While implementing CBA (Certificate Based Authentication) on XenMobile for a customer, we ran into an issue: iOS devices were unable to enroll with CBA on XMS 10.4.1.

Looking at the DebugLogFile in the XMS Web Admin portal, we can see:

Caused by: java.io.IOException: Cannot obtain certificate from certsrv authority: 401 Unauthorized

In the IIS logs on the PKI we see:

POST /certsrv/certfnsh.asp - 443 - SRV_IP ZDM-certsrv/1.0 401

Solution 1:
Enable Client Certificate Mapping Authentication inside IIS under the CertSrv web site – http://support.citrix.com/article/CTX136962
Solution 2:
Verify that “Accept” is selected for Client certificates on the CertSrv page within IIS.
Note: the Require SSL option is not required for this to work.

For my customer, after reviewing the configuration, it turned out that Client Certificate Mapping Authentication was not enabled and the certificate on CertSrv was Denied.
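
The two settings from Solution 1 and Solution 2 can also be checked from PowerShell on the PKI server. The script below is an added example, not taken from the Citrix article or the original post. It assumes the web enrollment application sits at the default path 'Default Web Site/CertSrv'; the -Apply switch is a hypothetical parameter of this script that writes the two settings instead of only reporting them.

```powershell
# Added example: audit (and optionally fix) the IIS settings from Solution 1 and 2.
param(
    [string]$Location = 'Default Web Site/CertSrv',  # assumption: default CertSrv path
    [switch]$Apply                                   # hypothetical switch: write the fix
)
Import-Module WebAdministration -ErrorAction Stop

$root      = 'MACHINE/WEBROOT/APPHOST'   # settings are stored in applicationHost.config
$mapFilter = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
$sslFilter = 'system.webServer/security/access'

# The mapping section only exists once the Web-Client-Auth role service is installed.
if (-not (Get-WindowsFeature -Name Web-Client-Auth).Installed) {
    Write-Warning 'Role service Web-Client-Auth (Client Certificate Mapping Authentication) is not installed.'
    return
}

# Solution 1: is Client Certificate Mapping Authentication enabled on CertSrv?
$mapEnabled = (Get-WebConfigurationProperty -PSPath $root -Location $Location `
                   -Filter $mapFilter -Name enabled).Value

# Solution 2: are client certificates accepted (SslNegotiateCert) or required (SslRequireCert)?
$raw      = Get-WebConfigurationProperty -PSPath $root -Location $Location `
                -Filter $sslFilter -Name sslFlags
$sslFlags = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
$names    = @($sslFlags -split ',' | ForEach-Object { $_.Trim() } |
                Where-Object { $_ -and $_ -ne 'None' })
$accepted = [bool]($names | Where-Object { $_ -in 'SslNegotiateCert', 'SslRequireCert' })

[pscustomobject]@{
    Location                 = $Location
    ClientCertMappingEnabled = $mapEnabled
    SslFlags                 = $sslFlags
    ClientCertsAccepted      = $accepted
}

if ($Apply) {
    if (-not $mapEnabled) {
        Set-WebConfigurationProperty -PSPath $root -Location $Location `
            -Filter $mapFilter -Name enabled -Value $true
    }
    if (-not $accepted) {
        # Keep the existing flags (for example Ssl) and add "Accept" only.
        $newFlags = (@($names) + 'SslNegotiateCert') -join ','
        Set-WebConfigurationProperty -PSPath $root -Location $Location `
            -Filter $sslFilter -Name sslFlags -Value $newFlags
    }
}
```

Run it without -Apply first to see the current state; a result of ClientCertMappingEnabled = False or ClientCertsAccepted = False matches the conditions the two solutions address.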


Note: This information is provided based on my own experience.