MDM Client Certificate not getting installed - Error 0x82ac0201 RRS feed

  • Question

  • Hi,

    We are trying to implement the MS-MDE2 protocol and enrol Windows 10 machines. We are failing at the enrolment step. The certificate response seems to be parsed properly; however, the client certificate is not installed on the system. That is, the certificate sent in CertificateStore > My > User is never installed.

    This results in an error 0x82ac0201 while syncing. 

    1. We have verified the CSR and the Certificate that we give and they have the same public Key.

    2. The Self-Signed CA Root Certificate is always installed. That is the certificate sent in CertificateStore > Root > System does get installed.

    3. The CN and SSLCLIENTSEARCHCRITERIA do match.

    Here is the XML Request/Response.

    1. The Windows 10 machine sends the following request:

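    <!-- WS-Trust RequestSecurityToken (WSTEP) sent by the Windows 10 enrollment client to the
         MDM enrollment service named in a:To. Captured sample from the post; the opening angle
         bracket of the envelope start tag was lost in the paste and is restored here. -->
    <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
        <!-- NOTE(review): the server response printed later on this page carries
             a:RelatesTo urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab, which is not this
             MessageID. Either the two captures come from different attempts or the server
             is not echoing the request MessageID; confirm. -->
        <a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
        <a:ReplyTo>
            <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
        </a:ReplyTo>
        <a:To s:mustUnderstand="1">https://270d40e1.ngrok.io/api/v1/windows/enrollment/9/enrollment_service</a:To>
        <wsse:Security s:mustUnderstand="1">
            <!-- DeviceEnrollmentUserToken: the only user credential visible in this request.
                 NOTE(review): the value is a two-character Base64 string, presumably a test
                 token; the enrollment service has to authenticate this token before it signs
                 the CSR in the body. -->
            <wsse:BinarySecurityToken ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">OQ==</wsse:BinarySecurityToken>
        </wsse:Security>
    </s:Header>
    <s:Body>
        <wst:RequestSecurityToken>
            <wst:TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</wst:TokenType>
            <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
            <!-- PKCS#10 certificate signing request generated on the device (ValueType ...#PKCS10).
                 The certificate returned by the server has to carry the public key of this CSR;
                 the post states that this was checked. -->
            <wsse:BinarySecurityToken ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">MIIC5jCCAc4CAQAwSjFIMEYGA1UEAww/NzRFRDI4MDgtRjlEQi00OTAzLTkyRTYt
    ODA4RkU2IUVGRjVENDA2RTg5NTQyNDNBQTEwQ0FFOTk4MUM4M0Q5MIIBIjANBgkq
    hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0OyklihkuhuzYH46Zgu37WIrwBqQ6bQB
    qWObCgAzkLkBFqVLImexun3RuOPYgqd82DN/1eONPzEbdj+cf9qe9PdQFnG7cFKx
    8VwZzJbyk6vlzFu81xhGdVq4Vto+OwS5pgPiRptzSR7PScUS/SCaO1Jzvu/bML2R
    BDfUpo8dE7QLE5tMeDv/6x4WDAB6PjiXzX8wpR8LBr7PR/YD6BaVn9iW781A0l+q
    8Md4mvcYjnjiOJSThvJpyVYdLoKeFc8t12Y9+2AIQkG8eiyIsR31/cwPNo4ltOZz
    TDGE5h1CnKU+lQFuCj1loWWAkcBwnasEGQAEl8SuGRpnhECNRoqUmQIDAQABoFcw
    VQYJKoZIhvcNAQkOMUgwRjATBgNVHSUEDDAKBggrBgEFBQcDAjAvBgorBgEEAYI3
    QgEABCFFRkY1RDQwNkU4OTU0MjQzQUExMENBRTk5ODFDODNEOQAwDQYJKoZIhvcN
    AQELBQADggEBADA5dJjVeJwpQmGqCeQEHffveBPObKqbTRj88AjxrzaMrBSE/q5P
    lBhK1FAArXWmSdg4G8POaWNCJz9siQA9RE6WtzeLA6z1DGxxaF1wkVe76CnCmEHZ
    CN3ZnKqulTRsCzXqYu9yyUuOCEsK6F8xrj9IIn6cNeRUBmVQwmngu1niL6jIhRf+
    9sIF9tcLhVZ15/+Fv74nFR5bbcWPK9+BZnW5c75fJbwot/GloBhPyFA7L2G0xadL
    tAcIW8VqrSYUbmK58ZWEqBBzlXGb3LGpbO27iwR4SBE2El/krE6WO5JlwEuMD8cr
    MNHq8Tu/Hgw2/ERDMDyYjgKw3ATqyDgdaPQ=</wsse:BinarySecurityToken>
            <!-- Device metadata reported by the client (hardware ID, MAC addresses, device name,
                 OS version, enrollment type). Every value is client-supplied, so the server
                 should treat it as untrusted input and not as proof of device identity. -->
            <ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
                <ac:ContextItem Name="UXInitiated">
                    <ac:Value>true</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="HWDevID">
                    <ac:Value>B0F9488778A8E31A3445CBC0090D67E212A3FF9793459E5C40DFEC2358A6517F</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="Locale">
                    <ac:Value>en-IN</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="TargetedUserLoggedIn">
                    <ac:Value>true</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="OSEdition">
                    <ac:Value>48</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="DeviceName">
                    <ac:Value>DESKTOP-DPK7P3R</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="MAC">
                    <ac:Value>A0-AF-BD-D0-5B-97</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="MAC">
                    <ac:Value>A0-AF-BD-D0-5B-98</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="MAC">
                    <ac:Value>BE-22-20-52-41-53</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="MAC">
                    <ac:Value>C0-B6-20-52-41-53</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="MAC">
                    <ac:Value>98-29-A6-38-15-3B</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="MAC">
                    <ac:Value>C4-F9-20-52-41-53</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="MAC">
                    <ac:Value>A0-AF-BD-D0-5B-9B</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="DeviceID">
                    <ac:Value>EFF5D406E8954243AA10CAE9981C83D9</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="EnrollmentType">
                    <ac:Value>Full</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="DeviceType">
                    <ac:Value>CIMClient_Windows</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="OSVersion">
                    <ac:Value>10.0.16299.0</ac:Value>
                </ac:ContextItem>
                <ac:ContextItem Name="ApplicationVersion">
                    <ac:Value>10.0.16299.0</ac:Value>
                </ac:ContextItem>
            </ac:AdditionalContext>
        </wst:RequestSecurityToken>
    </s:Body>
    </s:Envelope>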

    2. MDM Server response

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- RequestSecurityTokenResponseCollection returned by the MDM enrollment service.
         The BinarySecurityToken (ValueType ...DeviceEnrollmentProvisionDoc) is a Base64-encoded
         wap-provisioningdoc; its first bytes decode to the wap-provisioningdoc start tag. -->
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
        <soap:Header>
            <a:Action soap:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep/RequestSecurityTokenResponse</a:Action>
            <a:MessageID>urn:uuid:697a173c-6237-45eb-9190-156bf8334df0</a:MessageID>
            <a:To>http://www.w3.org/2005/08/addressing/anonymous</a:To>
            <!-- NOTE(review): this value differs from the a:MessageID of the request printed
                 earlier on this page (urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749).
                 RelatesTo is expected to echo the MessageID of the request being answered;
                 the two captures may simply come from different attempts. Confirm. -->
            <a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
        </soap:Header>
        <soap:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <RequestSecurityTokenResponse>
                    <TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType>
                    <RequestedSecurityToken>
                        <!-- NOTE(review): Base64 is an encoding, not protection. The decoded document
                             carries the APPAUTH AAUTHSECRET values and both provisioning certificates
                             in clear, so this response is as sensitive as those secrets; any secret
                             that has been posted publicly should be treated as exposed and replaced.
                             NOTE(review): the decoded payload names the provider MobiLockMdmServer,
                             while the decoded copy printed after this response on the page uses
                             TestMDMServer, so that copy looks hand-edited; confirm which document
                             the device actually received. -->
                        <BinarySecurityToken xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc">PHdhcC1wcm92aXNpb25pbmdkb2MgdmVyc2lvbj0iMS4xIj4KICAgICAgICA8
    Y2hhcmFjdGVyaXN0aWMgdHlwZT0iQ2VydGlmaWNhdGVTdG9yZSI+CiAgICAg
    ICAgICA8Y2hhcmFjdGVyaXN0aWMgdHlwZT0iUm9vdCI+CiAgICAgICAgICAg
    IDxjaGFyYWN0ZXJpc3RpYyB0eXBlPSJTeXN0ZW0iPgogICAgICAgICAgICAg
    IDxjaGFyYWN0ZXJpc3RpYyB0eXBlPSIxYzMzMDdlNmE5ZTgwMTEzZjZjNjQ3
    YTljNmViMzkzYTU3YjkwNjE3Ij4KICAgICAgICAgICAgICAgIDxwYXJtIG5h
    bWU9IkVuY29kZWRDZXJ0aWZpY2F0ZSIgdmFsdWU9Ik1JSURFakNDQWZxZ0F3
    SUJBUUlKVXdXUmpueUpMQWhlTUEwR0NTcUdTSWIzRFFFQkN3VUFNQll4RkRB
    U0JnTlZCQU1NQzIxdlltbHNiMk5yTG1sdU1CNFhEVEU0TURjeE16RXhNak16
    TmxvWERUTTRNRGN4TXpFeE1qTXpObG93RmpFVU1CSUdBMVVFQXd3TGJXOWlh
    V3h2WTJzdWFXNHdnZ0VpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dn
    RUtBb0lCQVFERXNuRXVTVXI0VFJ2Q1RiMFpqUzNwcW1sVTd5QVlUcXAycVdW
    bithTW9salBFM3NEMHgzbXNMU3VBdXl1cTg5eStWMXRFRjFQMUFpZnd2dzdS
    dGJKdnI0UndjK3ArV0xPZ2pqREcvL3lxQ25aSk8yQzM2Y045WDBrb3dmbVA4
    NFp6Z3EvampXeVVvOUljb2orWG1RRlpicGN6ejhoL0F1V0dOeTMweVpiZUl3
    czNMNzJZeGxRcmNRQ0xYbk9DT3Izd3JPQmtBUk5TZVlhaFN4dTlka3pRV3Y3
    NkU1M1Q5d2l4Z0owKzRHNGNJZ1dHMFFtQlEvMzVCMGZMdGRUOUpaTzMwZnlJ
    MEFtQzBzZmpHQW5VTnlwaDh1SXJJd2VoWUgzRmpYV1VqaExvQ3ZOT3hFL0dy
    enN1dm0wSS9NVzM0MmVBM21xT3Yya1FKVmIzYzAxRFFqbHpBZ01CQUFHall6
    QmhNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEZ1lEVlIwUEFRSC9CQVFEQWdF
    R01CMEdBMVVkRGdRV0JCUzR3OXRoZm0xcFFYUHYxVFRYU1luY0x6ZTQxREFm
    QmdOVkhTTUVHREFXZ0JTNHc5dGhmbTFwUVhQdjFUVFhTWW5jTHplNDFEQU5C
    Z2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFKSDQ2TWNCd2RmQVhSMlNqVkVraG91
    QURNdkswQVl6cFpkcFhkL2RJcFk0MGdheE8vaWF0WjZCUXYvNTdzYmUvSmFt
    SnpkcDRGWjgvbFl2NFdFZm1IclVuN1VBL29ncHBaakRxRjA0Q2k1SUVXcWhx
    b2ZaVjlNUzczMXJ3TTg4YjVkWlkvQW9iTHRBd3gwSW80QUhpYWFVem5jL3Nq
    aXNSKzhBUzZ5MmQ0QmRDWU8vektvWlhPampZTGV1YUlMTEZyZUNjZlEzWVhS
    Q3RRZTlRMjY5RGdvbjJIbCtXMnVmbGdzZmQzWEJTL3Fvalg2RUlCdlgzdEla
    S2FDUmVIdzdkV040emc1a1Y2YnlkdkpYVTU5N2QwZ2FlWHdaUFhNQjJXNFZ5
    ZGlBR01SVitTTmJXZXJLcmI5UWFTR3pneTJlbkZhczE4UFVMWFFaeUlGbU5F
    N1ROTmc9PSIgLz4KICAgICAgICAgICAgICA8L2NoYXJhY3RlcmlzdGljPgog
    ICAgICAgICAgICA8L2NoYXJhY3RlcmlzdGljPgogICAgICAgICAgPC9jaGFy
    YWN0ZXJpc3RpYz4KICAgICAgICA8L2NoYXJhY3RlcmlzdGljPgogICAgICAg
    IDxjaGFyYWN0ZXJpc3RpYyB0eXBlPSJDZXJ0aWZpY2F0ZVN0b3JlIj4KICAg
    ICAgICAgIDxjaGFyYWN0ZXJpc3RpYyB0eXBlPSJNeSI+CiAgICAgICAgICAg
    IDxjaGFyYWN0ZXJpc3RpYyB0eXBlPSJVc2VyIj4KICAgICAgICAgICAgICA8
    Y2hhcmFjdGVyaXN0aWMgdHlwZT0iOTQzMzM3ZDEyZTBmZTc2ZGM2NGQyOGEw
    OTFhMGU1NTYxNDdiOWIzNCI+CiAgICAgICAgICAgICAgICA8cGFybSBuYW1l
    PSJFbmNvZGVkQ2VydGlmaWNhdGUiIHZhbHVlPSJNSUlER0RDQ0FnQ2dBd0lC
    QVFJVWNWaktzY2lwSzBRNnUxMUlYK0dkV0RZa3hIQXdEUVlKS29aSWh2Y05B
    UUVGQlFBd0dqRVlNQllHQTFVRUF3d1BiV1J0TG0xdlltbHNiMk5yTG1sdU1C
    NFhEVEU0TURjeE16RXpNVGt5TlZvWERURTVNRGN4TXpFNU1Ua3lOVm93SWpF
    Z01CNEdBMVVFQXd3WFRXeHdRMnhwWlc1MFFYVjBhR1Z1ZEdsallYUnBiMjR3
    Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRFE3
    S1NXS0dTNkc3TmdmanBtQzdmdFlpdkFHcERwdEFHcFk1c0tBRE9RdVFFV3BV
    c2laN0c2ZmRHNDQ5aUNwM3pZTTMvVjQ0MC9NUnQyUDV4LzJwNzA5MUFXY2J0
    d1VySHhYQm5NbHZLVHErWE1XN3pYR0VaMVdyaFcyajQ3QkxtbUErSkdtM05K
    SHM5SnhSTDlJSm83VW5PKzc5c3d2WkVFTjlTbWp4MFR0QXNUbTB4NE8vL3JI
    aFlNQUhvK09KZk5mekNsSHdzR3ZzOUg5Z1BvRnBXZjJKYnZ6VURTWDZyd3gz
    aWE5eGlPZU9JNGxKT0c4bW5KVmgwdWdwNFZ6eTNYWmozN1lBaENRYng2TElp
    eEhmWDl6QTgyamlXMDVuTk1NWVRtSFVLY3BUNlZBVzRLUFdXaFpZQ1J3SENk
    cXdRWkFBU1h4SzRaR21lRVFJMUdpcFNaQWdNQkFBR2pUakJNTUJNR0ExVWRK
    UVFNTUFvR0NDc0dBUVVGQndNQ01Ba0dBMVVkRXdRQ01BQXdDd1lEVlIwUEJB
    UURBZ2VBTUIwR0ExVWREZ1FXQkJRdXVuVisybVRCR0JRRmk0QVpwbHJhUWVp
    aU56QU5CZ2txaGtpRzl3MEJBUVVGQUFPQ0FRRUFuWWFqR0QvYUNlVHpyRXB1
    V1h3Q0pnSDZPOXpBcEdySmM5S1RJMTU5b3dPbjBXYnA2RldDVFRoT3lVUVNk
    QlZ1ZlB0Z0s5UVNJRHppN0hxdklLTGF1akIra1lUeFAyWnU3aGFpR1ovNWlV
    NFA4clZsUk5Ld1ZqYTdxQ1VYNE1nS0dZT0ZmUStlY2NrWDh6bkJEZ0MwdFRP
    KzJoY0tpb21Qdy9MbFVNSnVwRDdzSUN1LzFUT0NXcDBUcldkajBZM0hONUxT
    aDAyd2llS2ZiTDhQeVVIZFExRFRqalcyZWxrNCtrL3pkTWRLMnE2T1V0QlIv
    aGx5ckxFQzlka2Jud2hzZ2dvZDc1RjFDUEMvTXRjNXlkbE5hMENBQkduemZM
    TlRXOURTNFh0WGE3K21LbHJuWTd2dXJZLy9PKzVoZWdLc3FxRkZ4aklWTzM3
    YmdLM0VhN21MV0E9PSIgLz4KICAgICAgICAgICAgICA8L2NoYXJhY3Rlcmlz
    dGljPgogICAgICAgICAgICAgIDxjaGFyYWN0ZXJpc3RpYyB0eXBlPSJQcml2
    YXRlS2V5Q29udGFpbmVyIiAvPgogICAgICAgICAgICA8L2NoYXJhY3Rlcmlz
    dGljPgogICAgICAgICAgICA8Y2hhcmFjdGVyaXN0aWMgdHlwZT0iV1NURVAi
    PgogICAgICAgICAgICAgIDxjaGFyYWN0ZXJpc3RpYyB0eXBlPSJSZW5ldyI+
    CiAgICAgICAgICAgICAgICA8cGFybSBuYW1lPSJST0JPU3VwcG9ydCIgdmFs
    dWU9InRydWUiIGRhdGF0eXBlPSJib29sZWFuIiAvPgogICAgICAgICAgICAg
    ICAgPHBhcm0gbmFtZT0iUmVuZXdQZXJpb2QiIHZhbHVlPSI2MCIgZGF0YXR5
    cGU9ImludGVnZXIiIC8+CiAgICAgICAgICAgICAgICA8cGFybSBuYW1lPSJS
    ZXRyeUludGVydmFsIiB2YWx1ZT0iNCIgZGF0YXR5cGU9ImludGVnZXIiIC8+
    CiAgICAgICAgICAgICAgPC9jaGFyYWN0ZXJpc3RpYz4KICAgICAgICAgICAg
    PC9jaGFyYWN0ZXJpc3RpYz4KICAgICAgICAgIDwvY2hhcmFjdGVyaXN0aWM+
    CiAgICAgICAgPC9jaGFyYWN0ZXJpc3RpYz4KICAgICAgICA8Y2hhcmFjdGVy
    aXN0aWMgdHlwZT0iQVBQTElDQVRJT04iPgogICAgICAgICAgPHBhcm0gbmFt
    ZT0iQVBQSUQiIHZhbHVlPSJ3NyIgLz4KICAgICAgICAgIDxwYXJtIG5hbWU9
    IlBST1ZJREVSLUlEIiB2YWx1ZT0iTW9iaUxvY2tNZG1TZXJ2ZXIiIC8+CiAg
    ICAgICAgICA8cGFybSBuYW1lPSJOQU1FIiB2YWx1ZT0iTW9iaUxvY2sgUHJv
    IiAvPgogICAgICAgICAgPHBhcm0gbmFtZT0iQUREUiIgdmFsdWU9Imh0dHBz
    Oi8vMjcwZDQwZTEubmdyb2suaW8vYXBpL3YxL3dpbmRvd3MvZW5yb2xsbWVu
    dC9tZG1fY29uZmlnIiAvPgogICAgICAgICAgPHBhcm0gbmFtZT0iQ09OTlJF
    VFJZRlJFUSIgdmFsdWU9IjYiIC8+CiAgICAgICAgICA8cGFybSBuYW1lPSJJ
    TklUSUFMQkFDS09GRlRJTUUiIHZhbHVlPSIzMDAwMCIgLz4KICAgICAgICAg
    IDxwYXJtIG5hbWU9Ik1BWEJBQ0tPRkZUSU1FIiB2YWx1ZT0iMTIwMDAwIiAv
    PgogICAgICAgICAgPHBhcm0gbmFtZT0iQkFDS0NPTVBBVFJFVFJZRElTQUJM
    RUQiIC8+CiAgICAgICAgICA8cGFybSBuYW1lPSJERUZBVUxURU5DT0RJTkci
    IHZhbHVlPSJhcHBsaWNhdGlvbi92bmQuc3luY21sLmRtK3htbCIgLz4KICAg
    ICAgICAgIDxjaGFyYWN0ZXJpc3RpYyB0eXBlPSJBUFBBVVRIIj4KICAgICAg
    ICAgICAgPHBhcm0gbmFtZT0iQUFVVEhMRVZFTCIgdmFsdWU9IkNMSUVOVCIg
    Lz4KICAgICAgICAgICAgPHBhcm0gbmFtZT0iQUFVVEhUWVBFIiB2YWx1ZT0i
    RElHRVNUIiAvPgogICAgICAgICAgICA8cGFybSBuYW1lPSJBQVVUSFNFQ1JF
    VCIgdmFsdWU9InBhc3N3b3JkMSIgLz4KICAgICAgICAgICAgPHBhcm0gbmFt
    ZT0iQUFVVEhEQVRBIiB2YWx1ZT0iV1daQmxUTWZnbEJHVG5ySDE1T2htQT09
    IiAvPgogICAgICAgICAgPC9jaGFyYWN0ZXJpc3RpYz4KICAgICAgICAgIDxj
    aGFyYWN0ZXJpc3RpYyB0eXBlPSJBUFBBVVRIIj4KICAgICAgICAgICAgPHBh
    cm0gbmFtZT0iQUFVVEhMRVZFTCIgdmFsdWU9IkFQUFNSViIgLz4KICAgICAg
    ICAgICAgPHBhcm0gbmFtZT0iQUFVVEhUWVBFIiB2YWx1ZT0iQkFTSUMiIC8+
    CiAgICAgICAgICAgIDxwYXJtIG5hbWU9IkFBVVRITkFNRSIgdmFsdWU9InRl
    c3RjbGllbnQiIC8+CiAgICAgICAgICAgIDxwYXJtIG5hbWU9IkFBVVRIU0VD
    UkVUIiB2YWx1ZT0icGFzc3dvcmQyIiAvPgogICAgICAgICAgPC9jaGFyYWN0
    ZXJpc3RpYz4KICAgICAgICA8L2NoYXJhY3RlcmlzdGljPgogICAgICAgIDxj
    aGFyYWN0ZXJpc3RpYyB0eXBlPSJETUNsaWVudCI+CiAgICAgICAgICA8Y2hh
    cmFjdGVyaXN0aWMgdHlwZT0iUHJvdmlkZXIiPgogICAgICAgICAgICA8Y2hh
    cmFjdGVyaXN0aWMgdHlwZT0iTW9iaUxvY2tNZG1TZXJ2ZXIiPgogICAgICAg
    ICAgICAgIDxwYXJtIG5hbWU9IkVudERldmljZU5hbWUiIHZhbHVlPSJNTFAt
    TWFuYWdlZC1MYXB0b3AiIGRhdGF0eXBlPSJzdHJpbmciIC8+CiAgICAgICAg
    ICAgICAgPGNoYXJhY3RlcmlzdGljIHR5cGU9IlBvbGwiPgogICAgICAgICAg
    ICAgICAgPHBhcm0gbmFtZT0iSW50ZXJ2YWxGb3JGaXJzdFNldE9mUmV0cmll
    cyIgdmFsdWU9IjE1IiBkYXRhdHlwZT0iaW50ZWdlciIgLz4KICAgICAgICAg
    ICAgICAgIDxwYXJtIG5hbWU9Ik51bWJlck9mRmlyc3RSZXRyaWVzIiB2YWx1
    ZT0iOCIgZGF0YXR5cGU9ImludGVnZXIiIC8+CiAgICAgICAgICAgICAgICA8
    cGFybSBuYW1lPSJJbnRlcnZhbEZvclNlY29uZFNldE9mUmV0cmllcyIgdmFs
    dWU9IjMiIGRhdGF0eXBlPSJpbnRlZ2VyIiAvPgogICAgICAgICAgICAgICAg
    PHBhcm0gbmFtZT0iTnVtYmVyT2ZTZWNvbmRSZXRyaWVzIiB2YWx1ZT0iNSIg
    ZGF0YXR5cGU9ImludGVnZXIiIC8+CiAgICAgICAgICAgICAgICA8cGFybSBu
    YW1lPSJJbnRlcnZhbEZvclJlbWFpbmluZ1NjaGVkdWxlZFJldHJpZXMiIHZh
    bHVlPSIxMCIgZGF0YXR5cGU9ImludGVnZXIiIC8+CiAgICAgICAgICAgICAg
    ICA8cGFybSBuYW1lPSJOdW1iZXJPZlJlbWFpbmluZ1NjaGVkdWxlZFJldHJp
    ZXMiIHZhbHVlPSIwIiBkYXRhdHlwZT0iaW50ZWdlciIgLz4KICAgICAgICAg
    ICAgICAgIDxwYXJtIG5hbWU9IlBvbGxPbkxvZ2luIiB2YWx1ZT0idHJ1ZSIg
    ZGF0YXR5cGU9ImJvb2xlYW4iIC8+CiAgICAgICAgICAgICAgICA8cGFybSBu
    YW1lPSJBbGxVc2Vyc1BvbGxPbkZpcnN0TG9naW4iIHZhbHVlPSJ0cnVlIiBk
    YXRhdHlwZT0iYm9vbGVhbiIgLz4KICAgICAgICAgICAgICA8L2NoYXJhY3Rl
    cmlzdGljPgogICAgICAgICAgICA8L2NoYXJhY3RlcmlzdGljPgogICAgICAg
    ICAgPC9jaGFyYWN0ZXJpc3RpYz4KICAgICAgICA8L2NoYXJhY3RlcmlzdGlj
    PgogICAgICA8L3dhcC1wcm92aXNpb25pbmdkb2M+</BinarySecurityToken>
                    </RequestedSecurityToken>
                    <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
                </RequestSecurityTokenResponse>
            </RequestSecurityTokenResponseCollection>
        </soap:Body>
    </soap:Envelope>

    3. WAP provisioning XML returned in the response (Base64-decoded)

    <!-- Provisioning document delivered to the device at the end of enrollment. It carries a root
         certificate, the client certificate, certificate renewal settings, the DM server account
         (APPLICATION) and the DM client polling schedule (DMClient). -->
    <wap-provisioningdoc version="1.1">
        <characteristic type="CertificateStore">
            <characteristic type="Root">
                <characteristic type="System">
                    <!-- Root > System: the trust anchor, which the post reports is installed.
                         NOTE(review): the node name is expected to be the SHA-1 thumbprint of the
                         EncodedCertificate below; verify that it matches.
                         NOTE(review): the Base64 prefix MIIDEjCCAfqgAwIBAQ decodes to DER bytes
                         30 82 03 12 30 82 01 fa a0 03 02 01 01, i.e. version INTEGER 1 (X.509 v2),
                         yet the certificate carries an extensions block, which is only defined
                         for v3 (version INTEGER 2). The subject CN decodes to mobilock.in.
                         Confirm with a certificate viewer. -->
                    <characteristic type="1c3307e6a9e80113f6c647a9c6eb393a57b90617">
                        <parm name="EncodedCertificate" value="MIIDEjCCAfqgAwIBAQIJUwWRjnyJLAheMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNVBAMMC21vYmlsb2NrLmluMB4XDTE4MDcxMzExMjMzNloXDTM4MDcxMzExMjMzNlowFjEUMBIGA1UEAwwLbW9iaWxvY2suaW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEsnEuSUr4TRvCTb0ZjS3pqmlU7yAYTqp2qWVn+aMoljPE3sD0x3msLSuAuyuq89y+V1tEF1P1Aifwvw7RtbJvr4Rwc+p+WLOgjjDG//yqCnZJO2C36cN9X0kowfmP84Zzgq/jjWyUo9Icoj+XmQFZbpczz8h/AuWGNy30yZbeIws3L72YxlQrcQCLXnOCOr3wrOBkARNSeYahSxu9dkzQWv76E53T9wixgJ0+4G4cIgWG0QmBQ/35B0fLtdT9JZO30fyI0AmC0sfjGAnUNyph8uIrIwehYH3FjXWUjhLoCvNOxE/Grzsuvm0I/MW342eA3mqOv2kQJVb3c01DQjlzAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBS4w9thfm1pQXPv1TTXSYncLze41DAfBgNVHSMEGDAWgBS4w9thfm1pQXPv1TTXSYncLze41DANBgkqhkiG9w0BAQsFAAOCAQEAJH46McBwdfAXR2SjVEkhouADMvK0AYzpZdpXd/dIpY40gaxO/iatZ6BQv/57sbe/JamJzdp4FZ8/lYv4WEfmHrUn7UA/ogppZjDqF04Ci5IEWqhqofZV9MS731rwM88b5dZY/AobLtAwx0Io4AHiaaUznc/sjisR+8AS6y2d4BdCYO/zKoZXOjjYLeuaILLFreCcfQ3YXRCtQe9Q269Dgon2Hl+W2uflgsfd3XBS/qojX6EIBvX3tIZKaCReHw7dWN4zg5kV6bydvJXU597d0gaeXwZPXMB2W4VydiAGMRV+SNbWerKrb9QaSGzgy2enFas18PULXQZyIFmNE7TNNg==" />
                    </characteristic>
                </characteristic>
            </characteristic>
        </characteristic>
        <characteristic type="CertificateStore">
            <characteristic type="My">
                <characteristic type="User">
                    <!-- My > User: the client authentication certificate that the post reports is
                         never installed. The value is elided in this listing; the same parm inside
                         the Base64 server response on this page can be decoded instead.
                         NOTE(review): that copy begins MIIDGDCCAgCgAwIBAQ, so it also declares
                         version INTEGER 1 while carrying extensions; its signature algorithm OID
                         decodes to sha1WithRSAEncryption; and its issuer CN decodes to
                         mdm.mobilock.in, which is not the subject of the root provisioned above
                         (mobilock.in). Each of these is a plausible reason for the client to
                         reject the certificate; confirm by decoding it and checking that it
                         chains to the provisioned root. -->
                    <characteristic type="943337d12e0fe76dc64d28a091a0e556147b9b34">
                        <parm name="EncodedCertificate" value="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" />
                    </characteristic>
                    <!-- Empty container: no private key is sent by the server. The CSR in the
                         request was generated on the device, so the key presumably stays there. -->
                    <characteristic type="PrivateKeyContainer" />
                </characteristic>
                <!-- Certificate renewal settings. -->
                <characteristic type="WSTEP">
                    <characteristic type="Renew">
                        <parm name="ROBOSupport" value="true" datatype="boolean" />
                        <parm name="RenewPeriod" value="60" datatype="integer" />
                        <parm name="RetryInterval" value="4" datatype="integer" />
                    </characteristic>
                </characteristic>
            </characteristic>
        </characteristic>
        <!-- DM server account used for management sessions after enrollment.
             NOTE(review): the post says the CN and SSLCLIENTSEARCHCRITERIA match, but no such
             parm appears in this block; confirm whether it was left out of the paste.
             NOTE(review): ADDR points at an ngrok tunnel, presumably a development endpoint. -->
        <characteristic type="APPLICATION">
            <parm name="APPID" value="w7" />
            <parm name="PROVIDER-ID" value="TestMDMServer" />
            <parm name="NAME" value="Test" />
            <parm name="ADDR" value="https://270d40e1.ngrok.io/api/v1/windows/enrollment/mdm_config" />
            <parm name="CONNRETRYFREQ" value="6" />
            <parm name="INITIALBACKOFFTIME" value="30000" />
            <parm name="MAXBACKOFFTIME" value="120000" />
            <parm name="BACKCOMPATRETRYDISABLED" />
            <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
            <!-- NOTE(review): AAUTHSECRET values in both APPAUTH blocks are plain-text shared
                 secrets, and password1 / password2 look like test values. A production server
                 should issue unpredictable per-device secrets, and any secret that has appeared
                 in a public post should be treated as exposed and replaced. -->
            <characteristic type="APPAUTH">
                <parm name="AAUTHLEVEL" value="CLIENT" />
                <parm name="AAUTHTYPE" value="DIGEST" />
                <parm name="AAUTHSECRET" value="password1" />
                <parm name="AAUTHDATA" value="WWZBlTMfglBGTnrH15OhmA==" />
            </characteristic>
            <characteristic type="APPAUTH">
                <parm name="AAUTHLEVEL" value="APPSRV" />
                <parm name="AAUTHTYPE" value="BASIC" />
                <parm name="AAUTHNAME" value="testclient" />
                <parm name="AAUTHSECRET" value="password2" />
            </characteristic>
        </characteristic>
        <!-- DM client settings for this provider; the Provider node name repeats the PROVIDER-ID
             value from the APPLICATION block. Poll holds the retry and polling schedule. -->
        <characteristic type="DMClient">
            <characteristic type="Provider">
                <characteristic type="TestMDMServer">
                    <parm name="EntDeviceName" value="MLP-Managed-Laptop" datatype="string" />
                    <characteristic type="Poll">
                        <parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
                        <parm name="NumberOfFirstRetries" value="8" datatype="integer" />
                        <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
                        <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
                        <parm name="IntervalForRemainingScheduledRetries" value="10" datatype="integer" />
                        <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
                        <parm name="PollOnLogin" value="true" datatype="boolean" />
                        <parm name="AllUsersPollOnFirstLogin" value="true" datatype="boolean" />
                    </characteristic>
                </characteristic>
            </characteristic>
        </characteristic>
    </wap-provisioningdoc>

    The certificate response is always parsed successfully. The failure occurs after that step.

    Thank you

    Friday, July 13, 2018 1:36 PM