Federated Policy

  • Question

  • Hi,

    I am developing a Windows Phone 8.1 MDM solution. When the policy is "OnPremise", it works fine. However, for the "Federated" policy, the authentication URL is not getting hit from the device. Here are the logs:

    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, GetEndpointsFromResponse() uses authentication mode (Federated)
    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, FederatedAuthenticationURL:https://enterpriseenrollment.Test.in/DeviceEnrollment/WinDeviceEnrollmentServiceAuth.svc
    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Policy service URL (https://enterpriseenrollment.Test.in/DeviceEnrollment/WinDeviceEnrollmentPolicyService.svc) and  enrollment service URL (https://enterpriseenrollment.Test.in/DeviceEnrollment/WinDeviceEnrollmentService.svc) are used https://enterpriseenrollment.Test.in/DeviceEnrollment/WinDeviceEnrollmentPolicyService.svc, https://enterpriseenrollment.Test.in/DeviceEnrollment/WinDeviceEnrollmentService.svc
    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Success
    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll Resume] HRESULT: 0x00000000 
    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, WAB control returned HRESULT:2148270105 WebAuthenticationStatus:1(Expect 0=WebAuthenticationStatus_Success) 
    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Failed to authenticate federated user
    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Error HRESULT: 0x8018000F 

    Please let me know if I am missing something.

    Thanks

    Wednesday, July 23, 2014 9:41 AM

Answers

  • Is your server providing an EnrollmentPolicyServiceUrl in the discovery response?

    This is supposed to be optional but there is a coding error in current Windows Phone 8.1 client versions which causes Federated auth to fail when processing the token response. The response to this failure is to retry enrollment, starting at the Discovery step.


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    • Marked as answer by Eric Fleck Monday, October 20, 2014 4:13 PM
    Thursday, October 16, 2014 2:06 PM

All replies

  • The error returned from WAB control indicates that the server SSL certificate is not trusted. 

    ( 2148270105 -> 0x800c0019 == INET_E_INVALID_CERTIFICATE )

    Make sure your identity server's SSL certificate was issued by one of the Trusted Root Authorities for Windows Phone 8.

    If you are using a self-signed test certificate or an enterprise-issued certificate then you need to manually install the appropriate root certificate on the phone prior to testing.


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    • Marked as answer by sonali patwe Monday, July 28, 2014 9:18 AM
    • Unmarked as answer by sonali patwe Wednesday, July 30, 2014 11:13 AM
    Friday, July 25, 2014 8:03 PM
  • Hi,

    Thanks for your reply. I could resolve the SSL certificate-related issue and could proceed with the management service. However, when I hit this URL, it returns a blank HTML form (without a submit button) in response on the device. This is the HTML code which I am passing.

    <!DOCTYPE html>
    <html>
    <head>
    <title>Working...</title>
    <script>
    function formSubmit() {
        document.forms[0].submit();
    }
    window.onload = formSubmit;
    </script>
    </head>
    <body>
    <!-- appid below in the post action must be the same as the appid in the previous client https request. -->
    <form method="post" action="ms-app://appid">
    <p><input type="hidden" name="wresult" value="token value"/></p>
    <input type="submit"/>
    </form>
    </body>
    </html>

    Please let me know if I missed something.

    Thanks.

    Wednesday, July 30, 2014 11:22 AM
  • Any Updates on this?
    Thursday, August 7, 2014 10:59 AM
  • That looks like the response you are supposed to send after authentication is complete.

    Have you already completed WAB authentication or are you trying to send this without authenticating?

    Did you replace 'ms-app://appid' with the 'appru=' value from the request?


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Thursday, August 7, 2014 3:00 PM
  • Hi,

    I am also facing an issue with the Federated auth policy. For me, when I send the HTML redirect form with the token value and appid from the 'appru' request URL, the device sends the discovery request again and opens the authentication page again.

    Captured device logs:

    Line #, Provider Name, Task Name, Opcode Name, Id, Process, Event Name, Message, Cpu, ThreadId, ReturnCode (Field 1), Field 2, Field 3, Field 4, Count, Time (s)
    18, , , , 72, Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Error HRESULT: 0x80072EE7 , 2, 2696, 0x80072EE7, , , , 1, 11.499064375
    19, , , , 116, Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll Resume] HRESULT: 0x80070002 , 3, 2352, 0x80070002, , , , 1, 59.958141093

    0x80072EE7 translates to a WinINet name resolution error, which looks like it is not able to resolve the URL from the tag <EnrollmentServiceUrl>. But the same URL (with IP address and port number) is getting resolved for the OnPremise auth policy and I am able to enroll successfully.

    Let me know if anyone has any idea on this issue. Thanks in advance.

    Regards,

    Ganesh Shinde

    Thursday, October 16, 2014 7:22 AM
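The two sets of device logs in this thread (the first post's WAB failure, decoded by Eric above as 2148270105 -> 0x800C0019 == INET_E_INVALID_CERTIFICATE, and Ganesh's 0x80072EE7 name-resolution failure) use the same HRESULT layout, once written as unsigned decimal and once as hex. The following is an added example, not code from the thread or from Microsoft: it parses those log lines (copied in as a constructed sample), converts every HRESULT to hex, splits out the failure bit, facility and code, and names the few codes the thread identifies plus the WebAuthenticationStatus value. Facility and symbolic names beyond those are reported as unknown rather than guessed; the function names are my own.

```python
"""Decode the HRESULTs in Windows Phone enrollment ETW log lines."""
import re

# HRESULT layout (winerror.h): bit 31 = failure, bits 16-28 = facility,
# bits 0-15 = code. Only the two facilities used by this thread's codes
# are named; others are reported by number.
FACILITY_NAMES = {7: "FACILITY_WIN32", 12: "FACILITY_INTERNET (urlmon INET_E_*)"}

# Names for the codes identified in the thread, plus Win32 codes whose
# meaning is fixed by winerror.h. Everything else reports as "unknown".
KNOWN_HRESULTS = {
    0x800C0019: "INET_E_INVALID_CERTIFICATE: server TLS certificate not trusted",
    0x80072EE7: "ERROR_INTERNET_NAME_NOT_RESOLVED (12007): WinINet could not resolve the host",
    0x80070002: "ERROR_FILE_NOT_FOUND (2)",
}

# Windows.Security.Authentication.Web.WebAuthenticationStatus values.
WAB_STATUS = {0: "Success", 1: "UserCancel", 2: "ErrorHttp"}

# Constructed sample: the log lines quoted in the two posts above (first post
# = certificate failure, Ganesh's post = name resolution failure).
SAMPLE_LOG = """\
Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Success
Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll Resume] HRESULT: 0x00000000
Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, WAB control returned HRESULT:2148270105 WebAuthenticationStatus:1(Expect 0=WebAuthenticationStatus_Success)
Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Failed to authenticate federated user
Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Error HRESULT: 0x8018000F
18, , , , 72, Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll End] Error HRESULT: 0x80072EE7 , 2, 2696, 0x80072EE7, , , , 1, 11.499064375
19, , , , 116, Unknown, Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, [MDM Enroll Resume] HRESULT: 0x80070002 , 3, 2352, 0x80070002, , , , 1, 59.958141093
"""

HRESULT_RE = re.compile(r"HRESULT:\s*(0x[0-9A-Fa-f]{1,8}|\d+)")
WAB_RE = re.compile(r"WebAuthenticationStatus:(\d+)")


def decode_hresult(text):
    """Decode an HRESULT written either as hex (0x8018000F) or as the
    unsigned decimal the WAB line uses (2148270105)."""
    value = int(text, 16) if text.lower().startswith("0x") else int(text)
    value &= 0xFFFFFFFF
    facility = (value >> 16) & 0x1FFF
    return {
        "hresult": f"0x{value:08X}",
        "failed": bool(value & 0x80000000),
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, f"facility {facility}"),
        "code": value & 0xFFFF,
        "meaning": KNOWN_HRESULTS.get(value, "unknown"),
    }


def scan_log(log_text):
    """Return one record per line carrying a failed HRESULT, in log order.
    Success codes (0x00000000) are skipped; a WebAuthenticationStatus on the
    same line is attached to the record."""
    findings = []
    for line in log_text.splitlines():
        m = HRESULT_RE.search(line)
        if not m:
            continue
        record = decode_hresult(m.group(1))
        if not record["failed"]:
            continue
        wab = WAB_RE.search(line)
        if wab:
            record["wab_status"] = WAB_STATUS.get(int(wab.group(1)), "unknown")
        findings.append(record)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["hresult"], f["facility_name"], f["code"], f["meaning"],
              f.get("wab_status", ""))
```

Run against the sample it reports four failures: the WAB line decodes to 0x800C0019 in FACILITY_INTERNET with status UserCancel, the enrollment error 0x8018000F is in a facility this table does not name, and Ganesh's two codes are both FACILITY_WIN32 (12007 and 2).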
  • Hi Eric,

    I am not providing an EnrollmentPolicyServiceUrl in the discovery response. So do you mean this issue only comes into the picture if EnrollmentPolicyServiceUrl is not provided?

    I will try with EnrollmentPolicyServiceUrl as well and will see if it works that way.

    Regards,

    Ganesh Shinde

    Friday, October 17, 2014 10:45 AM
  • Hi Eric,

    It works when we provide EnrollmentPolicyServiceUrl in discovery response. Thanks.

    Regards,

    Ganesh Shinde

    Monday, October 20, 2014 9:09 AM
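Pulling the thread's two server-side fixes together (Eric's answer that the discovery response must carry EnrollmentPolicyServiceUrl for Federated auth to survive token processing, confirmed by Ganesh just above, and his earlier reply that the token-post form's action must be the 'appru=' value from the request), here is an added example in Python of those two responses. It is not code from the thread, from Microsoft, or from either poster's server. The XML namespace, the element name AuthenticationServiceUrl and the query parameter names appru and login_hint are as I recall them from MS-MDE and should be checked against the spec; the host names are the thread's placeholders, the SID-style appru and the token are constructed, and the function names are my own. The security point it adds is that appru arrives in the query string, so the page must only ever post the token back to an ms-app: target.

```python
"""Server side of the Windows Phone 8.1 federated enrollment exchange."""
import xml.etree.ElementTree as ET
from html import escape
from urllib.parse import parse_qs, urlsplit

# Assumption: namespace and element names per MS-MDE as recalled; verify.
ENROLL_NS = "http://schemas.microsoft.com/windows/management/2012/01/enrollment"
BASE = "https://enterpriseenrollment.Test.in/DeviceEnrollment"  # thread's host


def build_discover_result(auth_policy):
    """Return the DiscoverResult XML the discovery endpoint sends back.

    EnrollmentPolicyServiceUrl is emitted for every policy: per the accepted
    answer, the WP 8.1 client fails federated token processing (and restarts
    at discovery) when the element is absent, although it is documented as
    optional.
    """
    if auth_policy not in ("OnPremise", "Federated"):
        raise ValueError(f"unsupported AuthPolicy: {auth_policy}")
    result = ET.Element(f"{{{ENROLL_NS}}}DiscoverResult")
    fields = [
        ("AuthPolicy", auth_policy),
        ("EnrollmentPolicyServiceUrl", f"{BASE}/WinDeviceEnrollmentPolicyService.svc"),
        ("EnrollmentServiceUrl", f"{BASE}/WinDeviceEnrollmentService.svc"),
    ]
    if auth_policy == "Federated":
        # Only the federated policy sends the phone to a browser-based login.
        fields.append(("AuthenticationServiceUrl",
                       f"{BASE}/WinDeviceEnrollmentServiceAuth.svc"))
    for name, value in fields:
        ET.SubElement(result, f"{{{ENROLL_NS}}}{name}").text = value
    return ET.tostring(result, encoding="unicode", default_namespace=ENROLL_NS)


def discover_result_fields(xml_text):
    """Parse a DiscoverResult back into {element name: text} (for checks)."""
    root = ET.fromstring(xml_text)
    return {child.tag.rsplit("}", 1)[-1]: child.text for child in root}


def parse_auth_request(url):
    """Pull appru (the ms-app: return address) and login_hint out of the
    request the phone's WAB control makes to AuthenticationServiceUrl."""
    query = parse_qs(urlsplit(url).query)
    if "appru" not in query:
        raise ValueError("authentication request is missing appru")
    return query["appru"][0], query.get("login_hint", [None])[0]


def build_token_post_page(appru, wresult):
    """Return the page that posts the token back to the enrollment client.

    appru arrives in the query string, so it is attacker-controllable. Only
    the ms-app: scheme the phone uses is accepted; anything else would turn
    this page into an open redirect that delivers the enrollment token to
    whatever site was named. Both values are HTML-escaped into the form.
    """
    parts = urlsplit(appru)
    if parts.scheme != "ms-app" or not parts.netloc:
        raise ValueError(f"refusing to post the token to {appru!r}")
    return (
        "<!DOCTYPE html><html><head><title>Working...</title>"
        "<script>window.onload=function(){document.forms[0].submit();};</script>"
        "</head><body>"
        f'<form method="post" action="{escape(appru, quote=True)}">'
        f'<input type="hidden" name="wresult" value="{escape(wresult, quote=True)}"/>'
        '<input type="submit" value="Continue"/>'
        "</form></body></html>"
    )


if __name__ == "__main__":
    print(build_discover_result("Federated"))
    # Constructed request: a SID-style appru and a login hint, URL-encoded.
    appru, hint = parse_auth_request(
        f"{BASE}/WinDeviceEnrollmentServiceAuth.svc"
        "?appru=ms-app%3A%2F%2Fs-1-15-2-example&login_hint=user%40test.in")
    print(build_token_post_page(appru, "constructed-token-value"))
```

The token page is only ever produced after the user has actually authenticated at AuthenticationServiceUrl; serving it unconditionally, as the form in the earlier post could if it is the endpoint's only response, hands out wresult to anyone who loads the URL.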
  • Hi,

    I'm facing difficulties in the certificate service step for Federated enrollment.

    https://social.msdn.microsoft.com/Forums/en-US/os_windowsprotocols/thread/cecd9d35-d8d0-48d9-a058-29fbe78bef7d/#cecd9d35-d8d0-48d9-a058-29fbe78bef7d

    Any help would be appreciated :)

    Tuesday, March 8, 2016 11:03 AM