Windows 8.1 MDM Client enrollment policy request problem

  • Question

  • We are using Windows 8.1 RTM and trying to enroll the MDM Client. We have all required services working with Windows Phone 8, and our goal is to add Windows 8.1 MDM support.

    We understood the differences between the two platforms in terms of the enrollment process. We succeeded in completing the following steps:

    1. Auto-Discovery HTTPS POST request redirected to EnterpriseEnrollment.domain.com/EnrollmentServer/Discovery.svc

    2. Discovery response differentiated for the 2 platforms, returning AuthPolicy = "Federate" with AuthenticationUrl=<redirect login page url>

    3. Authentication request received on AuthenticationServiceUrl?appru=<appid>&login_hint=<User Principal Name>, which returns the HTML login page

    4. Upon submission of the entered credentials, the request is sent to the authentication service

    5. After authentication is complete, an HTML form document with a POST method action of the appid provided earlier is returned to the device (as stated in the MS-MDE 3.2 example)

    6. Getting the "Allow apps and services from IT admin" screen with the "I agree" checkbox

    7. The device sends a POST /EnrollmentServer/DeviceEnrollmentPolicyService.svc/federated HTTP/1.1 request, which fails with:

    HTTP/1.1 500 Internal Server Error

    http://www.w3.org/2005/08/addressing/soap/fault
    urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0
    s:Sender
    a:InvalidSecurity
    An error occurred when verifying security for the message.

    The DeviceEnrollmentPolicyService.svc is a WCF endpoint:

    using System;
    using System.IdentityModel.Tokens;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    // Self-hosted WCF service; TService and TContract are the service and contract types.
    var host = new ServiceHost(typeof(TService), new Uri(address));

    // HTTPS for transport security, WS-Trust issued token as the message credential.
    var federationBinding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
    var message = federationBinding.Security.Message;
    message.EstablishSecurityContext = false;           // no WS-SecureConversation session
    message.IssuedKeyType = SecurityKeyType.BearerKey;  // accept bearer tokens (no proof key)
    message.IssuerMetadataAddress = new EndpointAddress("https://acsnamespace.accesscontrol.windows.net/v2/wstrust/mex");
    message.IssuerAddress = new EndpointAddress("https://acsnamespace.accesscontrol.windows.net/v2/wstrust/13/issuedtoken-symmetric");
    message.ClaimTypeRequirements.Add(new ClaimTypeRequirement("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", true));
    host.AddServiceEndpoint(typeof(TContract), federationBinding, "federated");
    host.Open();

    How can we find out what the proper bindings are for the Windows 8.1 built-in MDM component when it connects to the Enrollment Policy Server? Are there any other security-related issues that can cause that error?

    Thanks


    Alex

    Monday, November 4, 2013 3:43 PM
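An a:InvalidSecurity fault is raised by the WCF security channel layer before the message reaches the service operation, so the request the Windows 8.1 client actually sent can only be seen with transport-level message logging. The following app.config fragment for the self-hosted ServiceHost turns on WCF message logging and security auditing; it is an added example configuration, not from the original post, and the C:\logs paths are placeholders:

```xml
<configuration>
  <system.serviceModel>
    <diagnostics>
      <!-- Transport-level logging captures the raw request, including its
           Security header, before the binding rejects it. -->
      <messageLogging logEntireMessage="true"
                      logMalformedMessages="true"
                      logMessagesAtServiceLevel="true"
                      logMessagesAtTransportLevel="true"
                      maxMessagesToLog="500"
                      maxSizeOfMessageToLog="1000000" />
    </diagnostics>
    <behaviors>
      <serviceBehaviors>
        <!-- Unnamed behavior applies as the default to every hosted service. -->
        <behavior>
          <!-- Writes authentication/authorization failures to the Application event log. -->
          <serviceSecurityAudit auditLogLocation="Application"
                                serviceAuthorizationAuditLevel="Failure"
                                messageAuthenticationAuditLevel="Failure"
                                suppressAuditFailure="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
  <system.diagnostics>
    <sources>
      <!-- Logged messages: open the .svclog with the Service Trace Viewer (SvcTraceViewer.exe). -->
      <source name="System.ServiceModel.MessageLogging" switchValue="Warning, ActivityTracing">
        <listeners>
          <add name="messages" type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="C:\logs\enrollment-messages.svclog" />
        </listeners>
      </source>
      <!-- Channel-layer traces: the exception behind the InvalidSecurity fault appears here. -->
      <source name="System.ServiceModel" switchValue="Information, ActivityTracing">
        <listeners>
          <add name="traces" type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="C:\logs\enrollment-traces.svclog" />
        </listeners>
      </source>
    </sources>
    <trace autoflush="true" />
  </system.diagnostics>
</configuration>
```

The transport-level log contains the client's full Security header, including any bearer token, so restrict access to the log directory and remove the logging once the expected token format and binding have been identified.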

Answers

  • Alex - please contact me off-line.  MSMALL at Microsoft.  We have a team that deals with 8.1 MDM enrollment that you'll need to contact and the process isn't clear.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Monday, November 4, 2013 9:29 PM
    Moderator