Self Service Portal

  • Question

  •  Hi,

    A while ago we were able to install the ES, DM and the SSP on one test server, and it all functioned well. (Although I have read the advice not to install this all on one server).
     
    After a reinstall we are not able to get the SSP functioning as it did.  When trying to open the devicelist page SSP displays "error, An error has occurred. Your system administrator will be notified with an error report.
    Error information: An administrative error has occurred. See your system administrator or retry your request later."
    I am suspecting an access rights issue but up till now I was not able to solve this issue.  
    Any ideas?

    Roelof Vredeveld

    Monday, June 23, 2008 3:12 PM

All replies

  •  What about the IIS logs on the server hosting the site? Are there any 401s or similar in the IIS logs?
    Monday, June 23, 2008 10:26 PM
  • Ah. Looks like you just stumbled on the reason why MS don't recommend this route <g>.
     
    If you haven't already done so, add another IP address dedicated to the SSP instance. Am not 100% sure since I haven't tried it but IIRC it's conflicting with either the default website or enrollment. Giving it its own IP will make this go away.

    best, Pat
    Mobility Architect, Enterprise Mobile
    Monday, June 23, 2008 10:43 PM
    Answerer
  •  We have received your message. We will review it and follow up with an answer within the next few days.
    Tuesday, June 24, 2008 12:17 AM
  • Self Service Portal has a log file where more details are provided about the errors.
    The file is SelfServiceLog.txt in App_Data folder of the web site.
    Please let us know if the information in there is not sufficient to solve the problem.
    Tuesday, June 24, 2008 1:41 AM
  •  

    First, thanks for your replies.
    We are going to take the SSP away from the ES/DM and install it on a separate server.

    Since it is still odd that at first we had no problems I still would like to know about this issue. Therefore you find requested information below: 

    IIS log SSP website shows the following entries in sequence shown:
    - on "get  /pages/devicelist.aspx"
       401 2 2148074254
       401 1
       401 1 2148074252
       401 1 0 
    - on "GET /pages/devicelist.aspx <domain>\<adminid>"
       200 0 0
    - on "GET /App_Themes/SmokeAndGlass/SmokeAndGlass.css <domain>\<adminid>"
       304 0 0
    - on "GET /WebResource.axd d=<identifier1> <domain>\<adminid>"
       200 0 0
    - on "GET /favicon.ico <domain>\<adminid>"
       404 0 2

    IIS log website EnrollmentAdmin shows the following entries:
    - on "POST /MDM/EnrollmentAdminService/Admin.asmx"
       401 2 2148074254
       401 1 0
       401 1 2148074252

    IIS log website MobileDevicemanager Admin shows the following sequence:
    - on "POST /MDM/WipeService/Admin.asmx"
       401 2 2148074254
       401 1 0
    - on "POST /MDM/WipeService/Admin.asmx <domain>\<server>$"
       200 0 0
    - on "POST /MDM/AdminService/Admin.asmx"
       401 2 2148074254
       401 1 0
    - on "POST /MDM/AdminService/Admin.asmx <domain>\<server>$"
       200 0 0


    SSP logfile:
    <event>
    <time_utc>128587707893750000</time_utc>
    <time>6/24/2008 8:46:29 AM 375</time>
    <user>"domain"\"adminid"</user>
    <sessionid>ollwdlnjibuypc55a5yqotuv</sessionid>
    <type>Microsoft.Mobile.ManagementServices.SelfServicePortal.SelfServiceWebEvent</type>
    <message>ASP.pages_devicelist_aspx/GridViewDevices_OnDataBound error: Error contacting server https://mobileenroll.%22domain%22:8445/MDM/EnrollmentAdminService/Admin.asmx: The request failed with HTTP status 401: Unauthorized.</message>
    <code>100001</code>
    </event>


    Tuesday, June 24, 2008 9:19 AM
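
An added example, not part of the original post: a small parser that decodes the `sc-status sc-substatus sc-win32-status` triples quoted above and reports requests whose 401 challenges are never followed by an authenticated response. The sample log is constructed from the sequences in the post, merged into one file with an assumed `#Fields` layout and placeholder account names.

```python
# Standard Windows codes that appear in the sc-win32-status column.
WIN32 = {
    0: "ERROR_SUCCESS",
    2: "ERROR_FILE_NOT_FOUND",
    0x8009030C: "SEC_E_LOGON_DENIED",    # 2148074252
    0x8009030E: "SEC_E_NO_CREDENTIALS",  # 2148074254
}

# Constructed sample: date, time and account names are placeholders.
SAMPLE_LOG = r"""#Fields: date time cs-method cs-uri-stem cs-username sc-status sc-substatus sc-win32-status
2008-06-24 08:46:29 GET /pages/devicelist.aspx - 401 2 2148074254
2008-06-24 08:46:29 GET /pages/devicelist.aspx - 401 1 0
2008-06-24 08:46:29 GET /pages/devicelist.aspx DOMAIN\adminid 200 0 0
2008-06-24 08:46:29 POST /MDM/EnrollmentAdminService/Admin.asmx - 401 2 2148074254
2008-06-24 08:46:29 POST /MDM/EnrollmentAdminService/Admin.asmx - 401 1 0
2008-06-24 08:46:29 POST /MDM/EnrollmentAdminService/Admin.asmx - 401 1 2148074252
2008-06-24 08:46:29 POST /MDM/WipeService/Admin.asmx - 401 2 2148074254
2008-06-24 08:46:29 POST /MDM/WipeService/Admin.asmx - 401 1 0
2008-06-24 08:46:29 POST /MDM/WipeService/Admin.asmx DOMAIN\SERVER$ 200 0 0
2008-06-24 08:46:30 GET /favicon.ico DOMAIN\adminid 404 0 2
"""

def parse_w3c(text):
    """Yield one dict per request, named by the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def unresolved_auth(records):
    """Map (method, uri) -> last 401 seen, for requests that were challenged
    but never completed with an authenticated non-error response."""
    last_401, resolved = {}, set()
    for r in records:
        key = (r["cs-method"], r["cs-uri-stem"])
        status = int(r["sc-status"])
        if status == 401:
            code = int(r["sc-win32-status"])
            last_401[key] = "401.%s %s" % (r["sc-substatus"],
                                           WIN32.get(code, hex(code)))
        elif status < 400 and r["cs-username"] != "-":
            resolved.add(key)
    return {k: v for k, v in last_401.items() if k not in resolved}

if __name__ == "__main__":
    for (method, uri), why in unresolved_auth(parse_w3c(SAMPLE_LOG)).items():
        print(method, uri, "->", why)
```

A 401.2 followed by 401.1 and then a 200 with a user name is the normal Integrated Windows Authentication handshake; on this sample only the EnrollmentAdminService call ends in a logon denial, which lines up with the 401 recorded in the SSP log.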
  • From the log file it looks like EnrollmentServer can't be contacted. Make sure that EnrollmentServer is up. If it is up, it might be that the FQDN is not right or the SSL certificate is missing or issued for the wrong FQDN. You can check those things by taking a look at the EnrollmentAdmin web service under IIS. Open the properties dialog and under the Directory Security tab check that the certificate is issued correctly.
    I will ask someone from EnrollmentServer to follow up.
    • Edited by Luc [MSFT] Tuesday, June 24, 2008 7:54 PM
    Tuesday, June 24, 2008 7:52 PM
  • IIS 6 can only bind 1 certificate to a specific combination of IP address & port. Which means that if you want to use multiple certificates on the same IIS server then you need to either assign different ports, or assign multiple IP addresses to the NIC.

    The enrollmentserver needs to run the "Enrollment" web site on port 443. (I'm guessing that the client is not only by default coded to look up mobileenroll.domain.com as the address, but specifically port 443 - which would make sense from a firewall point of view as well). You can specify that the self service portal should run on a different port, and it shouldn't be a problem (have tested in my lab environment). But when the point of a portal like this is self service it is more intuitive for users to type in selfservice.domain.com in their browser than https://selfservice.domain.com:xxx.

    If you're using an ISA server in front this does not have to be an issue, but if not you have to design a workaround or install a second web server.

    I also found during testing that you need to get the DNS pointers matching the FQDN of the SSL certificate. Although mobileenroll.domain.com:xxx/selfserviceportal and selfservice.domain.com:xxx resolve to the same IP and should functionally be the same, I only got it working when using the "proper" name. (A certificate warning is displayed, but I can dismiss that, type in credentials, and it still would not work.)

    As far as I know you have to use different certificates for the enrollment site, and the self service site. (Correct me if there is a workaround for this and I'm wrong.)
    Tuesday, June 24, 2008 9:57 PM
  • Luc [MSFT] said:

    From the log file it looks like EnrollmentServer can't be contacted. Make sure that EnrollmentServer is up. If it is up, it might be that the FQDN is not right or the SSL certificate is missing or issued for the wrong FQDN. You can check those things by taking a look at the EnrollmentAdmin web service under IIS. Open the properties dialog and under the Directory Security tab check that the certificate is issued correctly.
    I will ask someone from EnrollmentServer to follow up.

    The last time I got this error it was due to my SQL server which was down.
    The enrollment server was unable to join the SQL and all the cmdlets about Enrollment failed, of course.
    And I got this error on the devicelist page but the other tabs could be browsed.

    After rebooting IIS on enrollment server, all was ok.

    Wednesday, June 25, 2008 3:31 PM