Enterprise Mobility Agent with Trust Protection Platform 15.4
When trying to retrieve a certificate with Enterprise Mobility Agent, the User Agent will check in but the certificate will not enroll or retrieve. Viewing the Default SQL Channel log shows the following error:
A system at hostname HOSTNAME attempted to retrieve certificate work on behalf of USERNAME, while the system requires windows authentication to fulfill this request. IP: xxx.xxx.xxx.xxx
Windows integrated authentication must be enabled on the TPP Server (VEDClient web site) configured with Enterprise Mobility Agent.
You should configure Microsoft Internet Information Services (IIS) by enabling Windows Authentication for the VEDClient web site. This includes:
disabling Anonymous Authentication, and
enabling Windows Authentication
Note: if using Server Agent and Enterprise Mobility Agent, enable Windows Authentication (for Enterprise Mobility) and leave Anonymous Authentication (for Server Agent) enabled for the VEDClient website.
Follow the sections in the "Venafi Trust Protection Platform Installation Guide" TPP 15.4 documentation to configure the following:
Setting Up Windows Integrated Authentication for Web Consoles
Enabling Windows authentication for Trust Protection Platform