Windows 8.1 Enrolment - WSTEP stage

  • Question

  • Hi,

    I got stuck at the final step of the Windows device enrolment process (WSTEP).

    I have developed all the other discovery service / enrolment certificate policy endpoints and the flow goes as expected up to the final step. In the final step, the service sends the SOAP message with the wap-provisioning XML encoded within it, but the device doesn't show a successful enrolment. It prompts that the phone wasn't able to set up this account....

    Now I'm in a really bad situation and I have tried everything I can to figure this out. I've spent more than 3 weeks on this alone and right now I'm exhausted.

    It would be a real help if someone can assist me here. I will put the wap-provisioning file here.

    <?xml version="1.0" encoding="UTF-8"?>
    <wap-provisioningdoc version="1.1">
       <characteristic type="CertificateStore">
          <characteristic type="Root">
             <characteristic type="System">
                <characteristic type="321BAC26951AE3438626C9A9E3691B6AE4260570">
                   <parm name="EncodedCertificate" value="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" />
                </characteristic>
             </characteristic>
          </characteristic>
          <characteristic type="My">
             <characteristic type="User">
                <characteristic type="43D785B612991B2428D8A17555EAF5ECD9584505">
                   <parm name="EncodedCertificate" value="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" />
                </characteristic>
                <characteristic type="PrivateKeyContainer">
                   <parm name="KeySpec" value="2" />
                   <parm name="ContainerName" value="ConfigMgrEnrollment" />
                   <parm name="ProviderType" value="1" />
                </characteristic>
                <characteristic type="WSTEP">
                   <characteristic type="Renew">
                      <parm datatype="boolean" name="ROBOSupport" value="true" />
                      <parm datatype="integer" name="RenewPeriod" value="60" />
                      <parm datatype="integer" name="RetryInterval" value="4" />
                   </characteristic>
                </characteristic>
             </characteristic>
          </characteristic>
       </characteristic>
       <characteristic type="APPLICATION">
          <parm name="APPID" value="w7" />
          <parm name="PROVIDER-ID" value="MobiCDMServer" />
          <parm name="NAME" value="wso2" />
          <parm name="ADDR" value="https://EnterpriseEnrollment.wso2.com/" />
          <parm name="CONNRETRYFREQ" value="6" />
          <parm name="INITIALBACKOFFTIME" value="30000" />
          <parm name="MAXBACKOFFTIME" value="120000" />
          <parm name="BACKCOMPATRETRYDISABLED" />
          <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
          <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1&amp;Stores=My%5CUser" />
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="CLIENT" />
             <parm name="AAUTHTYPE" value="DIGEST" />
             <parm name="AAUTHSECRET" value="dummy" />
             <parm name="AAUTHDATA" value="ZHVtbXl1c2Vybm9uY2U=" />
          </characteristic>
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="APPSRV" />
             <parm name="AAUTHTYPE" value="DIGEST" />
             <parm name="AAUTHNAME" value="dummy" />
             <parm name="AAUTHSECRET" value="dummy" />
             <parm name="AAUTHDATA" value="ZHVtbXl1c2Vybm9uY2U=" />
          </characteristic>
       </characteristic>
       <characteristic type="DMClient">
          <!-- Starting with Windows Phone 8.1, an enrollment server should use DMClient CSP XML to configure DM polling schedules. The polling schedule registry keys will be deprecated after Windows Phone 8.1.-->
          <characteristic type="Provider">
             <!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
             <characteristic type="MobiCDMServer">
                <characteristic type="Poll">
                   <parm datatype="integer" name="NumberOfFirstRetries" value="8" />
                   <parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15" />
                   <parm datatype="integer" name="NumberOfSecondRetries" value="5" />
                   <parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3" />
                   <parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0" />
                   <!-- In Windows Phone 8.1, MDM push is supported for real-time communication. The DM client long term polling schedule’s retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
                   <parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560" />
                </characteristic>
                <parm datatype="string" name="EntDeviceName" value="AdministratorWindowsPhone" />
             </characteristic>
          </characteristic>
       </characteristic>
    </wap-provisioningdoc>

    I used Windows Power Tools for debugging and sorted out some issues I encountered previously. Now it shows an error, 0x80090016 - NCryptOpenKey. Just above that, a couple of (what I guess are) error codes, 0x8018000E and 0x8000FFFF, are shown.

    I still couldn't get out of this. Assuming this has something to do with certificates, I tried verifying my certificates with certutil as well, and they verified.

    Can someone help me with this? I'm really, really stuck here.

    BR

    Monday, January 26, 2015 12:05 PM

Answers

  • Hi Eric,

    Finally I was able to get the enrolment done successfully!!!!

    The issue was with SSLCLIENTCERTSEARCHCRITERIA - the value in the wap-provisioning file was wrong.

    Thank you for your comments and suggestions!!!

    As a side note, I think debugging options such as Windows Power Tools should provide specific error codes/messages, so that developers will be able to identify them and fix issues quickly. And it would have been much easier if the Windows MDM documentation had descriptive information as well.

    BR

    Monday, February 9, 2015 6:08 AM

All replies

  • One problem I see is that the common name (CN) for your client certificate is UTF8 encoded instead of PRINTABLE STRING:

    00cb:    |  30 2f                               ; SEQUENCE (2f Bytes)
    00cd:    |  |  31 2d                            ; SET (2d Bytes)
    00cf:    |  |     30 2b                         ; SEQUENCE (2b Bytes)
    00d1:    |  |        06 03                      ; OBJECT_ID (3 Bytes)
    00d3:    |  |        |  55 04 03
             |  |        |     ; 2.5.4.3 Common Name (CN)
    00d6:    |  |        0c 24                      ; UTF8_STRING (24 Bytes)
    00d8:    |  |           42 31 43 34 33 43 44 30  2d 31 36 32 34 2d 35 46  ; B1C43CD0-1624-5F
    00e8:    |  |           42 42 2d 38 45 35 34 2d  33 34 43 46 31 37 44 46  ; BB-8E54-34CF17DF
    00f8:    |  |           44 33 41 31                                       ; D3A1
             |  |              ; "B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1"

    For more information see my blog post: http://blogs.msdn.com/b/wsdevsol/archive/2013/10/03/troubleshooting-your-windows-phone-8-enterprise-mobile-device-management-implementation.aspx


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Monday, January 26, 2015 10:24 PM
    Moderator
  • Hi Eric,

    Thank you for your reply !

    I'm using Java BouncyCastle for this implementation and it uses UTF8 for CN encoding by default. I understand that I need to change this to PRINTABLE_STRING somehow. In one of your previous answers to such a question, you mentioned that PRINTABLE_STRING wouldn't affect the enrolment process, but would cause problems after enrolment.

    So can I assume that my wap-provisioning.xml has some other issue which causes an error for the enrolment process?

    Could you kindly have another look and tell me if you can find any other problem there?
    (Actually my first milestone is finishing a successful enrolment, and afterwards I can fully focus on the CN issue. That is the reason I would prefer to avoid it for now.)

    Once again, your advice on this will be really helpful for me to sort out this issue.

    BR

    Tuesday, January 27, 2015 9:50 AM
  • One other thing I see is that your "WSTEP" characteristic is in the User node (.../My/User/WSTEP... ) but it should be up one level in the My node (.../My/WSTEP...)

    You should also verify that the public key in the client certificate response matches the public key from the corresponding certificate request. 

    Also make sure your RequestSecurityTokenResponse payload is formatted correctly. I usually use the following code to sanity check the RSTR payload:

            // Requires: using System; using System.Xml;
            // Pulls the base64 BinarySecurityToken (the wap-provisioningdoc) out of an RSTR payload
            // using the WS-Trust and WS-Security namespaces the device expects. A null node means
            // the element hierarchy or one of the namespaces is wrong.
            private string ProcessRSTRPayload(String szXMLPayload)
            {
                string szRet = "could not find node";
                NameTable nt = new NameTable();
                XmlNamespaceManager nsm = new XmlNamespaceManager(nt);
    
                nsm.AddNamespace("u", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
                nsm.AddNamespace("wst", "http://docs.oasis-open.org/ws-sx/ws-trust/200512");
                nsm.AddNamespace("wsse", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
    
                // For XML from an untrusted source, set xd.XmlResolver = null before LoadXml
                // so that DTDs and external entities are not resolved.
                XmlDocument xd = new XmlDocument(nsm.NameTable);
                xd.LoadXml(szXMLPayload);
    
                XmlNode node = xd.SelectSingleNode(@"//wst:RequestSecurityTokenResponseCollection//wst:RequestSecurityTokenResponse//wst:RequestedSecurityToken//wsse:BinarySecurityToken", nsm);
    
                if (null != node)
                {
                    szRet = node.InnerText;   // base64 of the provisioning document
                }
    
                return szRet;
            }


    Eric Fleck, Windows Store and Windows Phone Developer Support.

    Tuesday, January 27, 2015 3:32 PM
    Moderator
  • Hi Eric,

    1. I rearranged the wap-provisioning XML as you suggested (../My/WSTEP) and checked, but no luck.

    2. The public keys of the signed certificate and the CSR also match.

    PUBLIC KEY OF SIGNED CERT: RSA Public Key - modulus: d2103e2657d159d410e3f079ae95963f88e0fad31340c249bf7aab216af75f0b9fd6d49f0d513d11435db65c88743df9eedf23348b1a8348628c8ba2129dadcb1444370576f4c16cb61edc148ab533254d06b169960b5b82dab0f4116dac290fd65d6be486b35859bb993de3105138656b410f66920d46a354b88def3dce15a9278ba7ffbc58d04223f1b6dc61d8020634af6342c9591bf7f9af8ec0d013ce62799bd6df5ce074906a1d75fc8e4e5d17bea1d79761811c0a1d1a20ff6e6a9c41aa6c5ed89a3213d6498adc569bfd445010890aadc038699edbd2459cdbdd86679a088ebf268636a32fbd7b3d5d0012468acf64ed3ddbd442dcf76f813f70cb41

        public exponent: 10001

    PUBLIC KEY OF CSR: RSA Public Key - modulus: 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

        public exponent: 10001

    3. Regarding the SOAP message, I used standard annotations to prepare it. The namespaces of the SOAP body are according to the document. Just to make sure of this, I have put my SOAP response below.

    <?xml version="1.0" encoding="UTF-8"?>
    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
       <soap:Header>
          <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep/RequestSecurityTokenResponse</Action>
          <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:a05c0f21-5538-4146-a9e9-00bb696ffbe6</MessageID>
          <To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
          <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</RelatesTo>
          <Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
             <Timestamp xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0">
                <Created>2015-01-28T12:58:14.509Z</Created>
                <Expires>2015-01-28T13:03:14.509Z</Expires>
             </Timestamp>
          </Security>
       </soap:Header>
       <soap:Body>
          <RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns3="http://schemas.xmlsoap.org/ws/2006/12/authorization" xmlns:ns4="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">
             <RequestSecurityTokenResponse>
                <TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType>
                <RequestedSecurityToken>
                   <ns2:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc">PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48d2FwLXByb3Zpc2lvbmluZ2Rv
    YyB2ZXJzaW9uPSIxLjEiPgogICAgPGNoYXJhY3RlcmlzdGljIHR5cGU9IkNlcnRpZmljYXRlU3Rv
    cmUiPgogICAgICAgIDxjaGFyYWN0ZXJpc3RpYyB0eXBlPSJSb290Ij4KICAgICAgICAgICAgPGNo
    YXJhY3RlcmlzdGljIHR5cGU9IlN5c3RlbSI+CiAgICAgICAgICAgICAgICA8Y2hhcmFjdGVyaXN0
    aWMgdHlwZT0iMzIxQkFDMjY5NTFBRTM0Mzg2MjZDOUE5RTM2OTFCNkFFNDI2MDU3MCI+CiAgICAg
    ICAgICAgICAgICAgICAgPHBhcm0gbmFtZT0iRW5jb2RlZENlcnRpZmljYXRlIiB2YWx1ZT0iTUlJ
    RjhUQ0NBOW1nQXdJQkFnSUpBTFJqVW5tRUl5ZmRNQTBHQ1NxR1NJYjNEUUVCQlFVQU1JR0dNUXN3
    Q1FZRFZRUUdFd0pNU3pFUU1BNEdBMVVFQ0F3SFYyVnpkR1Z5YmpFUU1BNEdBMVVFQnd3SFEyOXNi
    MjFpYnpFTk1Bc0dBMVVFQ2d3RVYxTlBNakVQTUEwR0ExVUVDd3dHVFc5aWFXeGxNUlV3RXdZRFZR
    UUREQXhYVTA4eUlGSnZiM1FnUTBFeEhEQWFCZ2txaGtpRzl3MEJDUUVXRFhKdmIzUkFkM052TWk1
    amIyMHdIaGNOTVRVd01URXhNRGcxTnpFNVdoY05NVFl3TVRFeE1EZzFOekU1V2pDQmhqRUxNQWtH
    QTFVRUJoTUNURXN4RURBT0JnTlZCQWdNQjFkbGMzUmxjbTR4RURBT0JnTlZCQWNNQjBOdmJHOXRZ
    bTh4RFRBTEJnTlZCQW9NQkZkVFR6SXhEekFOQmdOVkJBc01CazF2WW1sc1pURVZNQk1HQTFVRUF3
    d01WMU5QTWlCU2IyOTBJRU5CTVJ3d0dnWUpLb1pJaHZjTkFRa0JGZzF5YjI5MFFIZHpiekl1WTI5
    dE1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0NBZ0VBdTV2eDgxQlQxcFZV
    V2VnSlZPeVZrUUFpQlJXWUg1VG1OWHV1TG02Y0R6TDBLVVJ6Uy9FTEdFTE5BSzBtL2hWd3BwcUhs
    QjdCUHpCZzRLbHIycjZJMjZoN0VscHZOaVJhbC9rL0VleFZ1ZVU3UVhxa2dpMHJKaWRvdDlTbHZR
    ekJ6WVl2N2xLVHpnc2dVUXpIS29pTCtOeEtQNGVIcmRQNnM5T0ZrYzFORUNROUZoUVhxSTlITUVC
    MTduVUpXVXBrTkZvUkx0YThEMTFuT3VSRzN0L2MxMitiR0lHWWRkWEZnLzhweG44cTBGVUNXaWJn
    S3RWeTZSd0ZLaU0rdE00bmZaeHVOWEdCNE14eDFMaTdESnViZE9TVlpQSjlDdTdLL25pNU1kbWZw
    NzJIcURFTDFNcXJUSFJEaCtpdzdDOFBxeEFFcnBkNTFnOWpXRjUyNUQvRHFpWU9OdnhpMDBFRGlz
    dzBtZWF3ZVRRczdpRmVxUERPRUxJZk9VbEY3OWhmd1V3ak1ndkQvcHJYU2g3RTFtZC9GZ1k3VWpi
    T1N5UG01ZVhnS1llVU5iYlB2VHBNSDJ1RUpFMU9hSTFOa3pJZkRucndNMmxnNThtSkErMzNxUG9y
    aFFwTmcrYWpteFgySEpvMCtPZ2ZFWERSbUtIOFlvSXVGelZsQVhJeVpMQklCUk1ha0FKS1NMWUh1
    d1RCNmh5Rm1oWm5zWk9sN1RGZWgyOGRqdFc0dzJmWDg3S1cxWHd6STNKOVhoUzhVb2gyeFhkWFYw
    UVVDWFMrKzJ5ajlaWnVkRzZxaUd2L1JNL0IzazJGSy9vNVZSeSt3QmJHdWdFRmh4S0F4TVBFQzMy
    NVhIUGxXTGxDdFNVTGt4TDV4bGFWVFBnOExTRVZDQXZKZmVaV3h6UjZvY3NDQXdFQUFhTmdNRjR3
    SFFZRFZSME9CQllFRkhIWUh2RjlZRlBhc1BEai9uRHY1cTMzRFo1MU1COEdBMVVkSXdRWU1CYUFG
    SEhZSHZGOVlGUGFzUERqL25EdjVxMzNEWjUxTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3Q3dZRFZS
    MFBCQVFEQWdHR01BMEdDU3FHU0liM0RRRUJCUVVBQTRJQ0FRQWFIcFZ3Y1FyWEpwVllqVVdZSjZj
    eXkxVGFxZHcvaW84MUljaWVGQzJ3bnpVR09WTGp2WEoxTVJCbUc1K1RRRzg1dnhhQWVhSjQrZXYr
    bW52Y09qYUZNb2dtMG9kaFBrU0tRVW1LYncxT0xHMkZ1TndIWldGejRPZjRvakZwZE1sSWx4dHMz
    Q1Z3K2JLblZPZDNOZVU3UjNhTzR1N28wLzFjMzk2aDlsUy93S1pZQkZKYU53YkRpYndVcDZtSlNy
    Y09vV3F0NXVkNCtxL2dJTHIycHBraVhHS2ljdkpvMnZwcWxCVk4wVTMvR2F6NG02L0cyRnVWeEpN
    K0MyMkozMWRlOUZ1V3JGM1JTZW9Vb1VlcHFXWE9OTnNIVW1Kbm9jdlpWU3BRaDZHODJrQ1RZVWow
    T1NFem9JUlBIaExjNWpuT0h0WC80VSt2SE93Z0gxQ0xwS0daWUN3SXFoak93R3FqRnZTejB3UWFz
    czlsejFoVXJtR1NKM2U1VENpOTlHMWFQSUxtZUJBTit4dDRBQW5UTFdXWWk4UldYREpxQng5S09I
    MmU1dXRpa2lkOGs1Z0NSZW9SREQyYVY5eGJiUDVWU3oyalpJNnBBZzg1MERPT29LNlUvNGtodnR2
    S1NLNmhzQ2drckw4MFpFWE5YSUJ1N2ZTekE4Z2dqNndRNVBvMmYyOFIzVUN2eCtuQzJZWnl6bzRE
    NHltdlVIM2gxZ0pqdmpCU1dINU5YQjF3amVCeGJmam5BbkFnall5aVkyWkhLMDRtbWRxTEM1VmV4
    RlhWMTd2cTNGVEhKbk5WNWZ5cEhNWUl4OC9lRlEzazZ4YzA1SFNhZTdWdUNuTlFwWFV4L1pjdXFy
    RXRlbDBLYjdtbnJWckY4SEF1OUExaEhZUG5RRi9rTVR5K0ZnPT0iLz4KICAgICAgICAgICAgICAg
    IDwvY2hhcmFjdGVyaXN0aWM+CiAgICAgICAgICAgIDwvY2hhcmFjdGVyaXN0aWM+CiAgICAgICAg
    PC9jaGFyYWN0ZXJpc3RpYz4KICAgICAgICA8Y2hhcmFjdGVyaXN0aWMgdHlwZT0iTXkiPgogICAg
    ICAgICAgICA8Y2hhcmFjdGVyaXN0aWMgdHlwZT0iVXNlciI+CiAgICAgICAgICAgICAgICA8Y2hh
    cmFjdGVyaXN0aWMgdHlwZT0iMDM0QTNGNTVGQjA2RjkxOUJDMDNBQzU0RjBBNUQyNTA3QTUwMThB
    MyI+CiAgICAgICAgICAgICAgICAgICAgPHBhcm0gbmFtZT0iRW5jb2RlZENlcnRpZmljYXRlIiB2
    YWx1ZT0iTUlJRU1qQ0NBaHFnQXdJQkFnSUVORUZwMmpBTkJna3Foa2lHOXcwQkFRVUZBRENCaGpF
    TE1Ba0dBMVVFQmhNQ1RFc3hFREFPQmdOVkJBZ01CMWRsYzNSbGNtNHhFREFPQmdOVkJBY01CME52
    Ykc5dFltOHhEVEFMQmdOVkJBb01CRmRUVHpJeER6QU5CZ05WQkFzTUJrMXZZbWxzWlRFVk1CTUdB
    MVVFQXd3TVYxTlBNaUJTYjI5MElFTkJNUnd3R2dZSktvWklodmNOQVFrQkZnMXliMjkwUUhkemJ6
    SXVZMjl0TUI0WERURTFNREV5TlRBM01qZ3hORm9YRFRFMU1URXlOREEzTWpneE5Gb3dMekV0TUNz
    R0ExVUVBd3drUWpGRE5ETkRSREF0TVRZeU5DMDFSa0pDTFRoRk5UUXRNelJEUmpFM1JFWkVNMEV4
    TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEwaEErSmxmUldkUVE0
    L0I1cnBXV1A0amcrdE1UUU1KSnYzcXJJV3IzWHd1ZjF0U2ZEVkU5RVVOZHRseUlkRDM1N3Q4ak5J
    c2FnMGhpakl1aUVwMnR5eFJFTndWMjlNRnN0aDdjRklxMU15Vk5CckZwbGd0Ymd0cXc5QkZ0ckNr
    UDFsMXI1SWF6V0ZtN21UM2pFRkU0Wld0QkQyYVNEVWFqVkxpTjd6M09GYWtuaTZmL3ZGalFRaVB4
    dHR4aDJBSUdOSzlqUXNsWkcvZjVyNDdBMEJQT1lubWIxdDljNEhTUWFoMTEvSTVPWFJlK29kZVhZ
    WUVjQ2gwYUlQOXVhcHhCcW14ZTJKb3lFOVpKaXR4V20vMUVVQkNKQ3EzQU9HbWUyOUpGbk52ZGht
    ZWFDSTYvSm9ZMm95KzllejFkQUJKR2lzOWs3VDNiMUVMYzkyK0JQM0RMUVFJREFRQUJNQTBHQ1Nx
    R1NJYjNEUUVCQlFVQUE0SUNBUUF3aHVIQ0ZPb2E4R2ZQQkx1Njhudkw0bnVlWVdEeGVucituaW9v
    TktLK0s1aUZqM2t0NU1SNE5QTlB1RGFHSDEzVXhzdFRVVG9oak1pcEo5QUhDamwrUlZ1RzZkZU9B
    Zk9KczdvQTJzUU9iNk9uUkNIaWUvSml4ZXJNNUx0S1ZJTnQ0aS9zYlNIalhIYjVNN3pSa1RhMmk2
    YWJwSmZLYXVSUUJTaTFxTHc4dGRoSlZBUExFdEg0NDFzYkxiWjBNOVNmV2VjVWJLWXI0bXBHTHls
    UkF0NmRWL1NTdEF2ay8rRGtoZHRKU05sR0RtQVIrc2pyZUg1NUYwOU1DTXRCUGFMREdqVTF0ZGdw
    UE1reGx2QVBEbml0ZUtNNlV0WnkwcUdoSzhEMGpSRXlzMytaNXc4TE5wTkNSekxsSVN5RE4xN25R
    dlFnMWo2ZnhwNzh3dnkzc1ZNTzBWYmNaYWttQTRxcW85Z2RpZjlGbTdGbkhsWW5sWjlEb1lIc2xZ
    aXJHNzBxcGMvRytwbEwzdVo5b2ZnaW54L3JrR08yeUdjVHFQdE00YmlkZ1YvTHZ1MjdMQUdWME5G
    VmZiUDRubmVZWWxYbXdaMlBqblF1dTFaUzRZdE1yQzFXcVhHNEJBWGZqNzk3OFZMM3FKbTEwOWpv
    WExBaXJ6bVNUU3JHK1djWHNnNTB2M2llSVNtSzVRMTNPNU9GUHhBYUtZOHFCQys5TjFvdUhrcEsx
    SVVGRFhDV0o2cEdBMnFwNnpTZytHcHN3MkIxaUdzbmFQS3FjanhxV3o3SUhFOWJzUWF1ZHVzUHYw
    ZVF3ejRoN3lzSG5wZTVjTEZlZDFVTDdobnhIK01oYXg1d20vaEdKdEF4NHRIVS9xUnJGVmRRQzc5
    Z3p4bUZ5b2ZRTzhmYy9MR3FyUT09Ii8+CiAgICAgICAgICAgICAgICA8L2NoYXJhY3RlcmlzdGlj
    PgogICAgICAgICAgICAgICAgPGNoYXJhY3RlcmlzdGljIHR5cGU9IlByaXZhdGVLZXlDb250YWlu
    ZXIiPgogICAgICAgICAgICAgICAgICAgIDxwYXJtIG5hbWU9IktleVNwZWMiIHZhbHVlPSIyIi8+
    CiAgICAgICAgICAgICAgICAgICAgPHBhcm0gbmFtZT0iQ29udGFpbmVyTmFtZSIgdmFsdWU9IkNv
    bmZpZ01nckVucm9sbG1lbnQiLz4KICAgICAgICAgICAgICAgICAgICA8cGFybSBuYW1lPSJQcm92
    aWRlclR5cGUiIHZhbHVlPSIxIi8+CiAgICAgICAgICAgICAgICA8L2NoYXJhY3RlcmlzdGljPgog
    ICAgICAgICAgICA8L2NoYXJhY3RlcmlzdGljPgogICAgICAgICAgICA8Y2hhcmFjdGVyaXN0aWMg
    dHlwZT0iV1NURVAiPgogICAgICAgICAgICAgICAgPGNoYXJhY3RlcmlzdGljIHR5cGU9IlJlbmV3
    Ij4KICAgICAgICAgICAgICAgICAgICA8cGFybSBkYXRhdHlwZT0iYm9vbGVhbiIgbmFtZT0iUk9C
    T1N1cHBvcnQiIHZhbHVlPSJ0cnVlIi8+CiAgICAgICAgICAgICAgICAgICAgPHBhcm0gZGF0YXR5
    cGU9ImludGVnZXIiIG5hbWU9IlJlbmV3UGVyaW9kIiB2YWx1ZT0iNjAiLz4KICAgICAgICAgICAg
    ICAgICAgICA8cGFybSBkYXRhdHlwZT0iaW50ZWdlciIgbmFtZT0iUmV0cnlJbnRlcnZhbCIgdmFs
    dWU9IjQiLz4KICAgICAgICAgICAgICAgIDwvY2hhcmFjdGVyaXN0aWM+CiAgICAgICAgICAgIDwv
    Y2hhcmFjdGVyaXN0aWM+CiAgICAgICAgPC9jaGFyYWN0ZXJpc3RpYz4KICAgIDwvY2hhcmFjdGVy
    aXN0aWM+CiAgICA8Y2hhcmFjdGVyaXN0aWMgdHlwZT0iQVBQTElDQVRJT04iPgogICAgICAgIDxw
    YXJtIG5hbWU9IkFQUElEIiB2YWx1ZT0idzciLz4KICAgICAgICA8cGFybSBuYW1lPSJQUk9WSURF
    Ui1JRCIgdmFsdWU9Ik1vYmlDRE1TZXJ2ZXIiLz4KICAgICAgICA8cGFybSBuYW1lPSJOQU1FIiB2
    YWx1ZT0id3NvMiIvPgogICAgICAgIDxwYXJtIG5hbWU9IkFERFIiIHZhbHVlPSJodHRwczovL0Vu
    dGVycHJpc2VFbnJvbGxtZW50LndzbzIuY29tLyIvPgogICAgICAgIDxwYXJtIG5hbWU9IkNPTk5S
    RVRSWUZSRVEiIHZhbHVlPSI2Ii8+CiAgICAgICAgPHBhcm0gbmFtZT0iSU5JVElBTEJBQ0tPRkZU
    SU1FIiB2YWx1ZT0iMzAwMDAiLz4KICAgICAgICA8cGFybSBuYW1lPSJNQVhCQUNLT0ZGVElNRSIg
    dmFsdWU9IjEyMDAwMCIvPgogICAgICAgIDxwYXJtIG5hbWU9IkJBQ0tDT01QQVRSRVRSWURJU0FC
    TEVEIi8+CiAgICAgICAgPHBhcm0gbmFtZT0iREVGQVVMVEVOQ09ESU5HIiB2YWx1ZT0iYXBwbGlj
    YXRpb24vdm5kLnN5bmNtbC5kbSt3YnhtbCIvPgogICAgICAgIDxwYXJtIG5hbWU9IlNTTENMSUVO
    VENFUlRTRUFSQ0hDUklURVJJQSIgdmFsdWU9IkNOJTNEQjFDNDNDRDAtMTYyNC01RkJCLThFNTQt
    MzRDRjE3REZEM0ExJmFtcDtTdG9yZXM9TXklNUNVc2VyIi8+CiAgICAgICAgPGNoYXJhY3Rlcmlz
    dGljIHR5cGU9IkFQUEFVVEgiPgogICAgICAgICAgICA8cGFybSBuYW1lPSJBQVVUSExFVkVMIiB2
    YWx1ZT0iQ0xJRU5UIi8+CiAgICAgICAgICAgIDxwYXJtIG5hbWU9IkFBVVRIVFlQRSIgdmFsdWU9
    IkRJR0VTVCIvPgogICAgICAgICAgICA8cGFybSBuYW1lPSJBQVVUSFNFQ1JFVCIgdmFsdWU9ImR1
    bW15Ii8+CiAgICAgICAgICAgIDxwYXJtIG5hbWU9IkFBVVRIREFUQSIgdmFsdWU9IlpIVnRiWGwx
    YzJWeWJtOXVZMlU9Ii8+CiAgICAgICAgPC9jaGFyYWN0ZXJpc3RpYz4KICAgICAgICA8Y2hhcmFj
    dGVyaXN0aWMgdHlwZT0iQVBQQVVUSCI+CiAgICAgICAgICAgIDxwYXJtIG5hbWU9IkFBVVRITEVW
    RUwiIHZhbHVlPSJBUFBTUlYiLz4KICAgICAgICAgICAgPHBhcm0gbmFtZT0iQUFVVEhUWVBFIiB2
    YWx1ZT0iRElHRVNUIi8+CiAgICAgICAgICAgIDxwYXJtIG5hbWU9IkFBVVRITkFNRSIgdmFsdWU9
    ImR1bW15Ii8+CiAgICAgICAgICAgIDxwYXJtIG5hbWU9IkFBVVRIU0VDUkVUIiB2YWx1ZT0iZHVt
    bXkiLz4KICAgICAgICAgICAgPHBhcm0gbmFtZT0iQUFVVEhEQVRBIiB2YWx1ZT0iWkhWdGJYbDFj
    MlZ5Ym05dVkyVT0iLz4KICAgICAgICA8L2NoYXJhY3RlcmlzdGljPgogICAgPC9jaGFyYWN0ZXJp
    c3RpYz4KICAgIDxjaGFyYWN0ZXJpc3RpYyB0eXBlPSJETUNsaWVudCI+CiAgICAgICAgPCEtLSBT
    dGFyaW5nIHdpdGggV2luZG93cyBQaG9uZSA4LjEsIGFuIGVucm9sbG1lbnQgc2VydmVyIHNob3Vs
    ZCB1c2UgRE1DbGllbnQgQ1NQIFhNTCB0byBjb25maWd1cmUgRE0gcG9sbGluZyBzY2hlZHVsZXMu
    IFRoZSBwb2xsaW5nIHNjaGVkdWxlIHJlZ2lzaXRyeSBrZXlzIHdpbGwgYmUgZGVwcmVjYXRlZCBh
    ZnRlciBXaW5kb3dzIFBob25lIDguMS4tLT4KICAgICAgICA8Y2hhcmFjdGVyaXN0aWMgdHlwZT0i
    UHJvdmlkZXIiPgogICAgICAgICAgICA8IS0tIFByb3ZpZGVySUQgaW4gRE1DbGllbnQgQ1NQIG11
    c3QgbWF0Y2ggdG8gUFJPVklERVItSUQgaW4gdzcgQVBQTElDQVRJT04gY2hhcmFjdGVyaXN0aWNz
    IC0tPgogICAgICAgICAgICA8Y2hhcmFjdGVyaXN0aWMgdHlwZT0iTW9iaUNETVNlcnZlciI+CiAg
    ICAgICAgICAgICAgICA8Y2hhcmFjdGVyaXN0aWMgdHlwZT0iUG9sbCI+CiAgICAgICAgICAgICAg
    ICAgICAgPHBhcm0gZGF0YXR5cGU9ImludGVnZXIiIG5hbWU9Ik51bWJlck9mRmlyc3RSZXRyaWVz
    IiB2YWx1ZT0iOCIvPgogICAgICAgICAgICAgICAgICAgIDxwYXJtIGRhdGF0eXBlPSJpbnRlZ2Vy
    IiBuYW1lPSJJbnRlcnZhbEZvckZpcnN0U2V0T2ZSZXRyaWVzIiB2YWx1ZT0iMTUiLz4KICAgICAg
    ICAgICAgICAgICAgICA8cGFybSBkYXRhdHlwZT0iaW50ZWdlciIgbmFtZT0iTnVtYmVyT2ZTZWNv
    bmRSZXRyaWVzIiB2YWx1ZT0iNSIvPgogICAgICAgICAgICAgICAgICAgIDxwYXJtIGRhdGF0eXBl
    PSJpbnRlZ2VyIiBuYW1lPSJJbnRlcnZhbEZvclNlY29uZFNldE9mUmV0cmllcyIgdmFsdWU9IjMi
    Lz4KICAgICAgICAgICAgICAgICAgICA8cGFybSBkYXRhdHlwZT0iaW50ZWdlciIgbmFtZT0iTnVt
    YmVyT2ZSZW1haW5pbmdTY2hlZHVsZWRSZXRyaWVzIiB2YWx1ZT0iMCIvPgogICAgICAgICAgICAg
    ICAgICAgIDwhLS0gSW4gV2luZG93cyBQaG9uZSA4LjEsIE1ETSBwdXNoIGlzIHN1cHBvcnRlZCBm
    b3IgcmVhbC10aW1lIGNvbW11bmljYXRpb24uIFRoZSBETSBjbGllbnQgbG9uZyB0ZXJtIHBvbGxp
    bmcgc2NoZWR1bGXigJlzIHJldHJ5IHdhaXRpbmcgaW50ZXJ2YWwgc2hvdWxkIGJlIG1vcmUgdGhh
    biAyNCBob3VycyAoMTQ0MCkgdG8gcmVkdWNlIHRoZSBpbXBhY3QgdG8gZGF0YSBjb25zdW1wdGlv
    biBhbmQgYmF0dGVyeSBsaWZlLiBSZWZlciB0byB0aGUgRE1DbGllbnQgQ29uZmlndXJhdGlvbiBT
    ZXJ2aWNlIFByb3ZpZGVyIHNlY3Rpb24gZm9yIGluZm9ybWF0aW9uIGFib3V0IHBvbGxpbmcgc2No
    ZWR1bGUgcGFyYW1ldGVycy4tLT4KICAgICAgICAgICAgICAgICAgICA8cGFybSBkYXRhdHlwZT0i
    aW50ZWdlciIgbmFtZT0iSW50ZXJ2YWxGb3JSZW1haW5pbmdTY2hlZHVsZWRSZXRyaWVzIiB2YWx1
    ZT0iMTU2MCIvPgogICAgICAgICAgICAgICAgPC9jaGFyYWN0ZXJpc3RpYz4KICAgICAgICAgICAg
    ICAgIDxwYXJtIGRhdGF0eXBlPSJzdHJpbmciIG5hbWU9IkVudERldmljZU5hbWUiIHZhbHVlPSJB
    ZG1pbmlzdHJhdG9yV2luZG93c1Bob25lIi8+CiAgICAgICAgICAgIDwvY2hhcmFjdGVyaXN0aWM+
    CiAgICAgICAgPC9jaGFyYWN0ZXJpc3RpYz4KICAgIDwvY2hhcmFjdGVyaXN0aWM+Cjwvd2FwLXBy
    b3Zpc2lvbmluZ2RvYz4=</ns2:BinarySecurityToken>
                </RequestedSecurityToken>
                <ns4:RequestID>0</ns4:RequestID>
             </RequestSecurityTokenResponse>
          </RequestSecurityTokenResponseCollection>
       </soap:Body>
    </soap:Envelope>

    I'm still getting the 0x80090016 error (NCryptOpenKey). What might this really mean?
    I found on the internet that this is 'keyset does not exist'; what might be the reason for this? Can this somehow be related to a denied access permission on the private key within the device (this is very unlikely, isn't it?)?

    Eagerly waiting for your reply...

    BR

    Wednesday, January 28, 2015 7:58 AM
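The following is an added example, not code from this thread, from Microsoft or from the poster's server: a Python counterpart to the C# RSTR sanity check above that goes one step further and inspects the decoded wap-provisioningdoc for the consistency mistakes raised in this thread (WSTEP placed under My/User instead of My, certificate nodes not named by their SHA-1 thumbprint, a PROVIDER-ID with no matching DMClient/Provider node, and an SSLCLIENTCERTSEARCHCRITERIA that names a store with no certificate, or a CN whose bytes do not occur in any certificate installed there). The sample "certificate" bytes, provisioning document and SOAP envelope are constructed for the demo; the only real data is the Subject Name byte sequence from the certificate dump earlier in the thread. The CN check is a necessary condition, not a sufficient one: a byte match does not prove the string is the Subject CN.

```python
"""Check a WSTEP RequestSecurityTokenResponse and the wap-provisioningdoc inside it; stdlib only."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PROVDOC_TYPE = "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
B64_ENCODING = WSSE + "#base64binary"

def extract_provisioning_doc(rstr_xml):
    """Find the BinarySecurityToken in the RSTR body and return the decoded provisioning XML."""
    token = ET.fromstring(rstr_xml).find(
        ".//wst:RequestSecurityTokenResponseCollection/wst:RequestSecurityTokenResponse"
        "/wst:RequestedSecurityToken/wsse:BinarySecurityToken", {"wst": WST, "wsse": WSSE})
    if token is None or token.get("ValueType") != PROVDOC_TYPE or token.get("EncodingType") != B64_ENCODING:
        raise ValueError("BinarySecurityToken missing, or ValueType/EncodingType are not the provisioning-doc values")
    return base64.b64decode("".join(token.text.split())).decode("utf-8")  # token may be line-wrapped

def _child(node, type_):
    return None if node is None else node.find(f"characteristic[@type='{type_}']")

def _thumbprint(der):
    return hashlib.sha1(der).hexdigest().upper()  # CertificateStore names each cert node by its SHA-1 thumbprint

def _certs(node, path=()):
    """Yield (store_path, node, der) for every EncodedCertificate under a CertificateStore node."""
    parm = node.find("parm[@name='EncodedCertificate']")
    if parm is not None:
        yield "\\".join(path[:-1]), node, base64.b64decode(parm.get("value"))
    for child in node.findall("characteristic"):
        yield from _certs(child, path + (child.get("type"),))

def parse_search_criteria(value):
    """Decode SSLCLIENTCERTSEARCHCRITERIA ('CN%3D...&Stores=My%5CUser') into a dict."""
    out = {}
    for part in value.split("&"):
        key, _, val = unquote(part).partition("=")
        out[key] = val
    return out

def check_provisioning_doc(doc_xml):
    """Return a list of problems; an empty list means every check passed."""
    problems, root = [], ET.fromstring(doc_xml)
    store = _child(root, "CertificateStore")
    if store is None:
        return ["no CertificateStore characteristic"]
    my = _child(store, "My")
    if _child(my, "WSTEP") is None:                       # renewal settings belong directly under My ...
        problems.append("no WSTEP characteristic under CertificateStore/My")
    if _child(_child(my, "User"), "WSTEP") is not None:   # ... not under My/User
        problems.append("WSTEP characteristic is nested under My/User instead of My")
    certs = {}
    for store_path, node, der in _certs(store):
        if node.get("type").upper() != _thumbprint(der):
            problems.append(f"{store_path}\\{node.get('type')}: node name is not the SHA-1 thumbprint {_thumbprint(der)}")
        certs.setdefault(store_path, []).append(der)
    app = _child(root, "APPLICATION")
    provider_id = app.find("parm[@name='PROVIDER-ID']").get("value")
    if _child(_child(_child(root, "DMClient"), "Provider"), provider_id) is None:
        problems.append(f"DMClient/Provider has no '{provider_id}' node matching PROVIDER-ID")
    crit = parse_search_criteria(app.find("parm[@name='SSLCLIENTCERTSEARCHCRITERIA']").get("value"))
    cn, store_path = crit.get("CN"), crit.get("Stores")
    if not cn or store_path not in certs:
        problems.append(f"search criteria must name a CN and a store that holds a certificate; got {crit}")
    elif not any(cn.encode() in der for der in certs[store_path]):  # necessary, not sufficient
        problems.append(f"CN '{cn}' does not occur in any certificate installed under {store_path}")
    return problems

# Constructed sample data (not from a real device): filler plus the Subject Name bytes from the thread's dump.
SUBJECT_CN = "B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1"
FAKE_CLIENT_DER = b"constructed-not-a-certificate:" + bytes.fromhex("302f312d302b06035504030c24") + SUBJECT_CN.encode()
FAKE_ROOT_DER = b"constructed-not-a-certificate:root"
WSTEP_XML = '<characteristic type="WSTEP"><characteristic type="Renew"><parm datatype="boolean" name="ROBOSupport" value="true"/></characteristic></characteristic>'

def build_provisioning_doc(criteria_cn=SUBJECT_CN, wstep_under_user=False):
    """Minimal wap-provisioningdoc in the thread's layout; the two parameters reproduce the two mistakes."""
    root_b64, client_b64 = (base64.b64encode(d).decode() for d in (FAKE_ROOT_DER, FAKE_CLIENT_DER))
    wstep_user, wstep_my = (WSTEP_XML, "") if wstep_under_user else ("", WSTEP_XML)
    return f"""<wap-provisioningdoc version="1.1"><characteristic type="CertificateStore">
  <characteristic type="Root"><characteristic type="System"><characteristic type="{_thumbprint(FAKE_ROOT_DER)}">
    <parm name="EncodedCertificate" value="{root_b64}"/></characteristic></characteristic></characteristic>
  <characteristic type="My"><characteristic type="User"><characteristic type="{_thumbprint(FAKE_CLIENT_DER)}">
    <parm name="EncodedCertificate" value="{client_b64}"/></characteristic>{wstep_user}</characteristic>{wstep_my}
  </characteristic></characteristic>
  <characteristic type="APPLICATION"><parm name="APPID" value="w7"/><parm name="PROVIDER-ID" value="MobiCDMServer"/>
    <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="CN%3D{criteria_cn}&amp;Stores=My%5CUser"/></characteristic>
  <characteristic type="DMClient"><characteristic type="Provider"><characteristic type="MobiCDMServer"/></characteristic></characteristic>
</wap-provisioningdoc>"""

def build_rstr(doc_xml):
    """Wrap a provisioning doc in the RSTR envelope shape posted above (constructed sample)."""
    token = base64.b64encode(doc_xml.encode()).decode()
    return (f'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
            f'<RequestSecurityTokenResponseCollection xmlns="{WST}" xmlns:ns2="{WSSE}">'
            '<RequestSecurityTokenResponse><RequestedSecurityToken>'
            f'<ns2:BinarySecurityToken EncodingType="{B64_ENCODING}" ValueType="{PROVDOC_TYPE}">{token}'
            '</ns2:BinarySecurityToken></RequestedSecurityToken></RequestSecurityTokenResponse>'
            '</RequestSecurityTokenResponseCollection></s:Body></s:Envelope>')
```

Run `check_provisioning_doc(extract_provisioning_doc(rstr))` on the real response your server emits; each string in the returned list names a specific node to fix. The thumbprint check matters because the device keys the installed certificate off the characteristic name, and the search-criteria check is the one that would have flagged the value this thread eventually found to be wrong.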
  • To clarify... Are you testing enrollment with a Windows Phone 8.1 device or Windows 8.1 PC/tablet?

    Your title says Windows 8.1 but I was assuming Windows Phone 8.1 since you appear to be using the wap-provisioningdoc example for Windows Phone 8.1...

    Reading the trace logs can be a bit tricky...
    The 0x80090016 error log entry you're seeing might be from activity before sending the RST... When preparing the RST the code checks to see if any previous key-pair was generated and deletes it, then it generates a new key-pair which is used in the RST.

    It helps if you sync up the clocks on your device and server, or at least get a good estimate of the time difference between the two, so that you can more easily match up event logs from each side. (Also, if you use Fiddler or network tracing on a different PC then make sure that PC's clock is in sync also.)


    Eric Fleck, Windows Store and Windows Phone Developer Support.

    Wednesday, January 28, 2015 5:18 PM
    Moderator
  • Hi Eric,

    Sorry I couldn't mention this before: I'm working on Windows Phone 8.1 enrolment, not PC/tablet.

    I added message entries to the logs, and it shows me some descriptive log data now. I'm seeing the below.

    [MDM Enroll End] Error HRESULT : 0x8018000E

    [MDM Enroll End] Error HRESULT : 0x86000009

    Failed to get enrollment policy. Using default policy to enrol.

    GetPolicyFromResponse() uses hash algorithm (1.3.14.3.2.29)

    Function NCrypthOpenKey failed with result (0x80090016)

    And after some other few messages it shows,

    Enrollment succeeded with server (EnterpriseEnrollment.wso2.com)

    [MDM Cert Installer Start] Install cert in app container

    [MDM Cert Installer] Uninstalling enrollment cert for OMADM session

    [MDM Cert Installer End] Success

    Please find the link for complete log below,

    https://www.dropbox.com/s/b0c8pys19xklndw/WpPerfRecorder_200.etl?dl=0

    This is strange; why does it say enrollment succeeded with the server, even when the phone shows that the enrollment is not successful??

    (Sure, I will re-check the time sync between the server and the device as well.)

    BR


    Thursday, January 29, 2015 4:26 AM
  • I'm facing the same problem: NCryptOpenKey returns 0x80090016, but I get the "Enrollment succeeded" message in the logs (and the device shows that it's not registered).

    I've reviewed the wap many times (and carefully calculated the hashes of the CA and client cert) but I'm unable to find the root of the problem. The server cert is also signed by the same (private) CA.

    At the end I get 0x86000009 as the result, shown in the logs as [MDM Enroll End] Error HRESULT: 0x86000009

    I've found no information about this code. Eric, any tips?

    Thanks in advance!

    Thursday, January 29, 2015 8:20 PM
    As I suspected, the 0x80090016 error is from before the RST is sent to the server, so this is probably not related to the enrollment failure.

    Error 0x86000009 is a 'rollback failure' but the logs don't appear to show what triggered the rollback.

    It's possible that the device you are using for this test is in a bad state from earlier failures... I would recommend resetting the device to factory defaults and re-testing. If you're testing on a personal device then you might want to consider getting a second device to test with.


    Eric Fleck, Windows Store and Windows Phone Developer Support.

    Thursday, January 29, 2015 11:16 PM
    Moderator
  • Hi Eric,

    Thanks for the suggestions.

    I just checked the timestamps of the final events and errors, so what you say about 0x80090016 makes perfect sense. The 0x86000009 error seems to be the one that appears last, so from what you have told me I think this is what causes the enrolment failure?

    In the logs it shows the device installs the cert and immediately uninstalls it (I assume this is why the rollback failure appears). Can this be some issue with the certificates?

    I did the reset of the device as you suggested and tested again, but the same issue still appears (I'm using a secondary device for this, so resetting is not a problem).

    Another thing I need to know is, do I need to manually install the CA root certificate (which is also sent via wap-provisioning) on the phone before starting the enrolment process?

    Anyway, assuming the above, I manually installed the root cert and started the enrolment process, but even that didn't work.

    I have no clue at all what is wrong here. I checked every critical step several times, but still cannot figure out the problem.
    What might be wrong here??

    BR

    Friday, January 30, 2015 7:00 AM
  • You do NOT need to manually install the CA root certificate; however, if your discovery service uses an SSL certificate issued by this CA then the user will get a warning and be asked if they want to continue.


    Eric Fleck, Windows Store and Windows Phone Developer Support.

    Friday, January 30, 2015 10:08 PM
    Moderator
  • Hi Eric,

    If this is the case, then what causes the issue?

    I have used a DigiCert-signed SSL certificate and my own CA certificate at the WSTEP stage.

    But still I'm unable to get the enrolment done. Given the error logs, what are the possible causes of the error as you see it?

    BR

    Sunday, February 1, 2015 1:09 PM
  • Unfortunately the logs you posted do not provide enough detail to know why it's failing.

    However, one other thing I do notice is that the client certificate does not have any Key Usage or Extended Key Usage. 

    This certificate is intended to be used as a client certificate so it should at least have these properties:

    Key Usage:
    Digital Signature

    Enhanced Key Usage:
    Client Authentication (1.3.6.1.5.5.7.3.2)

    Basic Constraints:
    Subject Type=End Entity

    FYI: If that still does not solve the enrollment problem then you might consider opening a support request and we can try to get better diagnostic logs.


    Eric Fleck, Windows Store and Windows Phone Developer Support.


    Monday, February 2, 2015 10:00 PM
    Moderator
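    To make the checklist in the reply above concrete, here is an added Python example (not code from this thread, and not a Microsoft sample) that issues a device certificate carrying exactly those three extensions from a throwaway in-memory CA and then verifies them. It needs the `cryptography` package; the CA name, the device identifier and the validity periods are placeholders chosen for the example, and `with_extensions=False` reproduces the bare certificate the reply diagnosed, so the checker can be seen flagging all three items.

```python
"""Issue a WSTEP client certificate carrying the Key Usage, Extended Key
Usage and Basic Constraints listed in the reply above, then verify them.
Added example (not from the thread); needs the `cryptography` package.
The CA name, device identifier and validity periods are placeholders."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# KeyUsage() requires every bit to be stated explicitly; start from all-off.
KU_ALL_FALSE = dict(
    content_commitment=False, key_encipherment=False, data_encipherment=False,
    key_agreement=False, key_cert_sign=False, crl_sign=False,
    encipher_only=False, decipher_only=False,
)


def _validity(days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return now - datetime.timedelta(minutes=5), now + datetime.timedelta(days=days)


def make_ca(common_name="Example MDM Root CA"):
    """Self-signed issuing CA (constructed for the example)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    before, after = _validity(3650)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(before)
        .not_valid_after(after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(digital_signature=True,
                                     **{**KU_ALL_FALSE, "key_cert_sign": True, "crl_sign": True}),
                       critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_client_cert(ca_key, ca_cert, device_id, with_extensions=True):
    """End-entity certificate for the device. with_extensions=False reproduces
    the bare certificate the reply diagnosed (no KU, no EKU, no BC)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    before, after = _validity(365)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_id)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(before)
        .not_valid_after(after)
    )
    if with_extensions:
        builder = (
            builder
            # Basic Constraints: Subject Type=End Entity
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            # Key Usage: Digital Signature only
            .add_extension(x509.KeyUsage(digital_signature=True, **KU_ALL_FALSE), critical=True)
            # Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        )
    return key, builder.sign(ca_key, hashes.SHA256())


def check_client_cert(cert):
    """Return the checklist items the certificate fails (empty list = OK)."""
    problems = []
    exts = cert.extensions
    try:
        if not exts.get_extension_for_class(x509.KeyUsage).value.digital_signature:
            problems.append("KeyUsage present but digitalSignature not set")
    except x509.ExtensionNotFound:
        problems.append("KeyUsage extension missing")
    try:
        eku = exts.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
            problems.append("ExtendedKeyUsage lacks clientAuth (1.3.6.1.5.5.7.3.2)")
    except x509.ExtensionNotFound:
        problems.append("ExtendedKeyUsage extension missing")
    try:
        if exts.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("BasicConstraints marks this as a CA, not an end entity")
    except x509.ExtensionNotFound:
        problems.append("BasicConstraints extension missing")
    return problems


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _, good = issue_client_cert(ca_key, ca_cert, "EXAMPLE-DEVICE-ID")
    _, bad = issue_client_cert(ca_key, ca_cert, "EXAMPLE-DEVICE-ID", with_extensions=False)
    print("good:", check_client_cert(good) or "OK")
    print("bad: ", check_client_cert(bad))
```

    Run it directly to see the complete certificate pass and the bare one fail all three checks. In an enrollment server the useful place for `check_client_cert` is just before the certificate is base64-encoded into the wap-provisioning document, so a certificate that the device would install and immediately roll back never leaves the server.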
  • Hi Eric,

    Thanks for the suggestions !

    I fixed what you mentioned above and changed the signed cert's CN encoding to 'Printable_String'.

    But unfortunately I'm stuck in the same place.

    Before opening any ticket, can I assume this issue is related to certificates for sure?
    I've been stuck on this for so long and am desperate to solve this single enrolment problem first.

    Searching throughout the internet, I found this is a very common problem that most developers are facing.

    I'm almost losing faith that one would be able to implement a complete MDM solution for Windows devices, given that the enrolment process is this hard.

    BR

    Sunday, February 8, 2015 3:34 PM
  • Hi Eric,

    Finally I was able to get the enrolment done successfully !!!!

    The issue was with SSLCLIENTCERTSEARCHCRITERIA - the value in the wap-provisioning file was wrong.

    Thank you for your comments and suggestions !!!

    As a side note, I think debugging options such as Windows Power Tools should provide specific error codes/messages, so developers will be able to identify them and fix the issues quickly. And it would have been much easier if the Windows MDM documentation had descriptive information as well.

    BR

    Monday, February 9, 2015 6:08 AM
  • What was the specific issue with SSLCLIENTCERTSEARCHCRITERIA? From pulling apart your SOAP response above, I can see that the Subject of your cert does match the SSLCLIENTCERTSEARCHCRITERIA. I assume that was pasted into this thread when you were still receiving the issue.

    Certificate parsed from OpenSSL:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 876702170 (0x344169da)
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Jan 25 07:28:14 2015 GMT
            Not After : Nov 24 07:28:14 2015 GMT
        Subject: CN=B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1

    Relevant XML:

    <characteristic type="APPLICATION">
    		<parm name="APPID" value="w7"/>
    		<parm name="CONNRETRYFREQ" value="6"/>
    		<parm name="INITIALBACKOFFTIME" value="30000"/>
    		<parm name="MAXBACKOFFTIME" value="120000"/>
    		<parm name="BACKCOMPATRETRYDISABLED"/>
    		<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml"/>
    		<parm name="SSLCLIENTCERTSEARCHCRITERIA" value="CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1&amp;Stores=My%5CUser"/>
    	</characteristic>

    It appears as B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1 in both places. The only issue I could imagine would be with the NULL at the end of the common name, from the device's default certificate request. Though without going back over notes, I'm not sure if that GUID is actually the default or not.

    I'm experiencing the same issue initially reported in this thread, but I have replaced the common name for the certificate. I didn't want to use the default, so I use information about the user enrolling. Was there something specific about the SSLCLIENTCERTSEARCHCRITERIA that you learned? Could you please share?

    EDIT:

    It may be worth noting that I only experience this issue when using the Federated enrollment scheme. I use the same process to generate certificates and create the provisioning XML when using OnPremise enrollment. The process and values work correctly for OnPrem, but they fail for Federated. Any help would be appreciated.

    • Edited by slwheat Tuesday, August 4, 2015 8:29 PM More information
    Tuesday, August 4, 2015 5:43 PM
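    Both the fix reported earlier in the thread (a wrong SSLCLIENTCERTSEARCHCRITERIA value) and the follow-up question above about a trailing NULL on the common name are things the server can check before it sends the provisioning document. The Python below is an added example, not code from the thread: it reads the w7 APPLICATION node, percent-decodes the search criteria, and compares the CN and the Stores path against the certificate subject and the store the same document actually installs into. The wap-provisioning fragment is constructed for the example (placeholder thumbprint, certificate data and CN), and the subject CN is passed in as a string, as `openssl x509 -noout -subject` prints it, rather than parsed from the certificate.

```python
"""Cross-check SSLCLIENTCERTSEARCHCRITERIA against the certificate the same
wap-provisioning document installs. Added example, not code from the thread.
SAMPLE_WAP is a constructed fragment: thumbprint, EncodedCertificate and CN
are placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SAMPLE_WAP = b"""<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore">
    <characteristic type="My">
      <characteristic type="User">
        <characteristic type="0000000000000000000000000000000000000000">
          <parm name="EncodedCertificate" value="MIIB...placeholder..." />
        </characteristic>
      </characteristic>
    </characteristic>
  </characteristic>
  <characteristic type="APPLICATION">
    <parm name="APPID" value="w7"/>
    <parm name="SSLCLIENTCERTSEARCHCRITERIA"
          value="CN%3DEXAMPLE-DEVICE-ID&amp;Stores=My%5CUser"/>
  </characteristic>
</wap-provisioningdoc>
"""


def parse_search_criteria(raw):
    """'CN%3DX&Stores=My%5CUser' -> {'CN': 'X', 'Stores': 'My\\User'}.
    Split on '&' first and percent-decode each part afterwards, so an
    encoded '&' or '=' inside a value cannot shift the parsing."""
    criteria = {}
    for part in raw.split("&"):
        if part:
            key, _, value = unquote(part).partition("=")
            criteria[key] = value
    return criteria


def find_w7_search_criteria(root):
    """Value of SSLCLIENTCERTSEARCHCRITERIA in the APPLICATION node with APPID w7."""
    for app in root.iter("characteristic"):
        if app.get("type") != "APPLICATION":
            continue
        parms = {p.get("name"): p.get("value") for p in app.findall("parm")}
        if parms.get("APPID") == "w7":
            return parms.get("SSLCLIENTCERTSEARCHCRITERIA")
    return None


def installed_stores(root):
    """Map 'Store\\Location' (e.g. 'My\\User') to the thumbprints installed there."""
    stores = {}
    cert_store = root.find("characteristic[@type='CertificateStore']")
    for store in ([] if cert_store is None else cert_store.findall("characteristic")):
        for location in store.findall("characteristic"):
            for entry in location.findall("characteristic"):
                if entry.find("parm[@name='EncodedCertificate']") is not None:
                    path = f"{store.get('type')}\\{location.get('type')}"
                    stores.setdefault(path, []).append(entry.get("type"))
    return stores


def check_search_criteria(wap_xml, subject_cn):
    """Return the mismatches between the criteria and the certificate (empty = OK).
    subject_cn must be the CN exactly as the issued certificate carries it."""
    root = ET.fromstring(wap_xml)
    raw = find_w7_search_criteria(root)
    if raw is None:
        return ["no SSLCLIENTCERTSEARCHCRITERIA under APPID w7"]
    crit = parse_search_criteria(raw)
    problems = []
    want_cn = crit.get("CN")
    if want_cn is None:
        problems.append("criteria has no CN component")
    else:
        # A CN that still carries the NUL from a device-generated request
        # will not match the string in the criteria; catch it explicitly.
        if want_cn.endswith("\x00") or subject_cn.endswith("\x00"):
            problems.append("CN carries a trailing NUL; strip it on both sides")
        if want_cn.rstrip("\x00") != subject_cn.rstrip("\x00"):
            problems.append(f"CN mismatch: criteria {want_cn!r} vs certificate {subject_cn!r}")
    store = crit.get("Stores")
    stores = installed_stores(root)
    if store is None:
        problems.append("criteria has no Stores component")
    elif store not in stores:
        problems.append(f"criteria searches {store!r} but the document installs into {sorted(stores)}")
    return problems


if __name__ == "__main__":
    print(check_search_criteria(SAMPLE_WAP, "EXAMPLE-DEVICE-ID") or "OK")
    print(check_search_criteria(SAMPLE_WAP, "EXAMPLE-DEVICE-ID\x00"))
    print(check_search_criteria(SAMPLE_WAP, "user@example.com"))
```

    The three calls at the bottom show the matching case, the trailing-NUL case raised above, and the case where the CN was replaced with user information without updating the criteria. Because the check works on the document the server is about to send, it applies equally to OnPremise and Federated enrollment; if the document passes here and Federated still fails, the criteria value itself is not the difference.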