Windows Phone 8.1 MDM Enrollment error 0x80070057

  • Question

  • Hi All, 

    Can someone help me with an enrollment problem? I'm stuck with enrollment, and have been trying for a few weeks... :(

    I have a ROOT certificate (self-signed) -> MDMServer (issued by ROOT) for enrollment to the device.

    My issuer certificate is stored in the local computer store.

    I'm using BouncyCastle to create the certificate:

            // Namespaces needed by the method below (not shown in the post; added so it compiles).
            using System;
            using System.Collections;
            using System.Linq;
            using System.Security.Cryptography;
            using System.Security.Cryptography.X509Certificates;
            using Org.BouncyCastle.Asn1;
            using Org.BouncyCastle.Asn1.Pkcs;
            using Org.BouncyCastle.Asn1.X509;
            using Org.BouncyCastle.Crypto.Parameters;
            using Org.BouncyCastle.Crypto.Prng;
            using Org.BouncyCastle.Math;
            using Org.BouncyCastle.Security;
            using Org.BouncyCastle.Utilities;
            using Org.BouncyCastle.X509;
            using Org.BouncyCastle.X509.Extension;

            // The post does not show where signatureAlgorithm is defined; a value is assumed here.
            private readonly string signatureAlgorithm = "SHA256WithRSA";

            private CertResponse GenerateSignedCertificate(CertificationRequestInfo requestInfo)
            {
                // Public key from the device's PKCS#10 request becomes the subject key of the new cert.
                var publicKeyStructure = RsaPublicKeyStructure.GetInstance(requestInfo.SubjectPublicKeyInfo.GetPublicKey());
                var subjectPublicKey = new RsaKeyParameters(false, publicKeyStructure.Modulus, publicKeyStructure.PublicExponent);

                // Issuer (MDMServer) certificate and private key come from the LocalMachine\My store.
                X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
                store.Open(OpenFlags.MaxAllowed);
                var issuerCertificate = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, "CN=MDMServer", true).Cast<X509Certificate2>().First();

                var issuerName = issuerCertificate.Subject;
                var issuerSerialNumber = new BigInteger(issuerCertificate.GetSerialNumber());
                var issuerKeyPair = DotNetUtilities.GetRsaKeyPair((RSACryptoServiceProvider)issuerCertificate.PrivateKey);

                var randomGenerator = new CryptoApiRandomGenerator();
                var random = new SecureRandom(randomGenerator);

                var serialNumber = BigIntegers.CreateRandomInRange(
                           BigInteger.One,
                           BigInteger.ValueOf(Int64.MaxValue),
                           random);

                var certificateGenerator = new X509V3CertificateGenerator();

                //var issuerDN = new X509Name(issuerName);
                certificateGenerator.SetIssuerDN(new X509Name(issuerName, new Core.PrintableStringEntryConverter()));

                certificateGenerator.SetSerialNumber(serialNumber);
                certificateGenerator.SetSignatureAlgorithm(signatureAlgorithm);

                certificateGenerator.SetSubjectDN(new X509Name("CN=MSMDMDevice", new Core.PrintableStringEntryConverter()));
                certificateGenerator.SetPublicKey(subjectPublicKey);

                // Key usage and EKU: client auth plus the MDM enrollment EKU OID.
                certificateGenerator.AddExtension(X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
                certificateGenerator.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(new ArrayList() { KeyPurposeID.IdKPClientAuth, new DerObjectIdentifier("1.3.6.1.4.1.311.65.2.1") }.ToArray()));

                var notBefore = DateTime.UtcNow.Date;
                var notAfter = notBefore.AddYears(1);

                certificateGenerator.SetNotBefore(notBefore);
                certificateGenerator.SetNotAfter(notAfter);

                certificateGenerator.AddExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(DotNetUtilities.FromX509Certificate(issuerCertificate)));
                certificateGenerator.AddExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(subjectPublicKey));

                var certificate = certificateGenerator.Generate(issuerKeyPair.Private, random);

                // The certificate is signed by MDMServer, so only the issuer's key can verify it.
                // (The original had a second Verify() against an undefined rootKeyPair; that call
                // would throw because ROOT did not sign this certificate.)
                certificate.Verify(issuerKeyPair.Public);
                var msCert = DotNetUtilities.ToX509Certificate(certificate);

                // GetCertHashString() is the SHA-1 thumbprint; it is what the provisioning doc uses
                // as the characteristic type under CertificateStore.
                string issuerBase64 = Convert.ToBase64String(issuerCertificate.Export(X509ContentType.Cert), Base64FormattingOptions.None);
                string issuerSerial = issuerCertificate.GetCertHashString();//.GetSerialNumberString();

                string certBase64 = Convert.ToBase64String(msCert.Export(X509ContentType.Cert), Base64FormattingOptions.None);
                string certSerial = msCert.GetCertHashString();//.GetSerialNumberString();

                System.IO.File.WriteAllText(@"d:\utils\openssl\certs\enroll-" + msCert.GetSerialNumberString() + ".cer", ExportToPEM(msCert));

                return new CertResponse(issuerBase64, issuerSerial, certBase64, certSerial);
            }

            // Not shown in the post; a plain PEM writer is filled in here so the method above compiles.
            private static string ExportToPEM(X509Certificate cert)
            {
                return "-----BEGIN CERTIFICATE-----\r\n"
                     + Convert.ToBase64String(cert.Export(X509ContentType.Cert), Base64FormattingOptions.InsertLineBreaks)
                     + "\r\n-----END CERTIFICATE-----";
            }

    I save the generated certificate on the local computer for testing and viewing...

    and the wap-provisioningdoc:

    <wap-provisioningdoc version="1.1">
      <characteristic type="CertificateStore">
        <characteristic type="Root">
          <characteristic type="System">
            <characteristic type="{0}">
              <parm name="EncodedCertificate" value="{1}" />
            </characteristic>
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="CertificateStore">
        <characteristic type="My">
          <characteristic type="User">
            <characteristic type="{2}">
              <parm name="EncodedCertificate" value="{3}" />
            </characteristic>
            <characteristic type="PrivateKeyContainer" />
          </characteristic>
          <characteristic type="WSTEP">
            <characteristic type="Renew">
              <parm name="ROBOSupport" value="true" datatype="boolean" />
              <parm name="RenewPeriod" value="60" datatype="integer" />
              <parm name="RetryInterval" value="4" datatype="integer" />
            </characteristic>
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="APPLICATION">
        <parm name="APPID" value="w7" />
        <parm name="PROVIDER-ID" value="MDMServer" />
        <parm name="NAME" value="InITWeTrust" />
        <parm name="ADDR" value="{4}/EnrollmentServer/WindowsPhone.svc" />
        <parm name="CONNRETRYFREQ" value="6" />
        <parm name="INITIALBACKOFFTIME" value="30000" />
        <parm name="MAXBACKOFFTIME" value="120000" />
        <parm name="BACKCOMPATRETRYDISABLED" />
        <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
        <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3dMSMDMDevice&amp;Stores=My%5CUser" />
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="CLIENT" />
          <parm name="AAUTHTYPE" value="DIGEST" />
          <parm name="AAUTHSECRET" value="password1" />
          <parm name="AAUTHDATA" value="ZHVtbXk=" />
        </characteristic>
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="APPSRV" />
          <parm name="AAUTHTYPE" value="BASIC" />
          <parm name="AAUTHNAME" value="testclient" />
          <parm name="AAUTHSECRET" value="password2" />
        </characteristic>
      </characteristic>
      <characteristic type="DMClient">
        <characteristic type="Provider">
          <characteristic type="MDMServer">
            <characteristic type="Poll">
              <parm name="NumberOfFirstRetries" value="8" datatype="integer" />
              <parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
              <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
              <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
              <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
              <parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
              <parm name="PollOnLogin" value="true" datatype="boolean" />
            </characteristic>
            <parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
          </characteristic>
        </characteristic>
      </characteristic>
    </wap-provisioningdoc>


    The device calls Discover.svc -> Policy.svc -> Enrollment.svc and gets error 0x80070057.

    Issuer certificate key usage:

    * DigitalSignature
    * KeyEncipherment
    * KeyCertSign
    * Server Auth
    * Client Auth
    * 1.3.6.1.4.1.311.65.2.1, 1.3.6.1.4.1.311.65.1.1, 1.3.6.1.4.1.311.21.5
    * BasicConstraints(0)
    * CRL Distribution = [0]

    Device Enrollment certificate usage:

    * DigitalSignature
    * KeyEncipherment
    * ClientAuth
    * 1.3.6.1.4.1.311.65.2.1

    Enrollment certificate CommonName in PRINTABLE_STRING:

             |  |        |     ; 2.5.4.3 Common Name (CN)
    0067:    |  |        13 0b                      ; PRINTABLE_STRING (b Bytes)
    0069:    |  |           4d 53 4d 44 4d 44 65 76  69 63 65                 ; MSMDMDevice
             |  |              ; "MSMDMDevice"


    The enrollment certificate's issuer CommonName is UTF8 in the certificate (I tried PRINTABLE_STRING too).

    Response to the client:

    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
        <Action s:mustUnderstand="1" >http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep</Action>
        <a:RelatesTo>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:RelatesTo>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <u:Timestamp u:Id="_0">
            <u:Created>2015-09-17T04:15:46.776Z</u:Created>
            <u:Expires>2015-09-17T04:20:46.776Z</u:Expires>
          </u:Timestamp>
        </o:Security>
      </s:Header>
      <s:Body>
        <RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          <RequestSecurityTokenResponse>
            <TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType>
            <RequestedSecurityToken>
              <BinarySecurityToken
                ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wap-provisioningdoc version="1.1">
                <characteristic type="CertificateStore">
                  <characteristic type="Root">
                    <characteristic type="System">
                      <characteristic type="A5C23CA024F608D95E77F235A91AE1E17F86F0BC">
                        <parm name="EncodedCertificate" value="..." />
                      </characteristic>
                    </characteristic>
                  </characteristic>
                </characteristic>
                <characteristic type="CertificateStore">
                  <characteristic type="My">
                    <characteristic type="User">
                      <characteristic type="A0F30DC9A876DA143581BE18C9BC51E7244A2969">
                        <parm name="EncodedCertificate" value="..." />
                      </characteristic>
                      <characteristic type="PrivateKeyContainer" />
                    </characteristic>
                    <characteristic type="WSTEP">
                      <characteristic type="Renew">
                        <parm name="ROBOSupport" value="true" datatype="boolean" />
                        <parm name="RenewPeriod" value="60" datatype="integer" />
                        <parm name="RetryInterval" value="4" datatype="integer" />
                      </characteristic>
                    </characteristic>
                  </characteristic>
                </characteristic>
                <characteristic type="APPLICATION">
                  <parm name="APPID" value="w7" />
                  <parm name="PROVIDER-ID" value="MDMServer" />
                  <parm name="NAME" value="InITWeTrust" />
                  <parm name="ADDR" value="https://enterpriseenrollment.initwetrust.ru/EnrollmentServer/WindowsPhone.svc" />
                  <parm name="CONNRETRYFREQ" value="6" />
                  <parm name="INITIALBACKOFFTIME" value="30000" />
                  <parm name="MAXBACKOFFTIME" value="120000" />
                  <parm name="BACKCOMPATRETRYDISABLED" />
                  <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
                  <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3dMSMDMDevice&amp;Stores=My%5CUser" />
                  <characteristic type="APPAUTH">
                    <parm name="AAUTHLEVEL" value="CLIENT" />
                    <parm name="AAUTHTYPE" value="DIGEST" />
                    <parm name="AAUTHSECRET" value="password1" />
                    <parm name="AAUTHDATA" value="ZHVtbXk=" />
                  </characteristic>
                  <characteristic type="APPAUTH">
                    <parm name="AAUTHLEVEL" value="APPSRV" />
                    <parm name="AAUTHTYPE" value="BASIC" />
                    <parm name="AAUTHNAME" value="testclient" />
                    <parm name="AAUTHSECRET" value="password2" />
                  </characteristic>
                </characteristic>
                <characteristic type="DMClient">
                  <characteristic type="Provider">
                    <characteristic type="MDMServer">
                      <characteristic type="Poll">
                        <parm name="NumberOfFirstRetries" value="8" datatype="integer" />
                        <parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
                        <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
                        <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
                        <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
                        <parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
                        <parm name="PollOnLogin" value="true" datatype="boolean" />
                      </characteristic>
                      <parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
                    </characteristic>
                  </characteristic>
                </characteristic>
              </wap-provisioningdoc></BinarySecurityToken>
            </RequestedSecurityToken>
            <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
          </RequestSecurityTokenResponse>
        </RequestSecurityTokenResponseCollection>
      </s:Body>
    </s:Envelope>


    My web-server certificate is a third certificate issued by ROOT (self-signed).

    I tried adding the ROOT certificate and the MDMServer certificate to the device, checking with the 'Certificate' app by Microsoft.

    My ROOT certificate (self-signed) is placed in Trusted Root certificates and MDMServer in Intermediate.

    Windows Phone log:

    [MDM Enroll Start] emailaddress: ggg@initwetrust.ru; servername: ; password: Given; domainusername: NULL. 
    Sending empty discovery request to server (EnterpriseEnrollment.initwetrust.ru). 
    Pinging server (EnterpriseEnrollment.initwetrust.ru). 
    We have been asked to redirect server. 
    Successfully discovered server (EnterpriseEnrollment.initwetrust.ru). 
    Processing successful response from discovery enpoint callback. 
    GetEndpointsFromResponse() uses authentication mode (OnPremise). 
    OnPremise authentication mode is used. 
    Policy service URL (https://enterpriseenrollment.initwetrust.ru/EnrollmentServer/EnrollmentPolicy.svc) and  enrollment service URL (https://enterpriseenrollment.initwetrust.ru/EnrollmentServer/EnrollmentService.svc) are used. 
    GetPolicyFromResponse() uses hash algorithm (1.3.14.3.2.29). 
    Function NCryptOpenKey failed with result (0x80090016). 
    Soap Request Message: ...
    Soap Response Message: ...
    Enrollment succeeded with server (enterpriseenrollment.initwetrust.ru). 
    [MDM Cert Installer Start] Install cert in app container. 
    [MDM Cert Installer] Uninstalling enrollment cert for OMADM session. 
    [MDM Cert Installer End] Success 
    [MDM Enroll End] Error HRESULT: 0x80070057 



    • Edited by Alexey.U Thursday, September 17, 2015 1:45 PM
    Thursday, September 17, 2015 1:17 PM
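The post compares the ASN.1 string type of the enrollment certificate's CN (PRINTABLE_STRING in the certutil dump) with the issuer's CN (UTF8String). The example below is an added illustration, not code from the post or from BouncyCastle: a minimal DER walker that pulls the issuer and subject Names out of a certificate and reports the string tag used for every CN in each, so the two encodings can be compared offline before a certificate is pushed to a device. It uses only the Python standard library; the certificate it parses in the test is a constructed, unsigned skeleton whose signature algorithm and validity fields are empty placeholders, so it is only suitable for exercising the parser, not for use as a real certificate.

```python
"""Report the ASN.1 string type of each CommonName in a certificate's issuer and subject.

Added example; not code from the forum post. Standard library only.
"""
from typing import Dict, List, Tuple

# Universal ASN.1 tags used here
TAG_INTEGER = 0x02
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_EXPLICIT_0 = 0xA0                      # [0] EXPLICIT, used for the version field
OID_CN = bytes([0x55, 0x04, 0x03])         # DER value of 2.5.4.3 (commonName)

STRING_TAG_NAMES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String",
                    0x1E: "BMPString", 0x14: "TeletexString"}


def read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def read_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def der(tag: int, value: bytes) -> bytes:
    """DER-encode a TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def cn_string_types(name_tlv: bytes) -> List[str]:
    """For a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue), list each CN's string type."""
    _, rdns, _ = read_tlv(name_tlv, 0)
    types = []
    for set_tag, rdn in read_children(rdns):
        assert set_tag == TAG_SET, "RelativeDistinguishedName must be a SET"
        for atv_tag, atv in read_children(rdn):
            assert atv_tag == TAG_SEQUENCE, "AttributeTypeAndValue must be a SEQUENCE"
            (oid_tag, oid), (val_tag, _) = read_children(atv)
            if oid_tag == TAG_OID and oid == OID_CN:
                types.append(STRING_TAG_NAMES.get(val_tag, hex(val_tag)))
    return types


def issuer_and_subject(cert_der: bytes) -> Tuple[bytes, bytes]:
    """Return the issuer and subject Name TLVs of a DER Certificate."""
    _, cert, _ = read_tlv(cert_der, 0)     # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs = read_children(cert)[0]        # TBSCertificate
    fields = read_children(tbs)
    if fields[0][0] == TAG_EXPLICIT_0:     # optional [0] version precedes serialNumber
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return der(TAG_SEQUENCE, fields[2][1]), der(TAG_SEQUENCE, fields[4][1])


def compare_cn_encodings(cert_der: bytes) -> Dict[str, object]:
    """Report the CN string types of issuer and subject and whether they agree."""
    issuer, subject = issuer_and_subject(cert_der)
    i_types, s_types = cn_string_types(issuer), cn_string_types(subject)
    return {"issuer": i_types, "subject": s_types, "consistent": i_types == s_types}


def encode_cn_name(cn: str, printable: bool) -> bytes:
    """Build a one-RDN Name 'CN=<cn>' as PrintableString or UTF8String (constructed input)."""
    tag = TAG_PRINTABLESTRING if printable else TAG_UTF8STRING
    atv = der(TAG_SEQUENCE, der(TAG_OID, OID_CN) + der(tag, cn.encode("utf-8")))
    return der(TAG_SEQUENCE, der(TAG_SET, atv))


def build_fake_cert(issuer_printable: bool, subject_printable: bool) -> bytes:
    """Constructed, unsigned certificate skeleton: only enough TBS fields for the parser."""
    tbs = (der(TAG_EXPLICIT_0, der(TAG_INTEGER, b"\x02"))   # [0] version v3
           + der(TAG_INTEGER, b"\x01")                        # serialNumber (placeholder)
           + der(TAG_SEQUENCE, b"")                           # signature algorithm (placeholder)
           + encode_cn_name("MDMServer", issuer_printable)    # issuer, names taken from the post
           + der(TAG_SEQUENCE, b"")                           # validity (placeholder)
           + encode_cn_name("MSMDMDevice", subject_printable))  # subject
    return der(TAG_SEQUENCE, der(TAG_SEQUENCE, tbs))


if __name__ == "__main__":
    # Mirrors the post: issuer CN as UTF8String, subject CN as PrintableString.
    print(compare_cn_encodings(build_fake_cert(issuer_printable=False, subject_printable=True)))
```

For a real certificate, read the DER bytes from a .cer file (or base64-decode the EncodedCertificate value from the provisioning document) and pass them to compare_cn_encodings; the same walker can be pointed at the issuer certificate to confirm that its subject Name is byte-for-byte the Name written into the enrollment certificate's issuer field.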

All replies

  • Tried adding a SubjectAlternateName (with enterpriseenrollment.domain.name) to the MDMServer certificate... did not help...
    Thursday, September 17, 2015 2:02 PM