Analyzing the IP Address and Error Codes in the Inetpub.log File

The IP address and error code in the Inetpub.log file can provide important information about AD CS communication.

An Inetpub.log file with a valid certificate request looks similar to the following:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

2021-08-01 14:04:07 10.0.1.3 POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 10.0.1.10 Java-SDK - 200 0 0 2156

2021-08-01 14:04:10 10.0.1.3 POST /api/v1/certificate/retrieve - 443 AdcsProxyAccessUser 10.0.1.10 Java-SDK - 200 0 0 63

In the example above:

  • 10.0.1.3 is the IP address of the Jamf AD CS Connector.

  • 10.0.1.10 is the IP address of the source of the request: Jamf Pro or a reverse proxy/load balancer.

  • 200 is the error code or status. 200 indicates that communication was successful.

  • The 0 immediately following 200 is the substatus.

Analyze the Inetpub.log file for the following common issues:

  • If the logs are blank, the Jamf Pro server is not communicating with the Jamf AD CS Connector.

  • If the logs contain a certificate request, but no retrieve statement, the Jamf Pro server is communicating with the Jamf AD CS Connector. If this occurs, examine what happened with the certificate request (see below for certificate authority (CA) troubleshooting steps). The Jamf Pro server log can provide more detail as well. Most likely the CA name is incorrect or there is a problem with the template.

  • If a retrieve statement is present, the communication from the Jamf Pro server to the CA and back is most likely successful. This indicates that the issue is not at the AD CS/CA level and requires further troubleshooting on the Jamf Pro server or the target device.

  • A 401 status is an Unauthorized error.

  • A 403 status is a Forbidden error.

  • 403.7 is a specific combination of Forbidden error and substatus code.

    For more information, see the following documentation from Microsoft:

    Error when you open an IIS webpage: 403.7 Forbidden: Client certificate required

  • 403.16 is a specific combination of Forbidden error and substatus code.

    For more information, see the following documentation from Microsoft:

    HTTP Error 403.16 when you try to access a website that's hosted on IIS 7.0

  • If a request statement is logged but no retrieve statement is present, the Jamf Pro server logs may say why, but on the Microsoft Windows CA side, the following can be checked:

  1. On the Windows server, navigate to Certificate authority tool > Manage templates, and select the template in use.
  2. Click the General tab and verify the text in the Template name field (not the Template display name field).

  3. Click the Security tab, and ensure the Jamf AD CS Connector computer is added with the Enroll privilege allowed.

  4. Check the failed requests in the Certificate Authority tool.

    In most cases, it provides more verbose information about why the request failed.
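
The log checks described above can be scripted. The following is an added example, not code from Jamf or Microsoft: it parses log lines in the format shown, reports non-200 statuses with their substatus, and counts successful request entries per source IP that have no matching retrieve. The sample lines are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample in the page's log format (not real log data).
SAMPLE = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-01 14:04:07 10.0.1.3 POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 10.0.1.10 Java-SDK - 200 0 0 2156
2021-08-01 14:04:10 10.0.1.3 POST /api/v1/certificate/retrieve - 443 AdcsProxyAccessUser 10.0.1.10 Java-SDK - 200 0 0 63
2021-08-01 14:09:31 10.0.1.3 POST /api/v1/certificate/request - 443 - 10.0.1.22 Java-SDK - 403 7 0 15
2021-08-01 14:12:02 10.0.1.3 POST /api/v1/certificate/request - 443 AdcsProxyAccessUser 10.0.1.10 Java-SDK - 200 0 0 1980
"""

# Status meanings; the substatus texts are the IIS descriptions.
NOTES = {"401": "Unauthorized", "403": "Forbidden",
         "403.7": "Forbidden: client certificate required",
         "403.16": "Forbidden: client certificate is untrusted or invalid"}

def parse(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def triage(text):
    """Return findings that follow the checks described on the page."""
    entries = list(parse(text))
    if not entries:
        return ["no entries: Jamf Pro is not communicating with the connector"]
    findings, pending = [], Counter()
    for e in entries:
        status, sub = e["sc-status"], e["sc-substatus"]
        code = status if sub == "0" else f"{status}.{sub}"
        op = e["cs-uri-stem"].rsplit("/", 1)[-1]  # "request" or "retrieve"
        if status != "200":
            note = NOTES.get(code, NOTES.get(status, "unexpected status"))
            findings.append(f"{e['time']} {op} from {e['c-ip']}: {code} {note}")
        elif op == "request":
            pending[e["c-ip"]] += 1
        elif op == "retrieve" and pending[e["c-ip"]] > 0:
            pending[e["c-ip"]] -= 1
    for ip, n in pending.items():
        if n:
            findings.append(f"{ip}: {n} request(s) with no retrieve; check CA name and template")
    return findings
```

A request logged at the very end of the file may still be in progress, so confirm an unmatched request against a later copy of the log before treating it as a CA or template problem.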