Windows phone 8.1 enrollment failure

  • Question

  • Hi Guys,

    Having issues getting Windows Phone 8.1 enrolled.

    Here are the logs

    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Provider Id is TestMDM 
    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Enrollment succeeded with server (enterpriseenrollment.test.com)

    [MDM Cert Installer Start] Install cert in app container.
    [MDM Cert Installer] Uninstalling enrollment cert for OMADM session
    [MDM Cert Installer End] Success

    [MDM Enroll End] Error HRESULT: 0x80042009 got this error in between.

    Any idea what is going wrong?

    Friday, July 25, 2014 10:22 AM

Answers

  • The error 0x80042009 in this context indicates that the configuration (wap-provisioningdoc) the device received was invalid.

    Given that this is returned during enrollment my first guess would be that the hash of one of the certificates you included did not match the hash value you specified in the parent node but there are a lot of other reasons why you might get this error.

    Make sure that your server code is not putting non-UTF8 characters into the XML.  Also make sure that the certificate blobs contain only valid Binary64 encoded characters.  (There should be no UTF-8 character substitutions within the Binary64 encoded string.)


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    • Marked as answer by winvil Tuesday, July 29, 2014 5:45 PM
    Friday, July 25, 2014 8:25 PM

All replies

  • Moving this to MDM forum.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Friday, July 25, 2014 7:07 PM
  • Thanks Eric for the quick reply.

    After making a few changes in the WAP XML with the correct cert thumbprint I could enroll WP8.1.

    Your answer and a few points from your blog "Common issues in WP8 MDM" were really helpful.

    Tuesday, July 29, 2014 5:49 PM
  • I'm getting the same error code returned.  Here is my doc content, any idea?  (base 64 cert data removed in post FYI)


    <wap-provisioningdoc version="1.1">
    	<characteristic type="CertificateStore">
    		<characteristic type="Root">
    			<characteristic type="System">
    				<characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
    					<parm name="EncodedCertificate" value="MIIB   C/ruNFzh" />
    				</characteristic>
    			</characteristic>
    		</characteristic>
    		<characteristic type="My">
    			<characteristic type="User">
    				<characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
    					<parm name="EncodedCertificate" value="MII    jw==" />
    				</characteristic>
    				<characteristic type="PrivateKeyContainer" />
    			</characteristic>
    			<characteristic type="WSTEP">
    				<characteristic type="Renew">
    					<parm name="ROBOSupport" value="true" datatype="boolean" />
    					<parm name="RenewPeriod" value="60" datatype="integer" />
    					<parm name="RetryInterval" value="4" datatype="integer" />
    				</characteristic>
    			</characteristic>
    		</characteristic>
    	</characteristic>
    	<characteristic type="APPLICATION">
    		<parm name="APPID" value="w7" />
    		<parm name="PROVIDER-ID" value="com.mydomain.mgmt" />
    		<parm name="NAME" value="My Company" />
    		<parm name="ADDR" value="https://mytest.mydomain.com/EnrollmentServer/MDMServer.svc" />
    		<parm name="CONNRETRYFREQ" value="6" />
    		<parm name="INITIALBACKOFFTIME" value="30000" />
    		<parm name="MAXBACKOFFTIME" value="120000" />
    		<parm name="BACKCOMPATRETRYDISABLED" />
    		<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
    		<parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=O%3DMYCompanyLLC%2COU%3DDevices%2CCN%3D100000&amp;Stores=My%5CUser" />
    		<characteristic type="APPAUTH">
    			<parm name="AAUTHLEVEL" value="CLIENT" />
    			<parm name="AAUTHTYPE" value="DIGEST" />
    			<parm name="AAUTHSECRET" value="password1" />
    			<parm name="AAUTHDATA" value="MTQxMDU0Nzc2NTY0MQ==" />
    		</characteristic>
    		<characteristic type="APPAUTH">
    			<parm name="AAUTHLEVEL" value="APPSRV" />
    			<parm name="AAUTHTYPE" value="BASIC" />
    			<parm name="AAUTHNAME" value="testclient" />
    			<parm name="AAUTHSECRET" value="password" />
    		</characteristic>
    	</characteristic>
    	<characteristic type="DMClient">
    		<characteristic type="Provider">
    			<characteristic type="TestMDMServer">
    				<characteristic type="Poll">
    					<parm name="NumberOfFirstRetries" value="8" datatype="integer" />
    					<parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
    					<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
    					<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
    					<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
    					<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
    				</characteristic>
    				<parm name="EntDeviceName" value="Administrator_WindowsPhone" datatype="string" />
    			</characteristic>
    		</characteristic>
    	</characteristic>
    </wap-provisioningdoc>

    Friday, September 12, 2014 7:06 PM
  • As Eric said, please check the fingerprints of the certificates, in your case root and user. Mine was failing because the certhash (SHA-1 fingerprint) values were mismatching. You can easily verify these values using the openssl command. Just remove "-" from the fingerprint you get from this command. I also used DER formatted Root and User certificates. Please give it a try with DER format as well.

    One more point: it looks like the provider ID is mismatching in the given WAP profile

    TestMDMServer in DM client tag 

    com.mydomain.mgmt in Application tag

    I think both these values should match. Please refer to the DM client CSP in the protocol document for more details.

    Let me know your results.


    • Edited by winvil Monday, September 15, 2014 9:35 AM
    Monday, September 15, 2014 9:33 AM
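
The checks suggested in the answer and the last reply (well-formed XML, clean Base64 certificate blobs, the thumbprint node name matching the SHA-1 of the blob, and matching provider IDs) can be run on the server side before the document is sent. The following is an added example, not code from the thread or from Microsoft; `check_provisioning_doc`, `sample_doc`, the placeholder blob and `com.example.mgmt` are assumptions made for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

def check_provisioning_doc(xml_text):
    """Return a list of problems found in a wap-provisioningdoc string."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"XML is not well-formed: {exc}"]
    problems = []
    # Each EncodedCertificate must be strict Base64 (this example also rejects
    # whitespace), and SHA-1 over the decoded DER bytes must equal the parent
    # characteristic's type attribute, i.e. the certificate thumbprint.
    for node in root.iter("characteristic"):
        declared = node.get("type", "")
        for parm in node.findall("parm[@name='EncodedCertificate']"):
            try:
                der = base64.b64decode(parm.get("value", ""), validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                problems.append(f"{declared}: blob is not valid Base64")
                continue
            actual = hashlib.sha1(der).hexdigest().upper()
            if actual != declared.upper():
                problems.append(f"{declared}: SHA-1 of blob is {actual}")
    # Per the last reply, PROVIDER-ID (APPLICATION) should equal the provider
    # node name under DMClient/Provider.
    app = {p.get("value") for p in root.findall(
        "characteristic[@type='APPLICATION']/parm[@name='PROVIDER-ID']")}
    dm = {c.get("type") for c in root.findall(
        "characteristic[@type='DMClient']/characteristic[@type='Provider']/characteristic")}
    if app and dm and app != dm:
        problems.append(f"provider id mismatch: {sorted(app)} vs {sorted(dm)}")
    return problems

# Constructed sample: the blob is placeholder bytes, not a real certificate.
BLOB = base64.b64encode(b"constructed placeholder, not a certificate").decode()
THUMB = hashlib.sha1(base64.b64decode(BLOB)).hexdigest().upper()

def sample_doc(thumb, blob, dm_provider, app_provider="com.example.mgmt"):
    return f"""<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore"><characteristic type="Root">
    <characteristic type="System"><characteristic type="{thumb}">
      <parm name="EncodedCertificate" value="{blob}" />
    </characteristic></characteristic></characteristic></characteristic>
  <characteristic type="APPLICATION">
    <parm name="PROVIDER-ID" value="{app_provider}" /></characteristic>
  <characteristic type="DMClient"><characteristic type="Provider">
    <characteristic type="{dm_provider}" />
  </characteristic></characteristic>
</wap-provisioningdoc>"""
```

An empty list means none of these three problems was found; it does not rule out the other causes of 0x80042009 that the answer mentions.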