Windows 8.1 Device Identity Certificate

  • Question

  • I am implementing Windows 8.1 MDM and seem to be stuck on the Certificate Enrollment web service step.

    I am sending the response below, and the Windows client seems to be proceeding further by sending DM Initialization and responding to SyncML requests from the server.

    I can also see the certificate using certmgr under Certificates->Personal->Certificates, where the certificate is marked as "Valid" and the notes say that the device has a private key that corresponds to the certificate.

    The CA is a self-signed CA, and the CA certificate is placed under Root/System in the wap-provisioning response (see below).

    However, I expected to see the Client Identity certificate as part of all SyncML requests coming from the client.

    Should the client send the identity certificate with SyncML messages? If yes, what could be wrong in the way I set the certificate?

    If no, what is the right way to get the device certificate?

    <wap-provisioningdoc version="1.1">
    	<!-- This contains information about issued and trusted certificates. -->
    	<characteristic type="CertificateStore">
    		<!-- This contains trust certificates. -->
    		<characteristic type="Root">
    			<characteristic type="System">
    				<!--The thumbprint of the certificate to be added to the trusted root store -->
    				<characteristic type="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2">
    					<!-- Base64 encoding of the trust root certificate -->
    					<parm name="EncodedCertificate" value="MIIDbzCCAlegAwIBAgIJAKZI3oplYTv2MA0GCSqGSIb3DQEBCwUAME4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UECgwNQXBwZGlnaW8gVGVzdDEaMBgGA1UEAwwRQXBwZGlnaW8gVGVzdCBNRE0wHhcNMTQwODE0MDU1NDE5WhcNMjUwNzI3MDU1NDE5WjBOMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAoMDUFwcGRpZ2lvIFRlc3QxGjAYBgNVBAMMEUFwcGRpZ2lvIFRlc3QgTURNMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyOxdnl8PEtvfyhPzj9ANeLKF3YR6nFvOuIKHW/HDXAMIodtcRSf2qyPEZ3+l5f2/TZojjX401AnQeBdSKijdkKWqLboxp6237ZVdlezT1Xw7c6dmxJUwDKekUhEHJd6Ru8Rsu7c0Bzn79F7LOEGkNkGGy+LG12xzwDwg+tx3GZwVRfoMZcjtJNM9vwZCxrkgjYvJPDUl2yIca7MTl61w1wSZaOpnd2xJNbsIC3myD6oXIJoeVTEQE+XXlZcKGYs1Puv0ekdZt4P2+XUj3grHD7+XTqu0oPLFQRw0mbjyFbw4c6/8HDOrHYXr1SkHL5rm21eaN84ssFzXdf0aF2RY3wIDAQABo1AwTjAdBgNVHQ4EFgQUJRCDC1HaVsVZF8uMeakHmBrDwEIwHwYDVR0jBBgwFoAUJRCDC1HaVsVZF8uMeakHmBrDwEIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAncr1ZHB6wuwGaQXGvdVXF22VVLU41ojkw4EcU6/5H+LiRwBGpgDSwPnssqia+/zNukEI8s1zxbo3UHOS29hGFwEPKlsYVzbCaAnXDtfmMrxG8FmoSCEmcoYbCg0nEGsQXPbdgbwsF7V2equclxouvAHs36j0qNoIqu2Mwmkf6XBaLKEFiJ4nX89AFqNLDq5TjrJ9lSG6WnM3l8Gn4c28FPsPnrvtuoNNX4nBTJOXe57h48raawvN3UAstSGsofgQV1rbHj+qZ9EnIdiaaUVZk54CVY8Ic+4Z/8v18Z06s/2bMwHEgd+tICHdCPL9cs4SJNZ2vTick93rtYtMNYE8cA==" />
    				</characteristic>
    			</characteristic>
    		</characteristic>
    		<!-- This contains intermediate certificates. -->
    		<!-- NOTE: WE DO NOT USE INTERMEDIATE CERTIFICATE
    		<characteristic type="CA">
    			<characteristic type="System">
    				<characteristic type="{thumbprint}">
    					<parm name="EncodedCertificate" value="{encoded intermediate cert inserted here}" />
    				</characteristic>
    			</characteristic>
    		</characteristic>
    		-->
    		<characteristic type="My" >
    			<characteristic type="User">
    				<!-- Client certificate thumbprint. -->
    				<characteristic type="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E">
    					<!-- Base64 encoding of the client certificate -->
    					<parm name="EncodedCertificate" value="{base64 client certificate omitted}" />
    					<characteristic type="PrivateKeyContainer">
    						<parm name="KeySpec" value="2"/>
    						<parm name="ContainerName" value="ConfigMgrEnrollment"/>
    						<parm name="ProviderType" value="1"/>
    					</characteristic>
    				</characteristic>
    			</characteristic>
    		</characteristic>
    	</characteristic>
    
    	<!-- Contains information about the management service and configuration
    		 for the management agent -->
    	<characteristic type="APPLICATION">
    		<parm name="APPID" value="w7"/>
    		<!-- Management Service Name. -->
    		<parm name="PROVIDER-ID" value="TestMDM"/>
    		<parm name="NAME" value="TestMDM"/>
    		<!-- Link to an application that the management service may provide
    			 eg a Windows Store application link.
    			 The Enrollment Client may show this link in its UX.-->
    		<!--
    		<parm name="SSPHyperlink" value="http://go.microsoft.com/fwlink/?LinkId=255310" />
    		-->
    		<parm name="SSPHyperlink" value="https://192.168.1.121:8080" />
    		<!-- Management Service URL. -->
    		<parm name="ADDR" value="https://192.168.1.121:8080/server/mdm/windows/mdm.svc" />
    		<parm name="ServerList" value="https://192.168.1.121:8080/server/mdm/windows/mdm.svc" />
    		<parm name="ROLE" value="4294967295"/>
    		<!-- Discriminator to set whether the client should do Certificate Revocation List
    			 checking. -->
    		<parm name="CRLCheck" value="0"/>
    		<parm name="CONNRETRYFREQ" value="6" />
    		<parm name="INITIALBACKOFFTIME" value="30000" />
    		<parm name="MAXBACKOFFTIME" value="120000" />
    		<parm name="BACKCOMPATRETRYDISABLED" />
    		<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
    		<!-- Search criteria for client to find the client certificate using subject name of the
    			 certificate -->
    		<!-- <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d%s&amp;Stores=My%5CUser" /> -->
    		<parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d864e6994-872e-438c-abc7-dbc67ffe2576&amp;Stores=MY%5CSystem%EF%80%80MY%5CUser" />
    		<characteristic type="APPAUTH">
    			<parm name="AAUTHLEVEL" value="CLIENT"/>
    			<parm name="AAUTHTYPE" value="DIGEST"/>
    			<parm name="AAUTHSECRET" value="dummy"/>
    			<!-- Windows Phone 8.1 documentation on page 21 says that AUTHDATA is base64 encoded -->
    			<parm name="AAUTHDATA" value="bm9uY2UK"/>
    			<!-- <parm name="AAUTHDATA" value="nonce"/> -->
    		</characteristic>
    		<characteristic type="APPAUTH">
    			<parm name="AAUTHLEVEL" value="APPSRV"/>
    			<parm name="AAUTHTYPE" value="DIGEST"/>
    			<!-- <parm name="AAUTHNAME" value="dummy"/> -->
    			<parm name="AAUTHNAME" value="https://192.168.1.121:8080/test"/>
    			<parm name="AAUTHSECRET" value="dummy"/>
    			<parm name="AAUTHDATA" value="nonce"/>
    		</characteristic>
    	</characteristic>
    	<!-- Extra Information to seed the management agent's behavior . -->
    	<characteristic type="Registry">
    		<characteristic type="HKLM\Security\MachineEnrollment">
    			<parm name="RenewalPeriod" value="90" datatype="integer" />
    		</characteristic>
    		<characteristic type="HKLM\Security\MachineEnrollment\OmaDmRetry">
    			<!-- Number of retries if client fails to connect to the management service. -->
    			<parm name="NumRetries" value="8" datatype="integer" />
    			<!--Interval in minutes between retries. -->
    			<parm name="RetryInterval" value="15" datatype="integer" />
    			<parm name="AuxNumRetries" value="5" datatype="integer" />
    			<parm name="AuxRetryInterval" value="3" datatype="integer" />
    			<parm name="Aux2NumRetries" value="0" datatype="integer" />
    			<parm name="Aux2RetryInterval" value="480" datatype="integer" />
    		</characteristic>
    	</characteristic>
    	<!-- Extra Information about where to find device identity information. This is redundant
    		 in that it is duplicative to what is here, but it is required in the current version of the
    		 protocol. -->
    	<characteristic type="Registry">
    		<characteristic type="HKLM\Software\Windows\CurrentVersion\MDM\MachineEnrollment">
    			<parm name="DeviceName" value="" datatype="string" />
    		</characteristic>
    	</characteristic>
    	<characteristic type="Registry">
    		<characteristic type="HKLM\SOFTWARE\Windows\CurrentVersion\MDM\MachineEnrollment">
    			<!--Thumbprint of root certificate. -->
    			<parm name="SslServerRootCertHash" value="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2" datatype="string" />
    			<!-- Store for device certificate. -->
    			<parm name="SslClientCertStore" value="My%5CSystem" datatype="string" />
    			<!-- Common name of issued certificate. -->
    			<parm name="SslClientCertSubjectName" value="CN=864e6994-872e-438c-abc7-dbc67ffe2576" datatype="string" />
    			<!--Thumbprint of issued certificate. -->
    			<parm name="SslClientCertHash" value="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string" />
    		</characteristic>
    		<nocharacteristic type="HKLM\Security\Provisioning\OMADM\Accounts" />
    		<characteristic type="HKLM\Security\Provisioning\OMADM\Accounts\037B1F0D3842015588E753CDE76EC724">
    			<parm name="SslClientCertReference" value="My;System;4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string" />
    		</characteristic>
    	</characteristic>
    </wap-provisioningdoc>



    • Edited by olegromg Monday, January 5, 2015 4:52 AM typo
    Monday, January 5, 2015 4:49 AM

All replies

  • The certificate should be used for SSL/TLS Negotiation of the SyncML session?

    Is your server set to ignore, accept, or require a client certificate for your SyncML service endpoint?


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Monday, January 5, 2015 6:59 PM
    Moderator
  • Eric,

    Thanks for reply.

    I use one CA for the web server and a different CA to sign the Client Identity CSR. I put the CA certificate that I use to sign the CSR under Root->System in the wap-provisioningdoc (as shown in my initial message). I can also see that CA's certificate using "certmgr".

    After a presumably "successful" enrollment, the client establishes an HTTPS connection to the web server and sends the DM Initialization SyncML. At that point I expected the client to present the Client Identity certificate.

    I've looked at the network trace and do not see the client presenting the Identity certificate.

    How should it work? How do I force the client to present the Identity certificate during the SyncML conversation?

    Regards,
    Oleg 

    Tuesday, January 6, 2015 10:19 PM
  • The certificate is used in the HTTP layer for SSL/TLS negotiation.  (...not in the SyncML layer.)

    For the SyncML layer the supported authentication types are basic or digest. This is configured through the APPAUTH nodes of the w7 APPLICATION CSP during initial enrollment. (The Windows Phone 8.1 'Enterprise' MDM client implementation does not currently support any of the optional SyncML authentication methods.)


    Eric Fleck, Windows Store and Windows Phone Developer Support.

    Tuesday, January 6, 2015 10:50 PM
    Moderator
  • Eric,

    I do have the APPAUTH portion in the wap-provisioningdoc:

    <characteristic type="APPAUTH">
    	<parm name="AAUTHLEVEL" value="CLIENT"/>
    	<parm name="AAUTHTYPE" value="DIGEST"/>
    	<parm name="AAUTHSECRET" value="dummy"/>
    	<!-- Windows Phone 8.1 documentation on page 21 says that AUTHDATA is base64 encoded -->
    	<parm name="AAUTHDATA" value="bm9uY2UK"/>
    	<!-- <parm name="AAUTHDATA" value="nonce"/> -->
    </characteristic>
    <characteristic type="APPAUTH">
    	<parm name="AAUTHLEVEL" value="APPSRV"/>
    	<parm name="AAUTHTYPE" value="DIGEST"/>
    	<!-- <parm name="AAUTHNAME" value="dummy"/> -->
    	<parm name="AAUTHNAME" value="https://192.168.1.121:8080/test"/>
    	<parm name="AAUTHSECRET" value="dummy"/>
    	<parm name="AAUTHDATA" value="nonce"/>
    </characteristic>

    My Windows 8.1 device (a tablet, not a phone) does not send a SyncML DM Auth request. I.e. it sends the session initialization, then I send a <get> command to which the client responds appropriately, but no <Cred> is sent.

    I also do not see any connection attempts to the server name (https://192.168.1.121:8080/test).

    Oleg


    • Edited by olegromg Wednesday, January 7, 2015 12:24 AM update
    Wednesday, January 7, 2015 12:08 AM
  • Eric,

    Do you know how to ask Windows 8.1 to perform APPAUTH to the server?

    Regards,
    Oleg

    Thursday, January 8, 2015 5:15 PM
  • Sorry about the confusion...

    For Windows 8.1 (i.e. not Phone) the APPAUTH characteristic is not used. (...although you still need to include it in your payload.)

    Windows 8.1 does not implement any SyncML layer authentication mechanisms, only HTTP/SSL layer certificate based authentication.


    Eric Fleck, Windows Store and Windows Phone Developer Support.

    Friday, January 9, 2015 10:43 PM
    Moderator
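Since the identity certificate is only used for TLS client authentication at the HTTP layer, the client has to be able to locate it from the CertificateStore, Registry and SSLCLIENTCERTSEARCHCRITERIA values in the wap-provisioningdoc, and those values have to agree with each other. The checker below is an added example, not code from the thread or from Microsoft: it parses a wap-provisioningdoc and reports where the thumbprints, store locations and subject names disagree. The sample document it builds is constructed (placeholder bytes stand in for the DER certificates, and the device GUID and account id are placeholders); the second sample puts the client certificate under My\User while the Registry parms point at My\System, the same pattern the document posted above shows, although the thread does not confirm that this is the cause of the missing client certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Separator between store names in SSLCLIENTCERTSEARCHCRITERIA: the thread's
# payload percent-encodes it as %EF%80%80, i.e. U+F000.
STORE_SEP = "\uf000"


def thumbprint(b64_der: str) -> str:
    """SHA-1 of the DER bytes as upper-case hex, the form Windows shows as a thumbprint."""
    return hashlib.sha1(base64.b64decode(b64_der)).hexdigest().upper()


def _parms(elem):
    """Map parm name -> value for the direct <parm> children of elem."""
    return {p.get("name"): p.get("value") for p in elem.findall("parm")}


def _store_certs(root):
    """{(store, location): [(thumbprint attribute, base64 value), ...]} from CertificateStore."""
    out = {}
    cs = root.find("characteristic[@type='CertificateStore']")
    for store in ([] if cs is None else cs.findall("characteristic")):
        for loc in store.findall("characteristic"):
            for cert in loc.findall("characteristic"):
                out.setdefault((store.get("type"), loc.get("type")), []).append(
                    (cert.get("type"), _parms(cert).get("EncodedCertificate")))
    return out


def check_provisioning_doc(xml_text: str) -> list:
    """Return human-readable findings; an empty list means the document is self-consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    certs = _store_certs(root)

    # 1. Each certificate characteristic must be named by the thumbprint of its own DER.
    for (store, loc), items in certs.items():
        for thumb, b64 in items:
            if b64 and not b64.startswith("{") and thumbprint(b64) != thumb.upper():
                findings.append(f"{store}\\{loc}: {thumb} is not the thumbprint of its EncodedCertificate")

    # 2. Flatten every Registry parm (all Registry characteristics, all keys) into one map.
    reg = {}
    for block in root.findall("characteristic[@type='Registry']"):
        for key in block.findall("characteristic"):
            reg.update(_parms(key))

    # 3. SslServerRootCertHash must name a certificate actually placed in Root\System.
    root_hash = reg.get("SslServerRootCertHash", "").upper()
    if root_hash and root_hash not in [t.upper() for t, _ in certs.get(("Root", "System"), [])]:
        findings.append(f"SslServerRootCertHash {root_hash} is not in Root\\System")

    # 4. SslClientCertHash must be placed in the store SslClientCertStore points to.
    client_hash = reg.get("SslClientCertHash", "").upper()
    client_store = unquote(reg.get("SslClientCertStore", ""))  # e.g. "My\System"
    store, _, loc = client_store.partition("\\")
    if client_hash and client_hash not in [t.upper() for t, _ in certs.get((store, loc), [])]:
        placed = [f"{s}\\{l}" for (s, l), items in certs.items() if client_hash in [t.upper() for t, _ in items]]
        findings.append(f"SslClientCertStore is {client_store} but {client_hash} is placed in {', '.join(placed) or 'no store'}")

    # 5. SslClientCertReference "Store;Location;Thumbprint" must agree with the two parms above.
    ref = reg.get("SslClientCertReference")
    if ref:
        parts = ref.split(";")
        if len(parts) != 3 or parts[0] != store or parts[1] != loc or parts[2].upper() != client_hash:
            findings.append(f"SslClientCertReference {ref} disagrees with SslClientCertStore/SslClientCertHash")

    # 6. The search criteria the client uses for TLS must cover the issued certificate.
    app = root.find("characteristic[@type='APPLICATION']")
    crit = _parms(app).get("SSLCLIENTCERTSEARCHCRITERIA") if app is not None else None
    if crit:
        fields = dict(part.split("=", 1) for part in crit.split("&"))
        if unquote(fields.get("Subject", "")) != reg.get("SslClientCertSubjectName", ""):
            findings.append("SSLCLIENTCERTSEARCHCRITERIA Subject differs from SslClientCertSubjectName")
        stores = [s.lower() for s in unquote(fields.get("Stores", "")).split(STORE_SEP)]
        if client_store.lower() not in stores:
            findings.append(f"SSLCLIENTCERTSEARCHCRITERIA Stores does not include {client_store}")
    return findings


# Constructed placeholders, NOT real certificates: the checker only hashes them.
ROOT_DER = b"constructed placeholder for the root CA certificate"
CLIENT_DER = b"constructed placeholder for the issued client certificate"
CLIENT_CN = "CN=00000000-0000-0000-0000-000000000000"  # placeholder device id


def build_sample_doc(client_location: str = "System", registry_location: str = "System") -> str:
    """Reduced, constructed wap-provisioningdoc containing only the parts the checker reads."""
    root_b64 = base64.b64encode(ROOT_DER).decode()
    client_b64 = base64.b64encode(CLIENT_DER).decode()
    root_tp, client_tp = thumbprint(root_b64), thumbprint(client_b64)
    subject = CLIENT_CN.split("=", 1)[1]
    return f"""<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore">
    <characteristic type="Root"><characteristic type="System">
      <characteristic type="{root_tp}"><parm name="EncodedCertificate" value="{root_b64}"/></characteristic>
    </characteristic></characteristic>
    <characteristic type="My"><characteristic type="{client_location}">
      <characteristic type="{client_tp}"><parm name="EncodedCertificate" value="{client_b64}"/></characteristic>
    </characteristic></characteristic>
  </characteristic>
  <characteristic type="APPLICATION">
    <parm name="APPID" value="w7"/>
    <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d{subject}&amp;Stores=MY%5CSystem%EF%80%80MY%5CUser"/>
  </characteristic>
  <characteristic type="Registry">
    <characteristic type="HKLM\\SOFTWARE\\Windows\\CurrentVersion\\MDM\\MachineEnrollment">
      <parm name="SslServerRootCertHash" value="{root_tp}" datatype="string"/>
      <parm name="SslClientCertStore" value="My%5C{registry_location}" datatype="string"/>
      <parm name="SslClientCertSubjectName" value="{CLIENT_CN}" datatype="string"/>
      <parm name="SslClientCertHash" value="{client_tp}" datatype="string"/>
    </characteristic>
    <characteristic type="HKLM\\Security\\Provisioning\\OMADM\\Accounts\\PLACEHOLDERACCOUNTID">
      <parm name="SslClientCertReference" value="My;{registry_location};{client_tp}" datatype="string"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""


if __name__ == "__main__":
    print("consistent:", check_provisioning_doc(build_sample_doc("System", "System")))
    print("mismatched:", check_provisioning_doc(build_sample_doc("User", "System")))
```

To run it against a real payload, read the file and pass its text to `check_provisioning_doc`; the thumbprint check assumes the EncodedCertificate values are base64 DER, and placeholder values in braces (as in the commented-out intermediate block above) are skipped.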