While implementing CBA (Certificate-Based Authentication) on XenMobile for a customer, we ran into an issue: iOS devices were unable to enroll with CBA on XMS 10.4.1.
Looking at the DebugLogFile in the XMS Web Admin portal, we can see:
Caused by: java.io.IOException: Cannot obtain certificate from certsrv authority: 401 Unauthorized
In the IIS logs on the PKI, we see:
POST /certsrv/certfnsh.asp - 443 - SRV_IP ZDM-certsrv/1.0 401
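To find every occurrence of this signature instead of spotting one line by eye, the following sketch (an added example, not code from the original post or from Citrix) parses IIS W3C logs using their #Fields header and counts certfnsh.asp POSTs from the ZDM-certsrv agent per client and status. The sample log, its field selection, the sub-status values and the addresses are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format; addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port c-ip cs(User-Agent) sc-status sc-substatus
2017-03-01 09:14:02 POST /certsrv/certfnsh.asp 443 192.0.2.50 ZDM-certsrv/1.0 401 2
2017-03-01 09:14:09 POST /certsrv/certfnsh.asp 443 192.0.2.50 ZDM-certsrv/1.0 401 2
2017-03-01 09:15:30 GET /certsrv/ 443 192.0.2.60 Mozilla/5.0+(Windows+NT+10.0) 401 2
2017-03-01 09:20:11 POST /certsrv/certfnsh.asp 443 192.0.2.51 ZDM-certsrv/1.0 401 2
2017-03-01 09:41:47 POST /certsrv/certfnsh.asp 443 192.0.2.51 ZDM-certsrv/1.0 200 0
2017-03-01 09:42:0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the latest #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def certsrv_summary(text, agent_prefix="ZDM-certsrv/"):
    """Count enrollment POSTs from the XenMobile agent by (client IP, status.substatus)."""
    counts = Counter()
    for row in parse_w3c(text):
        if (row.get("cs-method") == "POST"
                and row.get("cs-uri-stem", "").lower() == "/certsrv/certfnsh.asp"
                and row.get("cs(User-Agent)", "").startswith(agent_prefix)):
            status = row.get("sc-status", "?")
            sub = row.get("sc-substatus")
            key = f"{status}.{sub}" if sub else status
            counts[(row.get("c-ip", "?"), key)] += 1
    return counts

def failing_clients(text):
    """Client IPs that were refused with 401 and never got a 2xx response."""
    refused, succeeded = set(), set()
    for ip, status in certsrv_summary(text):
        if status.startswith("401"):
            refused.add(ip)
        elif status.startswith("2"):
            succeeded.add(ip)
    return sorted(refused - succeeded)

if __name__ == "__main__":
    for (ip, status), n in sorted(certsrv_summary(SAMPLE_LOG).items()):
        print(f"{ip}  {status}  x{n}")
    print("still failing:", failing_clients(SAMPLE_LOG))
```

Running it again on the logs written after a configuration change shows whether the XMS address has left the failing list.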
Solution 1:
Enable Client Certificate Mapping Authentication inside IIS under the CertSrv web site – http://support.citrix.com/article/CTX136962
Solution 2:
Verify that “Accept” is checked for Client certificates inside the CertSrv page within IIS.
Note: The Require SSL option does not need to be enabled for this to work.
For my customer, after reviewing the configuration, it appeared that Client Certificate Mapping Authentication was not enabled and the certificate on CertSrv was Denied.
Note: This information is provided based on my own experience.