Enroll on behalf of

  • Question

  • I am trying to set up the enroll on behalf protocol with my MDM server for Windows 8.1. I have read all the documentation I can find, looking for some kind of example or notes on how the response/request to or from the server is different from the standard enroll. I can find many examples of what the device should send to the server but nothing on what to send back. A standard enroll works currently, but the EOB enrolls but never sends the first maintenance request.
    Monday, July 28, 2014 7:32 PM

All replies

  • Can you post an example of what you are currently sending back?


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Tuesday, July 29, 2014 10:32 PM
    Moderator
  • <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <s:Header>
        <Action s:mustUnderstand="1"> http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep</Action>
        <a:RelatesTo>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:RelatesTo>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        </o:Security>
      </s:Header>
      <s:Body>
        <RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          <RequestSecurityTokenResponse>
            <TokenType> http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType>
            <RequestedSecurityToken>
              <BinarySecurityToken ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> PHd...bmdkb2M+Cg== </BinarySecurityToken>
            </RequestedSecurityToken>
            <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
          </RequestSecurityTokenResponse>
        </RequestSecurityTokenResponseCollection>
      </s:Body>
    </s:Envelope>
    Wednesday, July 30, 2014 4:34 PM
  • I did not find any examples of RequestSecurityTokenResponse specific to "Enroll on behalf of", but based on my search, your server should use the same response [RSTR] format for either request type.

    Is enrollment failing or reporting success?

    If it's reporting failure you might try using the same namespace aliases as in the request, i.e. 

    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"

    ...then

    <wst:RequestSecurityTokenResponseCollection ...>
      <wst:RequestSecurityTokenResponse...>
        <wst:RequestedSecurityToken...>
          <wsse:BinarySecurityToken...>
    


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Tuesday, August 12, 2014 6:01 PM
    Moderator
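A namespace-aware structural check for an RSTR envelope of the shape posted in this thread, added here as an example and not code from any poster or from Microsoft. It resolves elements by qualified name, so the default-`xmlns` form and the `wst:`/`wsse:` form are treated as the same document; the function name, sample message ID and sample token are constructed, and the `wap-provisioningdoc` root check assumes the token carries the usual MDM provisioning document.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

S = "http://schemas.xmlsoap.org/soap/envelope/"
A = "http://www.w3.org/2005/08/addressing"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

def check_rstr(xml_text, request_message_id):
    """Return a list of problems in an enrollment RSTR envelope (empty list = OK)."""
    try:
        env = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"envelope is not well-formed XML: {exc}"]
    problems = []
    relates = env.find(f"{{{S}}}Header/{{{A}}}RelatesTo")
    if relates is None or (relates.text or "").strip() != request_message_id:
        problems.append("RelatesTo missing or does not echo the request MessageID")
    # Qualified names: matches any prefix choice, or a default xmlns.
    token = env.find(
        f"{{{S}}}Body/{{{WST}}}RequestSecurityTokenResponseCollection/"
        f"{{{WST}}}RequestSecurityTokenResponse/"
        f"{{{WST}}}RequestedSecurityToken/{{{WSSE}}}BinarySecurityToken")
    if token is None:
        return problems + ["BinarySecurityToken not found at the expected path"]
    try:
        raw = base64.b64decode((token.text or "").strip(), validate=True)
        root = ET.fromstring(raw)
    except (binascii.Error, ET.ParseError) as exc:
        return problems + [f"token is not base64 of well-formed XML: {exc}"]
    if root.tag != "wap-provisioningdoc":
        problems.append(f"unexpected provisioning root element: {root.tag}")
    return problems

# Constructed sample data, not taken from the thread.
MSG_ID = "urn:uuid:00000000-0000-0000-0000-000000000001"
TOKEN = base64.b64encode(b'<wap-provisioningdoc version="1.1"/>').decode()
TEMPLATE = ('<s:Envelope xmlns:s="{S}" xmlns:a="{A}"><s:Header>'
            '<a:RelatesTo>{MSG_ID}</a:RelatesTo></s:Header><s:Body>'
            '<{p}RequestSecurityTokenResponseCollection {ns1}><{p}RequestSecurityTokenResponse>'
            '<{p}RequestedSecurityToken><{q}BinarySecurityToken {ns2}>{TOKEN}'
            '</{q}BinarySecurityToken></{p}RequestedSecurityToken></{p}RequestSecurityTokenResponse>'
            '</{p}RequestSecurityTokenResponseCollection></s:Body></s:Envelope>')

def sample(p, q, ns1, ns2):
    return TEMPLATE.format(S=S, A=A, MSG_ID=MSG_ID, TOKEN=TOKEN, p=p, q=q, ns1=ns1, ns2=ns2)

DEFAULT_NS = sample("", "", f'xmlns="{WST}"', f'xmlns="{WSSE}"')
PREFIXED = sample("wst:", "wsse:", f'xmlns:wst="{WST}"', f'xmlns:wsse="{WSSE}"')
```

If both alias forms pass this check yet the device still behaves differently, the difference lies in how the client handles prefixes or in the token contents, not in the envelope structure.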