MDM Connect Now failed (-2147012851)

Answers

  • Hello,

    I installed the patch (http://support.microsoft.com/Default.aspx?kbid=951840) on an appropriate device and it's working now with SCMDM 2008 SP1.

    Without installing the patch on devices below Build 20757.1.4.0 I get the error message
    "Root certificate does not exist" even though I'm using SCMDM 2008 SP1.

    >>Devices above are working without installing the patch<<

    Is there also a SCMDM 2008 SP1 Gateway patch?

    Thank you & nice weekend

     

    Friday, June 25, 2010 12:24 PM

All replies

  • Hi ym81,

    This appears to be repeating over and over in your log:

    2009-01-13 10:14:16 omadmclient.exe: Establishing connection to https://mdm01.mobile.com:8443/MDM/TEE/Handler.ashx  
    2009-01-13 10:14:17 omadmclient.exe: [PID = 0x05a6b7f2] + Attempting to establish connection  
    2009-01-13 10:14:17 omadmclient.exe: [PID = 0x05a6b7f2] - Attempting to establish connection  
    2009-01-13 10:14:17 omadmclient.exe: Connection established.  
    2009-01-13 10:14:17 omadmclient.exe: [PID = 0x05a6b7f2] - Establishing connection  
    2009-01-13 10:14:17 omadmclient.exe: [PID = 0x05a6b7f2] + Transmitting package data  
    2009-01-13 10:14:17 omadmclient.exe: [PID = 0x05a6b7f2] + Initializing wininet  
    2009-01-13 10:14:17 omadmclient.exe: [PID = 0x05a6b7f2] - Initializing wininet  
    2009-01-13 10:14:17 omadmclient.exe: Additional headers sent to server = "Content-Type: application/vnd.syncml.dm+wbxml  
    Accept-Charset: UTF-8".  
    2009-01-13 10:14:18 omadmclient.exe: Failed sending an HTTP request to the server (0x80072f0d).  
    2009-01-13 10:14:18 omadmclient.exe: [PID = 0x05a6b7f2] - Transmitting package data FAILED (hr = 0x80072f0d

    So it looks like connectivity to https://mdm01.mobile.com:8443/MDM/TEE/Handler.ashx is there from the device. But I believe that the 0x80072f0d might have something to do with certificates.

    Is the VPNDiag tool showing any errors?
    Do you get a certificate warning when you try to pull up https://mdm01.mobile.com:8443/MDM/TEE/Handler.ashx on the internal network? Perhaps you can verify the web site certificate manually?

    |\\arco..
    Tuesday, January 13, 2009 4:31 AM
    Answerer
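
Added example, not part of the original thread: the HRESULT in the log above (0x80072f0d) and the signed number in the thread title (-2147012851) are the same 32-bit value, and its low word is WinINet error 12045, `ERROR_INTERNET_INVALID_CA`. The sketch below decodes HRESULTs found in omadmclient log lines and flags the WinINet certificate errors; the function names are hypothetical, and the third sample line is constructed.

```python
import re

# WinINet error codes (wininet.h) that indicate a TLS certificate problem.
WININET_CERT_ERRORS = {
    12037: "ERROR_INTERNET_SEC_CERT_DATE_INVALID",
    12038: "ERROR_INTERNET_SEC_CERT_CN_INVALID",
    12045: "ERROR_INTERNET_INVALID_CA",
    12057: "ERROR_INTERNET_SEC_CERT_REV_FAILED",
}
FACILITY_WIN32 = 7

# First two lines are from the log in this thread; the third is constructed.
SAMPLE_LOG = """\
2009-01-13 10:14:18 omadmclient.exe: Failed sending an HTTP request to the server (0x80072f0d).
2009-01-13 10:14:18 omadmclient.exe: [PID = 0x05a6b7f2] - Transmitting package data FAILED (hr = 0x80072f0d
2009-01-13 10:20:00 omadmclient.exe: Failed sending an HTTP request to the server (0x80072efd).
"""
HRESULT_RE = re.compile(r"\b0x([0-9a-fA-F]{8})\b")

def decode_hresult(value):
    """Split an HRESULT (signed or unsigned) into its fields."""
    value &= 0xFFFFFFFF  # -2147012851 and 0x80072F0D are the same 32 bits
    return {
        "hex": f"0x{value:08X}",
        "failure": bool(value >> 31),        # severity bit
        "facility": (value >> 16) & 0x7FF,   # 11-bit facility field
        "code": value & 0xFFFF,              # Win32/WinINet error code
    }

def cert_error_name(value):
    """Return the WinINet certificate error name, or None if it is not one."""
    h = decode_hresult(value)
    if h["failure"] and h["facility"] == FACILITY_WIN32:
        return WININET_CERT_ERRORS.get(h["code"])
    return None

def scan_log(text):
    """Return (timestamp, hresult_hex, cert_error_or_None) per failure HRESULT."""
    results = []
    for line in text.splitlines():
        for m in HRESULT_RE.finditer(line):
            value = int(m.group(1), 16)
            if value >> 31:  # skip PIDs and other non-failure hex values
                results.append((line[:19], decode_hresult(value)["hex"], cert_error_name(value)))
    return results

if __name__ == "__main__":
    for ts, hx, name in scan_log(SAMPLE_LOG):
        print(ts, hx, name or "not a certificate error")
```
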
  • Hi,
      The previous log was obtained when the device tried to connect to the DM server when it is connected to the internal network.

    When I tried to connect to Mobile VPN, the message for Current State is as follows:
    Disconnected
    Only your IT helpdesk or system administrator can resolve this problem.  The current Mobile VPN configuration is not valid.

    The VPN Diag tool shows:
    State: Disconnected
    Detail: Root certificate does not exist

    I checked the device details in the MDM admin console and saw that my device does have the CA root certificate in the Root/System Certificate store.

    It's funny that another device for the same user is able to connect to the DM server in the internal network.
    Tuesday, January 13, 2009 6:48 AM
  • ym81,

    From this and previous posts, I gather you have some devices working. You've got device wipe working, which means that some devices must be working. This leads me to ask "How many devices are affected?". If it's one, then I recommend you hard reset the device and start again.
    A while back, you were experimenting with "Remove Unmanaged certificates policy". Does this device have any of these policies assigned to it? Your device may have been set up correctly, and the policy correctly removed the essential root certificates. This may cause your issue.

    If the VPNDiag is telling you that "Root certificate does not exist" then believe it. Either the enrolment didn't complete, or the Root Certificate has been removed.

    Just to be complete, what CA architecture are you using ? Single CA / Intermediate CA ? and what Versions ?

    Cheers Wayne
    Airloom

    Tuesday, January 13, 2009 9:50 AM
    Moderator
  • I agree with Wayne's points.

    Just an additional thought since it seems to be certificate related. Does DNS resolve differently externally and internally? Does the certificate match the DNS name? And is the certificate issued to the FQDN or just the host name?
    Tuesday, January 13, 2009 11:07 AM
  • ym81 said:

    The VPN Diag tool shows:
    State: Disconnected
    Detail: Root certificate does not exist


    I have seen this before. Are you using a Windows 2008 Server as your Root CA?

    If so, please install this .CAB file patch on your Windows Mobile device and see if the VPN Diag error message is resolved:
    http://support.microsoft.com/Default.aspx?kbid=951840
    You don't need to install the server side patch if you are running MDM 2008 SP1.

    You will need to install this patch on any device below 6.1.4 (Build 20757.1.4.0) before you can manage them.

    Cheers,

    |\\arco..
    Tuesday, January 13, 2009 4:58 PM
    Answerer

  • Wayne Phillips. said:

    ym81,

    From this and previous posts, I gather you have some devices working. You've got device wipe working, which means that some devices must be working. This leads me to ask "How many devices are affected?". If it's one, then I recommend you hard reset the device and start again.
    A while back, you were experimenting with "Remove Unmanaged certificates policy". Does this device have any of these policies assigned to it? Your device may have been set up correctly, and the policy correctly removed the essential root certificates. This may cause your issue.

    If the VPNDiag is telling you that "Root certificate does not exist" then believe it. Either the enrolment didn't complete, or the Root Certificate has been removed.

    Just to be complete, what CA architecture are you using ? Single CA / Intermediate CA ? and what Versions ?

    I am using Windows server 2003, single CA.  I recently installed SP1.

    I am doing testing in my lab when I encountered this.  It's easy to do a hard reset when I am testing the device.  But when the device is deployed to the user and if this happens, doing a hard reset will be the last resort because of the inconvenience it will cause the user.  That is why I am trying to understand and troubleshoot these situations that may affect the user experience.

    The policy for removing unmanaged root certificates is not enabled.  Question:  If I enabled the removal of unmanaged root certificates, will my own CA root certificates be removed?  Is this CA root certificate which is provisioned during enrollment also considered as "unmanaged"?

    I will try to do another provision for another device of the same model and see whether it happens again before I pass it off as a one-off issue.

    Thanks to all suggestions!




    Wednesday, January 14, 2009 1:41 AM
  • ym81,

    Happy to help with the troubleshooting... I was trying to ascertain whether this is a server wide issue. It seems to be user specific so I will not suggest rebuilding anything... just yet ;-)


    ym81 said:

    The policy for removing unmanaged root certificates is not enabled.  Question:  If I enabled the removal of unmanaged root certificates, will my own CA root certificates be removed?  Is this CA root certificate which is provisioned during enrollment also considered as "unmanaged"?



    It will remove ALL certificates from the certificate stores. I've tried... It wasn't pretty. It seems that all certificates are "unmanaged". I originally thought that my Root CA would be classed as managed, but my testing proved otherwise. This behaviour may have changed in recent WM 6.1 builds, but to the best of my knowledge it hasn't. You can manage this with CPF and CAB files.
    It even removed my client certificate. No way back from that.

    In my very lazy opinion it is a one-off issue. More importantly, the expectation should be that these devices are disposable. Not in a financial or environmental way... but in an enrolment and security way. Easy to set up, stress free to lose.

    Back to the troubleshooting... One of the first steps during device enrolment is Root CA negotiation, which deploys the correct Root CA to the device. So I think the Root CA was removed somehow. My thought is a rogue policy.
    Have you tried manually adding the Root Certificates back onto the device ? I recommend creating a CAB file to deploy your Root Certificate to all Certificate Stores. Try that see if it helps.

    Cheers Wayne
    Airloom
    Wednesday, January 14, 2009 3:50 AM
    Moderator
  • Hi,

      I realised I have this problem when I set my password policy to "Strong".  This does not happen when I set it to "PIN".

      I enrolled fresh devices and emulators before and after the password policy changes to confirm this.

      Does anybody else have this problem?

    Thursday, January 29, 2009 5:50 AM
  • ym81,

    So to recap, if you set your PIN to strong, you can’t connect to the VPN… and The VPN Diag tool shows : Root certificate does not exist ?
    What happened when you tried to do another provision for another device of the same model ? Did it fail ? 

    Cheers Wayne
    Airloom

    Thursday, January 29, 2009 6:07 AM
    Moderator
  • Hi Wayne,

      I did not check the VPN diag tool this time.  This was what happened when I was using the WM 6.1.4 professional emulator.  I notice this happens on my HTC Tytn 2 also. 

      However, when I try to reproduce the problem after reading your post, I found that it does not happen now.

      I will monitor this and feedback here if the problem happens again.

      Thanks.

    Thursday, January 29, 2009 7:42 AM
  • This has happened again on my HTC Tytn 2.

    Same problem: Root certificate does not exist

    I was happily doing many successful Mobile VPN and MDM connect now when after 1 particular soft reset (I have done many soft resets before this), this problem arises.  I did not make any changes to the policy once the device is enrolled.

    This problem seems to happen on my devices when I have Strong PIN enabled.  Not sure whether there is any link.




     
    Tuesday, February 03, 2009 9:41 AM
  • You probably have one of the certificate policies set to remove certificates. Uncheck the policy.

    Cheers Wayne
    Airloom
    Thursday, January 14, 2010 12:37 AM
    Moderator