Windows Phone 8.1 MDM Implementation : Certificate enrollment issue

  • Question

  • I am working on Windows Phone enrollment. Currently stuck at certificate enrollment. I am using Java for this.

    I am getting the error below in the logs:

    5, , , , 56, Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Function NCryptOpenKey failed with result (0x80090016). , 2, 1480, NCryptOpenKey, 0x80090016, , , 1, 1.798817395
    16, , , , 113, Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Soap Request Message: <s:envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
        <s:header>
            <a:action s:mustunderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/rst/wstep</a:action>
            <a:messageid>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:messageid>
            <a:replyto>
                <a:address>http://www.w3.org/2005/08/addressing/anonymous</a:address>
            </a:replyto>
            <a:to s:mustunderstand="1">http://10.10.25.151:8080/ws/api/wp/enrollservice</a:to>
             , 3, 1480, <s:envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
        <s:header>
            <a:action s:mustunderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/rst/wstep</a:action>
            <a:messageid>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:messageid>
            <a:replyto>
                <a:address>http://www.w3.org/2005/08/addressing/anonymous</a:address>
            </a:replyto>
            <a:to s:mustunderstand="1">http://10.10.25.151:8080/ws/api/wp/enrollservice</a:to>
            , , , , 1, 3.952185989
    17, , , , 5, Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Data transmission attempt (1) failed with (2147942487). , 3, 1480, 1, 2147942487, , , 1, 4.278878750
    18, , , , 72, Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Error HRESULT: 0x80070057 , 2, 1480, 0x80070057, , , , 1, 4.305893333

    From error code value 0x80070057, it seems that some value is wrong in response that I am sending to device. But, not able to identify it.

    Can you please have a look over the provisioning xml given below and provide some solution for above error?

    Also, can you please guide me for how to process the PKCS#10 certificate request got from device and send proper certificate enrollment response to device?

    Thanks in advance..

    Provisioning XML:

    <wap-provisioningdoc version="1.1">
      <characteristic type="CertificateStore">
        <characteristic type="Root">
          <characteristic type="System">
            <characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
              <parm name="EncodedCertificate" value="Base64 Encoded self signed certificate" />
            </characteristic>
          </characteristic>
        </characteristic>
        <characteristic type="My">
          <characteristic type="User">
            <characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
              <parm name="EncodedCertificate" value="Base64 Encoded client certificate generated on the fly" />
            </characteristic>
            <characteristic type="PrivateKeyContainer" />
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="APPLICATION">
        <parm name="APPID" value="w7" />
        <parm name="PROVIDER-ID" value="MDMServer" />
        <parm name="NAME" value="Test" />
        <parm name="ADDR" value="http://localhost:8080/ws/api/wp/synchML" />
        <parm name="CONNRETRYFREQ" value="6" />
        <parm name="INITIALBACKOFFTIME" value="30000" />
        <parm name="MAXBACKOFFTIME" value="120000" />
        <parm name="BACKCOMPATRETRYDISABLED" />
        <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
        <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=MDMLocalClientCert&amp;Stores=MY%5CUser" />
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="CLIENT" />
          <parm name="AAUTHTYPE" value="DIGEST" />
          <parm name="AAUTHSECRET" value="dummy" />
          <parm name="AAUTHDATA" value="nonce" />
        </characteristic>
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="APPSRV" />
          <parm name="AAUTHTYPE" value="DIGEST" />
          <parm name="AAUTHNAME" value="dummy" />
          <parm name="AAUTHSECRET" value="dummy" />
          <parm name="AAUTHDATA" value="nonce" />
        </characteristic>
      </characteristic>
      <characteristic type="DMClient">
        <characteristic type="Provider">
          <characteristic type="MDMServer">
            <characteristic type="Poll">
              <parm name="NumberOfFirstRetries" value="8" datatype="integer" />
              <parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
              <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
              <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
              <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
              <parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
            </characteristic>
            <parm name="EntDeviceName" value="WP8Device" datatype="string" />
          </characteristic>
        </characteristic>
      </characteristic>
    </wap-provisioningdoc>
    Thursday, August 28, 2014 4:54 AM

All replies

  • I am also facing a similar issue in Windows Phone 8.1 MDM enrollment.

    Logs:

    86, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, HttpSendRequest failed with (2147954407). , 1, 4020, 2147954407, , , , 1, 4.616982083
    87, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, HttpSendRequest failed with (2147954407). , 1, 4020, 2147954407, , , , 1, 4.616993229
    88, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, HttpSendRequest failed with (2147954407). , 1, 4020, 2147954407, , , , 1, 12.158854166
    89, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, HttpSendRequest failed with (2147954407). , 1, 4020, 2147954407, , , , 1, 12.158864322
    90, , , , 72, Unknown, , , , , , , , , 4,
    91, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Error HRESULT: 0x80072EE7 , 0, 4020, 0x80072EE7, , , , 1, 4.643467083
    92, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Error HRESULT: 0x80072EE7 , 0, 4020, 0x80072EE7, , , , 1, 12.168432343
    93, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Error HRESULT: 0x8018000E , 0, 4020, 0x8018000E, , , , 1, 28.434419635
    94, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Error HRESULT: 0x80070057 , 1, 4020, 0x80070057, , , , 1, 47.768846145
    95, , , , 5, Unknown, , , , , , , , , 3,
    96, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Data transmission attempt (1) failed with (2147954407). , 1, 4020, 1, 2147954407, , , 1, 4.617317135
    97, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Data transmission attempt (1) failed with (2147954407). , 1, 4020, 1, 2147954407, , , 1, 12.159049635
    98, , , , , , Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Data transmission attempt (1) failed with (2147942487). , 0, 4020, 1, 2147942487, , , 1, 

    Can anybody help on this?

    Thursday, August 28, 2014 1:46 PM
  • Seeing the exact same issue, with both of the following:

    • NCryptOpenKey failed with result (0x80090016)
    • Data transmission attempt(1) failed with (2147954407)
    Tuesday, September 2, 2014 9:39 PM
  • You appear to be using 'localhost' and IP addresses in your server URLs; you should be using fully qualified (DNS-resolvable) host names.

    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Wednesday, September 3, 2014 2:15 PM
  • Hi Eric,

    I am using an IP address in the ADDR field of the provisioning XML. I do not have a server with a DNS-resolvable domain name for my development. Is it mandatory to give a domain name in the ADDR field?

    I tried giving the domain name of a server where the web service to cater to the synchML request is not present (just to try out the domain name suggestion you gave), but the device is not sending any request other than CONNECT to that server.

    Regards,

    Ganesh Shinde

    Wednesday, September 10, 2014 5:36 AM
  • In the provisioning XML, in the tag below for the Root and User certificates, the value should be the thumbprint of the certificate. I was using an incorrect hard-coded value there, which I think was causing the issue.

    <characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">

    Also updated the tag structure that holds the user certificate, as below:

    <characteristic type="My">
      <characteristic type="User">
        <characteristic type="UserCertHashValue">
          <parm name="EncodedCertificate" value="Base64EncodedUserCertValue" />
          <characteristic type="PrivateKeyContainer">
            <parm name="KeySpec" value="2" />
            <parm name="ContainerName" value="ConfigMgrEnrollment" />
            <parm name="ProviderType" value="1" />
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="WSTEP">
        <characteristic type="Renew">
          <parm name="ROBOSupport" value="true" datatype="boolean" />
          <parm name="RenewPeriod" value="42" datatype="integer" />
          <parm name="RetryInterval" value="7" datatype="integer" />
        </characteristic>
      </characteristic>
    </characteristic>

    Regards,

    Ganesh Shinde

    • Proposed as answer by Ganesh14Shinde Tuesday, October 14, 2014 8:33 AM
    Tuesday, October 14, 2014 8:32 AM
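    The two fixes that resolved this thread (the leaf characteristic under Root/System and My/User must be named after the certificate's thumbprint, and ADDR must carry a DNS-resolvable host rather than localhost or an IP) are easy to get wrong by hand. The following is an added example, not code from any poster, showing one way to generate that part of the provisioning document from the certificate bytes and to lint a document before it is sent to the device. It assumes a Windows-style thumbprint (SHA-1 over the DER encoding, upper-case hex) and uses constructed placeholder bytes instead of real certificates; the `build_*` and `lint_provisioning_doc` function names are this example's own.

```python
import base64
import hashlib
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed stand-ins for DER-encoded certificate bytes; not real certificates.
FAKE_ROOT_DER = b"constructed-root-ca-der-bytes"
FAKE_USER_DER = b"constructed-user-client-cert-der-bytes"

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def thumbprint(der: bytes) -> str:
    """Windows-style thumbprint: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def cert_characteristic(der: bytes, with_private_key: bool) -> ET.Element:
    """Leaf <characteristic type="THUMBPRINT"> holding the base64 certificate."""
    leaf = ET.Element("characteristic", type=thumbprint(der))
    ET.SubElement(leaf, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    if with_private_key:
        # PrivateKeyContainer values as shown in the accepted fix above.
        pkc = ET.SubElement(leaf, "characteristic", type="PrivateKeyContainer")
        ET.SubElement(pkc, "parm", name="KeySpec", value="2")
        ET.SubElement(pkc, "parm", name="ContainerName", value="ConfigMgrEnrollment")
        ET.SubElement(pkc, "parm", name="ProviderType", value="1")
    return leaf


def build_provisioning_doc(root_der: bytes, user_der: bytes, addr: str) -> str:
    """Minimal wap-provisioningdoc with CertificateStore and APPLICATION/ADDR."""
    doc = ET.Element("wap-provisioningdoc", version="1.1")
    store = ET.SubElement(doc, "characteristic", type="CertificateStore")
    system = ET.SubElement(ET.SubElement(store, "characteristic", type="Root"),
                           "characteristic", type="System")
    system.append(cert_characteristic(root_der, with_private_key=False))
    user = ET.SubElement(ET.SubElement(store, "characteristic", type="My"),
                         "characteristic", type="User")
    user.append(cert_characteristic(user_der, with_private_key=True))
    app = ET.SubElement(doc, "characteristic", type="APPLICATION")
    ET.SubElement(app, "parm", name="APPID", value="w7")
    ET.SubElement(app, "parm", name="PROVIDER-ID", value="MDMServer")
    ET.SubElement(app, "parm", name="ADDR", value=addr)
    return ET.tostring(doc, encoding="unicode")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_provisioning_doc(xml_text: str) -> list:
    """Return a list of problems found; an empty list means all checks passed."""
    try:
        doc = ET.fromstring(xml_text)  # catches stray characters such as a trailing '">'
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    # Every characteristic that directly carries EncodedCertificate must be
    # named after the SHA-1 thumbprint of that certificate.
    for leaf in doc.iter("characteristic"):
        parm = leaf.find("parm[@name='EncodedCertificate']")
        if parm is None:
            continue
        name = leaf.get("type", "")
        if not HEX40.match(name):
            problems.append(f"type {name!r} is not a 40-hex-digit thumbprint")
            continue
        try:
            der = base64.b64decode(parm.get("value", ""), validate=True)
        except ValueError:
            problems.append(f"{name}: EncodedCertificate is not valid base64")
            continue
        if thumbprint(der) != name:
            problems.append(f"{name}: does not match certificate thumbprint {thumbprint(der)}")
    # ADDR must point at a DNS-resolvable host, not localhost or an IP literal.
    for parm in doc.iter("parm"):
        if parm.get("name") == "ADDR":
            host = urlparse(parm.get("value", "")).hostname or ""
            if host == "localhost" or _is_ip_literal(host):
                problems.append(f"ADDR host {host!r} is not a fully qualified DNS name")
    return problems


if __name__ == "__main__":
    good = build_provisioning_doc(FAKE_ROOT_DER, FAKE_USER_DER,
                                  "https://mdm.example.com/ws/api/wp/synchML")
    print(lint_provisioning_doc(good))  # expect []
```

    Running the linter over the original provisioning XML from the question flags exactly the three things the thread settled on: the trailing `">` makes the document non-well-formed, the hard-coded `type` values do not match the thumbprint of the base64 payload, and the `localhost` ADDR is not a resolvable host.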