ESS consultant who responded with the following:
  "The plans presented in benefits enrollment (PZ14) and Participation Overview (PZ07) are list output from ABAP.  You can go into the program and select or exclude some of them based on certain criteria.  I've seen customers extend the Plan infotype to add a flag field to make it configurable to show, not show a given plan."
  Since specific instructions weren't given, I wouldn't consider the issue answered.
  However, I can provide the following work around:
  Due to the fact that different populations have different open enrollment period timeframes, and all populations have been configured under one benefit area...we decided to create an "Open Enrollment Adjustment Reason" for each group instead.  Thus, the Adjustment Reason permissions will only display the plans we want the employee to see via ESS.  Prior to the open enrollment period for the population, we will run the Mass Adjustment Reason report to create IT378 for all relevant employees.  The OE offer will appear as another Adjustment Reason under the Enrollment service in ESS.

• Adjustment Reason based Enrollment Issue

  My Open Enrollment ESS piece is working fine. The issue is with the Adjustment reason based ones.
  Basically our Open Enrollment service is enabled via regular Open Enrollment object in Benefits Adminsitration under Personnel Management ( and this works fine when I use the OPEN_ENROLLMENT service since it picks up the OPEN event).
  We also have another plan which is given to employees via 378 and so is based on an Adjustment Reason.
  When I try to enable the EMPLOYEE_GENERICENROLLMENT_SERVICE service, I get the first page which lists all the available plans for my user. But when I try to click on a particular plan, it takes me to a blank page.
  I have set the PCD URL for the Resource to the corresponding page and that is why I think the first page shows up - this is all good but I can't get to the actual enrollment from there. Any ideas?
  Thanks,
  BR

  Now, I am confused....
  You say that you are pointing your resource for OE to the area page of Benefits - and it is working fine.
  I cannot verify it since I am on ECC 6.0 and using all the services ending in 05.
  This is what I see in my system:
  EMPLOYEE_OPENENROLLMENT_SERVICE
  ROLES://portal_content/com.sap.pct/every_user/com.sap.pct.ess.employee/com.sap.pct.ess.roles/com.sap.pct.ess.employee_self_service/com.sap.pct.ess.employee_self_service/com.sap.pct.ess.area_benefits_payment/com.sap.pct.ess.serv_benefits_payment
  EMPLOYEE_GENERICENROLLMENT_SERVICE
  ROLES://portal_content/com.sap.pct/every_user/com.sap.pct.ess.employee/com.sap.pct.ess.roles/com.sap.pct.ess.employee_self_service/com.sap.pct.ess.employee_self_service/com.sap.pct.ess.area_benefits_payment/com.sap.pct.ess.serv_benefits_payment
  EMPLOYEE_BENEFITPAY_PAG
  ROLES://portal_content/com.sap.pct/every_user/com.sap.pct.ess.employee/com.sap.pct.ess.roles/com.sap.pct.ess.employee_self_service/com.sap.pct.ess.employee_self_service/com.sap.pct.ess.area_benefits_payment/com.sap.pct.ess.area_benefits_payment
  The first two resources above are pointing to a Service page. (Page you see as "Enrollment" in the standard role)
  The third one points to the Area Page (Page you see as "Benefits and Payment" in the standard role)
  You should be using the PCD path of the Service page in your resources for OPEN enrollment and Generic Enrollment
  Anyway, to just quickly test your new Generic Enrollment service, you can edit the existing resource for OE and enter the URL parameter and see if it works...
  Try these things and let me know how it goes ...
  - Shanti

• Auto enrollment issue - in AD user object certificate is missing

  In our environment , we are publishing User certificate and SMIME certificate through auto enrollment, both are been pushed through same Group policy. We identified that few of the user  (around 200+ users) AD object  is not having SMIME certificate
  but user certificate is available . In the Issuing CA and users local store we can able to find the certificate . We revoked 2 or 3 user certificate and when the user next logging in , the certificate has been successfully generated, we dont know what is causing
  the issue. Please help on this.
  We have checked the group policy its applying properly.
  We have checked few of the user machine and found that the error Eventid # 6 has been generated every 8 hours once. (Automatic server enrollment  failed. the specified server can not perform the requested operation)
  The working users and affected users all are part of same OU.

