Chat now with support
Chat with Support

Safeguard Authentication Services 4.1.5 - Mac OS X/macOS Administration Guide

One Identity Privileged Access Suite for Unix Installation The Authentication Services Mac OS X components Configuring the Authentication Services client Special Mac OS X features Authentication Services limitations on Mac OS X Authentication Services Group Policy for Mac OS X Certificate Autoenrollment

Troubleshooting Certificate Auto-Enrollment

To help you troubleshoot Certificate Autoenrollment, One Identity recommends the following resolutions to some of the common errors, and methods for finding and correcting configuration problems.

Enable debug logging on Windows

You can enable full debug logging for all Certificate Autoenrollment components using the vascert command line utility.

If debug logging is configured, Group Policy extensions, the vascert tool, and launchd write log files in /Library/Preferences/com.quest.X509Enrollment/log for machine enrollment and ~/Library/Preferences/com.quest.X509Enrollment/log for user enrollment. You can enable debug logging for all of these components.

To enable debug logging

  1. As root, run the following command to configure debug logging for all users:

    /opt/quest/bin/vascert configure debug

  2. To configure debug logging for a specific user, log in as that user and run the same command.

    NOTE: Enabling debug logging causes the vascert command to write debug messages to a file in addition to stdout. Even after you enable debug logging, you must set the debug level using the -d command line option when running vascert commands manually.

  3. When you are finished debugging, run the following command as root to turn off debug logging for all users. One Identity recommends that you turn off debug logging to improve performance and conserve disk space.

    /opt/quest/bin/vascert unconfigure debug

  4. To turn off debug logging for a specific user, log in as that user and run the same command.

Pulse Certificate Autoenrollment processing

Use the vascert command line utility to manually perform Certificate Autoenrollment.

To perform Certificate Autoenrollment processing manually

  1. Decide whether you want to pulse Certificate Autoenrollment for the machine or a specific user.
  2. To pulse Certificate Autoenrollment for the machine, run the following command as root (or using sudo):

    /opt/quest/bin/vascert pulse

    NOTE: To pulse certificate enrollment for the machine, you must run the command with root privileges. This is mostly useful for troubleshooting. In some cases (such as when logging in by means of SSH), this will not result in successful certificate enrollment because the System.keychain cannot export existing private keys required for certificate renewal processing. If you just want to run Certificate Autoenrollment processing for the machine and you are not interested in the output, use vascert trigger instead.

  3. To pulse Certificate Autoenrollment for a specific user, log in as that user and run the following command:

    /opt/quest/bin/vascert pulse

    NOTE: Use the GUI to log in as the user. This ensures that the user's keychain is unlocked so that enrolled certificates can be exported and imported. Logging in by other means, such as SSH, is generally not sufficient and may lead to errors when the certstore-mac.sh script invokes the /usr/bin/security tool.

Manually apply Group Policy

If you are using One Identity Authentication Services 4.1 or higher, Certificate Autoenrollment is configured automatically by Group Policy. Use the vgptool command line utility to manually apply Group Policy.

To manually apply Group Policy

  1. Decide whether you want to apply machine policy or user policy.

    NOTE: Machine policy affects the entire system; User policy only affects the specified user.

  2. To apply machine policy, enter the following command as root (or using sudo):

    /opt/quest/bin/vgptool apply

    The terminal displays policy processing results.

  3. To apply user policy, enter the following command as root (or using sudo):

    /opt/quest/bin/vgptool apply -u <username>

    The terminal displays policy processing results.

Related Documents