Client not sending <Cred> in first SyncML message

  • Question

  • Hi,

    I am implementing my custom MDM server and have successfully enrolled the client (federated). Note, my client is a Windows 10 PC.

    This is the WAP provisioning XML that is sent to the client:

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <wap-provisioningdoc version="1.1">
      <characteristic type="CertificateStore">
        <characteristic type="Root">
          <characteristic type="System">
            <characteristic type="E6E7F4391506104CC4B0557A244EF94F2FC67FBD">
              <parm name="EncodedCertificate" value="<MyRootCertificate>"/>
            </characteristic>
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="CertificateStore">
        <characteristic type="My">
          <characteristic type="User">
            <characteristic type="7DC7F8F29846A98E6D7F8FA8D48963CB888E98DE">
              <parm name="EncodedCertificate" value="<MyClientCertificate>"/>
            </characteristic>
            <characteristic type="PrivateKeyContainer"/>
          </characteristic>
          <characteristic type="WSTEP">
            <characteristic type="Renew">
              <parm datatype="boolean" name="ROBOSupport" value="true"/>
              <parm datatype="integer" name="RenewPeriod" value="60"/>
              <parm datatype="integer" name="RetryInterval" value="4"/>
            </characteristic>
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="APPLICATION">
        <parm name="APPID" value="w7"/>
        <parm name="PROVIDER-ID" value="MDMServer"/>
        <parm name="NAME" value="HP TouchPoint Manager"/>
        <parm name="ADDR" value="https://dhruvesh.auth.hpicorp.net/services/oma-dm/rs/syncml"/>
        <parm name="CONNRETRYFREQ" value="6"/>
        <parm name="INITIALBACKOFFTIME" value="30000"/>
        <parm name="MAXBACKOFFTIME" value="120000"/>
        <parm name="BACKCOMPATRETRYDISABLED"/>
        <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml"/>
        <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3DHP.OMADM.Client&amp;Stores=My%5CUser"/>
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="CLIENT"/>
          <parm name="AAUTHTYPE" value="DIGEST"/>
          <parm name="AAUTHSECRET" value="dummy"/>
          <parm name="AAUTHDATA" value="MTIzNDU="/>
        </characteristic>
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="APPSRV"/>
          <parm name="AAUTHTYPE" value="BASIC"/>
          <parm name="AAUTHNAME" value="dummy"/>
          <parm name="AAUTHSECRET" value="dummy"/>
          <parm name="AAUTHDATA" value="MTIzNDU="/>
        </characteristic>
      </characteristic>
      <characteristic type="DMClient">
        <characteristic type="Provider">
          <characteristic type="MDMServer">
            <characteristic type="Poll">
              <parm datatype="integer" name="NumberOfFirstRetries" value="8"/>
              <parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15"/>
              <parm datatype="integer" name="NumberOfSecondRetries" value="5"/>
              <parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3"/>
              <parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0"/>
              <parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560"/>
              <parm datatype="boolean" name="PollOnLogin" value="true"/>
            </characteristic>
            <parm datatype="string" name="EntDeviceName" value="Administrator_Windows"/>
          </characteristic>
        </characteristic>
      </characteristic>
    </wap-provisioningdoc>

    However, the first SyncML message that the client sends me is as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <SyncML xmlns="SYNCML:SYNCML1.2">
       <SyncHdr>
          <VerDTD>1.2</VerDTD>
          <VerProto>DM/1.2</VerProto>
          <SessionID>1</SessionID>
          <MsgID>1</MsgID>
          <Target>
             <LocURI>https://dhruvesh.auth.hpicorp.net/services/oma-dm/rs/syncml</LocURI>
          </Target>
          <Source>
             <LocURI>D37B7357741EF44EA285D0D6371F70AC</LocURI>
          </Source>
       </SyncHdr>
       <SyncBody>
          <Alert>
             <CmdID>2</CmdID>
             <Data>1201</Data>
          </Alert>
          <Alert>
             <CmdID>3</CmdID>
             <Data>1224</Data>
             <Item>
                <Meta>
                   <Type xmlns="syncml:metinf">com.microsoft/MDM/LoginStatus</Type>
                </Meta>
                <Data>user</Data>
             </Item>
          </Alert>
          <Replace>
             <CmdID>4</CmdID>
             <Item>
                <Source>
                   <LocURI>./DevInfo/DevId</LocURI>
                </Source>
                <Data>D37B7357741EF44EA285D0D6371F70AC</Data>
             </Item>
             <Item>
                <Source>
                   <LocURI>./DevInfo/Man</LocURI>
                </Source>
                <Data>Unknown</Data>
             </Item>
             <Item>
                <Source>
                   <LocURI>./DevInfo/Mod</LocURI>
                </Source>
                <Data>Unknown</Data>
             </Item>
             <Item>
                <Source>
                   <LocURI>./DevInfo/DmV</LocURI>
                </Source>
                <Data>1.3</Data>
             </Item>
             <Item>
                <Source>
                   <LocURI>./DevInfo/Lang</LocURI>
                </Source>
                <Data>en-US</Data>
             </Item>
          </Replace>
          <Final />
       </SyncBody>
    </SyncML>

    As per threads and documentation, I believe that the client is to send me a <Cred> element in the <SyncHdr>. I have also kept the AUTHTYPE as BASIC for the server (highlighted in my provisioning XML).

    However, as you can see above, that did not come in the client SyncML message. Is there anything that I missed in the provisioning XML? Any help would really be appreciated :)

    Thursday, March 17, 2016 11:37 AM

Answers

  • Hi Dhruvesh:

    I have been supporting MDM in Windows since it first appeared in Windows 8. I do not recall the presence of a Cred element in the SyncML. But this is based on memory, so I may have missed it.

    As per the OMA Device Management Protocol (http://technical.openmobilealliance.org/Technical/release_program/docs/DM/V1_2_1-20080617-A/OMA-TS-DM_Protocol-V1_2_1-20080617-A.pdf):

    "The Cred element MAY be included in the authentication message from the Device Management client to Device Management server as specified in Section 9."

    This means that the Cred element is optional. Moreover, in section "9. Authentication", it is mentioned that:

    "If the server challenged the client in Pkg 2, the client MUST revert to pkg 1 and MUST resend the Alert and DevInfo along with the credentials requested by the server."

    In Windows, the authentication of the client takes place by using the certificate that was issued by the server at the initial enrollment phase. This is the cert used to set up the SSL/TLS connection. It is stated in the MS-MDM document in section "2.1 Transport":

    "....The MDM server can identify a connecting device
    by examining the device client identity certificate issued earlier at MDM
    enrollment time. The device client identity certificate is used to establish
    the SSL/TLS connection to the MDM server."

    As per the above info, you can challenge the client in Package 2 if you want to receive the Cred element.

    Please let me know if this does not answer your question.


    Regards, Obaid Farooqi


    Monday, March 21, 2016 10:33 PM
    Owner
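    To make the challenge path described in the answer concrete, the following is an added Python example (not code from this thread, from Microsoft, or from the OMA specifications): a server-side Package 2 <Status> that challenges the client's SyncHdr with a <Chal>, and a check of the <Cred> a client resends, computed per the OMA SyncML Representation Protocol auth-basic and auth-md5 schemes. The server URI, device ID and sample messages are constructed placeholders.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
NS = "SYNCML:SYNCML1.2"   # namespace of the client message shown in the question
META = "syncml:metinf"

def build_chal_status(client_msg_id, server_uri, device_id, auth_type, nonce=b""):
    """Package 2 <Status> on the SyncHdr: code 407 plus <Chal> (auth_type: syncml:auth-basic|auth-md5)."""
    meta = f'<Type xmlns="{META}">{auth_type}</Type><Format xmlns="{META}">b64</Format>'
    if auth_type == "syncml:auth-md5":  # NextNonce is only needed for the digest scheme
        meta += f'<NextNonce xmlns="{META}">{base64.b64encode(nonce).decode()}</NextNonce>'
    return (f'<Status><CmdID>1</CmdID><MsgRef>{client_msg_id}</MsgRef><CmdRef>0</CmdRef>'
            f'<Cmd>SyncHdr</Cmd><TargetRef>{server_uri}</TargetRef><SourceRef>{device_id}</SourceRef>'
            f'<Chal><Meta>{meta}</Meta></Chal><Data>407</Data></Status>')

def expected_cred(auth_type, user, secret, nonce=b""):
    """<Cred><Data> value the client must send back for the given scheme."""
    userpass = f"{user}:{secret}".encode()
    if auth_type == "syncml:auth-basic":
        return base64.b64encode(userpass).decode()
    # auth-md5: b64(MD5(b64(MD5(user:secret)) + ":" + nonce)), nonce in raw (decoded) form
    inner = base64.b64encode(hashlib.md5(userpass).digest())
    return base64.b64encode(hashlib.md5(inner + b":" + nonce).digest()).decode()

def check_cred(syncml_xml, user, secret, nonce=b""):
    """True if SyncHdr/Cred verifies, False if present but wrong, None if absent (as in the question)."""
    cred = ET.fromstring(syncml_xml).find(f"{{{NS}}}SyncHdr/{{{NS}}}Cred")
    if cred is None:
        return None
    auth_type = data = None
    for el in cred.iter():  # tolerate Meta children with or without the metinf namespace
        local = el.tag.rsplit("}", 1)[-1]
        if local == "Type":
            auth_type = (el.text or "").strip()
        elif local == "Data":
            data = (el.text or "").strip()
    if auth_type not in ("syncml:auth-basic", "syncml:auth-md5") or not data or not data.isascii():
        return False
    return hmac.compare_digest(data, expected_cred(auth_type, user, secret, nonce))

# Constructed stand-in for the client's first message: no <Cred> in the SyncHdr.
FIRST_MSG = (f'<SyncML xmlns="{NS}"><SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>'
             '<SessionID>1</SessionID><MsgID>1</MsgID><Target><LocURI>https://mdm.example/syncml'
             '</LocURI></Target><Source><LocURI>DEVICE-ID</LocURI></Source></SyncHdr>'
             '<SyncBody><Alert><CmdID>2</CmdID><Data>1201</Data></Alert><Final/></SyncBody></SyncML>')

def client_cred_message(auth_type, user, secret, nonce=b""):
    """Constructed client resend of Package 1 with the requested <Cred> added to the SyncHdr."""
    cred = (f'<Cred><Meta><Type xmlns="{META}">{auth_type}</Type><Format xmlns="{META}">b64'
            f'</Format></Meta><Data>{expected_cred(auth_type, user, secret, nonce)}</Data></Cred>')
    return FIRST_MSG.replace("</SyncHdr>", cred + "</SyncHdr>")
```

    check_cred returning None is exactly the situation in the question, so a server that relies on <Cred> must treat that message as unauthenticated and answer with the 407 challenge. As the answer notes, Windows identifies the device by its enrollment client certificate on the TLS connection, so that check remains the primary one.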

All replies

  • Hello Dhruvesh :

    Thank you for contacting Microsoft Support. A support engineer will be in touch to assist further.

    Regards


    Tarun Chopra | Escalation Engineer | Open Specifications Support Team

    Thursday, March 17, 2016 3:23 PM
  • Hi Tarun,

    Would appreciate an update on the above question :)

    Friday, March 18, 2016 8:49 AM
  • Hi Dhruvesh:

    As per the MS-MDM document section "4 Protocol Examples" (https://msdn.microsoft.com/en-us/library/dn392664.aspx), this is the correct SyncML that the client sends as the first message. Where did you find the information that the client should send a <Cred> element?


    Regards, Obaid Farooqi

    Friday, March 18, 2016 5:20 PM
    Owner
  • Hi Obaid,

    The syntax of the first SyncML message from the client seems to be correct; however, for security I was under the impression that the originator of the message (client/server) encapsulates authentication information in the <Cred> element (I may be wrong).

    1. http://technical.openmobilealliance.org/Technical/release_program/docs/Common/V1_2_1-20070813-A/OMA-TS-SyncML_RepPro-V1_2_1-20070813-A.pdf [Section 5.3]
    2. https://blogs.msdn.microsoft.com/wsdevsol/2013/10/03/common-issues-when-implementing-windows-phone-8-enterprise-mobile-device-management/ [SyncML section]
    3. http://stackoverflow.com/questions/14895883/syncml-protocol-in-wp8-client-stops-responding [Just the question part]

    I know that the above links are old :P 

    So my question really is: as per the new specifications, has the <Cred> tag handling been removed from Windows 10 clients? If so, how are <Cred> and <Chal> handled during communication sessions?

    FYI - Session 1 Message 1 (client message sent to server) had no <Cred>; in response I put a <Cred> in the server message sent back to the client. Session 2 Message 1 (client message sent to server) had no <Cred> or <Chal>.

    Just looking for information about security handling / authentication during SyncML sessions :)

    Thanks

    Friday, March 18, 2016 6:09 PM
  • Hi Obaid,

    Understood.. Thanks :)

    But my problem is still hanging... I want the device to give me the auth token my server provided it during enrollment, i.e. the Binary Security Token (BST). Is there any way I can get it, say with a CSP?

    Really stuck here... As this has been marked as closed by you, I raised a new question:

    https://social.msdn.microsoft.com/Forums/en-US/3af397f9-847d-41a9-bc84-32c74a39490d/fetch-the-binary-security-token-bst-provided-to-client-during-enrollment-in-syncml-sessions?forum=os_windowsprotocols

    Can someone please help ?

    Wednesday, March 30, 2016 12:52 PM