Andreas
Mar 12th, 2009 at 5:06 pm
I’d follow the steps in this article: . Start out with the “Unable to Enroll Device in Domain” section.

with no luck. I am still holding out hope this can be done with a iPhone becuase I get the same website on my windows mobile emulated device that I do from a web brower on my iphone.

I have followed through all the steps but I seems to be having a problem connecting to the enrollment server from the mobile emulator. I came across a tool called EM IP Utility, installed it on the emulator and scaned it for assigned IP but the IP assigned to it is wrong. I have enabled the NE2000 PCMCIA network adapter and bind it to the VMWare Accelerated AMD PCNet Adapter.

Any reason why the emulator is not picking the IP address assigned to the server?

Assigned IP is 192.168.55.101
Expected IP is 192.168.10.xxx

When it fails during enrollment with an error like this the steps you should check are:
- You have a valid SSL certificate for the enrollment site. (Should be fixed during install but you never know.)
- If you don’t use mobileenroll.contoso.com as the address you will need to type it in manually on the device.
- The certificate will be checked so if you type in 192.168.x.y it will fail if the certificate isn’t issued to this name.
- Are you using multiple domain names and e-mail addresses? Always test using the primary address if you’re having problems.

Still no go? You could test the webservices on a desktop to see if you are eligible for enrollment.

“We are unable to localte a server successfully, but enrollment could not complete. Verify your e-mail address and enrollment password, and then try again.”

I’ve entered the information correctly..

When I go to enroll a device I receive the following:

Summary: 1 item(s). 0 succeeded, 1 failed.
Elapsed time: 00:00:00

Enrollment Data
Failed

Error:
You are not authorized to perform this action.

Mobile Device Manager Shell command attempted:
New-EnrollmentRequest -Owner ‘CN=Domain Username Removed,CN=Users,DC=domainname,DC=ca’ -Name ‘TouchPro2′ -Container ‘OU=SCMDM Managed Devices (ALLSOL),DC=domainname,DC=ca’

Elapsed Time: 00:00:00

—

BPA comes back with 4 warnings that are performance related (I’m setting the servers up in VMWware (SCMDM = 2003 x64 Enterprise / Cert Server on Server 2003 x86) such as low ram, disk space, and processor speed. Everything else has green checkmarks.

I’m running MDM Console as Aministrator and have ensured that account is part of the 5 crucial SCMDM groups and Domain Admins.

Provided you aren’t trying to run them both on port 443 or a similar conflict. The SSP can be run on a different port, but the enrollment site needs to run on port 443 for devices to be able to enroll. Port 8445 is for the admin part of it, and it is correct that some of the web service methods can only be run from localhost. I have another post detailing how the web services work, and how they can be used.

Are you running multiple MDM roles on a single box (like in my test scenario) or have you split the roles over different boxes? Are you running the DC and MDM on the same server? This may create access issues. I cannot remember any issues using the domain admin account for administrating the MDM servers as long as this account is also a member of the MDM groups. (Remember to logout and login for the membership to apply.) I usually attempt device enrollment with a normal user account though.

If I were to troubleshoot the issue I’d have a crack at the following steps:
- Check Event Viewer for any suspicious error messages.
- Check that you have the correct DNS entries. Records for mobileenroll, for the SSP, for MDM, etc. You can have multiple records pointing to the same IP address.
- Double check that certificates are installed, and are valid.
- Check IIS that the host names apply to the correct web site, the correct ports, and that there are no conflicts in the IIS setup.

If all is good you could attempt a repair install of the enrollment role.