MDM Enroll: Failed to receive or parse certificate enroll response.

  • Question

  • I am working on developing an MDM server to work with the OMA-DM protocol. I am currently not able to make it past the step of enrolling Windows 10 with the security token response. Is there any way to get a detailed log of why my security token response is failing? All I can see is the following error inside the Event Viewer: MDM Enroll: Failed to receive or parse certificate enroll response. Any help would be greatly appreciated.

    This is my security token response:

    <?xml version="1.0" ?>
    <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep</Action>
            <a:RelatesTo>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:RelatesTo>
            <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <u:Timestamp u:Id="_0">
                    <u:Created>2018-06-08T10:23:55.125153</u:Created>
                    <u:Expires>2018-06-13T10:23:55.125169</u:Expires>
                </u:Timestamp>
            </o:Security>
        </s:Header>
        <s:Body>
            <RequestSecurityTokenResponseCollection xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">
                <RequestSecurityTokenResponse>
                    <TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType>
                    <DispositionMessage/>
                    <RequestedSecurityToken>
                        <BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                            #encoding#
                        </BinarySecurityToken>
                    </RequestedSecurityToken>
                    <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
                </RequestSecurityTokenResponse>
            </RequestSecurityTokenResponseCollection>
        </s:Body>
    </s:Envelope>

    This is my wap token response:

    <wap-provisioningdoc version="1.1">
        <characteristic type="CertificateStore">
            <characteristic type="Root">
                <characteristic type="System">
                    <characteristic type="60343C95EEE5FF72049F64C0AE9B6F8DB5CC5DBF">
                        <parm name="EncodedCertificate"
                              value="MIIDLjCCAhagAwIBAgIBATANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDExJTdGVlbCBUYWxvbiBNRE0gQ0EwHhcNMTcxMTE2MjIzODM2WhcNMTgxMTE2MjIzODM2WjAdMRswGQYDVQQDExJTdGVlbCBUYWxvbiBNRE0gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCu8qzdCArpAFqoKXQY3iQCH9hC9mqxb3ZSk46xXiJzU7JsQ7O8KDyTpZRWA80VPyiFAXKOFwNaODnmGl3ZLvLhkBMJrL3jZtN5Kb1BcKOtOnw7/ALRcvleSpqm2+O3bsnVV2U7v3l3z0cyIcIF5SoPGemDtLM/ZP38Xgj4PuIp0vQoSlEd2c+C3kUJocpJdVyeHdjOwjgeO+XHXkkDdgiAa3za/WMphIWA5AD6NvtyERoas+OZHSAdP+iwY061UquTwdzzkTOloEYhFZb3jCFBzb1G+8oNUcf5p2lbB99kaVVPfIWTfOzWpzjS2ke1jcLv5AY5rp13Md1Eiw44qiwZAgMBAAGjeTB3MB0GA1UdDgQWBBRpO6JX6ZSEj5bR2b9UtQP+Aoos2jBFBgNVHSMEPjA8gBRpO6JX6ZSEj5bR2b9UtQP+Aoos2qEhpB8wHTEbMBkGA1UEAxMSU3RlZWwgVGFsb24gTURNIENBggEBMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAAwqw6gAL47DfKNKeMkECm45xazx4Z9RN6GRTacPlJhEZt9utQ+1IrwdQCudbFeQEbDSUeuO6TLFb5i8t8DhQmEQR8HcWwfgYvW2FX+qa9Xy6tiInqMwQKfZro+XIwrruer09OTp6ZKGxR5DkY2y5cK5rF/kIoUKn1Vxt9qjh/fVdSxhiKqscgmUqjX6InlyGyekmEGqVGTS4rmm+IUqLm8HcS0GG/6fosYML/fieQRFwo6fSwaug89xxH3cOJ6vUuyZwoxgxfnaK0Q9NlDndOiWDwcFE7Ys4fU/pCzovOPlj3UBTKL5yaYnIoffTZi1rS5GoB2KasfmPGtBIGp93CA="/>
                    </characteristic>
                </characteristic>
            </characteristic>
        </characteristic>
        <characteristic type="CertificateStore">
            <characteristic type="My">
                <characteristic type="User">
                    <characteristic type="C0909B78700EBDA4C02A56209F53344B5FBAF6F6">
                        <parm name="EncodedCertificate"
                              value="MIIC2jCCAcKgAwIBAQIBAjANBgkqhkiG9w0BAQUFADAaMRgwFgYDVQQDDA8qLnNhZmVraWRkby5jb20wHhcNMTgwNjA4MTcyMzU1WhcNMTgwNjEzMTcyMzU1WjAdMRswGQYDVQQDDBJTdGVlbCBUYWxvbiBNRE0gQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC11ET9GCvLIM5iFWjZ4N6r9u+X4iwbJk85apLdihpTpgTbympO+mkMhv/qw55EDh7muz6CC7jGF2TMmNnErITzswrsU1j4zERFN+mnXa+FS+3rE1hObg5isNszN7q9Xp6UBjsJxYUgX+/Er2OfiYj8Tse8gksP9T1XAwqJGrfv/qscrGzJeiVCRDuK8zJFR5iWOca8XxUsKyi2Jl9Fszx6MBSJN5mgpWvOaeoeczUhClwxxXUJJcyoNWn1DtPQ+zkKbGs0UxgnlzsjA1nn174jrOoaq91I4g7973rAEyoCvLr7VqLZumNkE5BFe8Yd/OJ87FaMc0TZVTNBA8doTjV9AgMBAAGjKDAmMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADggEBAK7qJzy5udJMQnr8z1lXrcJGTl9ESsPGzFFC1QG3AE8RpF34rTPSMVkBVnE4ljtvprEZ6EHbBvhPYPwaw7Me+2lIacXyvgKTagbdwOyVzScsO2e70M2T/p8TkK1u5ctmJZRnw+PQh+cROgMj8xZ3DF1CzUjvpLHKi8CXlRiTWGQflmo96DG5fTTVxIr+XobYkFl6MvWaG7wOFwqMffH2OKke6pohSuDFPmPEQyTwEPpgxiViVcgUSTtyAjWTf0oLDv4glX5BRtPQBL5jLyBISUzdD7RTA+phxblHp2rDMoalXg+IrjgU38Z6e59jPXaKwQpa0m5OkkLJa7I6Hb+kB/k="/>
                        <characteristic type="PrivateKeyContainer"/>
                    </characteristic>
                </characteristic>
                <characteristic type="WSTEP">
                    <characteristic type="Renew">
                        <parm datatype="boolean" name="ROBOSupport" value="true"/>
                        <parm datatype="integer" name="RenewPeriod" value="4"/>
                        <parm datatype="integer" name="RetryInterval" value="1"/>
                    </characteristic>
                </characteristic>
            </characteristic>
        </characteristic>
        <characteristic type="APPLICATION">
            <parm name="APPID" value="w7"/>
            <parm name="PROVIDER-ID" value="MDMServer"/>
            <parm name="NAME" value="MDM"/>
            <parm name="ADDR" value="http://localhost/omadm/rs/syncml"/>
            <parm name="CONNRETRYFREQ" value="6"/>
            <parm name="INITIALBACKOFFTIME" value="30000"/>
            <parm name="MAXBACKOFFTIME" value="120000"/>
            <parm name="BACKCOMPATRETRYDISABLED"/>
            <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml"/>
            <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=MDM%20CA;Stores=My%5CUser"/>
            <characteristic type="APPAUTH">
                <parm name="AAUTHLEVEL" value="CLIENT"/>
                <parm name="AAUTHTYPE" value="DIGEST"/>
                <parm name="AAUTHSECRET" value="dummy"/>
                <parm name="AAUTHDATA" value="dummy"/>
            </characteristic>
            <characteristic type="APPAUTH">
                <parm name="AAUTHLEVEL" value="APPSRV"/>
                <parm name="AAUTHNAME" value="123456789"/>
                <parm name="AAUTHSECRET" value="dummy"/>
            </characteristic>
        </characteristic>
        <characteristic type="DMClient">
            <characteristic type="Provider">
                <characteristic type="MDMServer">
                    <characteristic type="Poll">
                        <parm datatype="integer" name="NumberOfFirstRetries" value="8"/>
                        <parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15"/>
                        <parm datatype="integer" name="NumberOfSecondRetries" value="5"/>
                        <parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3"/>
                        <parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0"/>
                        <parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560"/>
                        <parm datatype="boolean" name="PollOnLogin" value="true"/>
                    </characteristic>
                    <parm datatype="string" name="EntDeviceName" value="Administrator_Windows"/>
                </characteristic>
            </characteristic>
        </characteristic>
    </wap-provisioningdoc>




    • Edited by weys Friday, June 8, 2018 5:40 PM
    Friday, June 8, 2018 5:39 PM

All replies

  • Hello weys,

    Thank you for your question. One of our Protocols engineers will assist you. 

    Thanks,


    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Friday, June 8, 2018 8:12 PM
    Moderator
  • Hi weys,

    I will assist you with this question. I will research the issue, and let you know what I find.

    Thanks,


    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Friday, June 8, 2018 9:30 PM
    Moderator
  • Thank you Jeff.
    Friday, June 8, 2018 9:40 PM
  • Hi weys,

    There are a few differences I notice in your security token response from the example in [MS-MDE] section 4.3.2:

    1. Your Action tags are <Action> and </Action> instead of <a:Action> and </a:Action>
    2. You don't have "wst:" prepended to RequestSecurityTokenResponseCollection, RequestSecurityTokenResponse, RequestedSecurityToken, or TokenType.
    3. "wsse:" is not prepended to BinarySecurityToken.
    4. TokenType is not a child of RequestedSecurityToken
    5. The xmlns value for RequestedSecurityTokenResponseCollection is different than the sample.

    Could you check these items to see if any of them may be causing the error?

    Thanks,


    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Monday, June 18, 2018 9:17 PM
    Moderator
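Items 1, 2, 3 and 5 of the reply above are all namespace questions (to an XML parser a prefix such as wst: means nothing by itself; only the namespace it is bound to counts), so they can be checked mechanically before the device is asked to parse the response. The following lint is an added example, not code from the thread or from Microsoft: it parses an RSTR/wstep envelope and reports each named element that sits in the wrong namespace. It assumes the WS-Trust 1.3 namespace http://docs.oasis-open.org/ws-sx/ws-trust/200512 is the xmlns of the [MS-MDE] sample; the two embedded envelopes are constructed from the posted response and are not the poster's files.

```python
import xml.etree.ElementTree as ET

# Namespaces behind the a:, wst: and wsse: prefixes the reply names. NS_WST is the WS-Trust 1.3
# namespace; that it is the xmlns of the [MS-MDE] section 4.3.2 sample is an assumption.
NS_SOAP = "http://www.w3.org/2003/05/soap-envelope"
NS_ADDR = "http://www.w3.org/2005/08/addressing"
NS_WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NS_WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Element local name -> namespace it must be in (reply items 1, 2, 3 and 5 as namespaces).
EXPECTED = {"Action": NS_ADDR, "BinarySecurityToken": NS_WSSE,
            "RequestSecurityTokenResponseCollection": NS_WST, "RequestSecurityTokenResponse": NS_WST,
            "RequestedSecurityToken": NS_WST, "TokenType": NS_WST}

def split_tag(tag):
    """ElementTree spells tags '{namespace}local'; return (namespace, local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def lint_rstr(xml_text):
    """Return a list of findings; an empty list means every checked element is in its expected namespace."""
    root = ET.fromstring(xml_text.strip())
    found = {}
    for elem in root.iter():
        ns, local = split_tag(elem.tag)
        found.setdefault(local, ns)          # first occurrence of each local name wins
    findings = []
    for name, want in EXPECTED.items():
        if name not in found:
            findings.append(f"{name}: missing")
        elif found[name] != want:
            findings.append(f"{name}: namespace '{found[name]}', expected '{want}'")
    return findings

# Constructed sample 1: the poster's envelope, cut down to the elements the checks look at.
POSTED = """<?xml version="1.0" ?><s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
 xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header><Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep</Action></s:Header><s:Body>
<RequestSecurityTokenResponseCollection xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">
<RequestSecurityTokenResponse><TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType><RequestedSecurityToken>
<BinarySecurityToken xmlns="%s">#encoding#</BinarySecurityToken></RequestedSecurityToken>
</RequestSecurityTokenResponse></RequestSecurityTokenResponseCollection></s:Body></s:Envelope>""" % NS_WSSE

# Constructed sample 2: the same response with the prefixes and the WS-Trust xmlns the reply describes.
FIXED = f"""<s:Envelope xmlns:s="{NS_SOAP}" xmlns:a="{NS_ADDR}"><s:Header><a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep</a:Action></s:Header><s:Body>
<wst:RequestSecurityTokenResponseCollection xmlns:wst="{NS_WST}"><wst:RequestSecurityTokenResponse>
<wst:TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</wst:TokenType><wst:RequestedSecurityToken>
<wsse:BinarySecurityToken xmlns:wsse="{NS_WSSE}">#encoding#</wsse:BinarySecurityToken>
</wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse></wst:RequestSecurityTokenResponseCollection>
</s:Body></s:Envelope>"""
```

Running lint_rstr(POSTED) flags Action and the four WS-Trust elements while BinarySecurityToken passes, which matches the reply; item 4 (where TokenType sits in the tree) is not checked here.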
  • Thank you for the help.  We will make the updates tomorrow and let you know if any of your suggestions fix the issue.
    Monday, June 18, 2018 10:32 PM
  • Were you able to make any progress?

    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Thursday, June 21, 2018 10:25 PM
    Moderator
  • Hello weys,

    Could you let us know if this is still an issue for you? 

    Thanks,


    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Monday, June 25, 2018 5:11 PM
    Moderator
  • Hi weys,

    We have closed this issue as we have not heard back from you. Please post a response with your latest results if you would like further assistance.

    Thanks,


    Jeff McCashland | Microsoft Protocols Open Specifications Team

    Thursday, June 28, 2018 7:10 PM
    Moderator