  Dear All,
  Thanks for your inputs. We found solution on this. we assume issue with attribute modification conflicts 
  We are having two different issuing CA in our environment and both are in same site, in the site is having 4 domain controller. 
  - We ran the network monitor in both the Issuing CA's and found the communication between Issuing CA and domain controllers for each user certificate  (success and failure also)
  - we can able to see there is difference between both the certificate generation is less than 8 seconds
  - The first (SMIME) certificate has been published in the AD object through Domain controller A and second certificate is reaching Domain controller B for publish the second (USER) certificate in few seconds.
  - When replication is happening between Domain controller A and Domain controller B, the highest version value is winning
  - We ran the command repadmin /showobjmeta "users distinguish name" for success user and failure user
  - found success users certificate version is 2 and failure user certificate version is 1.
  Solution: We are planning to make single Issuing CA for both certificate enrollment.
  Not sure what are the impacts on this

• Fingerprint Enrollment Issue

  Hi,
  I'm having an annoyed problem with the fingerprints function. I upgraded my windows from 7 to 8.1 (64 bit) and installed HP protect tools and Validity Sensor already. But I cannot assign any new fingerprints which are the same as what I do have for windows 7 before. 
  It says that "this fingerprint has been enrolled" hence I tried to clear all data of fingerprint by accessing Administraive Console, however this didn't work. The message I received is that "Secure reader cleanup operation failed. Unspecified error 0x80004005".
  Also, I have tried to Reset all fingerprint data into factory default from BIOS. I thought it would help but again, it does nothing.  I mean I did tried to access to BIOS and do everything I can to clear/remove/delete/reset fingerprint data to default but.... 
  Well, could anyone please help me? Thank you in advance.
  Kane 
   p/s: my laptop is Probook 4540s

  Hi @KaneNguyen , 
  To get your issue more exposure I would suggest posting it in the commercial forums since this is a commercial product. You can do this at Commercial Forums.
  Even though this is a Commercial product.  Here is a link to troubleshooting the software. I would start by update the fingerprint reader device driver section in this document.
  Please let me know.
  Thanks.
  Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
  Click the “Kudos, Thumbs Up" on the bottom to say “Thanks” for helping!

• SCCM 2012 R2 + Intune - Android Enrollment issue

  Hi,
  I have an issue enrolling Android devices in our SCCM 2012 R2 in combination with Windows Intune, ADFS & DirSync.
  All devices except Android enroll just fine, are visible in SCCM, get Apps and policies. When I try to enroll my Android devices (tried multiple types and Android versions) I get
  an error after being redirected to the ADFS login page. I get an error stating the page has either moved, been deleted or is not reachable due to connectivity issues. When logging in on portal.manage.microsoft.com everything, including the redirection, works
  fine.
  All prerequisites are in place, the only thing which I haven't added is the Exchange Connector due to an 2007 backend, but afaik this isn't needed for basic Android enrollment
  and management.
  What I do notice is that the Company Portal for Android is redirected to a different URL for ADFS than, for example, my laptop.
  Laptop URL: https://adfs.contoso.com/adfs/ls/?cbcxt=portal&popupui=1&vv=&username=username%40contoso.com&mkt=&lc=9&wfresh=&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=wa%3Dwsignin1.0%26wreply%3Dhttps%253a%252f%252fmanage.microsoft.com%252fUISecurityTokenService%252fStsLoginRedirect.aspx%26wctx%3Dhttps%253a%252f%252fm.manage.microsoft.com%252f%26cbcxt%3DPortal%26wp%3DHBI_FED%26popupui%3D1%26lc%3D9%26bk%3D1392111237%26LoginOptions%3D3
  Android Device URL:
  Anyone else had these issues? As I can't seem to find anything related about it online.
  Thanks in advance,
  Br David

  Hi Nick,
  I solved this problem by adding the Root and Intermediate certificates to my ADFS proxy server. It seems, though it's is not very well documented, that Android / Chrome have issues with resolving entire certificate chains, and on top of that there are less
  Trusted Root CA's in both Chrome and Android. This is proven by the fact that iOS and WP8 enrollment worked just fine.
  After adding adding the missing Certs on my ADFS proxy server, and rebooting the machine, everything works as intended.
  Let me know if this solved your problem, if not maybe I have another idea for you.
  Br David
  edit: and ofcourse now I see your answer, so it seems you got your problem fixed. Leaving my answer up here just in case.

