Device Enrollment Fails After You Type a Password
-
Wednesday, June 25, 2008 11:40 AM
Hi,
Using a virtual setup of the SCMDM environment on an internal network. We are receiving an Enroll error message just after the password is entered: "Unable to enroll this device in the company domain." "Contact the system administrator for assistance." Having tried various troubleshooting measures and looked through the log files on the device, there seems to be an issue with the server bootstrapping.
2008-06-25 12:26:08 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment Initial State Manager: UI State = 8
2008-06-25 12:26:08 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Enrollment Processing
2008-06-25 12:26:09 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Server Bootstrapping
2008-06-25 12:26:11 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment: Server Bootstrapping: Failed to bootstrap server, hr = 0x80072f06
2008-06-25 12:26:11 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment: Server Bootstrapping, Return Value = 1
2008-06-25 12:26:11 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Server Bootstrapping failed, hr = 0x80072f06
Would anyone have an idea what the issue may be here? We can successfully browse to the enrollment webpage from the device.
Also, when I access https://<enrollmentservername>/enrollmentserver/service.asmx?op=ShouldEnroll:
In the Version box, type 1.0.0.
In the Owner Identity box, type my user name.
Choose Invoke.
I receive the error message: "The page cannot be displayed because the website cannot be authenticated"
Any info greatly appreciated!
Ronan
- Edited by Ronan909 Wednesday, June 25, 2008 12:38 PM Updated
All Replies
-
Wednesday, June 25, 2008 12:22 PM
The main thing that is done during the bootstrapping is provisioning the Root CA certificate to the device.
It is however difficult to say from the enclosed logs what the cause could be. I would start with running the Best Practices Analyzer (Download: SCMDM2008 - Best Practices Analyzer), and see if it finds any errors in the setup.
-
Wednesday, June 25, 2008 2:21 PM Answerer
Hi!
How did you generate the cert? The error looked familiar so I did a Goog^h^h^h^h Live Search on it and it'll come up on ActiveSync if you're using a wildcard certificate. It'll also come up if there's a mismatch between the common name used in the cert and the name it's resolving to.
HTH, best, Pat.
Mobility Architect, Enterprise Mobile
-
Thursday, June 26, 2008 4:22 PM
Hi,
Thanks for the responses.
I think the issue is with our certificate names. We also need to get a correct DNS name for our enrollment server as opposed to an IP address. We are carrying out a full re-install so hopefully this will solve the problem.
Ronan
- Proposed As Answer by Patrick Salmon (Editor) Thursday, June 26, 2008 4:36 PM
- Marked As Answer by Patrick Salmon (Editor) Monday, July 07, 2008 8:26 PM
-
Thursday, June 26, 2008 4:36 PM Answerer
You shouldn't need to do a full reinstall, but if that's where you're most comfortable then go for it.
Otherwise you can regenerate the cert using the MDMCert utility.
And yes, you're right. IP addresses won't work. Been there, done that, got the t-shirt.
best, Pat.
Mobility Architect, Enterprise Mobile
- Marked As Answer by Patrick Salmon (Editor) Monday, July 07, 2008 8:26 PM
-
Wednesday, July 23, 2008 3:58 AM
Hi,
I got the error "Unable to enroll the device in the company domain. Contact the system administrator for assistance."
I used the "Get-EnrollmentServiceLog > C:\enrollmentlog.txt" and extracted the following error:
OperationType: bootstrapping
HResult: -2146959355
Message: MissingConfiguration
OwnerIdentity; Anonymous
Description: Bootstrapping failed for device: . Error message: Missing Configuration.
I also saw event 2002 in the event logs.
Where do I need to fix?
Thanks.
-
Wednesday, July 23, 2008 8:21 AM
I forgot to turn on the CA, which is on a VM. Now enrollment is okay.
-
Thursday, August 07, 2008 12:49 PM
Hello,
We also get the same error: Server Bootstrapping: Failed to bootstrap server, hr = 0x80072f06.
When I used the MDMCert utility I used the following command:
MDMcert.exe /install /endpoint:ens /website:Enrollment /subject:twime001 /ca:twica001.dr.corp\CA
twime001 = Enrollment server
twica001 = CA server
CA = CA instance name
Or do I need to fill in the FQDN?
-
Thursday, August 07, 2008 8:51 PM
Hi Tim,
You should use the FQDN of the Enrollment Server as the subject in MDMcert.exe /install /endpoint:ens /website:Enrollment /subject:twime001 /ca:twica001.dr.corp\CA
I would suggest running the BPA first, checking both Pre-Deployment and Post-Deployment, to identify whether there is some issue. You can download the BPA from
http://www.microsoft.com/downloads/details.aspx?FamilyId=EC5EEDEA-7741-4D1B-ABA8-A5181847FAD3&displaylang=en
Arvind Maurya
-
Thursday, August 21, 2008 8:39 AM
And another one from this error family:
2008-08-18 13:34:08 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Enrollment Processing
2008-08-18 13:34:08 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment Initial State Manager: UI State = 7
2008-08-18 13:34:08 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Passcode Entry
2008-08-18 13:34:30 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Passcode Entry
2008-08-18 13:34:31 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment Initial State Manager: UI State = 8
2008-08-18 13:34:31 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Enrollment Processing
2008-08-18 13:34:31 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Server Bootstrapping
2008-08-18 13:34:33 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Device Certificate Installation
2008-08-18 13:34:34 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Device Certificate Installation
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment: Server Bootstrapping: Failed to enroll device in domain, hr = 0x80072f0d
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment: Server Bootstrapping, Return Value = 1
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Server Bootstrapping failed, hr = 0x80072f0d
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Enrollment Processing
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment Initial State Manager: UI State = 9
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Enrollment Error
2008-08-18 13:34:43 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Enrollment Error failed, hr = 0x80072f0d
2008-08-18 13:34:43 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment Initial State Manager failed, hr = 0x80072f0d
2008-08-18 13:34:43 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: State Manager failed, hr = 0x80072f0d
2008-08-18 13:34:43 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment failed, hr = 0x80072f0d
On the device the same error as above:
"Unable to enroll the device in the company domain. Contact the system administrator for assistance."
-
Thursday, August 21, 2008 9:57 AM
Spiridon said:
And another one from this error family:
2008-08-18 13:34:08 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Enrollment Processing
2008-08-18 13:34:08 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment Initial State Manager: UI State = 7
2008-08-18 13:34:08 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Passcode Entry
2008-08-18 13:34:30 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Passcode Entry
2008-08-18 13:34:31 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment Initial State Manager: UI State = 8
2008-08-18 13:34:31 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Enrollment Processing
2008-08-18 13:34:31 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Server Bootstrapping
2008-08-18 13:34:33 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Device Certificate Installation
2008-08-18 13:34:34 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Device Certificate Installation
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment: Server Bootstrapping: Failed to enroll device in domain, hr = 0x80072f0d
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment: Server Bootstrapping, Return Value = 1
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Server Bootstrapping failed, hr = 0x80072f0d
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Enrollment Processing
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment Initial State Manager: UI State = 9
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE:+Machine Enrollment: Enrollment Error
2008-08-18 13:34:43 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Enrollment Error failed, hr = 0x80072f0d
2008-08-18 13:34:43 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment Initial State Manager failed, hr = 0x80072f0d
2008-08-18 13:34:43 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: State Manager failed, hr = 0x80072f0d
2008-08-18 13:34:43 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment failed, hr = 0x80072f0d
On the device the same error as above:
"Unable to enroll the device in the company domain. Contact the system administrator for assistance."
0x80072f0d is an error that can occur in ActiveSync when there is a problem with the certificate. (Usually when you're using self-signed on the Exchange box, or an incorrectly configured ISA server.)
Have you tried the suggestions above? Do you have the results/logs? As previously mentioned you should try running the BPA as well to check your environment.
Is your CA a sub-CA of another enterprise CA, or is it a separate CA just for the SCMDM deployment?
-
Thursday, August 21, 2008 11:30 AM
I found myself that this error code can be googled around the topic "activesync", but that's not my problem:
- The error occurs while trying to enroll the device, after entering the enrollment password
- BPA isn't able to scan the Enrollment or Device Management (same machine) servers; "unable to scan" is the exact error message, regardless of whether we use the BPA on the server or on a workstation
- The logfile has been generated with MDMConnectnow and can be provided (an extract has been posted)
- CA is a sub-CA of another enterprise CA (from D-Trust)
- Gateway Server Fix KB951840 has been deployed on the Gateway Server and the device.
-
Thursday, August 21, 2008 11:54 AM
Yes, I expect your browser provides the same Google results as mine :) The errors usually apply to other scenarios as well on Windows Mobile even though ActiveSync is not the issue here. Many of the underlying SSL issues will have the same error code.
I wouldn't know why BPA isn't able to run, or if that is related to the enrollment issue...
I don't know how clever the enrollment process is in SCMDM but it needs to provision the root CA certificate for the chain to be complete (I believe the chain is verified before the actual enrollment is performed). So just to rule this out you could try manually installing the root CA cert on the device before you retry the enrollment.
-
Thursday, August 21, 2008 12:40 PM Answerer
Because you have a >1 tier PKI, in addition to the Root cert being in the trusted root store, the issuing CA's cert has to be installed in the Intermediate Root CA Store. If you don't do that then the chain of trust is broken. That would explain one part of the errors you're seeing.
I don't have a clue as to why BPA isn't running, either.
Pat.
Mobility Architect, Enterprise Mobile
-
Thursday, August 21, 2008 2:46 PM
Andreas Helland said:
I don't know how clever the enrollment process is in SCMDM but it needs to provision the root ca certificate for the chain to be complete (I believe the chain is verified before the actual enrollment is performed). So just to rule this out you could try manually installing the root ca cert on the device before you retry the enrollment.
Tried with Root CA cert and SUB CA cert in device keystore before enrollment, same error.
I'll give up at this time and let MS look behind this, thanks for your help.
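
The two device-side codes in this thread, 0x80072f06 and 0x80072f0d, are WinINet certificate errors wrapped as HRESULTs (name mismatch and untrusted CA), which is why the replies point at the certificate subject and the CA chain. The following is an added example, not code from any poster or from Microsoft, that decodes every hr/HResult value in such a log; the function names are illustrative and the sample lines are constructed in the thread's log format.

```python
import re

# WinINet certificate errors; they appear as HRESULTs with the Win32 facility (7).
WININET_CERT_ERRORS = {
    12037: ("ERROR_INTERNET_SEC_CERT_DATE_INVALID", "certificate expired or not yet valid"),
    12038: ("ERROR_INTERNET_SEC_CERT_CN_INVALID", "certificate name does not match the host name used"),
    12045: ("ERROR_INTERNET_INVALID_CA", "certificate chain does not end in a CA the client trusts"),
}
FACILITY_WIN32 = 7

# Exactly 8 hex digits, so a value fused to the next timestamp is still read correctly.
HR_RE = re.compile(r"\b(?:hr|HResult)\s*[=:]\s*(0x[0-9a-fA-F]{8}|-?\d+)")

def decode_hresult(text):
    """Split an HRESULT (hex, or signed decimal as the server log prints it) into fields."""
    value = (int(text, 16) if text.lower().startswith("0x") else int(text)) & 0xFFFFFFFF
    facility, code = (value >> 16) & 0x7FF, value & 0xFFFF
    name, hint = None, None
    if facility == FACILITY_WIN32:
        name, hint = WININET_CERT_ERRORS.get(code, (None, None))
    return {"hex": f"0x{value:08x}", "facility": facility, "code": code,
            "name": name, "hint": hint}

def summarize(log_text):
    """Return each distinct HRESULT in the log once, in order of first appearance."""
    seen, out = set(), []
    for raw in HR_RE.findall(log_text):
        d = decode_hresult(raw)
        if d["hex"] not in seen:
            seen.add(d["hex"])
            out.append(d)
    return out

# Constructed sample in the format of the logs quoted in this thread.
SAMPLE_LOG = """\
2008-06-25 12:26:11 MACHINEENROLLERLAUNCH.EXE: Machine Enrollment: Server Bootstrapping: Failed to bootstrap server, hr = 0x80072f06
2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Server Bootstrapping failed, hr = 0x80072f0d2008-08-18 13:34:35 MACHINEENROLLERLAUNCH.EXE:-Machine Enrollment: Enrollment Processing
HResult: -2146959355
"""

if __name__ == "__main__":
    for d in summarize(SAMPLE_LOG):
        print(d["hex"], d["facility"], d["code"],
              d["name"] or "(not a WinINet certificate error)", d["hint"] or "")
```

A code that decodes to facility 7 with no entry in the table is still a Win32 error; only the three certificate-related WinINet values are named here.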

