Web Services Auto Enrollment with Windows 10 and Windows Server 2012+

  • Question

  • Hi,

    We have implemented two web services server endpoints according to the MS-WSTEP and MS-XCEP standards (Autoenrollment).

    This is to replace the IIS CEP and CES service with a third party CA.

    The CEP service works fine.

    The CES service always says WS_E_INVALID_FORMAT.

    It's impossible - to my knowledge - to know what is wrong.

    The Windows events report the same error message.

    We are using Kerberos authentication and sending back a PKCS#7 together with the X509v3 certificate.

    The WS-Addressing action is input RST/wstep and output RSTRC/wstep with token type Issue (RequestType).

    I can send the complete response if needed (using a dummy CA, so no important private keys will be compromised).

    This is crucial to get to work since we want to help our customers get into Windows Hello for Business solutions.


    Saturday, August 17, 2019 11:18 AM

All replies

  • <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep</Action><MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:56b21bda-c905-41b2-8d5d-f1317f8a7383</MessageID><To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To><RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:04a3b892-008b-4ec0-b4e7-2b823b8e650a</RelatesTo></soap:Header><soap:Body><ns9:RequestSecurityTokenResponseCollection xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:ns2="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:ns3="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ns5="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns6="http://schemas.microsoft.com/windows/pki/2009/01/enrollment" xmlns:ns7="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy" xmlns:ns8="http://www.w3.org/2000/09/xmldsig#" xmlns:ns9="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><RequestSecurityTokenResponse><TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</TokenType><ns5:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">MIAGCSqGSIb3DQEHAqCAMIACAQExADCABgkqhkiG9w0BBwEAAKCAMIIC+zCCAeOg
    AwIBAgICAIIwDQYJKoZIhvcNAQELBQAwTzEoMCYGA1UEAwwfQ2VydGlmaWNhdGUg
    U2VydmljZXMgSGVsbG8gUm9vdDEjMCEGA1UECgwaQ2VydGlmaWNhdGUgU2Vydmlj
    ZXMgSGVsbG8wHhcNMTkwODE2MTEwODM1WhcNMjAwODE3MTEwODM1WjAyMTAwLgYD
    VQQDDCdCbGFja0RyYWdvbi5pbnRyYW5ldC5hbmRyZWpha29ic3Nvbi5jb20wggEi
    MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4lujaW7Sw0h7qM41638q3Zt2E
    GRlWjeNXfaOHWxJGgFo660uCdk9fsjk6pZ/uhcrACwO95EttCsuKAQp+WQBeCnk3
    dgjMRnSFTKThEwia04ldd1tKDt27Zhm3+2f9fxqKh3KOalcJdW6ieoOWXwOZZfNF
    huVEv+GELbCT4O5qq9s8QlvjR2eRO53M2vPqsYmRLpxGiTJfqvmexLs3pVP6u7Sf
    sHWGCYLJuKyxvDjo0Ms1vA+EGTc/zdBwAibHGKhWcCW0A4X3Y+rrOZjSYwgK3Vvx