• Mac Enrollment Issue

  Hello,
  Having some trouble enrolling my first Mac device with SCCM 2012 SP1.
  I have installed the client and am trying to use the CMEnroll Tool with no success.
  Command I am using is this:
  CMEnroll -s fqdn.siteserver -ignorecertchainvalidation -u "domain\username"
  and on the client I recieve the error:
  Server connection failed. http response code is 500 and reason is internal server error.
  On the server in the EnrollmentServer.log I recieve this error:
  [6, PID:5748][02/01/2013 13:48:35] :WindowsIdentity is created for domain: domain user: username
  [6, PID:5748][02/01/2013 13:48:35] :validated user credentials
  [6, PID:5748][02/01/2013 13:48:35] :Handling RequestSecurityToken
  [6, PID:5748][02/01/2013 13:48:35] :claim identity name: domain\username
  [6, PID:5748][02/01/2013 13:48:35] :ConfigManager: RefreshCache: Creating Enrollment Profile 16777220
  [6, PID:5748][02/01/2013 13:48:35] :EnrollmentServiceProfile: GetDBCAs retrieved Template information:  
  [6, PID:5748][02/01/2013 13:48:35] :Template: ConfigMgrMacClientCertificate
  [6, PID:5748][02/01/2013 13:48:35] :CA: System.Collections.Generic.List`1[System.String]
  [6, PID:5748][02/01/2013 13:48:35] :The CA server.domain is in forest cac.local
  [6, PID:5748][02/01/2013 13:48:35] :Impersonating caller: domain\username
  [6, PID:5748][02/01/2013 13:48:35] :Revert back to self: NT AUTHORITY\NETWORK SERVICE
  [6, PID:5748][02/01/2013 13:48:35] :ConfigManager: Sending CA Success Status - ENROLLSRVMSG_CA_SUCCESS
  [6, PID:5748][02/01/2013 13:48:50] :ConfigManager: CA Chains count: 2
  [6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;
  [6, PID:5748][02/01/2013 13:48:50] :ConfigManager: ChainStatus error: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
  [6, PID:5748][02/01/2013 13:48:50] :Microsoft.ConfigurationManagement.Enrollment.EnrollmentServerException: RevocationStatusUnknown,Unknown error.;OfflineRevocation,Unknown error.;
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.SplitCACertChain(String base64cert)
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.setCAChain(EnrollmentServiceProfile profile, WindowsIdentity requester)
     at Microsoft.ConfigurationManagement.Enrollment.ConfigManager.RefreshCache(Int32 enrollmentProfileId, EnrollmentRecordType type, String template, WindowsIdentity requester)
     at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.ProcessRequestSecurityToken(RequestSecurityTokenType request, WindowsIdentity caller, ActionEnum action)
     at Microsoft.ConfigurationManagement.Enrollment.RequestHandler.EnrollDevice(Message messageRequest)
     at Microsoft.ConfigurationManagement.Enrollment.DeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
  [6, PID:5748][02/01/2013 13:48:50] :FaultCode is: EnrollmentServer and reason is: EnrollmentServerException InitializeFailed
  Any ideas?

  Have you followed the instructions on these links fully?<o:p></o:p>
  Create the Cert Template:<o:p></o:p>
  http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012<o:p></o:p>
  Go to Deploying the Client Certificate for Mac Computers 
  Setup SCCM and install client:
        http://www.jamesbannanit.com/2012/10/enrol-mac-os-x-clients-in-configuration-manager-2012-sp1/

• Enrollment issues after Benefits Configuration Changes

  Two of our Disability plans will no longer need to use Cost Groupings as a variant because all enrollees will have the same rates. I changed the configuration 'Define Cost Variants' screen (which has no effective date) to reflect this and added a new cost rule with a blank cost group effective 1/1/2011. All of the existing cost groups for this plan are now delimited as of 12/31/2010.
  When we try to enroll employees in these plans for 1/1/2011 Annual Enrollment, the results are inconsistent. For some employees, the plans just don't show up on the enrollment screen. For those who are currently in the plans, the plan shows up, but if you try to enroll them, you receive this error message 'No entry for plan LTD1 / cost variant FINS / key //////0000000000000'.  If I change the enrollment date to 1/2/2011, the error goes away.
  For employees where the plan does show up, and they have never been enrolled in the plan, the enrollment works fine for 1/1/2011.
  Can anyone help?
  Thanks

  hello,
  I have seen this error before and it was usually linked to incorrect configuration.
  You should check your feature CSTV1 Cost grouping and make sure it returns the correct entry for the employee
  Hope this help
  Sarah

• Anyconnect SCEP Auto-enrollment Issue

  Hello Everyone,
  I have been trying to configure cisco`s any connect client with SCEP Auto-enrollment with no success. I followed all the steps necessary to complete the configuration but still no success. What happens to me is, enrollment happens fine, certificate is downloaded according to what it should be but when I try to use it to authenticate and connect to my VPN it seems the certificate is not valid and not forwarded to the ASA, every time I reconnect the Anyconnect enrolls me to a new certificate, which means that if I repeat the process a 1000 times I`ll most likely have 1000 new certificates. Being trying for a while now and nothing seems to work with it. Can anyone tell me anything that could help me?
  I am using windows 2k12 with NDES module installed, the certificate template being used is a custom IPSEC Offline request template, the asa sends the enrollment request according to what it should be and the enrollment happens fine, the problem is that I cannot match the certificate for some reason.
  Anyone that can help me?

  Scep-proxy was not integrated into the ASA until 8.4
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_certs.html#wp1318578
  If you want to do legacy scep, this should work.  Your Anyconnect version is ok, but we always suggest the latest in the 3.0/3.1 line for the most up-to-date bug fixes.