MDM enrollment for Windows 10 - MS-WSTEP certificate enrollment

  • Question

  • Hi,

    I am implementing my own MDM server using the OMA-DM protocol, and am currently working on enrolling a Windows 10 client to my server. I have successfully implemented the 'discovery service' and 'policy service' steps as mentioned in this link: https://msdn.microsoft.com/en-us/library/windows/hardware/dn925031(v=vs.85).aspx

    I am currently trying to complete the 3rd step, i.e. the 'certificate enrollment'. As stated in the above link, the client sends me the Request Security Token (RST) message (which has a PKCS#10 certificate request) and, from my understanding, I am supposed to send a root and client certificate back in a WAP provisioning XML. However, on the Windows 10 machine I get a message "Something went wrong...". The administrative logs in Event Viewer are of no use and have this message: "MDM Enroll: Failed to receive or parse certificate enroll response. Result: (Unknown Win32 Error code: 0x80180008)."

    I have the following questions:

    1) From reading around, I have understood that the client will send a hard-coded CN value in the PKCS#10 certificate request and it is the responsibility of the server to send a signed client certificate with this same CN. Am I right? Or is it up to the server to send ANY CN it sees fit, provided that the WAP has the subject in the search criteria param?

    2) The WAP provisioning XML has a parameter called "SSLCLIENTCERTSEARCHCRITERIA". What should this value ideally be? As per my understanding it should be the subject of the client certificate, i.e. the CN.

    3) Is there any way I can see more detailed logs on the Windows 10 client PC?

    Here is my WAP:

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <wap-provisioningdoc version="1.1">
      <characteristic type="CertificateStore">
        <characteristic type="Root">
          <characteristic type="System">
            <characteristic type="B8E6A72180B04F64CB594AEFBFDF2F0997DB6FD7">
              <parm name="EncodedCertificate" value="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"/>
            </characteristic>
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="CertificateStore">
        <characteristic type="My">
          <characteristic type="User">
            <characteristic type="8C0765870005BC084563F0D359AE41177CEB4F1C">
              <parm name="EncodedCertificate" value="MIIEazCCAlOgAwIBAgIGAVNVq4FVMA0GCSqGSIb3DQEBCwUAMIGLMRwwGgYJKoZIhvcNAQkBFg1yb290QHdzbzIuY29tMRUwEwYDVQQDDAxXU08yIFJvb3QgQ0ExFjAUBgNVBAsMDVRlc3Qgb3JnIHVuaXQxETAPBgNVBAoMCFRlc3QgT3JnMQ0wCwYDVQQHDARUZXN0MQ0wCwYDVQQIDARUZXN0MQswCQYDVQQGEwJVUzAgFw0xNjAzMDYxMDAwMTZaGA8yMTE2MDMwODEwMDAxNlowSzFJMEcGA1UEAwxAMEM1OUJBQjAtQUU0Ny00NDlDLTkyQ0QtRTEyMjM2MyFEMzdCNzM1Nzc0MUVGNDRFQTI4NUQwRDYzNzFGNzBBQzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOF6TccENSlWosUpeh4ILwFu50vbvgYLoTgE1eVqP+SqPwdWAs9zfCexKqp0ySFV6lVvx8YRVgXpBpLV4Co6mqED18EqsS0OgpdiyowBhWh0yFwxXb7gVYmB+2s6vHoYTf2+mseWDMHiJbiZsJd+jep8+ZLUeMq2YZwz3uB8pbZ5v1AJjRs2kCOA99G8TKMF6kY0rlOaEIb4rhLolBOxgS8V7rhND6+e0ruTspLeoHKxUcw+Udh2jFA6uIkjWqdarFcx3a18a7JK8mCxY1bA5YrVDr+DCKgwFNwQYUW8n3y/REVSFaoKVjtZWdtCGx0NNTEgmg1Qilx0ckrStAwuFBkCAwEAAaMSMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBCwUAA4ICAQBrpXVXQtx3DMzmNQBVcthaM7Tr7/EEmrqwkgwWlnPKVWPKgps+dPhulgQ9fNvcfiGrra6L6NYmU92g16G8DgmH7CCjwWsHWeETWjegcNMn4a0lX81HCS+8yb62+i5U3Jz5/eU4QL5iJZabT5iMfe7oE1enP+o5BzfKa4ce+gk2Id/WoIdTPmsTge+vPGXl8D0x+wk/AV/SzsFuv5u12K19H/3Sta0jjQl+VVLkwHiKxQ6SUmR+E4HIX+f9903fONYZGLXQJrVadG+lP2ydHOyYss8efbVNkTA3/VkUApG1Wx5P+WdFWtJBgZxajO5mosrNOJaCZ/5SVxmEf/7LH4I5JSfr4WXGponTw/TCWsdyklY3z18E4w+Go8KMseITGThtPhuZ9Uxg6LrE/SFSHqhEaMinbGW1LlvXXui6CqbHC6+ytQHzm40OAp1Wfp/+yyaegOxZTNePFKtzoQg/bJzgdHLEDU2L2fxHFPSNHGXpMKryCVGYta5Zapy4Mwa9fkA2vaSDq1FXW12wzPjal8pc4C0mBq5WAd/99u6xhsAHUrimIOzq92ifw9z9zVR37qYPi4tFuhyVvxRrblciGmS9/LWkDcYezrpBKnrSAo8qEySgJcoENlc3x906vh4TLrJdjjEIRSWiCrmTGP32o/cYIvZa8J5v0ysJzX4jaw769g=="/>
            </characteristic>
            <characteristic type="PrivateKeyContainer"/>
          </characteristic>
          <characteristic type="WSTEP">
            <characteristic type="Renew">
              <parm datatype="boolean" name="ROBOSupport" value="true"/>
              <parm datatype="integer" name="RenewPeriod" value="60"/>
              <parm datatype="integer" name="RetryInterval" value="4"/>
            </characteristic>
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="APPLICATION">
        <parm name="APPID" value="w7"/>
        <parm name="PROVIDER-ID" value="MDMServer"/>
        <parm name="NAME" value="test"/>
        <parm name="ADDR" value="https://dhruvesh.auth.hpicorp.net/services/oma-dm/ws/syncml/initialquery"/>
        <parm name="CONNRETRYFREQ" value="6"/>
        <parm name="INITIALBACKOFFTIME" value="30000"/>
        <parm name="MAXBACKOFFTIME" value="120000"/>
        <parm name="BACKCOMPATRETRYDISABLED"/>
        <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml"/>
        <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3D0C59BAB0-AE47-449C-92CD-E122363!D37B7357741EF44EA285D0D6371F70AC&amp;Stores=My%5CUser"/>
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="CLIENT"/>
          <parm name="AAUTHTYPE" value="DIGEST"/>
          <parm name="AAUTHSECRET" value="password1"/>  <!-- Have a doubt about this field and the one below. Whose passwords and nonce do they mean? -->
          <parm name="AAUTHDATA" value="nonce"/>
        </characteristic>
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="APPSRV"/>
          <parm name="AAUTHTYPE" value="BASIC"/>
          <parm name="AAUTHNAME" value="abc@abc.com"/> <!-- Have a doubt about this field and the one below. Whose username and passwords do they mean? -->
          <parm name="AAUTHSECRET" value="Computer@2"/>
        </characteristic>
      </characteristic>
      <characteristic type="DMClient">
        <characteristic type="Provider">
          <characteristic type="MDMServer">
            <parm datatype="string" name="UPN" value="UserPrincipalName@contoso.com"/> <!-- Doubt about this field too. What is expected? -->
            <characteristic type="Poll">
              <parm datatype="integer" name="NumberOfFirstRetries" value="8"/>
              <parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15"/>
              <parm datatype="integer" name="NumberOfSecondRetries" value="5"/>
              <parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3"/>
              <parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0"/>
              <parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560"/>
              <parm datatype="boolean" name="PollOnLogin" value="true"/>
            </characteristic>
            <parm datatype="string" name="EntDeviceName" value="Administrator_Windows"/>
          </characteristic>
        </characteristic>
      </characteristic>
    </wap-provisioningdoc>

    I have a few doubts about the above WAP too (I have put comments there).

    Really stuck here. Any help would really be appreciated :)

    Tuesday, March 8, 2016 10:41 AM
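The certificate-enrollment step the question describes, worked through as an added example (this is not code from the original post or from any Microsoft sample): a Python script, assuming the `cryptography` package, that signs the PKCS#10 from the client's RST while keeping the subject the client requested, uses the SHA-1 thumbprints as the characteristic types under Root/System and My/User, builds the WAP provisioning document with SSLCLIENTCERTSEARCHCRITERIA derived from the issued certificate, and checks the document for consistency before it is sent. The CA, the client request and the server address are constructed stand-ins. The page does not settle whether the server may pick a CN other than the one in the request (question 1); the example sidesteps that by reusing the requested subject, so the search criteria match whatever was issued. The WSTEP/Renew and DMClient characteristics of the posted document are left out.

```python
"""Added example, not code from the original post: server side of the certificate-enrollment
step, issuing the client certificate from the PKCS#10 in the RST and building the WAP
provisioning document around it. Assumptions not on the page: `cryptography` is installed,
the CA and the PKCS#10 are constructed stand-ins, and '!' stays unencoded as in the posted doc."""
import base64
import datetime
import urllib.parse
import xml.etree.ElementTree as ET

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def _sign(subject, issuer, public_key, days, extensions, signing_key):
    # Validity starts 5 minutes in the past to absorb clock skew between server and device.
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(public_key)
         .serial_number(x509.random_serial_number()).not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=days)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical=critical)
    return b.sign(signing_key, hashes.SHA256())


def make_ca(cn="Test MDM Root CA"):
    """Constructed self-signed CA standing in for the server's real CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return key, _sign(name, name, key.public_key(), 3650,
                      [(x509.BasicConstraints(ca=True, path_length=None), True)], key)


def make_client_csr(cn):
    """Constructed stand-in for the PKCS#10 carried in the client's RST; returns (key, DER bytes)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    csr = x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())
    return key, csr.public_bytes(serialization.Encoding.DER)


def issue_client_cert(csr_der, ca_key, ca_cert, days=365):
    """Sign the request keeping the client's subject; a request whose own signature fails is rejected (proof of possession)."""
    csr = x509.load_der_x509_csr(csr_der)
    if not csr.is_signature_valid:
        raise ValueError("PKCS#10 signature does not verify")
    key_usage = x509.KeyUsage(  # digitalSignature + keyEncipherment, as in the posted certificate
        digital_signature=True, key_encipherment=True, content_commitment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False)
    return _sign(csr.subject, ca_cert.subject, csr.public_key(), days,
                 [(x509.BasicConstraints(ca=False, path_length=None), True), (key_usage, True)], ca_key)


def thumbprint(cert):
    """SHA-1 thumbprint, upper-case hex: the characteristic type under Root/System and My/User."""
    return cert.fingerprint(hashes.SHA1()).hex().upper()


def search_criteria(cert):
    """Derived from the issued certificate itself, so subject and criteria cannot drift apart."""
    return ("Subject=" + urllib.parse.quote(cert.subject.rfc4514_string(), safe="!")
            + "&Stores=" + urllib.parse.quote("My\\User", safe=""))


def _store(doc, store, location, cert):
    # CertificateStore/<store>/<location>/<thumbprint>/EncodedCertificate; returns the <location> node
    node = ET.SubElement(doc, "characteristic", type="CertificateStore")
    for t in (store, location):
        node = ET.SubElement(node, "characteristic", type=t)
    ET.SubElement(ET.SubElement(node, "characteristic", type=thumbprint(cert)), "parm", name="EncodedCertificate",
                  value=base64.b64encode(cert.public_bytes(serialization.Encoding.DER)).decode())
    return node


def build_wap_doc(ca_cert, client_cert, server_addr, provider_id="MDMServer"):
    doc = ET.Element("wap-provisioningdoc", version="1.1")
    _store(doc, "Root", "System", ca_cert)
    ET.SubElement(_store(doc, "My", "User", client_cert), "characteristic", type="PrivateKeyContainer")
    app = ET.SubElement(doc, "characteristic", type="APPLICATION")
    for name, value in (("APPID", "w7"), ("PROVIDER-ID", provider_id), ("NAME", "test"), ("ADDR", server_addr),
                        ("DEFAULTENCODING", "application/vnd.syncml.dm+wbxml"),
                        ("SSLCLIENTCERTSEARCHCRITERIA", search_criteria(client_cert))):
        ET.SubElement(app, "parm", name=name, value=value)
    # ElementTree escapes '&' exactly once: the attribute reads '&amp;Stores=', never '&amp;amp;Stores='
    return '<?xml version="1.0" encoding="UTF-8" standalone="no"?>' + ET.tostring(doc, encoding="unicode")


def check_doc(doc_xml):
    """Self-check before sending: My\\User characteristic type == its cert's SHA-1 thumbprint, criteria name that subject."""
    root = ET.fromstring(doc_xml.encode("utf-8"))
    holder = root.find("characteristic[@type='CertificateStore']/characteristic[@type='My']/characteristic"
                       "[@type='User']/characteristic/parm[@name='EncodedCertificate']/..")
    cert = x509.load_der_x509_certificate(base64.b64decode(holder.find("parm").get("value")))
    crit = urllib.parse.parse_qs(root.find("characteristic[@type='APPLICATION']"
                                           "/parm[@name='SSLCLIENTCERTSEARCHCRITERIA']").get("value"))
    return (thumbprint(cert) == holder.get("type") and crit.get("Subject") == [cert.subject.rfc4514_string()]
            and crit.get("Stores") == ["My\\User"])
```

The string returned by build_wap_doc is the provisioning document that goes, base64-encoded, into the BinarySecurityToken of the RequestSecurityTokenResponse; that SOAP wrapper is not built here. check_doc catches two inconsistencies on the server instead of letting them surface as an unexplained failure on the device: a characteristic type that is not the thumbprint of the certificate it wraps, and search criteria naming a subject other than the one actually placed in the My\User store. Note also that the serialiser writes the separator as `&amp;` exactly once; a document that already contains `&amp;` and is escaped a second time ends up with `&amp;amp;`, which an XML parser hands to the client as the literal text `&amp;Stores=...` rather than a second query parameter.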

Answers

All replies

  • Might be a problem with a Windows 10 patch. I had something similar that did not occur on an unpatched OS. Check what patches were applied on your system and if possible uninstall and try again. 

    • Edited by P.G.Petrov Sunday, March 27, 2016 8:04 PM
    Sunday, March 27, 2016 8:04 PM
  • Turned out the issue was resolved in new Windows 10 insider preview builds that I tested with.
    Sunday, July 17, 2016 12:24 PM