Could not sign CSR Caused by: java.io.IOException: Cannot obtain certificate from certsrv authority: 401 Unauthorized


Article ID: CTX216190


Description

After configuring Client Certificate Authentication for XMS, you cannot request a certificate from the Issuing Server. The debug log shows:

java.lang.RuntimeException: Could not create mobileconfig PA Credentials
at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPList(MobileConfig.java:574)
at com.sparus.nps.apple.push.commands.InstallProfileCommand.asBinary(InstallProfileCommand.java:318)
at com.sparus.nps.apple.push.commands.InstallProfileCommand.prepare(InstallProfileCommand.java:246)
Caused by: java.lang.IllegalStateException: Could not create payload
at com.sparus.nps.iphone.payload.PKICredential.toPayloadDict(PKICredential.java:134)
at com.sparus.nps.iphone.mobileconfig.MobileConfig.createPayload(MobileConfig.java:488)
at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPDict(MobileConfig.java:519)
Caused by: com.zenprise.zdm.pki.spi.IssuingServiceException: Could not sign CSR
at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:147)
at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueCredential(AbstractIssuingAdapter.java:92)
at com.sparus.nps.iphone.payload.PKICredential.createPayload(PKICredential.java:85)
Caused by: com.sparus.nps.pki.CertificateSigningException: Could not sign certificate
at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:107)
at com.zenprise.zdm.pki.util.CredentialCaFactory$CredentialCa.sign(CredentialCaFactory.java:204)
at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:137)
Caused by: java.io.IOException: Cannot obtain certificate from certsrv authority: 401 Unauthorized
at com.sparus.nps.pki.connector.MsCertSrvConnector.generateClientIdentity0(MsCertSrvConnector.java:252)
at com.sparus.nps.pki.connector.MsCertSrvConnector.generateClientIdentity(MsCertSrvConnector.java:207)
at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:90)

Resolution

If you see this error in the Debug Log File, verify that:

1. Client Certificate Mapping Authentication is enabled under CertSrv web site > Authentication within IIS.
2. The "Accept" Client certificates radio button is checked under CertSrv web site > SSL Settings within IIS.
3. Active Directory Client Certificate Authentication is enabled under Server (Issuing Server Name (Domain/User)) > Authentication within IIS.
4. The Service Account which generated the user certificate is enabled and not locked out, and the certificate is still valid. To check this, install the previously created User/Service Account Certificate onto a local domain machine, open a browser and navigate to the https://mymsca.certsrv/ website, where you should be prompted with the User/Service Account Certificate.

Once you have confirmed the above, push a Credential Policy specifying the Credential Provider you created for Client Certificate Authentication and check whether:

a) the Policy deploys

b) there is a successful request for the Client Certificate in the Issuing Server IIS Log File, confirmed by an HTTP 200 OK response:
2016-04-11 19:40:05 192.168.192.168 POST /certsrv/certfnsh.asp - 443 KRKLAB\kkennedy X.X.90.128 ZDM-certsrv/1.0 - 200 0 0 530

c) there is an issued certificate for the user you enrolled or deployed the Credential Policy to
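Check b) can be scripted. The following is an added example, not Citrix or Microsoft code: it parses an IIS W3C log, keeps the POST requests to /certsrv/certfnsh.asp and counts them by status and sub-status, so a run of 401 responses stands out from the 200 shown above. The default field order, the sub-status table and every log line except the last are assumptions or constructed sample data.

```python
"""Summarise certsrv enrollment requests in an IIS W3C log (added example)."""
from collections import Counter

# Assumed column order (IIS default W3C field set) when the log has no #Fields: line.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) cs(Referer) sc-status "
                  "sc-substatus sc-win32-status time-taken").split()
# IIS 401 sub-status meanings.
SUBSTATUS_401 = {"1": "logon failed",
                 "2": "logon failed due to server configuration",
                 "3": "unauthorized due to ACL on resource"}
ENROLL_PATH = "/certsrv/certfnsh.asp"  # request path from the article's log line

# Constructed sample log; only the last entry is the line quoted in the article.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-04-11 19:38:41 192.0.2.10 POST /certsrv/certfnsh.asp - 443 - 192.0.2.20 ZDM-certsrv/1.0 - 401 2 5 15
2016-04-11 19:39:02 192.0.2.10 POST /certsrv/certfnsh.asp - 443 - 192.0.2.20 ZDM-certsrv/1.0 - 401 1 5 31
2016-04-11 19:39:30 192.0.2.10 GET /certsrv/ - 443 - 192.0.2.20 Mozilla/5.0 - 200 0 0 12
2016-04-11 19:40:05 192.168.192.168 POST /certsrv/certfnsh.asp - 443 KRKLAB\kkennedy X.X.90.128 ZDM-certsrv/1.0 - 200 0 0 530
"""

def parse_enrollments(text):
    """Yield one dict per POST to ENROLL_PATH, honouring any #Fields: directive."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        if row.get("cs-method") == "POST" and stem == ENROLL_PATH:
            yield row

def summarise(text):
    """Return (Counter keyed by 'status.substatus', list of 401 descriptions)."""
    counts, failures = Counter(), []
    for row in parse_enrollments(text):
        status, sub = row.get("sc-status", "?"), row.get("sc-substatus", "0")
        counts[f"{status}.{sub}"] += 1
        if status == "401":
            reason = SUBSTATUS_401.get(sub, "other 401 sub-status")
            user = row.get("cs-username", "-")
            failures.append(f"{row['date']} {row['time']} {user} 401.{sub}: {reason}")
    return counts, failures

if __name__ == "__main__":
    counts, failures = summarise(SAMPLE_LOG)
    print(dict(counts))
    print("\n".join(failures))
```

A cs-username of "-" on a 401 line means IIS never mapped the request to an account, whereas the successful line carries the mapped domain user.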

 

Problem Cause

XMS is unable to successfully negotiate a request to the Issuing Server for a Client Certificate, due to either an invalid/expired User/Service Account or invalid credentials for the required authentication method, and receives an HTTP 401 Unauthorized response instead.

Issue/Introduction

After configuring Client Certificate Authentication for XMS, you cannot request a Client Certificate from the Issuing Server.

Additional Information

Configuring Client Certificate Authentication for XMS
http://support.citrix.com/content/dam/supportWS/kA260000000TZNMCA4/Configure_CBA_for_Secure Mail_and_XM.pdf

Enable Client Certificate Mapping Authentication
http://support.citrix.com/article/CTX136962