MDM enrollment for Windows 10 - MS-WSTEP certificate enrollment

  • Question

  • Hi,

    I am implementing my own MDM server using OMA-DM protocol, and am currently working on enrolling a windows 10 client to my server. I have successfully implemented the 'discovery service' and 'policy service' steps as mentioned in this link : https://msdn.microsoft.com/en-us/library/windows/hardware/dn925031(v=vs.85).aspx

    I am currently trying to complete the 3rd step, i.e. the 'certificate enrollment'. As stated in the above link, the client sends me the Request Security Token (RST) message (which has a PKCS#10 certificate request) and from my understanding, I am supposed to send a root and client certificate back in a WAP provisioning XML. However, on the Windows 10 machine I get a message "Something went wrong...". The administrative logs in Event Viewer are of no use and have this message: "MDM Enroll: Failed to receive or parse certificate enroll response. Result: (Unknown Win32 Error code: 0x80180008)."

    I have the following questions:

    1) From reading around, I have understood that the client will send a hard-coded CN value in the PKCS#10 certificate request and it is the responsibility of the server to send a signed client certificate with this same CN. Am I right? Or is it up to the server to send ANY CN it sees fit, provided that the WAP has the subject in the search criteria param?

    2) The WAP provisioning XML has a parameter called "SSLCLIENTCERTSEARCHCRITERIA". What should this value ideally be? As per my understanding it should be the subject of the client certificate, i.e. the CN.

    3) Is there any way I can see more detailed logs on the Windows 10 client PC?

    Here is my WAP:

    <?xml version="1.0" encoding="UTF-8"?>
    <wap-provisioningdoc version="1.1">
       <characteristic type="CertificateStore">
          <characteristic type="Root">
             <characteristic type="System">
                <characteristic type="B8E6A72180B04F64CB594AEFBFDF2F0997DB6FD7">
                   <parm name="EncodedCertificate" value="..." />
                </characteristic>
             </characteristic>
          </characteristic>
       </characteristic>
       <characteristic type="CertificateStore">
          <characteristic type="My">
             <characteristic type="User">
                <characteristic type="8C0765870005BC084563F0D359AE41177CEB4F1C">
                   <parm name="EncodedCertificate" value="MIIEazCCAlOgAwIBAgIGAVNVq4FVMA0GCSqGSIb3DQEBCwUAMIGLMRwwGgYJKoZIhvcNAQkBFg1yb290QHdzbzIuY29tMRUwEwYDVQQDDAxXU08yIFJvb3QgQ0ExFjAUBgNVBAsMDVRlc3Qgb3JnIHVuaXQxETAPBgNVBAoMCFRlc3QgT3JnMQ0wCwYDVQQHDARUZXN0MQ0wCwYDVQQIDARUZXN0MQswCQYDVQQGEwJVUzAgFw0xNjAzMDYxMDAwMTZaGA8yMTE2MDMwODEwMDAxNlowSzFJMEcGA1UEAwxAMEM1OUJBQjAtQUU0Ny00NDlDLTkyQ0QtRTEyMjM2MyFEMzdCNzM1Nzc0MUVGNDRFQTI4NUQwRDYzNzFGNzBBQzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOF6TccENSlWosUpeh4ILwFu50vbvgYLoTgE1eVqP+SqPwdWAs9zfCexKqp0ySFV6lVvx8YRVgXpBpLV4Co6mqED18EqsS0OgpdiyowBhWh0yFwxXb7gVYmB+2s6vHoYTf2+mseWDMHiJbiZsJd+jep8+ZLUeMq2YZwz3uB8pbZ5v1AJjRs2kCOA99G8TKMF6kY0rlOaEIb4rhLolBOxgS8V7rhND6+e0ruTspLeoHKxUcw+Udh2jFA6uIkjWqdarFcx3a18a7JK8mCxY1bA5YrVDr+DCKgwFNwQYUW8n3y/REVSFaoKVjtZWdtCGx0NNTEgmg1Qilx0ckrStAwuFBkCAwEAAaMSMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBCwUAA4ICAQBrpXVXQtx3DMzmNQBVcthaM7Tr7/EEmrqwkgwWlnPKVWPKgps+dPhulgQ9fNvcfiGrra6L6NYmU92g16G8DgmH7CCjwWsHWeETWjegcNMn4a0lX81HCS+8yb62+i5U3Jz5/eU4QL5iJZabT5iMfe7oE1enP+o5BzfKa4ce+gk2Id/WoIdTPmsTge+vPGXl8D0x+wk/AV/SzsFuv5u12K19H/3Sta0jjQl+VVLkwHiKxQ6SUmR+E4HIX+f9903fONYZGLXQJrVadG+lP2ydHOyYss8efbVNkTA3/VkUApG1Wx5P+WdFWtJBgZxajO5mosrNOJaCZ/5SVxmEf/7LH4I5JSfr4WXGponTw/TCWsdyklY3z18E4w+Go8KMseITGThtPhuZ9Uxg6LrE/SFSHqhEaMinbGW1LlvXXui6CqbHC6+ytQHzm40OAp1Wfp/+yyaegOxZTNePFKtzoQg/bJzgdHLEDU2L2fxHFPSNHGXpMKryCVGYta5Zapy4Mwa9fkA2vaSDq1FXW12wzPjal8pc4C0mBq5WAd/99u6xhsAHUrimIOzq92ifw9z9zVR37qYPi4tFuhyVvxRrblciGmS9/LWkDcYezrpBKnrSAo8qEySgJcoENlc3x906vh4TLrJdjjEIRSWiCrmTGP32o/cYIvZa8J5v0ysJzX4jaw769g==" />
                </characteristic>
                <characteristic type="PrivateKeyContainer" />
             </characteristic>
             <characteristic type="WSTEP">
                <characteristic type="Renew">
                   <parm datatype="boolean" name="ROBOSupport" value="true" />
                   <parm datatype="integer" name="RenewPeriod" value="60" />
                   <parm datatype="integer" name="RetryInterval" value="4" />
                </characteristic>
             </characteristic>
          </characteristic>
       </characteristic>
       <characteristic type="APPLICATION">
          <parm name="APPID" value="w7" />
          <parm name="PROVIDER-ID" value="MDMServer" />
          <parm name="NAME" value="test" />
          <parm name="ADDR" value="https://dhruvesh.auth.hpicorp.net/services/oma-dm/ws/syncml/initialquery" />
          <parm name="CONNRETRYFREQ" value="6" />
          <parm name="INITIALBACKOFFTIME" value="30000" />
          <parm name="MAXBACKOFFTIME" value="120000" />
          <parm name="BACKCOMPATRETRYDISABLED" />
          <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
          <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3D0C59BAB0-AE47-449C-92CD-E122363!D37B7357741EF44EA285D0D6371F70AC&amp;amp;Stores=My%5CUser" />
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="CLIENT" />
             <parm name="AAUTHTYPE" value="DIGEST" />
             <parm name="AAUTHSECRET" value="password1" />
             <!-- Have a doubt about this field and the one below. Whose passwords and nonce do they mean? -->
             <parm name="AAUTHDATA" value="nonce" />
          </characteristic>
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="APPSRV" />
             <parm name="AAUTHTYPE" value="BASIC" />
             <parm name="AAUTHNAME" value="abc@abc.com" />
             <!-- Have a doubt about this field and the one below. Whose username and passwords do they mean? -->
             <parm name="AAUTHSECRET" value="Computer@2" />
          </characteristic>
       </characteristic>
       <characteristic type="DMClient">
          <characteristic type="Provider">
             <characteristic type="MDMServer">
                <parm datatype="string" name="UPN" value="UserPrincipalName@contoso.com" />
                <!-- Doubt about this field too. What is expected ? -->
                <characteristic type="Poll">
                   <parm datatype="integer" name="NumberOfFirstRetries" value="8" />
                   <parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15" />
                   <parm datatype="integer" name="NumberOfSecondRetries" value="5" />
                   <parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3" />
                   <parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0" />
                   <parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560" />
                   <parm datatype="boolean" name="PollOnLogin" value="true" />
                </characteristic>
                <parm datatype="string" name="EntDeviceName" value="Administrator_Windows" />
             </characteristic>
          </characteristic>
       </characteristic>
    </wap-provisioningdoc>

    I have a few doubts about the above WAP too (I have put comments there).

    Really stuck here. Any help would really be appreciated :)


    Tuesday, March 8, 2016 9:24 AM

Answers

  • Hi guys,

    My issue got solved, it was actually related to the XML that was being sent as a response.

    Here is the XML response needed for the certificate enrollment step:

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
        <soap:Header>
            <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep/RequestSecurityTokenResponse</Action>
            <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:697a173c-6237-45eb-9190-156bf8334df0</MessageID>
            <To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
            <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</RelatesTo>
            <Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0">
                    <c:Created xmlns:c="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-03-10T18:29:57.707Z</c:Created>
                    <e:Expires xmlns:e="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-03-10T18:34:57.778Z</e:Expires>
                </Timestamp>
            </Security>
        </soap:Header>
        <soap:Body>
            <ns2:RequestSecurityTokenResponseCollection xmlns="http://www.w3.org/2003/05/soap-envelope" xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns4="http://schemas.xmlsoap.org/ws/2006/12/authorization" xmlns:ns5="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
                <ns2:RequestSecurityTokenResponse>
                    <ns2:TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</ns2:TokenType>
                    <ns2:RequestedSecurityToken>
                        <ns3:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc">##MyBST##</ns3:BinarySecurityToken>
                    </ns2:RequestedSecurityToken>
                    <ns5:RequestID>0</ns5:RequestID>
                </ns2:RequestSecurityTokenResponse>
            </ns2:RequestSecurityTokenResponseCollection>
        </soap:Body>
    </soap:Envelope>

    And this is the WAP provisioning XML:

    <?xml version="1.0" encoding="UTF-8"?>
    <wap-provisioningdoc version="1.1">
       <characteristic type="CertificateStore">
          <characteristic type="Root">
             <characteristic type="System">
                <characteristic type="E6E7F4391506104CC4B0557A244EF94F2FC67FBD">
                   <parm name="EncodedCertificate" value="..." />
                </characteristic>
             </characteristic>
          </characteristic>
       </characteristic>
       <characteristic type="CertificateStore">
          <characteristic type="My">
             <characteristic type="User">
                <characteristic type="88FA7FD0A4844CCCF1F778BCD43A584DC456E6E5">
                   <parm name="EncodedCertificate" value="MIIDEzCCAfugAwIBAgIGAVN42HeoMA0GCSqGSIb3DQEBCwUAMGUxEjAQBgNVBAMMCUhQLU9NQS1ETTETMBEGA1UECwwKTGlnaHRob3VzZTELMAkGA1UECgwCSFAxEDAOBgNVBAcMB0hvdXN0b24xDjAMBgNVBAgMBVRleGFzMQswCQYDVQQGEwJVUzAgFw0xNjAzMTMwNTU2MDVaGA8yMTE2MDMxNTA1NTYwNVowGjEYMBYGA1UEAxMPSFAuT01BRE0uQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+zQVcs9MDFqkjsVvvG0CrfvnFutEo7+vEhfs9EzUgGjavv/VonL3S+gNJ/aHEkCLdh4mZOuQQFjp/JrJiHs1BpoPPat2g2NA6nrg3fsmyiXnbTvOB1onOaqMA4ACv7lm8zDHEBOwbzy5dGpUmEBFdarmofvpQsojvwHSfqglgZxg1BvtRH3JMV6Pk8OpNBjDQbv65+/7qq1JORqGTeOJhCznZDPDReAAnWfCvrL8CqPYdu2j3eg1ppwpeIiadZQwIpjsYyjvK9jh0RIT/3fWChpFRDDSRdBuFzUF1Y7jVXWsMQqHRPSQ0plp6x+ct6qgp424CWrY6zJ31KmJfx0CKQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBaAwDQYJKoZIhvcNAQELBQADggEBAFpbdaiNA3v1tC7YB+GS4NrxE2EH2/ABwWQC9bVgS+D/IINDjcgaUoWXDIPii9OTCEA++65fF2tR5QRIBdGthpuCwsctiV8YUzMPhP23D7utlV72c2lKg/QeGSpmqU4zIaydSVidfBI+UVfoiE6c21cnQ79lGfEjbT9VjPAumWmd5PEuHw3PNKFd2+aPtuyqKGr0h9p64BtPA66gAzPQNVT8yiK4moCEkCIfkyhynbdzaNlZZpWMP44qy3fUstBxFfyEOVtNldWz9aVgQ6pvp1vH/p9Km8Pe/7baVt55yhL+tKoMNAtnrDwxZOiEPUcV2IndEECMG+qWWJ45KpjCOPQ=" />
                </characteristic>
                <characteristic type="PrivateKeyContainer" />
             </characteristic>
             <characteristic type="WSTEP">
                <characteristic type="Renew">
                   <parm datatype="boolean" name="ROBOSupport" value="true" />
                   <parm datatype="integer" name="RenewPeriod" value="60" />
                   <parm datatype="integer" name="RetryInterval" value="4" />
                </characteristic>
             </characteristic>
          </characteristic>
       </characteristic>
       <characteristic type="APPLICATION">
          <parm name="APPID" value="w7" />
          <parm name="PROVIDER-ID" value="MDMServer" />
          <parm name="NAME" value="HP TouchPoint Manager" />
          <parm name="ADDR" value="https://dhruvesh.auth.hpicorp.net/services/oma-dm/rs/syncml" />
          <parm name="CONNRETRYFREQ" value="6" />
          <parm name="INITIALBACKOFFTIME" value="30000" />
          <parm name="MAXBACKOFFTIME" value="120000" />
          <parm name="BACKCOMPATRETRYDISABLED" />
          <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
          <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3DHP.OMADM.Client&amp;Stores=My%5CUser" />
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="CLIENT" />
             <parm name="AAUTHTYPE" value="DIGEST" />
             <parm name="AAUTHSECRET" value="dummy" />
             <parm name="AAUTHDATA" value="MTIzNDU=" />
          </characteristic>
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="APPSRV" />
             <parm name="AAUTHTYPE" value="BASIC" />
             <parm name="AAUTHNAME" value="dummy" />
             <parm name="AAUTHSECRET" value="dummy" />
             <parm name="AAUTHDATA" value="MTIzNDU=" />
          </characteristic>
       </characteristic>
       <characteristic type="DMClient">
          <characteristic type="Provider">
             <characteristic type="MDMServer">
                <characteristic type="Poll">
                   <parm datatype="integer" name="NumberOfFirstRetries" value="8" />
                   <parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15" />
                   <parm datatype="integer" name="NumberOfSecondRetries" value="5" />
                   <parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3" />
                   <parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0" />
                   <parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560" />
                   <parm datatype="boolean" name="PollOnLogin" value="true" />
                </characteristic>
                <parm datatype="string" name="EntDeviceName" value="Administrator_Windows" />
             </characteristic>
          </characteristic>
       </characteristic>
    </wap-provisioningdoc>

    The enrollment now succeeds and the client sends me the first SyncML message. Thanks Stephen and Obaid for your insights. Really appreciate the help :)

    Tuesday, March 15, 2016 6:19 AM

All replies

  • How are you signing the request? I have found with both Active Directory Certificate Services and OpenSSL that simply enrolling the request and returning the resulting certificate chain is enough.

    The Auth Secret is what the client will later use during OMA DM sessions to authenticate the server.

    For Auth name, simply place in there the identifying credential you wish to use to identify requests from the client. In our case we use the email address or username so that we can identify who the request is from.

    I don't think you need UPN but I would suggest at that point instead setting the EntDMID, as that is required before ROBO or manual renewal of the enrollment will be triggered later on.

    Tuesday, March 8, 2016 11:34 AM
  • Oh, I have just double checked and the Auth Name is also used during authentication of the OMA DM sessions.
    Tuesday, March 8, 2016 11:36 AM
  • Hi, thanks for your prompt reply.

    The signed request is coming directly from the Windows 10 client after the "policy service".

    This link - https://msdn.microsoft.com/en-us/library/windows/hardware/dn925031(v=vs.85).aspx mentioned that it will be a PKCS#10 certificate request.

    In my custom MDM server, I have used the Java Bouncy Castle APIs to help create the certificates. So while creating the client certificate I simply use the above CSR received from the device.

    Attaching the PKCS#10 certificate request received from client, on the basis of which the above provisioning xml was created: 


    Also could you please clear my doubt related to CN (Question 1 & 2 in the initial message) :)

    Thanks


    Tuesday, March 8, 2016 12:03 PM
  • OK, we haven't implemented the federated enrollment but it looks like it is mostly the same. The device discovers the services, the device then requests any certificate policy (optional), then the device enrols the certificate. In our case, we ignored the policy service as we didn't have any special requirements for the certificate request. After the policy step, your server will receive the request for the security token from the client and you need to forward the PKCS#10 (public key) to your Certificate Authority/PKI for signing. You then return the resulting signed public key to the client.

    Have a look here regarding the certificate requirements around the subject name: http://blogs.msdn.com/b/wsdevsol/archive/2013/10/03/troubleshooting-your-windows-phone-8-enterprise-mobile-device-management-implementation.aspx

    Does that help? Or have I misunderstood something?

    Cheers,

    Tuesday, March 8, 2016 12:17 PM
  • I should add that the device expects the public key of the resulting certificate to match the public key it sends in the request, but the subject/common name (CN) of the resulting certificate will almost always be different and this is OK.

    Tuesday, March 8, 2016 12:19 PM
  • Hi Dhruvesh:

    I'll help you with this issue and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi

    Tuesday, March 8, 2016 5:47 PM
    Owner
  • Hi Dhruvesh:

    The following document describes the MDM enrollment protocol for Windows 10:

    [MS-MDE2]: Mobile Device Enrollment Protocol Version 2

    https://msdn.microsoft.com/en-us/library/mt221945.aspx

    The stage you are at is described in section "3.4 Interaction with WS-Trust X.509v3 Token Enrollment"

    Please consult this document and if you still have questions, please feel free to post here or send an email to dochelp at Microsoft dot com.


    Regards, Obaid Farooqi

    Wednesday, March 9, 2016 12:29 AM
    Owner
  • Hi Stephen,

    I made sure that I am following all the above pointers you mentioned. But, still no success...

    Following is a summary of what I've made sure is present after your comments:

    1) The client certificate I'm sending in response to the PKCS#10 request (from the client) has the same public key value as specified in the PKCS#10 request. (Used a tool: https://certlogik.com/decoder/ to validate)

    2) Referred to this blog http://blogs.msdn.com/b/wsdevsol/archive/2013/10/03/troubleshooting-your-windows-phone-8-enterprise-mobile-device-management-implementation.aspx
    It says "The value of SSLCLIENTCERTSEARCHCRITERIA must begin with "Subject=" as plain text followed by the URL encoded contents of the Subject property and should end with "&amp;Stores=My%5CUser"."
    Hence,
    the CN of my client certificate is: dhruvesh.auth.hpicorp.net
    So, I now have this: <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3Ddhruvesh.auth.hpicorp.net&amp;Stores=My%5CUser"/>
    (Note: I have added my own custom CN and not the CN that came from the device)

    3) APPAUTH settings for CLIENT and APPSRV are a valid Binary64 encoded numeric value (1234 so value is MTIzNDU=)

    PKCS#10 from client :


    My WAP provisioning XML now:

    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <wap-provisioningdoc version="1.1">
       <characteristic type="CertificateStore">
          <characteristic type="Root">
             <characteristic type="System">
                <characteristic type="B8E6A72180B04F64CB594AEFBFDF2F0997DB6FD7">
                   <parm name="EncodedCertificate" value="..."/>
                </characteristic>
             </characteristic>
          </characteristic>
          <characteristic type="My">
             <characteristic type="User">
                <characteristic type="5044DA3266DD459A9DBD463E765726985FE1CB94">
                   <parm name="EncodedCertificate" value="..."/>
                </characteristic>
                <characteristic type="PrivateKeyContainer"/>
             </characteristic>
             <characteristic type="WSTEP">
                <characteristic type="Renew">
                   <parm datatype="boolean" name="ROBOSupport" value="true"/>
                   <parm datatype="integer" name="RenewPeriod" value="60"/>
                   <parm datatype="integer" name="RetryInterval" value="4"/>
                </characteristic>
             </characteristic>
          </characteristic>
       </characteristic>
       <characteristic type="APPLICATION">
          <parm name="APPID" value="w7"/>
          <parm name="PROVIDER-ID" value="MDMServer"/>
          <parm name="NAME" value="Test"/>
          <parm name="ADDR" value="https://dhruvesh.auth.hpicorp.net/services/oma-dm/ws/syncml/initialquery"/>
          <parm name="CONNRETRYFREQ" value="6"/>
          <parm name="INITIALBACKOFFTIME" value="30000"/>
          <parm name="MAXBACKOFFTIME" value="120000"/>
          <parm name="BACKCOMPATRETRYDISABLED"/>
          <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml"/>
          <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3Ddhruvesh.auth.hpicorp.net&amp;Stores=My%5CUser"/>
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="CLIENT"/>
             <parm name="AAUTHTYPE" value="DIGEST"/>
             <parm name="AAUTHSECRET" value="dummy"/>
             <parm name="AAUTHDATA" value="MTIzNDU="/>
          </characteristic>
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="APPSRV"/>
             <parm name="AAUTHTYPE" value="BASIC"/>
             <parm name="AAUTHNAME" value="dummy"/>
             <parm name="AAUTHSECRET" value="dummy"/>
             <parm name="AAUTHDATA" value="MTIzNDU="/>
          </characteristic>
       </characteristic>
       <characteristic type="DMClient">
          <characteristic type="Provider">
             <characteristic type="MDMServer">
                <characteristic type="Poll">
                   <parm datatype="integer" name="NumberOfFirstRetries" value="8"/>
                   <parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15"/>
                   <parm datatype="integer" name="NumberOfSecondRetries" value="5"/>
                   <parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3"/>
                   <parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0"/>
                   <parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560"/>
                   <parm datatype="boolean" name="PollOnLogin" value="true"/>
                </characteristic>
                <parm datatype="string" name="EntDeviceName" value="Administrator_Windows"/>
             </characteristic>
          </characteristic>
       </characteristic>
    </wap-provisioningdoc>

    Could you please tell me if anything is missing in the above provisioning XML, because that seems like the only reason for the failed enrollment?

    P.S.: Event Viewer in Win10 simply says "MDM Enroll: Failed to receive or parse certificate enroll response". Any way I can see more logs about this issue on the Win10 client?

    Thanks

    Wednesday, March 9, 2016 6:26 AM
  • Hi Obaid,

    Thanks for your response and the theory links surrounding this step; I have gone through them thoroughly :)

    I would really appreciate it if you could go through the above response that I sent to Stephen. It would help to have your views on it too.

    Thanks.

    Wednesday, March 9, 2016 6:31 AM
  • Hhhmmm... That all looks fine to me so I can only assume that there must be an issue with the certificate that has been issued.

    For reference, here is a capture I have just taken from a successful enrolment of a Windows 10 Mobile device. Ignore the second User certificate, this is something we install so we can detect if the client is enrolled from a client UWP app:

    <wap-provisioningdoc version="1.1">
      <characteristic type="CertificateStore">
        <characteristic type="Root">
          <characteristic type="System">
            <characteristic type="801C0A429DD9A40368A7DD812221166CDC13998A">
              <parm name="EncodedCertificate" value="MII..." />
            </characteristic>
          </characteristic>
        </characteristic>
        <characteristic type="My">
          <characteristic type="User">
            <characteristic type="024F788018948D2BB513E449D721ACF8979AD62C">
              <parm name="EncodedCertificate" value="MII..." />
            </characteristic>
            <characteristic type="D5C2CC61D6ABC5799D15A46E1136EF1A3234F085">
              <parm name="EncodedCertificate" value="MII..." />
            </characteristic>
            <characteristic type="PrivateKeyContainer" />
          </characteristic>
          <characteristic type="WSTEP">
            <characteristic type="Renew">
              <parm name="ROBOSupport" value="false" datatype="boolean" />
              <parm name="RenewPeriod" value="60" datatype="integer" />
              <parm name="RetryInterval" value="3" datatype="integer" />
            </characteristic>
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="APPLICATION">
        <parm name="APPID" value="w7" />
        <parm name="PROVIDER-ID" value="uk.co.company.mdmserver" />
        <parm name="NAME" value="Company EMM Solution" />
        <parm name="ADDR" value="https://dev-vm02.company.local/EnrollmentServer/MdmWindows/DMSync" />
        <parm name="CONNRETRYFREQ" value="6" />
        <parm name="INITIALBACKOFFTIME" value="30000" />
        <parm name="MAXBACKOFFTIME" value="120000" />
        <parm name="BACKCOMPATRETRYDISABLED" />
        <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
        <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3DCertificateAuthority%2C%20DC%3Dcompany%2C%20DC%3Dlocal&amp;Stores=My%5CUser" />
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="CLIENT" />
          <parm name="AAUTHTYPE" value="DIGEST" />
          <parm name="AAUTHSECRET" value="JhYU6qPVNhpQp3wRVKfU6rAtNSRfPQDOPmgtFg13iSrfabdkZBQbfnCWHLsUcDig" />
          <parm name="AAUTHDATA" value="w8H96u7CyIKkA7GN4B777TY6t4WkcAlRr7naxWzWnmdWzRKYv70B+LiIevdC+6a2SH2J3TZ+ZX/iD90TA8MO7A==" />
        </characteristic>
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="APPSRV" />
          <parm name="AAUTHTYPE" value="DIGEST" />
          <parm name="AAUTHNAME" value="user.name@company.com" />
          <parm name="AAUTHSECRET" value="z3RrXClxW2F75JEzbZUVq5F3qog5RsOYFGS2xwoRkNozLJyHadfmjPHEicPjhSFy" />
          <parm name="AAUTHDATA" value="+TrA3Yqjp/sUEIihhVsJVYy+b35/WQowfPfN4GfKmXjg0503i72FFNFjfChiy4egMCU1IWN1rOV8lH8qn8XuCw==" />
        </characteristic>
      </characteristic>
      <characteristic type="DMClient">
        <characteristic type="Provider">
          <characteristic type="uk.co.company.mdmserver">
            <parm name="EntDMID" value="1" datatype="string" />
            <characteristic type="Poll">
              <parm name="NumberOfFirstRetries" value="8" datatype="integer" />
              <parm name="IntervalForFirstSetOfRetries" value="1440" datatype="integer" />
              <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
              <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
              <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
              <parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
            </characteristic>
          </characteristic>
        </characteristic>
      </characteristic>
    </wap-provisioningdoc>

    You are going to have to hunt through the client log files to find any errors relating to this phase of the enrollment. I assume you'll already have followed this: https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120(v=vs.85).aspx

    I have found that common errors here are due to the certificate validation failing. For example, if Windows cannot find the CRL defined in the certificate or if the root is not trusted then it will fail. What happens if you save the DER/B64 content (i.e. the content starting with: MIIF+zCCA+OgAwIBAgIJAJE458QXNuiLMA0G) of the root certificate to a .cer file and try to install it manually on the Windows client? You may need to format it to the PEM format with line feeds and the appropriate header/footer for this to work (see here for a tool that can help: https://www.sslshopper.com/ssl-converter.html)

    Thanks,


    Thursday, March 10, 2016 10:01 AM
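As an added example (not code from the thread or from any poster's server; standard library only), a script that turns the points the replies settled on into local checks on the WAP doc before it is base64-encoded into the RSTR's BinarySecurityToken: the "Subject=" + URL-encoded subject + "&Stores=My%5CUser" shape of SSLCLIENTCERTSEARCHCRITERIA from the troubleshooting blog, the 40-hex-digit node names being the certificates' SHA-1 thumbprints, and Stephen's point that the issued client certificate must carry the public key from the device's PKCS#10 request (checked here with a small DER walker instead of an online decoder). The function names, the DER walker and the constructed root/client/CSR fixtures are this example's own assumptions, not anything from MS-MDE2.

```python
# Added example (not code from the thread; standard library only): the checks the
# replies converged on, run on the WAP doc before it is base64-encoded into the RSTR.
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import quote

STORES_SUFFIX = "&Stores=My%5CUser"

def search_criteria(subject: str) -> str:
    """SSLCLIENTCERTSEARCHCRITERIA: literal 'Subject=' + URL-encoded subject of the
    issued client cert + store suffix (an XML serializer renders the & as &amp;)."""
    return "Subject=" + quote(subject, safe="") + STORES_SUFFIX

def thumbprint(cert_der: bytes) -> str:
    """Upper-case SHA-1 hex of the DER: the <characteristic type="..."> node name."""
    return hashlib.sha1(cert_der).hexdigest().upper()

def _tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _members(seq_content: bytes) -> list:
    """Split DER SEQUENCE content into its (tag, content) members."""
    out, pos = [], 0
    while pos < len(seq_content):
        tag, val, pos = _tlv(seq_content, pos)
        out.append((tag, val))
    return out

def spki_of_cert(cert_der: bytes) -> bytes:
    """subjectPublicKeyInfo content of an X.509 cert: the tbsCertificate member after
    the optional [0] version, serialNumber, signature, issuer, validity and subject."""
    members = _members(_members(_tlv(cert_der)[1])[0][1])
    if members[0][0] == 0xA0:
        members = members[1:]
    return members[5][1]

def spki_of_csr(csr_der: bytes) -> bytes:
    """subjectPKInfo content of a PKCS#10 request: certificationRequestInfo is
    (version, subject, subjectPKInfo, attributes)."""
    return _members(_members(_tlv(csr_der)[1])[0][1])[2][1]

def wap_certificate_stores(root_der: bytes, client_der: bytes, subject: str) -> str:
    """Certificate-related part of the WAP doc in the shape the accepted answer used
    (APPAUTH and DMClient settings omitted)."""
    root_b64, client_b64 = (base64.b64encode(d).decode() for d in (root_der, client_der))
    criteria = search_criteria(subject).replace("&", "&amp;")
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore"><characteristic type="Root"><characteristic type="System">
    <characteristic type="{thumbprint(root_der)}"><parm name="EncodedCertificate" value="{root_b64}" /></characteristic>
  </characteristic></characteristic></characteristic>
  <characteristic type="CertificateStore"><characteristic type="My"><characteristic type="User">
    <characteristic type="{thumbprint(client_der)}"><parm name="EncodedCertificate" value="{client_b64}" /></characteristic>
    <characteristic type="PrivateKeyContainer" />
  </characteristic></characteristic></characteristic>
  <characteristic type="APPLICATION"><parm name="SSLCLIENTCERTSEARCHCRITERIA" value="{criteria}" /></characteristic>
</wap-provisioningdoc>"""

def check_wap(wap_xml: str, csr_der: bytes) -> dict:
    """Verify the invariants from the thread before the doc goes to a device."""
    wap = ET.fromstring(wap_xml.encode())
    certs = {}  # characteristic type (claimed thumbprint) -> DER bytes
    for node in wap.iter("characteristic"):
        parm = node.find("parm[@name='EncodedCertificate']")
        if parm is not None:
            certs[node.get("type")] = base64.b64decode(parm.get("value"))
    p = wap.find(".//parm[@name='SSLCLIENTCERTSEARCHCRITERIA']")
    crit = p.get("value") if p is not None else ""  # ET has already unescaped &amp;
    csr_key = spki_of_csr(csr_der)
    return {
        "thumbprint_names_match": all(thumbprint(d) == t for t, d in certs.items()),
        "client_key_matches_csr": sum(spki_of_cert(d) == csr_key for d in certs.values()) == 1,
        "criteria_shape_ok": crit.startswith("Subject=") and crit.endswith(STORES_SUFFIX),
        "has_private_key_container": wap.find(".//characteristic[@type='PrivateKeyContainer']") is not None,
    }

def _der(tag: int, content: bytes) -> bytes:
    """Short-form DER TLV encoder, only used for the constructed fixtures below."""
    return bytes([tag, len(content)]) + content

def fake_cert(spki: bytes, with_version: bool = True) -> bytes:
    """Constructed stand-in with X.509 field order only; NOT a real certificate."""
    tbs = ([_der(0xA0, _der(0x02, b"\x02"))] if with_version else []) + [
        _der(0x02, b"\x01"), _der(0x30, b"alg"), _der(0x30, b"issuer"),
        _der(0x30, b"validity"), _der(0x30, b"subject"), _der(0x30, spki)]
    return _der(0x30, _der(0x30, b"".join(tbs)) + _der(0x30, b"alg") + _der(0x03, b"\x00sig"))

def fake_csr(spki: bytes) -> bytes:
    """Constructed PKCS#10 shape (version, subject, subjectPKInfo, [0] attributes)."""
    cri = _der(0x02, b"\x00") + _der(0x30, b"subject") + _der(0x30, spki) + _der(0xA0, b"")
    return _der(0x30, _der(0x30, cri) + _der(0x30, b"alg") + _der(0x03, b"\x00sig"))
```

With real material, the DER bytes come from base64-decoding the EncodedCertificate values and the PKCS#10 carried in the device's RST, and go into the same functions unchanged.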
  • Hi guys,

    My issue got solved, it was actually related to the XML that was being sent as a response.

    Here is the XML response needed to the certificate enrollment step 

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
        <soap:Header>
            <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep/RequestSecurityTokenResponse</Action>
            <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:697a173c-6237-45eb-9190-156bf8334df0</MessageID>
            <To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
            <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</RelatesTo>
            <Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0">
                    <c:Created xmlns:c="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-03-10T18:29:57.707Z</c:Created>
                    <e:Expires xmlns:e="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-03-10T18:34:57.778Z</e:Expires>
                </Timestamp>
            </Security>
        </soap:Header>
        <soap:Body>
            <ns2:RequestSecurityTokenResponseCollection xmlns="http://www.w3.org/2003/05/soap-envelope" xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns4="http://schemas.xmlsoap.org/ws/2006/12/authorization" xmlns:ns5="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
                <ns2:RequestSecurityTokenResponse>
                    <ns2:TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</ns2:TokenType>
                    <ns2:RequestedSecurityToken>
                        <ns3:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc">##MyBST##</ns3:BinarySecurityToken>
                    </ns2:RequestedSecurityToken>
                    <ns5:RequestID>0</ns5:RequestID>
                </ns2:RequestSecurityTokenResponse>
            </ns2:RequestSecurityTokenResponseCollection>
        </soap:Body>
    </soap:Envelope>

    And this is the WAP provisioning XML:

    <?xml version="1.0" encoding="UTF-8"?>
    <wap-provisioningdoc version="1.1">
       <characteristic type="CertificateStore">
          <characteristic type="Root">
             <characteristic type="System">
                <characteristic type="E6E7F4391506104CC4B0557A244EF94F2FC67FBD">
                   <parm name="EncodedCertificate" value="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" />
                </characteristic>
             </characteristic>
          </characteristic>
       </characteristic>
       <characteristic type="CertificateStore">
          <characteristic type="My">
             <characteristic type="User">
                <characteristic type="88FA7FD0A4844CCCF1F778BCD43A584DC456E6E5">
                   <parm name="EncodedCertificate" value="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" />
                </characteristic>
                <characteristic type="PrivateKeyContainer" />
             </characteristic>
             <characteristic type="WSTEP">
                <characteristic type="Renew">
                   <parm datatype="boolean" name="ROBOSupport" value="true" />
                   <parm datatype="integer" name="RenewPeriod" value="60" />
                   <parm datatype="integer" name="RetryInterval" value="4" />
                </characteristic>
             </characteristic>
          </characteristic>
       </characteristic>
       <characteristic type="APPLICATION">
          <parm name="APPID" value="w7" />
          <parm name="PROVIDER-ID" value="MDMServer" />
          <parm name="NAME" value="HP TouchPoint Manager" />
          <parm name="ADDR" value="https://dhruvesh.auth.hpicorp.net/services/oma-dm/rs/syncml" />
          <parm name="CONNRETRYFREQ" value="6" />
          <parm name="INITIALBACKOFFTIME" value="30000" />
          <parm name="MAXBACKOFFTIME" value="120000" />
          <parm name="BACKCOMPATRETRYDISABLED" />
          <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
          <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3DHP.OMADM.Client&amp;Stores=My%5CUser" />
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="CLIENT" />
             <parm name="AAUTHTYPE" value="DIGEST" />
             <parm name="AAUTHSECRET" value="dummy" />
             <parm name="AAUTHDATA" value="MTIzNDU=" />
          </characteristic>
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="APPSRV" />
             <parm name="AAUTHTYPE" value="BASIC" />
             <parm name="AAUTHNAME" value="dummy" />
             <parm name="AAUTHSECRET" value="dummy" />
             <parm name="AAUTHDATA" value="MTIzNDU=" />
          </characteristic>
       </characteristic>
       <characteristic type="DMClient">
          <characteristic type="Provider">
             <characteristic type="MDMServer">
                <characteristic type="Poll">
                   <parm datatype="integer" name="NumberOfFirstRetries" value="8" />
                   <parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15" />
                   <parm datatype="integer" name="NumberOfSecondRetries" value="5" />
                   <parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3" />
                   <parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0" />
                   <parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560" />
                   <parm datatype="boolean" name="PollOnLogin" value="true" />
                </characteristic>
                <parm datatype="string" name="EntDeviceName" value="Administrator_Windows" />
             </characteristic>
          </characteristic>
       </characteristic>
    </wap-provisioningdoc>

    The enrollment now succeeds and the client sends me the first SyncML message. Thanks Stephen and Obaid for your insights. Really appreciate the help :)

    Tuesday, March 15, 2016 6:19 AM
  • Hi Dhruvesh,

    What was the issue with XML?

    In our case the enrollment succeeds but the user certificate is never installed.

    Saturday, July 14, 2018 2:20 PM
  • Hi Sriram, 

    Thanks for following up with this thread. One of our Open Specifications team members will respond shortly to review the previous findings and work with you.


    Best regards,
    Tom Jebo
    Sr Escalation Engineer
    Microsoft Open Specifications

    Monday, July 16, 2018 7:28 AM
    Moderator
  • Thanks Tom. Eagerly awaiting the reply. I have raised a new issue with more/complete details.

    Please have a look at https://social.msdn.microsoft.com/Forums/en-US/10980d57-2cc4-4b69-a33e-c654885504f9/mdm-client-certificate-not-getting-installed-error-0x82ac0201?forum=developingmdmsolutions for all the details, but in essence the issue is the same.


    Monday, July 16, 2018 10:00 AM
  • Hi Sriram:

    I'll help you with this issue.

    Can you please send an email to my attention at dochelp <at> Microsoft <dot> com so that I could send you tools to collect traces for me?


    Regards, Obaid Farooqi

    Monday, July 16, 2018 7:02 PM
    Owner
  • Thank you Obaid. I did email you but it bounced.

    To elaborate on the question:

    1. What should be the values of the soap:Header attributes? Currently we are just using the hardcoded values that we see in the documentation. Precisely, what should the values below be? We somehow think it is connected to them. Do we get these values from the Windows device prior to this request, and should we be sending them back?

    <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep/RequestSecurityTokenResponse</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:697a173c-6237-45eb-9190-156bf8334df0</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
    <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</RelatesTo>
    <Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0">
            <c:Created xmlns:c="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-03-10T18:29:57.707Z</c:Created>
            <e:Expires xmlns:e="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-03-10T18:34:57.778Z</e:Expires>
        </Timestamp>
    </Security>

    2. Also, once the device is enrolled, in the sync command that is sent from the device, what is the way to authenticate the device (apart from the mdm_config URL that we give)? Is the certificate sent in every request, or do we get a device id or some other solid way to prevent spoofing?

    Thank you.

    Monday, July 16, 2018 7:10 PM
  • Hi Sriram:

    The reason you are getting error 0x82ac0201 is that the client cannot determine the encoding of the data. That's just from looking at the code.

    I am sure you figured it out, but just in case: in the email address that I gave in my previous reply, I deliberately replaced @ with <at> and . with <dot>.

    I am looking into it and will be in touch as soon as I have an answer.


    Regards, Obaid Farooqi

    Tuesday, July 17, 2018 5:37 PM
    Owner
  • Hi Obaid,

    I did replace the <at> and <dot> but mistook the email id, sorry, my bad.

    Coming to the issue at hand, as mentioned we do see that the Root certificate does get installed; it is the client cert that does not.

    Upon some hit and trial we realized it was the SOAP headers related to MessageId and Security. They were supposed to be sent exactly the same as received from the client. Now we are a little unsure if that is the issue.

    Also what is the standard way to authenticate a DM Client sync request? Is the client cert sent back in some format?

    Tuesday, July 17, 2018 6:11 PM
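Putting Dhruvesh's working response and the later exchange about the SOAP headers together, here is an added example of the server side of the certificate enrollment step. It is written for this thread and is not code from the posts above, from HP or from Microsoft. It pulls the client's MessageID out of the RST and echoes it in RelatesTo, stamps a fresh Security/Timestamp, base64-encodes the WAP provisioning document into the BinarySecurityToken in the shape shown above, and then checks that the SSLCLIENTCERTSEARCHCRITERIA in that document names the CN and the store of the client certificate the document actually installs. The sample RST, the trimmed WAP document and its thumbprint and certificate values are constructed placeholders, not real enrollment data; the function and variable names are this example's own.

```python
"""Added example: build the MS-WSTEP RSTR that returns a WAP provisioning document to a
Windows 10 MDM client, and check its client-certificate search criteria. Not the thread's
or Microsoft's code; the sample messages, thumbprint and certificate values are constructed."""
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ep": "http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy",
}
RSTR_ACTION = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep/RequestSecurityTokenResponse"
TOKEN_TYPE = "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken"
VALUE_TYPE = "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"

# Constructed, trimmed RST as the client posts it; only its MessageID is used here.
SAMPLE_RST = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header><a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID></s:Header>
</s:Envelope>"""

# Constructed, trimmed WAP provisioning doc; thumbprint and certificate are placeholders.
SAMPLE_WAP = """<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore"><characteristic type="My"><characteristic type="User">
    <characteristic type="CLIENT_THUMBPRINT_PLACEHOLDER">
      <parm name="EncodedCertificate" value="PLACEHOLDER_BASE64_DER" />
    </characteristic>
  </characteristic></characteristic></characteristic>
  <characteristic type="APPLICATION">
    <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3DHP.OMADM.Client&amp;Stores=My%5CUser" />
  </characteristic>
</wap-provisioningdoc>"""


def _ts(dt):
    # WS-Security utility timestamp, millisecond precision, UTC
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def request_message_id(rst_xml):
    # The client's MessageID; the RSTR must echo it verbatim in RelatesTo
    node = ET.fromstring(rst_xml).find("s:Header/a:MessageID", NS)
    if node is None or not node.text:
        raise ValueError("RST has no wsa:MessageID")
    return node.text.strip()


def build_rstr(relates_to, wap_xml, now=None):
    # RelatesTo echoes the request, the Timestamp is fresh (5 minute validity, as in the
    # post above), and the provisioning doc travels base64-encoded in the BinarySecurityToken
    now = now or datetime.now(timezone.utc)
    token = base64.b64encode(wap_xml.encode("utf-8")).decode("ascii")
    return f"""<soap:Envelope xmlns:soap="{NS['s']}">
  <soap:Header>
    <Action xmlns="{NS['a']}">{RSTR_ACTION}</Action>
    <MessageID xmlns="{NS['a']}">urn:uuid:{uuid.uuid4()}</MessageID>
    <To xmlns="{NS['a']}">{NS['a']}/anonymous</To>
    <RelatesTo xmlns="{NS['a']}">{escape(relates_to)}</RelatesTo>
    <Security xmlns="{NS['wsse']}"><Timestamp xmlns="{NS['wsu']}" xmlns:u="{NS['wsu']}" u:Id="_0">
      <Created>{_ts(now)}</Created><Expires>{_ts(now + timedelta(minutes=5))}</Expires>
    </Timestamp></Security>
  </soap:Header>
  <soap:Body>
    <ns2:RequestSecurityTokenResponseCollection xmlns:ns2="{NS['wst']}" xmlns:ns3="{NS['wsse']}" xmlns:ns5="{NS['ep']}">
      <ns2:RequestSecurityTokenResponse>
        <ns2:TokenType>{TOKEN_TYPE}</ns2:TokenType>
        <ns2:RequestedSecurityToken><ns3:BinarySecurityToken EncodingType="{NS['wsse']}#base64binary" ValueType="{VALUE_TYPE}">{token}</ns3:BinarySecurityToken></ns2:RequestedSecurityToken>
        <ns5:RequestID>0</ns5:RequestID>
      </ns2:RequestSecurityTokenResponse>
    </ns2:RequestSecurityTokenResponseCollection>
  </soap:Body>
</soap:Envelope>"""


def provisioning_doc_from_rstr(rstr_xml):
    # Decode the token back into the WAP document, i.e. what the device actually parses
    path = "s:Body/wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse/wst:RequestedSecurityToken/wsse:BinarySecurityToken"
    bst = ET.fromstring(rstr_xml).find(path, NS)
    if bst is None or not bst.text:
        raise ValueError("RSTR has no BinarySecurityToken")
    return base64.b64decode(bst.text).decode("utf-8")


def check_client_cert_criteria(wap_xml, issued_cn):
    # The device picks its TLS client cert by SSLCLIENTCERTSEARCHCRITERIA: Subject must be the CN
    # actually issued and Stores must name a store this doc populates, or the device enrolls but
    # has no usable certificate to authenticate with later
    root = ET.fromstring(wap_xml)
    crit = [p.get("value") for p in root.iterfind("characteristic[@type='APPLICATION']/parm")
            if p.get("name") == "SSLCLIENTCERTSEARCHCRITERIA"]
    if len(crit) != 1:
        return False
    fields = dict(urllib.parse.parse_qsl(crit[0]))  # percent-decodes %3D and %5C
    if fields.get("Subject") != f"CN={issued_cn}":
        return False
    store, _, location = fields.get("Stores", "").partition("\\")
    certs = root.iterfind(f"characteristic[@type='CertificateStore']/characteristic[@type='{store}']"
                          f"/characteristic[@type='{location}']/characteristic/parm[@name='EncodedCertificate']")
    return next(certs, None) is not None
```

`build_rstr(request_message_id(rst), wap_xml)` is the whole response path; the criteria check is the kind of server-side sanity test that catches a CN or store mismatch before the document reaches a device, which is a different failure from a client that rejects or fails to install a well-formed certificate.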