Comments on: Enrolling Personal Certificates with SCMDM

By: Andreas

Andreas — Fri, 06 Nov 2009 17:27:43 +0000

Then you’re ready to roll

It’s no problem adding an option for disabling SSL. Obviously recommended to use SSL, but for debug purposes it could be useful.

I’ll add a checkbox and build a new version – hope to have it online later today or tomorrow.

By: Alex

Alex — Fri, 06 Nov 2009 12:37:43 +0000

Hi, Andreas.
I found a trouble – my CA wasn’t set to work with SSL. After I enable SSL and enroll certificate for web server your tools works fine. Thank you for your help.

P.S.
May you can add in DojoCert additional switch about using SSL?

By: Andreas

Andreas — Thu, 05 Nov 2009 22:45:17 +0000

Progress – that’s good.

1. This would be dependent on your AD setup – should probably work with all the formats you listed. You can check by opening https://ca-fqdn/certsrv in the browser on your desktop you’ll be prompted to authenticate. This would also flag any SSL errors.
2. Server can be either FQDN or IP, but make sure it matches the common name in your certificate. Usually SSL certificates aren’t issued to IP so FQDN is probably your best bet. Make sure the address is resolvable by the device.
3. My tool assumes you are using SSL. (NoSSL = 0)

Since it works building the xml, and my tool basically does the same thing, I’m not sure what it is. The settings you type into the xml are the same you should use in DojoCert. So the only difference is that SSL is optional in the XML.

By: Alex

Alex — Thu, 05 Nov 2009 11:00:13 +0000

Andreas,
Today I rename my .xml to _setup.xml as you wrote and now it’s work fine.
After that I clear my device by hard reset, install root certificate and your utility, try to get user certificate by DojoCert and receive an error
Can you answer on some of my questions:
1. Username – there must be only username, or domain\username, or username@domain?
2. Server – there must be FQDN, or IP is correct too? In xml IP is acceptable.
3. Does your tool by default work without SSL – I mean “NoSSL = 1″?

And thank you for your help one more time…

Alex

By: Alex

Alex — Wed, 04 Nov 2009 08:15:24 +0000

Many thanks for your help, Andreas! It’s very important for me.

I can’t right now make new tests, but I can see some of my mistakes:
1. My xml’s name is not _setup.xml before I start make cab
2. I was tried to enroll certificate only with NoSSL = 1
3. I think it would be better to reimport root certificate to device

Tomorrow I will try again and write here about my results.

By: Andreas

Andreas — Tue, 03 Nov 2009 18:19:08 +0000

The XML from bansky.net is ok, but keep in mind a few things:
- The quoute characters (“”) are often corrupted into a very similar quote sign when copying from a webpage to notepad. Make sure you have the correct quotes.
- The xml file should be called _setup.xml before you run makecab on it.
- When “NoSSL” is set to 1 the device will attempt to enroll over plain HTTP. A default install of an enterprise CA will not let you enroll without SSL. (Set NoSSL = 0.)
- You need to change the guid in the xml (and thus rebuild the cab) for each attempt.

I tested creating a cab like this, and it worked.

I was able to replicate your error with my own utility. If I try to enroll without the root certificate installed on my device I get the same error code.

After installing the root certificate it worked with both methods. If you have the root cert available as a .cer file I would recommend copying to the device and run it just to be sure.

By: Alex

Alex — Tue, 03 Nov 2009 14:09:06 +0000

Sorry, xml code was filtered, so I copy it one more time, but without “more than”&”less than”

wap-provisioningdoc
characteristic type=”BrowserFavorite”
characteristic type=”MSN Search”
parm name=”URL” value=”http://search.msn.com/”
/characteristic
/characteristic
/wap-provisioningdoc

By: Alex

Alex — Tue, 03 Nov 2009 14:01:52 +0000

P.S.
I try to enroll certificate from device using xml which described here:

http://bansky.net/blog/2008/11/enrolling-user-certificate-into-windows-mobile-over-the-air/

and make changes to IE on device using follow xml:

But none of them work CAB where made by makecab and signed by EM CAB Signing Utility. Root certificate is installed on device. Where can I make a mistake?

By: Alex

Alex — Tue, 03 Nov 2009 12:39:20 +0000

Andreas, Thanks for your help, but there is no any progress.
I was looked through logs and didn’t find anything interesting. After this I create new .xml file without username and password keys, make a .cab-file by makecab.exe and try to install it to device. The only thing I have is message “installation unsuccessful”. No any other errors or request (like name, password). May be you can recommend any step-by-step guides about .xml creation.

By: Andreas

Andreas — Tue, 03 Nov 2009 08:22:53 +0000

SCMDM SP1 will provision the root certificate during enrollment, but will remove on the first application of group policies if you haven’t included the root cert for distribution as part of the policy. If you can see certificate listed on the device you should be ok though.

The next part then is definitely looking at the CA to see if there’s any clues there.

You don’t need to know anything about OMA CP/DM to work with the xml above. If you manage to pack the xml into a cab/cpf file it should work. Are you getting any error on the device (other than “installation unsuccessful”)? You could try removing username/password from the xml as I have seen issues doing silent enrollments with the xml. The user will then be prompted to enter credentials when the xml executes. (Haven’t got my own source code accessible right now, but I believe I had to include a silent parameter when the user isn’t prompted for credentials.)