Windows phone 8.1 enrollment RSTR contents

  • Question

  • Hi Guys

    I am stuck at windows phone 8.1 enrollment phase. 

    I have a bunch of questions related to RSTR contents which are not clearly mentioned in the Windows phone 8.1 protocol document.

    1. cert-thumbprint which is a hash of encoded certificate ? or hash before encoding certificate to base64 ?

    2. What algorithm is to be used for creating the hash for certificates?

    3. Client certificate is in DER format. Should the CA root certificate be in same DER format ? or both have to be in PEM

    4. Not very clear about the contents of <characteristic type="APPAUTH"> in WAP xml

    So far I have tried with

    1. PEM formatted CA root certificate
    2. DER formatted client certificate
    3. SHA-256 hash of these 2 certs
    4. <characteristic type="APPAUTH"> all values for AAUTHLEVEL, AAUTHTYPE, AAUTHSECRET are plain text hardcoded and generating nonce for AAUTHDATA.

    But still device is not getting enrolled and I am not able to get the logs for failure. I tried with Logging support for Enterprise server creation new in Windows phone 8.1 but could not see logs using mentioned tool.

    What is going wrong here? Can anyone provide a working sample WAP XML, of course without actual certs, to let me check against my XML? Maybe I can figure out the causes of the enrollment failure.

    Monday, July 14, 2014 9:55 AM

All replies

  • The thumbprint is the SHA-1 hash of the DER-encoded form of the certificate. For more information on SHA-1, see [FIPS180]. For more information on DER encoding, see [X690].


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.


    • Edited by Eric Fleck Monday, July 14, 2014 5:07 PM
    Monday, July 14, 2014 5:07 PM
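The thumbprint rule from the reply above, as an added example that is not part of the original thread: it hashes the DER bytes with SHA-1 whether the certificate arrives as DER or PEM, and shows that the two mix-ups from the question give different values. The sample bytes are constructed stand-ins rather than a real certificate, and the uppercase hex output is an assumption.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(cert_bytes):
    """Return DER bytes for a certificate supplied as DER or PEM."""
    match = PEM_BLOCK.search(cert_bytes)
    if match is None:
        return cert_bytes  # no PEM armor: input is treated as DER already
    # PEM is base64 of the DER bytes; drop line breaks before decoding.
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)

def thumbprint(cert_bytes):
    """SHA-1 over the DER encoding; the hex casing here is an assumption."""
    return hashlib.sha1(to_der(cert_bytes)).hexdigest().upper()

def mistaken_hashes(pem_bytes):
    """Values produced by the two mix-ups raised in the question."""
    return {
        "sha1_of_pem_text": hashlib.sha1(pem_bytes).hexdigest().upper(),
        "sha256_of_der": hashlib.sha256(to_der(pem_bytes)).hexdigest().upper(),
    }

# Constructed stand-in bytes, not a real certificate: the hash is computed
# over raw bytes, so any byte string shows the DER/PEM difference.
SAMPLE_DER = b"\x30\x82\x00\x40" + bytes(range(64))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("thumbprint (DER input):", thumbprint(SAMPLE_DER))
    print("thumbprint (PEM input):", thumbprint(SAMPLE_PEM))
    for name, value in mistaken_hashes(SAMPLE_PEM).items():
        print(name, value)
```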
  • Thanks Eric for the reply.

    I changed format for my ROOT cert from PEM to DER and used sha1 algorithm to calculate hash. But still device is not getting enrolled. I used Power Tool to get the logs.

    Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Function NCryptOpenKey failed with result (0x80090016). , 2, 3464, NCryptOpenKey, 0x80090016, , , 1,

    Not sure but is this error due to self-signed certs for https communication or due to certs generated using openssl ?

    Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Enrollment succeeded with server (enterpriseenrollment.test.com). , 0, 3464, enterpriseenrollment.test.com,

    Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Error HRESULT: 0x82AA0001 , 0, 3464, 0x82AA0001

    Not getting any clue for the failure. I can share across my RSTR and full mdm logs for more info.
    FYI: I am using self signed CA for https communication and same cert is sent across during enrollment.

    Can you please let me know in case more logging is needed?



    • Edited by winvil Wednesday, July 16, 2014 8:52 AM
    Tuesday, July 15, 2014 1:30 PM
  • You will get one NCryptOpenKey error from initialization activity so this may be normal ...unless you are seeing multiple errors of this type.

    What seems confusing is the log which indicates success: "Enrollment succeeded with server (enterpriseenrollment.spring.in)"...

    error: 0x82AA0001 indicates an XML parsing error, check to make sure you are sending well formed XML using UTF-8 encoding. (Tip: Use a binary editor to view the payload to make sure there are no hidden or unprintable characters.)



    Tuesday, July 15, 2014 4:57 PM
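The payload check suggested in the reply above, as an added example that is not part of the original thread: it verifies that the bytes decode as UTF-8, reports hidden or unprintable characters with their position, and confirms the XML is well formed. The provisioning fragments are constructed, and their parameter values are placeholders.

```python
import unicodedata
import xml.etree.ElementTree as ET

ALLOWED_CONTROLS = {"\t", "\n", "\r"}

def check_payload(payload):
    """Return a list of problems found in a provisioning XML payload."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError as exc:
        return ["not valid UTF-8 at byte offset %d" % exc.start]
    problems = []
    for pos, ch in enumerate(text):
        # Cc = control characters, Cf = invisible format characters
        # (byte order mark, zero-width space and similar).
        hidden = unicodedata.category(ch) in ("Cc", "Cf")
        if hidden and ch not in ALLOWED_CONTROLS:
            problems.append("hidden character U+%04X at char %d" % (ord(ch), pos))
    try:
        ET.fromstring(payload)
    except ET.ParseError as exc:
        problems.append("not well-formed XML: %s" % exc)
    return problems

# Constructed sample payloads; "placeholder" is not a real setting value.
GOOD = (b'<wap-provisioningdoc version="1.1">'
        b'<characteristic type="APPAUTH">'
        b'<parm name="AAUTHLEVEL" value="placeholder"/>'
        b'</characteristic></wap-provisioningdoc>')
# Zero-width space pasted into an attribute: still parses, but is hidden.
ZERO_WIDTH = GOOD.replace(b"APPAUTH", "APPAUTH\u200b".encode("utf-8"))
# Closing tag lost during string concatenation.
UNCLOSED = GOOD.replace(b"</characteristic>", b"")
# Latin-1 byte written into a payload that is declared to be UTF-8.
BAD_ENCODING = GOOD.replace(b"placeholder", b"caf\xe9")

if __name__ == "__main__":
    samples = [("good", GOOD), ("zero-width", ZERO_WIDTH),
               ("unclosed", UNCLOSED), ("bad encoding", BAD_ENCODING)]
    for name, sample in samples:
        print(name, "->", check_payload(sample) or "no problems found")
```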
  • Hi Eric ,

    I cross checked my XML. Looks like there was an issue with formatting. After resolving this issue, I could see logs for installing the certificate, but enrollment is still not successful.

    Here are the logs

    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Provider Id is TestMDM 
    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Enrollment succeeded with server (enterpriseenrollment.test.com)

    [MDM Cert Installer Start] Install cert in app container.
    [MDM Cert Installer] Uninstalling enrollment cert for OMADM session
    [MDM Cert Installer End] Success

    [MDM Enroll End] Error HRESULT: 0x80042009 got this error in between.

    Could not get event logs in exact sequence, but looking at the logs the device is getting enrolled but somehow it is failing and rolling back certs, not sure about the reason. Any leads on this?

    PS: Is there any source to get these HRESULT codes to indicate the error reason?
    • Edited by winvil Wednesday, July 16, 2014 2:56 PM
    Wednesday, July 16, 2014 2:33 PM
  • Any updates on this?
    Tuesday, July 22, 2014 7:15 PM
  • For more in-depth diagnostic assistance please open a support incident with Microsoft Developer Support.  You can open a support case here: http://go.microsoft.com/fwlink/p/?LinkId=390481

    (...select Problem type: "Developing an MDM solution" and an appropriate category.)



    Friday, July 25, 2014 5:28 PM