Error: Failed to authenticate with the server

  • Question

  • I'm attempting to create a DM Server to manage Windows Phone 8.1. So far my teammates and I have been able to enroll the device, but not execute any MDM commands like "./Vendor/MSFT/PolicyManager/My/RequireDeviceEncryption".

    Here's the scenario: The device successfully enrolls according to the Workplace app. When the sync button is pressed, it successfully sends a message to the MDM server (phone_check_in); when the server responds with just status messages acknowledging the commands, enrollment reports as a success (successful_server_response).

    However, if another command is sent along with the <Status> commands, such as <Get> (send_command_workflow_1_of_3), the client responds with a <Chal> in the <SyncBody> with a nextNonce value (send_command_workflow_2_of_3). When responding with the digest composed of the ProviderID:Password+nextNonce all properly Base64 Encoded and MD5 digested (send_command_workflow_3_of_3), the server simply doesn't respond back and the error message on the phone states "Failed to authenticate the server".

    If you need any more information that is not provided below, please let me know; I will happily provide it.

    Here, in all of its detail, are the SOAP and SyncML Messages that are exchanged between the server 

    <!-- Enrollment Configuration -->
    <wap-provisioningdoc version="1.1">
    	<characteristic type="CertificateStore">
    		<characteristic type="Root">
    			<characteristic type="System">
    				<characteristic type="8EA43A9CE54AD059BBF5C54AF990C0ADD637">
    					<parm name="EncodedCertificate"
    						value="redacted" />
    				</characteristic>
    			</characteristic>
    		</characteristic>
    		<characteristic type="CA">
    			<characteristic type="System">
    				<characteristic type="8E4FBAA9CE54AD059BBF5C54AF990C0ADD637">
    					<parm name="EncodedCertificate"
    						value="redacted" />
    				</characteristic>
    			</characteristic>
    		</characteristic>
    		<characteristic type="My">
    			<characteristic type="User">
    				<characteristic type="193D3F1CF51F32E5D9CC1D4A666E9F9D52F1F">
    					<parm name="EncodedCertificate"
    						value="redacted" />
    				</characteristic>
    				<characteristic type="PrivateKeyContainer" />
    			</characteristic>
    			<characteristic type="WSTEP">
    				<characteristic type="Renew">
    					<parm name="ROBOSupport" value="false" datatype="boolean" />
    					<parm name="RenewPeriod" value="60" datatype="integer" />
    					<parm name="RetryInterval" value="4" datatype="integer" />
    				</characteristic>
    			</characteristic>
    		</characteristic>
    	</characteristic>
    	<characteristic type="APPLICATION">
    		<parm name="APPID" value="w7" />
    		<parm name="PROVIDER-ID" value="TestMDMServer" />
    		<parm name="NAME" value="company" />
    		<parm name="ADDR"
    			value="https://test-server.company.com:8443/omadm/WindowsPhone.ashx" />
    		<parm name="CONNRETRYFREQ" value="6" />
    		<parm name="INITIALBACKOFFTIME" value="30000" />
    		<parm name="MAXBACKOFFTIME" value="120000" />
    		<parm name="BACKCOMPATRETRYDISABLED" />
    		<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
    		<parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3Dheadfones%40company.com&amp;Stores=My%5CUser" />
    		<parm name="USENONCERESYNC" />
    		<characteristic type="APPAUTH">
    			<parm name="AAUTHLEVEL" value="CLIENT" />
    			<parm name="AAUTHTYPE" value="DIGEST" />
    			<parm name="AAUTHSECRET" value="password2" />
    			<parm name="AAUTHDATA" value="bm9uY2V2YWx1ZQ=" />
    		</characteristic>
    		<characteristic type="APPAUTH">
    			<parm name="AAUTHLEVEL" value="APPSRV" />
    			<parm name="AAUTHTYPE" value="BASIC" />
    			<parm name="AAUTHNAME" value="headfones@company.com" />
    			<parm name="AAUTHSECRET" value="password1" />
    		</characteristic>
    	</characteristic>
    	<characteristic type="DMClient">
    		<characteristic type="Provider">
    			<characteristic type="TestMDMServer">
    				<characteristic type="Poll">
    					<parm name="NumberOfFirstRetries" value="8" datatype="integer" />
    					<parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
    					<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
    					<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
    					<parm name="NumberOfRemainingScheduledRetries" value="0"
    						datatype="integer" />
    					<parm name="IntervalForRemainingScheduledRetries" value="1560"
    						datatype="integer" />
    				</characteristic>
    				<parm name="EntDeviceName" value="WP8Device" datatype="string" />
    			</characteristic>
    		</characteristic>
    	</characteristic>
    </wap-provisioningdoc>

    <!-- Security Token that includes Enrollment Configuration above -->
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    	xmlns:a="http://www.w3.org/2005/08/addressing"
    	xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    	<s:Header>
    		<a:Action s:mustUnderstand="1">
    			http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep
    		</a:Action>
    		<a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab
    		</a:RelatesTo>
    		<o:Security s:mustUnderstand="1"
    			xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    			<u:Timestamp u:Id="_0">
    				<u:Created>2014-09-02T00:32:59.420Z</u:Created>
    				<u:Expires>2014-09-20T00:37:59.420Z</u:Expires>
    			</u:Timestamp>
    		</o:Security>
    	</s:Header>
    	<s:Body>
    		<RequestSecurityTokenResponseCollection
    			xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    			<RequestSecurityTokenResponse>
    				<TokenType>
    					http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
    				</TokenType>
    				<RequestedSecurityToken>
    					<BinarySecurityToken
    						ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
    						EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
    						xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    						base64EncodedEnrollmentConfigFromAbove
    					</BinarySecurityToken>
    				</RequestedSecurityToken>
    				<RequestID
    					xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0
    				</RequestID>
    			</RequestSecurityTokenResponse>
    		</RequestSecurityTokenResponseCollection>
    	</s:Body>
    </s:Envelope>
    


    Content length: 1051
    Content Type: application/vnd.syncml.dm+xml
    Context request URI: /omadm/WindowsPhone.ashx
    Header:User-Agent: MSFT OMA DM Client/1.2.0.1
    Header:Host: test-server.company.com:8443
    Method: POST
    Received
    Request at: Thu Sep 18 12:50:14 CDT 2014

    <!-- Message sent from device when sync button is pushed in "Workplace" app -->
    <SyncML xmlns="SYNCML:SYNCML1.2">
    	<SyncHdr>
    		<VerDTD>1.2</VerDTD>
    		<VerProto>DM/1.2</VerProto>
    		<SessionID>1</SessionID>
    		<MsgID>1</MsgID>
    		<Target>
    			<LocURI>https://test-server.company.com:8443/omadm/WindowsPhone.ashx</LocURI>
    		</Target>
    		<Source>
    			<LocURI>urn:uuid:0A8B3B69-1D33-556E-868E-0559880B13D5</LocURI>
    		</Source>
    		<Cred>
    			<Meta>
    				<Format xmlns="syncml:metinf">b64</Format>
    				<Type xmlns="syncml:metinf">syncml:auth-basic</Type>
    			</Meta>
    			<Data>aGVhZGZvbmVzQGNvbXBhbnkuY29tOnBhc3N3b3JkMQ==</Data>
    		</Cred>
    	</SyncHdr>
    	<SyncBody>
    		<Alert>
    			<CmdID>2</CmdID>
    			<Data>1201</Data>
    		</Alert>
    		<Replace>
    			<CmdID>3</CmdID>
    			<Item>
    				<Source>
    					<LocURI>./DevInfo/DevId</LocURI>
    				</Source>
    				<Data>urn:uuid:0A8B3B69-1D33-556E-868E-0559880B13D5</Data>
    			</Item>
    			<Item>
    				<Source>
    					<LocURI>./DevInfo/Man</LocURI>
    				</Source>
    				<Data>NOKIA</Data>
    			</Item>
    			<Item>
    				<Source>
    					<LocURI>./DevInfo/Mod</LocURI>
    				</Source>
    				<Data>Lumia 520</Data>
    			</Item>
    			<Item>
    				<Source>
    					<LocURI>./DevInfo/DmV</LocURI>
    				</Source>
    				<Data>1.3</Data>
    			</Item>
    			<Item>
    				<Source>
    					<LocURI>./DevInfo/Lang</LocURI>
    				</Source>
    				<Data>en-US</Data>
    			</Item>
    		</Replace>
    		<Final />
    	</SyncBody>
    </SyncML>


    sending checkIn

    <!-- Server's 1st response to client -->
    <SyncML xmlns="SYNCML:SYNCML1.2">
    	<SyncHdr>
    		<VerDTD>1.2</VerDTD>
    		<VerProto>DM/1.2</VerProto>
    		<SessionID>1</SessionID>
    		<MsgID>1</MsgID>
    		<Source>
    			<LocURI>https://test-server.company.com:8443/omadm/WindowsPhone.ashx</LocURI>
    			<LocName>TestMDMServer</LocName>
    		</Source>
    		<Target>
    			<LocURI>urn:uuid:0A8B3B69-1D33-556E-868E-0559880B13D5</LocURI>
    		</Target>
    	</SyncHdr>
    	<SyncBody>
    		<Status>
    			<MsgRef>1</MsgRef>
    			<CmdRef>0</CmdRef>
    			<CmdID>1</CmdID>
    			<Cmd>SyncHdr</Cmd>
    			<TargetRef>https://test-server.company.com:8443/omadm/WindowsPhone.ashx
    			</TargetRef>
    			<SourceRef>urn:uuid:0A8B3B69-1D33-556E-868E-0559880B13D5</SourceRef>
    			<Data>212</Data>
    		</Status>
    		<Status>
    			<MsgRef>1</MsgRef>
    			<CmdRef>2</CmdRef>
    			<CmdID>2</CmdID>
    			<Cmd>Alert</Cmd>
    			<TargetRef>https://test-server.company.com:8443/omadm/WindowsPhone.ashx
    			</TargetRef>
    			<SourceRef>urn:uuid:0A8B3B69-1D33-556E-868E-0559880B13D5</SourceRef>
    			<Data>200</Data>
    		</Status>
    		<Status>
    			<MsgRef>1</MsgRef>
    			<CmdRef>3</CmdRef>
    			<CmdID>3</CmdID>
    			<Cmd>Replace</Cmd>
    			<TargetRef>https://test-server.company.com:8443/omadm/WindowsPhone.ashx
    			</TargetRef>
    			<SourceRef>urn:uuid:0A8B3B69-1D33-556E-868E-0559880B13D5</SourceRef>
    			<Data>200</Data>
    		</Status>
    		<Get>
    			<CmdID>4</CmdID>
    			<Item>
    				<Target>
    					<LocURI>./Vendor/MSFT/PolicyManager/Device/Security/RequireDevicEncryption
    					</LocURI>
    				</Target>
    			</Item>
    		</Get>
    		<Final />
    	</SyncBody>
    </SyncML>


    Content length: 769
    Content Type: application/vnd.syncml.dm+xml
    Context request URI: /omadm/WindowsPhone.ashx
    Header:User-Agent: MSFT OMA DM Client/1.2.0.1
    Header:Host: test-server.company.com:8443
    Method: POST
    Received
    Request at: Thu Sep 18 12:50:14 CDT 2014

    <!-- Client's response with Chal and NextNonce for server's md5 authentication -->
    <SyncML xmlns="SYNCML:SYNCML1.2">
    	<SyncHdr>
    		<VerDTD>1.2</VerDTD>
    		<VerProto>DM/1.2</VerProto>
    		<SessionID>1</SessionID>
    		<MsgID>2</MsgID>
    		<Target>
    			<LocURI>https://test-server.company.com:8443/omadm/WindowsPhone.ashx</LocURI>
    		</Target>
    		<Source>
    			<LocURI>urn:uuid:0A8B3B69-1D33-556E-868E-0559880B13D5</LocURI>
    		</Source>
    	</SyncHdr>
    	<SyncBody>
    		<Status>
    			<CmdID>1</CmdID>
    			<MsgRef>1</MsgRef>
    			<CmdRef>0</CmdRef>
    			<Cmd>SyncHdr</Cmd>
    			<Chal>
    				<Meta>
    					<Format xmlns="syncml:metinf">b64</Format>
    					<Type xmlns="syncml:metinf">syncml:auth-md5</Type>
    					<NextNonce xmlns="syncml:metinf">13UBuoYDUVAPwU/fVoUDZEnZGCLUUjzXXHTXrMsFRTQ=
    					</NextNonce>
    				</Meta>
    			</Chal>
    			<Data>200</Data>
    		</Status>
    		<Status>
    			<CmdID>2</CmdID>
    			<MsgRef>1</MsgRef>
    			<CmdRef>4</CmdRef>
    			<Cmd>Get</Cmd>
    			<Data>500</Data>
    		</Status>
    		<Final />
    	</SyncBody>
    </SyncML>

    sending creds

    sent: 

    <!-- Server's 2nd response with md5 creds using the NextNonce specified in last client message -->
    <SyncML xmlns="SYNCML:SYNCML1.2">
    	<SyncHdr>
    		<VerDTD>1.2</VerDTD>
    		<VerProto>DM/1.2</VerProto>
    		<SessionID>1</SessionID>
    		<MsgID>2</MsgID>
    		<Source>
    			<LocURI>https://test-server.company.com:8443/omadm/WindowsPhone.ashx</LocURI>
    			<LocName>TestMDMServer</LocName>
    		</Source>
    		<Target>
    			<LocURI>urn:uuid:0A8B3B69-1D33-556E-868E-0559880B13D5</LocURI>
    		</Target>
    		<Cred>
    			<Meta>
    				<Format xmlns="syncml:metinf">b64</Format>
    				<Type xmlns="syncml:metinf">syncml:auth-md5</Type>
    			</Meta>
    			<Data>ZLgal1soJDMFVQ1a0CefVA==</Data>
    		</Cred>
    	</SyncHdr>
    	<SyncBody>
    		<Get>
    			<CmdID>2</CmdID>
    			<Item>
    				<Target>
    					<LocURI>./Vendor/MSFT/PolicyManager/Device/Security/RequireDevicEncryption</LocURI>
    				</Target>
    			</Item>
    		</Get>
    		<Final />
    	</SyncBody>
    </SyncML>


    No further messages are received from client at this point.

    When recording during the sync process which is initiated by the workplace app the phone logs show the following messages:

    -New trigger notification processing

    -Client is now set to user protocol version 1.2

    -OMA-DM session is saving next nonce. Nonce=

    -VerifyServerCreds uses primary nonce. Nonce=

    -VerifyServerCreds uses secondary nonce. Nonce=

    -Failed to authenticate the server

    Other messages include (these always show up in pairs of 2):

    -Attempting to find referenced cert.

    -Referenced cert not found (which is OK)

    -OMA-DM session is using Data Sense hresult (0), Initiation origin (5), data sense plan usage state (4)

    -OMA-DM session is using Data Sense hresult (0), Initiation origin (5), data sense plan usage state (4)

    -Server returned success HTTP status code (200)

    -Package successfully sent

    -Successfully parsed server's SyncHdr

    -Successfully parsed server's SyncBody

    Thursday, September 18, 2014 6:51 PM

Answers

  • The above reported issue has been resolved. To anyone else who is encountering this issue, here is the root cause and the resolution:

    The client was failing to authenticate the server due to the below reasons:

    a.) The AAUTHDATA value that the server was sending back during the initial enrollment was not correctly encoded in Base-64 format so the MDM Client was working with garbage value of the initial nonce
    b.) The <Data> value for the credential hash that the server was sending was not calculated using the same nonce used during enrollment, due to which the initial authentication failed and the client requested the server to authenticate itself again.

    After successful authentication, the "Last successful attempt to connect to the server" was not getting updated because the Phone did not find the <Status> to the SyncHdr element in the HTTP response.

    The issue was resolved by ensuring that the server calculates the credential hash using the same initial nonce used during enrollment and ensured that the server responded with a <Status> response to the SyncHdr element of the request with a 212/200 status to update the Last Successful sync time.


    Windows Store Developer Solutions, follow us on Twitter: @WSDevSol|| Want more solutions? See our blog

    Wednesday, October 22, 2014 7:13 PM
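Added example (Python; not code from the original post, from the poster's server, or from Microsoft): the server-side half of the exchange the question describes and the answer fixes. It decodes the trace's base64 values strictly (the enrollment doc's AAUTHDATA `bm9uY2V2YWx1ZQ=` is rejected as one pad character short, `bm9uY2V2YWx1ZQ==` decodes to `noncevalue`, and the client's auth-basic Cred decodes to `headfones@company.com:password1`, so that APPSRV-level credential is exactly as private as the TLS channel it travels on), computes the syncml:auth-md5 credential the way OMA DM 1.2 defines it, B64(MD5(B64(MD5(name:secret)):nonce)), pulls NextNonce out of the client's <Chal>, and builds the reply the answer asks for: a Cred over the nonce the client just sent plus a <Status> for the client's SyncHdr ahead of the <Get>. The name/secret pairing (PROVIDER-ID `TestMDMServer` with the AAUTHLEVEL=CLIENT secret `password2`), the trimmed client message constant and all function names are assumptions made for this example; the policy URI is the one spelled out in the question's first paragraph.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

NS = "{SYNCML:SYNCML1.2}"     # SyncML DM 1.2 default namespace, as in the trace
METINF = "{syncml:metinf}"    # namespace of Format / Type / NextNonce

# Constructed sample: the client's MsgID 2 from the trace, trimmed to what the
# server needs (SyncHdr identifiers plus the Status/Chal on the server's SyncHdr).
CLIENT_CHAL_MSG = """<SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>
  <SessionID>1</SessionID><MsgID>2</MsgID>
  <Target><LocURI>https://test-server.company.com:8443/omadm/WindowsPhone.ashx</LocURI></Target>
  <Source><LocURI>urn:uuid:0A8B3B69-1D33-556E-868E-0559880B13D5</LocURI></Source>
 </SyncHdr>
 <SyncBody>
  <Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd>
   <Chal><Meta><Format xmlns="syncml:metinf">b64</Format>
    <Type xmlns="syncml:metinf">syncml:auth-md5</Type>
    <NextNonce xmlns="syncml:metinf">13UBuoYDUVAPwU/fVoUDZEnZGCLUUjzXXHTXrMsFRTQ=
    </NextNonce></Meta></Chal><Data>200</Data></Status>
  <Final/>
 </SyncBody>
</SyncML>"""


def decode_strict_b64(value: str) -> bytes:
    """Decode base64 and reject malformed input instead of truncating it.

    Root cause (a) in the answer: AAUTHDATA "bm9uY2V2YWx1ZQ=" is one pad
    character short, so the phone started from a garbage initial nonce.
    """
    if len(value) % 4:
        raise ValueError(f"base64 length {len(value)} is not a multiple of 4")
    return base64.b64decode(value, validate=True)


def oma_dm_md5_cred(name: str, secret: str, nonce: bytes) -> str:
    """syncml:auth-md5 credential: B64( MD5( B64(MD5(name:secret)) ":" nonce ) ).

    Assumed pairing for server->phone auth: name = PROVIDER-ID, secret = the
    AAUTHSECRET of the AAUTHLEVEL=CLIENT entry. nonce is the *decoded* AAUTHDATA
    for the first message and the decoded NextNonce for every later one.
    MD5 is what the protocol mandates, not a choice made here.
    """
    inner = base64.b64encode(hashlib.md5(f"{name}:{secret}".encode()).digest())
    return base64.b64encode(hashlib.md5(inner + b":" + nonce).digest()).decode()


def verify_md5_cred(cred: str, name: str, secret: str, nonce: bytes) -> bool:
    """What the phone's VerifyServerCreds has to do, in constant time."""
    return hmac.compare_digest(cred, oma_dm_md5_cred(name, secret, nonce))


def extract_next_nonce(client_msg: str) -> Optional[bytes]:
    """Decoded NextNonce from the <Chal> the client attaches to its SyncHdr Status."""
    node = ET.fromstring(client_msg).find(f".//{NS}Chal/{NS}Meta/{METINF}NextNonce")
    return decode_strict_b64(node.text.strip()) if node is not None and node.text else None


def extract_cred(msg: str) -> Optional[str]:
    """Cred/Data carried in a SyncHdr, or None when the message sends no credential."""
    node = ET.fromstring(msg).find(f"{NS}SyncHdr/{NS}Cred/{NS}Data")
    return node.text.strip() if node is not None and node.text else None


def build_server_reply(client_msg: str, server_uri: str, server_id: str,
                       secret: str, get_uri: str) -> str:
    """Server message answering the client's challenge.

    Root cause (b) in the answer: the reply must carry a Cred computed over the
    nonce the client just issued *and* a <Status> for the client's SyncHdr; the
    failing reply in the trace sent only Cred + Get.
    """
    hdr = ET.fromstring(client_msg).find(f"{NS}SyncHdr")
    session_id = hdr.findtext(f"{NS}SessionID")
    msg_id = hdr.findtext(f"{NS}MsgID")
    device_uri = hdr.findtext(f"{NS}Source/{NS}LocURI")
    nonce = extract_next_nonce(client_msg)
    if nonce is None:
        raise ValueError("client message carries no Chal/NextNonce")
    cred = oma_dm_md5_cred(server_id, secret, nonce)
    return f"""<SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>
  <SessionID>{session_id}</SessionID><MsgID>{msg_id}</MsgID>
  <Source><LocURI>{server_uri}</LocURI><LocName>{server_id}</LocName></Source>
  <Target><LocURI>{device_uri}</LocURI></Target>
  <Cred><Meta><Format xmlns="syncml:metinf">b64</Format>
   <Type xmlns="syncml:metinf">syncml:auth-md5</Type></Meta><Data>{cred}</Data></Cred>
 </SyncHdr>
 <SyncBody>
  <Status><CmdID>1</CmdID><MsgRef>{msg_id}</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd>
   <TargetRef>{server_uri}</TargetRef><SourceRef>{device_uri}</SourceRef><Data>200</Data></Status>
  <Get><CmdID>2</CmdID><Item><Target><LocURI>{get_uri}</LocURI></Target></Item></Get>
  <Final/>
 </SyncBody>
</SyncML>"""
```

The phone's log lines "VerifyServerCreds uses primary nonce" and "uses secondary nonce" show it trying more than one nonce before it gives up, so the server should persist, per device and per session, the last nonce it was issued (AAUTHDATA until the first Chal, NextNonce thereafter) rather than recomputing the credential from the enrollment value each time.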

All replies

  • I have also been seeing this issue with the same error messages and have been stuck there for the past week. Has anyone else experienced this or know of a resolution? 
    Thursday, September 18, 2014 7:42 PM