Workplace Join errors - ADFS and device registration...

  • Question

  • On the client I get:

    Workplace Join operation failed. Activity Id: 74d3e342-b4bf-49c2-a7d5-af802ca31f69
    Exit code: 0x80180008
    Error Message: Unknown error.
    Registration Service URI: https://sts.{removed}/EnrollmentServer/DeviceEnrollmentWebService.svc


    On the server I get:

    The following exception occured while enrolling a device.

    Additional information
    Error: System.ServiceModel.FaultException`1[Microsoft.DeviceRegistration.WindowsDeviceEnrollmentServiceError]:
    WindowsEnrollmentServiceError (Fault Detail is equal to Microsoft.DeviceRegistration.WindowsDeviceEnrollmentServiceError)..

    and

    The Device Registration Service could not authenticate the caller.

    Additional information
    Failure Type: AuthenticationError.
    Failure Reason: Invalid JWT token..

    I followed all of the walk-throughs...and service discovery is working. ADFS is working and authenticating users.
    Even when I try to do the workplace join, I get the messages above, but the user also has a successful logon event in the event log.

    When I look through the trace logs for ADFS and DRS there are no errors. In fact, it looks like it's all working.

    Help!

    Monday, December 30, 2013 1:17 AM

Answers

  • After building a new lab where everything functions as advertised I think I have found the cause of the error.

    I was using a wildcard certificate in my first setup. It had *.domain.com in both the subject and subject alternative name. I assumed that this would work when they say in the instructions that you should have enterpriseregistration.domain.com in the subject alternative name as well as a duplicate of the subject.

    Not so.

    So to be clear, the setup procedure will check that you have a valid certificate for the URL enterpriseregistration.domain.com when you enable the DRS. A wildcard certificate is valid, but workplace join REQUIRES that the subject alternative name contain the "enterpriseregistration" entry. If it's not there it will not issue a JWT token during workplace join. Oddly, browsing directly to the "otaprofile" endpoint in the DRS relying party entry works. I was able to enroll iOS devices by using the endpoint URL directly.

    In short, even if you are using a wildcard certificate it still needs to look like this:

    subject: *.domain.com

    subject alternative name : *.domain.com

    subject alternative name : enterpriseregistration.domain.com

    • Marked as answer by Joshua Toon Thursday, January 2, 2014 11:46 PM
    Thursday, January 2, 2014 11:46 PM
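    A quick way to verify the point made in this answer on the ADFS server itself, as an added example that is not part of the original thread: pull the thumbprint bound to the ADFS SSL endpoint, read the certificate's Subject Alternative Name extension, and confirm an explicit enterpriseregistration.<upn-suffix> entry is present for every device registration UPN suffix. It assumes the Windows Server 2012 R2 Adfs module cmdlets Get-AdfsSslCertificate and Get-AdfsDeviceRegistrationUpnSuffix and that the SSL certificate lives in the LocalMachine\My store.

```powershell
# Added example: check the ADFS SSL certificate for the SAN entry that
# Workplace Join requires. A wildcard SAN alone is not accepted by DRS.

# Thumbprint bound to the ADFS SSL endpoint (first binding is enough here).
$binding = Get-AdfsSslCertificate | Select-Object -First 1
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $binding.CertificateHash }
if (-not $cert) { throw "SSL certificate $($binding.CertificateHash) not found in LocalMachine\My" }

# Extract every DNS name from the Subject Alternative Name extension.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanNames = @()
if ($sanExt) {
    $sanNames = [regex]::Matches($sanExt.Format($true), 'DNS Name=([^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}
Write-Host "Subject : $($cert.Subject)"
Write-Host "SAN     : $($sanNames -join ', ')"

# DRS needs an exact SAN entry per registered UPN suffix; wildcard coverage does not count.
$missing = @()
foreach ($suffix in Get-AdfsDeviceRegistrationUpnSuffix) {
    $required = "enterpriseregistration.$suffix".ToLowerInvariant()
    if ($sanNames -contains $required) {
        Write-Host "OK      : $required is present in SAN"
    } else {
        $wildcard = $sanNames | Where-Object { $_ -like '`*.*' -and $required -like $_ }
        if ($wildcard) {
            Write-Warning "$required is only covered by wildcard '$wildcard'; Workplace Join will fail with 'Invalid JWT token'"
        } else {
            Write-Warning "$required is absent from SAN"
        }
        $missing += $required
    }
}
if ($missing.Count -eq 0) { Write-Host 'Certificate satisfies the Workplace Join SAN requirement.' }
```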

All replies

  • Well,

    I have turned on all of the logging available in the device registration services config file. It looks like there is indeed an error when trying to workplace join a windows client. Here is the exception that is thrown:

    <Message>WindowsEnrollmentServiceError</Message>
    <StackTrace>
    at Microsoft.DeviceRegistration.WindowsDeviceEnrollmentService.AuthenticateCallerWithRetryHelper(Object messageRequest)
    at Microsoft.DeviceRegistration.WindowsDeviceEnrollmentService.RequestSecurityToken(Message messageRequest)
    at SyncInvokeRequestSecurityToken(Object , Object[] , Object[] )
    at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
    at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage31(MessageRpc& rpc)
    at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
    </StackTrace>

    The thing is that I am able to register iOS clients successfully. I took a trace of both attempts. It shows the iOS client successfully enrolling and the Windows device failing on the method "RequestSecurityToken".

    Right before this it looks like the service sends the client some OAuth endpoints. Right after that it fails with an "Invalid JWT token" message.

    Wednesday, January 1, 2014 12:19 PM