[WP 8.1] SCEP Enrollment Issues

  • Question

  • I am currently running into an issue with the SCEP Enrollment process where the device fails to respond after the GetCACaps request. Polling the SCEP command for an error returns the CRYPT_E_ASN1_BADTAG error code. It is unclear what would be causing this as the cert the SCEP server is handing the device is the same cert that works with iOS. Any information or ideas as to what is causing this error would be extremely helpful.

    Thumbprint generation:

    require 'digest'   # ssl_ca_cert is the CA certificate object (OpenSSL::X509::Certificate)
    Digest::SHA1.hexdigest(ssl_ca_cert.to_der)   # SHA-1 over the DER encoding, lower-case hex

    Cert sent during GetCACert:

    -----BEGIN CERTIFICATE-----
    MIIC/jCCAeagAwIBAgIEU/4/MDANBgkqhkiG9w0BAQsFADAtMRswGQYDVQQDDBJT
    Q0VQIENBIGZvciBFcmljIFcxDjAMBgNVBAsMBTUyNjA3MB4XDTE0MDgyNzIwMjIy
    OFoXDTI0MDgyNDIwMjIyOFowLTEbMBkGA1UEAwwSU0NFUCBDQSBmb3IgRXJpYyBX
    MQ4wDAYDVQQLDAU1MjYwNzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    ANLZhaLjRfvcBDOOhnzXjSNCyqpxYf0TsD5sjzP4+yAlc9rAj+nfixTp78zXidxL
    LeIPcXviXJlbMCtLFyN2NTHNV6i0R5kReJ0WTkotLBEjZbcj4RlWIl8dMVj937IV
    nNO7nICE7Mt6XV59+IWId15yC+fsJVOp7Mkzo70K7kXFrXQ/bTWm4kZeRtEXadWU
    GSg7ZLemDbguEtfLU9NobGnsm2aVskt/11n8k9sa7MUNP2JttkJV+WSNIpiTP0os
    FNXzYkmM+Sv0LXPuugC1fjWRlvJxgfWgLcRMG7tf4XJMrMLo9c6lhRYUCPn5Asz5
    PcAX2y6nVZuHL6mMIxoVhPcCAwEAAaMmMCQwEgYDVR0TAQH/BAgwBgEB/wIBADAO
    BgNVHQ8BAf8EBAMCAoQwDQYJKoZIhvcNAQELBQADggEBAJMAv4VAECgYNLBZg74k
    CBkCNOXWD0gJSFgjvqH2EeOYXprzM1l6wmJgQdq23gSi6N4XPA+VzNcZLpw23Qcr
    QTGLrk20JsLtIwk0lzQufnB6MuXah9n3/lS0dsG6kmcXUBdnLrvuq5S9Vt3GOBNF
    YOaEbhFURpEffXF6OLa/CM6AutY8uo9H82yg9yKFJu8Ho261zI/MggCytkdrDe9O
    p9DkvPJaRdN5ozHzy6u1Q70awGAFNSe40DZKDtgZDWXnS7pj+lFWvHyGms928HE7
    orXIhcMoJ+bCxjtDJb2FOluk0U77nAwdJ07HgIeNidKbsKdz/sgblCyleUuszvQJ
    VXU=
    -----END CERTIFICATE-----

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1409171248 (0x53fe3f30)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=SCEP CA for Eric W, OU=52607
            Validity
                Not Before: Aug 27 20:22:28 2014 GMT
                Not After : Aug 24 20:22:28 2024 GMT
            Subject: CN=SCEP CA for Eric W, OU=52607
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:d2:d9:85:a2:e3:45:fb:dc:04:33:8e:86:7c:d7:
                        8d:23:42:ca:aa:71:61:fd:13:b0:3e:6c:8f:33:f8:
                        fb:20:25:73:da:c0:8f:e9:df:8b:14:e9:ef:cc:d7:
                        89:dc:4b:2d:e2:0f:71:7b:e2:5c:99:5b:30:2b:4b:
                        17:23:76:35:31:cd:57:a8:b4:47:99:11:78:9d:16:
                        4e:4a:2d:2c:11:23:65:b7:23:e1:19:56:22:5f:1d:
                        31:58:fd:df:b2:15:9c:d3:bb:9c:80:84:ec:cb:7a:
                        5d:5e:7d:f8:85:88:77:5e:72:0b:e7:ec:25:53:a9:
                        ec:c9:33:a3:bd:0a:ee:45:c5:ad:74:3f:6d:35:a6:
                        e2:46:5e:46:d1:17:69:d5:94:19:28:3b:64:b7:a6:
                        0d:b8:2e:12:d7:cb:53:d3:68:6c:69:ec:9b:66:95:
                        b2:4b:7f:d7:59:fc:93:db:1a:ec:c5:0d:3f:62:6d:
                        b6:42:55:f9:64:8d:22:98:93:3f:4a:2c:14:d5:f3:
                        62:49:8c:f9:2b:f4:2d:73:ee:ba:00:b5:7e:35:91:
                        96:f2:71:81:f5:a0:2d:c4:4c:1b:bb:5f:e1:72:4c:
                        ac:c2:e8:f5:ce:a5:85:16:14:08:f9:f9:02:cc:f9:
                        3d:c0:17:db:2e:a7:55:9b:87:2f:a9:8c:23:1a:15:
                        84:f7
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
                X509v3 Key Usage: critical
                    Digital Signature, Certificate Sign
        Signature Algorithm: sha256WithRSAEncryption
             93:00:bf:85:40:10:28:18:34:b0:59:83:be:24:08:19:02:34:
             e5:d6:0f:48:09:48:58:23:be:a1:f6:11:e3:98:5e:9a:f3:33:
             59:7a:c2:62:60:41:da:b6:de:04:a2:e8:de:17:3c:0f:95:cc:
             d7:19:2e:9c:36:dd:07:2b:41:31:8b:ae:4d:b4:26:c2:ed:23:
             09:34:97:34:2e:7e:70:7a:32:e5:da:87:d9:f7:fe:54:b4:76:
             c1:ba:92:67:17:50:17:67:2e:bb:ee:ab:94:bd:56:dd:c6:38:
             13:45:60:e6:84:6e:11:54:46:91:1f:7d:71:7a:38:b6:bf:08:
             ce:80:ba:d6:3c:ba:8f:47:f3:6c:a0:f7:22:85:26:ef:07:a3:
             6e:b5:cc:8f:cc:82:00:b2:b6:47:6b:0d:ef:4e:a7:d0:e4:bc:
             f2:5a:45:d3:79:a3:31:f3:cb:ab:b5:43:bd:1a:c0:60:05:35:
             27:b8:d0:36:4a:0e:d8:19:0d:65:e7:4b:ba:63:fa:51:56:bc:
             7c:86:9a:cf:76:f0:71:3b:a2:b5:c8:85:c3:28:27:e6:c2:c6:
             3b:43:25:bd:85:3a:5b:a4:d1:4e:fb:9c:0c:1d:27:4e:c7:80:
             87:8d:89:d2:9b:b0:a7:73:fe:c8:1b:94:2c:a5:79:4b:ac:ce:
             f4:09:55:75


    SyncML:

    <SyncML
        xmlns="SYNCML:SYNCML1.2">
        <SyncHdr>
            <VerDTD>1.2</VerDTD>
            <VerProto>DM/1.2</VerProto>
            <SessionID>13B</SessionID>
            <MsgID>8</MsgID>
            <Target>
                <LocURI>IMEI:353048061957769</LocURI>
            </Target>
            <Source>
                <LocURI>https://ericw.ios-devel.test.com/windows_mdm/manage?org=52607</LocURI>
            </Source>
        </SyncHdr>
        <SyncBody>
            <Status>
                <CmdID>1</CmdID>
                <MsgRef>8</MsgRef>
                <CmdRef>0</CmdRef>
                <Cmd>SyncHdr</Cmd>
                <TargetRef>https://ericw.ios-devel.test.com/windows_mdm/manage?org=52607</TargetRef>
                <SourceRef>IMEI:353048061957769</SourceRef>
                <Data>212</Data>
            </Status>
            <Atomic>
                <CmdID>2</CmdID>
                <Add>
                    <CmdID>3</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">node
                            </Format>
                        </Meta>
                    </Item>
                </Add>
                <Add>
                    <CmdID>4</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/RetryCount</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">int
                            </Format>
                        </Meta>
                        <Data>3</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>5</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/RetryDelay</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">int
                            </Format>
                        </Meta>
                        <Data>10</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>6</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/KeyUsage</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">int
                            </Format>
                        </Meta>
                        <Data>160</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>7</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/KeyLength</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">int
                            </Format>
                        </Meta>
                        <Data>2048</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>8</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/HashAlgorithm</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">chr
                            </Format>
                        </Meta>
                        <Data>SHA-1</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>9</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/SubjectName</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">chr
                            </Format>
                        </Meta>
                        <Data>CN=Eric</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>10</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/ValidPeriod</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">chr
                            </Format>
                        </Meta>
                        <Data>Years</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>11</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/ValidPeriodUnits</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">int
                            </Format>
                        </Meta>
                        <Data>1</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>12</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/EKUMapping</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">chr
                            </Format>
                        </Meta>
                        <Data>1.3.6.1.5.5.7.3.2+1.3.6.1.5.5.7.3.4</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>13</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/KeyProtection</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">int
                            </Format>
                        </Meta>
                        <Data>3</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>14</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/ServerURL</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">chr
                            </Format>
                        </Meta>
                        <Data>https://ericw.ios-devel.test.com/apple_mdm/scep_info/52607:182776</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>15</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/Challenge</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">chr
                            </Format>
                        </Meta>
                        <Data>123456ABCDEFG</Data>
                    </Item>
                </Add>
                <Add>
                    <CmdID>16</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/CAThumbprint</LocURI>
                        </Target>
                        <Meta>
                            <Format
                                xmlns="syncml:metinf">chr
                            </Format>
                        </Meta>
                        <Data>EA01A5E18ECFE62997BE9F16122C97D0BE3FFEAB</Data>
                    </Item>
                </Add>
                <Exec>
                    <CmdID>17</CmdID>
                    <Item>
                        <Target>
                            <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1445295067/Install/Enroll</LocURI>
                        </Target>
                    </Item>
                </Exec>
            </Atomic>
            <Final/>
        </SyncBody>
    </SyncML>



    Monday, October 19, 2015 11:53 PM

All replies

  • Same issue. WP8 doesn't go on after getCaCaps and when queried returns Status 16 (failed), ErrorCode -2147024883 (invalid data). No matter what. 
    Sunday, November 1, 2015 11:19 AM
  • OK, don't copy/paste your CAThumbprint from the Windows certificate information window / Details tab! Besides empty spaces and a "?" at the beginning, there are still some invalid character codes before the beginning. Visual Studio doesn't show them, Notepad++ doesn't show them in the generated XML; you need a hex editor plugin or something to see them. You can also detect them by pressing the left/right arrows on that spot: your cursor will not move. Weekend lost.
    Sunday, November 1, 2015 2:38 PM
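The two things this thread turns on are how the CAThumbprint is computed (the question's `Digest::SHA1.hexdigest(ssl_ca_cert.to_der)`) and the invisible characters that ride along when the value is pasted from a GUI (the second reply). The Ruby below is an added example, not code from either poster: it computes the thumbprint the same way the question does, exposes any non-hex characters in a pasted value as code points, strips them, and checks the result against the certificate the server actually returns from GetCACert. The helper names (`ca_thumbprint`, `hidden_characters`, `normalize_thumbprint`, `thumbprint_matches?`, `build_test_ca`) are this example's own, the self-signed CA is constructed for the demo, and the list of stripped code points (BOM, bidi and zero-width marks, non-breaking space) is an assumption about which hidden characters a GUI paste typically carries.

```ruby
require 'openssl'
require 'digest'

# Thumbprint as the CAThumbprint node expects it: SHA-1 over the DER encoding
# of the CA certificate, hex with no separators. Upper-cased here so the
# comparison below is case-insensitive.
def ca_thumbprint(cert)
  Digest::SHA1.hexdigest(cert.to_der).upcase
end

# List every character in a pasted thumbprint that is not a hex digit,
# whitespace or a colon, as U+XXXX code points. Invalid byte sequences are
# scrubbed to U+FFFD so they show up too. This makes the hidden characters
# the second reply describes visible without a hex editor.
def hidden_characters(raw)
  text = raw.dup.force_encoding('UTF-8').scrub
  text.each_char
      .reject { |c| c.match?(/\A[0-9a-fA-F\s:]\z/) }
      .map { |c| format('U+%04X', c.ord) }
end

# Assumption: these are the code points that hide in a GUI paste (BOM,
# left-to-right/right-to-left marks, zero-width space, non-breaking space).
HIDDEN_MARKS = /[\u{FEFF}\u{200E}\u{200F}\u{200B}\u{00A0}]/

# Normalize a pasted thumbprint before putting it into the SyncML: drop the
# hidden marks, whitespace and colon separators, and refuse anything that is
# not exactly 40 hex digits. Returns nil on refusal.
def normalize_thumbprint(raw)
  text = raw.dup.force_encoding('UTF-8').scrub('')
  text = text.gsub(HIDDEN_MARKS, '').gsub(/[\s:]/, '')
  return nil unless text.match?(/\A\h{40}\z/)
  text.upcase
end

# Server-side check before sending the Atomic block: does the value the device
# will compare against match the certificate GetCACert hands out?
def thumbprint_matches?(cert, raw_thumbprint)
  normalized = normalize_thumbprint(raw_thumbprint)
  !normalized.nil? && normalized == ca_thumbprint(cert)
end

# Constructed self-signed CA with the same Basic Constraints and Key Usage as
# the certificate in the question. It stands in for ssl_ca_cert and is not the
# poster's certificate.
def build_test_ca
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Example SCEP CA/OU=test')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + 10 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE,pathlen:0', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyCertSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

if __FILE__ == $PROGRAM_NAME
  ca   = build_test_ca
  good = ca_thumbprint(ca)
  # Constructed paste imitating what a certificate details pane hands you:
  # a leading hidden mark, then space-separated lower-case byte pairs.
  pasted = "\u{200E}" + good.downcase.scan(/../).join(' ')
  puts "hidden characters: #{hidden_characters(pasted).inspect}"
  puts "normalized:        #{normalize_thumbprint(pasted)}"
  puts "matches CA:        #{thumbprint_matches?(ca, pasted)}"
end
```

Run `hidden_characters` on the exact string you are about to place in the `CAThumbprint` `<Data>` element; an empty array means the value is clean, anything else names the character that Visual Studio or Notepad++ will not show you. Keep the comparison against `cert.to_der` of the certificate the GetCACert endpoint serves, not against a copy exported elsewhere, so the thumbprint and the certificate cannot drift apart.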