    BN8M46EulkyytBG846gE8Gbour/JOnK1cwrMerwds6Ug6NU7onOa7CVvonD1AgMB
    AAEwDQYJKoZIhvcNAQELBQADggEBACfxl56N+5KZBDNyfcryZD60Jm1mhA6CL6Ew
    tZAegh8BY4zfn5Y5PsFHlIo/Sad85+jjI3NtAXysymefDmIrSd45yR1lZAa6ihGq
    ec3XKUADGSi2ZfFMcSvW3cBy7QznWpGL+Hp+SpKC31ElW5vuxwR61mgw3LGbBNsD
    LQyelhKVda+EIA/6E80aP6N2dtEltGF9lRLFwdYzbsK+ejCw85rtNuiBY7wiIM12
    AXnfyf0Ie6778KXXNjR2HF9NATw+QSGL3M6YQ0bLFiuryU7jfnS33ba/TtGYoKwR
    VGtVrj0b2SfN6bs+iW+O29ND3UYwU2bZetarNt/fiyg2Y7YfPGUwggLxMIIB2aAD
    AgECAgF4MA0GCSqGSIb3DQEBCwUAME8xKDAmBgNVBAMMH0NlcnRpZmljYXRlIFNl
    cnZpY2VzIEhlbGxvIFJvb3QxIzAhBgNVBAoMGkNlcnRpZmljYXRlIFNlcnZpY2Vz
    IEhlbGxvMB4XDTE5MDgxNDIwMjE0M1oXDTQ0MDgxNTIwMjE0M1owKjEoMCYGA1UE
    AwwfQ2VydGlmaWNhdGUgU2VydmljZXMgSGVsbG8gUm9vdDCCASEwDQYJKoZIhvcN
    AQEBBQADggEOADCCAQkCggEBAKXAK2GaAy4rMiU/BuIcBIXE6wCnTsR1oLbI8jW0
    z8V1YGcyaPJGEk9Ji6fBoyxZIoWrXoShAqzh4As69psYJMjEBb4nGgXCqD7n3olx
    2TT/bmTx6eRkmvCQHeOLD95otRcEEI00bjQVo3LW7KfcbXpIC8e3asJeNphYt0oB
    dS7PJZ/5qZBNQ/Y9Hf6gWfIYmGkgNFplwxwKKK9fxVNASsqrBkZBb4n7vjJ3f9UH
    iA5dJPjJp0K9YNtGCPk922TqENUb2pQrE7pNVfeV6eLdpLQURf2Kt5rhsaUOFl9b
    +IYI7VQzzDfIpLHEAhQUNhgIaDDPX/6R0VeDpOwhOaIL3DcCAhABMA0GCSqGSIb3
    DQEBCwUAA4IBAQCa7iOMBK2weRl7fKBHpu7mQxid2VQQR0wDhVmGYr6+ZtgKfj8V
    H5TC4tpPmzejr7gCdywXBaBEB8X3sRQOwz6r95uHmhQbpSW1AnHk35n8yBeWR1Df
    ocwPJcZXXJKU6V2u/4giSvKTdH47jiJwWM26TW5zfLpaQdEqS56ohuoyg1zagSdc
    S9GlvHPKYfWK0+8Kqcyd0gqEQ9gFKTbm8VJyLXo4VP/+y5nLYsmUH+7YN4VB+adX
    auJulq2Hj4ZTQm0ByHbezl8dhi/BXswtCPItLOPgKDs1O4Zhq4H+bQd2z56YrtB2
    QD5IsOfffJmRHFfls4utzLPSEplmPrn8yVsGAAAxAAAAAAAAAA==</ns5:BinarySecurityToken><ns6:DispositionMessage xml:lang="en-US">Issued</ns6:DispositionMessage><RequestedSecurityToken><ns5:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">MIIC+zCCAeOgAwIBAgICAIIwDQYJKoZIhvcNAQELBQAwTzEoMCYGA1UEAwwfQ2Vy
    dGlmaWNhdGUgU2VydmljZXMgSGVsbG8gUm9vdDEjMCEGA1UECgwaQ2VydGlmaWNh
    dGUgU2VydmljZXMgSGVsbG8wHhcNMTkwODE2MTEwODM1WhcNMjAwODE3MTEwODM1
    WjAyMTAwLgYDVQQDDCdCbGFja0RyYWdvbi5pbnRyYW5ldC5hbmRyZWpha29ic3Nv
    bi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4lujaW7Sw0h7q
    M41638q3Zt2EGRlWjeNXfaOHWxJGgFo660uCdk9fsjk6pZ/uhcrACwO95EttCsuK
    AQp+WQBeCnk3dgjMRnSFTKThEwia04ldd1tKDt27Zhm3+2f9fxqKh3KOalcJdW6i
    eoOWXwOZZfNFhuVEv+GELbCT4O5qq9s8QlvjR2eRO53M2vPqsYmRLpxGiTJfqvme
    xLs3pVP6u7SfsHWGCYLJuKyxvDjo0Ms1vA+EGTc/zdBwAibHGKhWcCW0A4X3Y+rr
    OZjSYwgK3VvxBN8M46EulkyytBG846gE8Gbour/JOnK1cwrMerwds6Ug6NU7onOa
    7CVvonD1AgMBAAEwDQYJKoZIhvcNAQELBQADggEBACfxl56N+5KZBDNyfcryZD60
    Jm1mhA6CL6EwtZAegh8BY4zfn5Y5PsFHlIo/Sad85+jjI3NtAXysymefDmIrSd45
    yR1lZAa6ihGqec3XKUADGSi2ZfFMcSvW3cBy7QznWpGL+Hp+SpKC31ElW5vuxwR6
    1mgw3LGbBNsDLQyelhKVda+EIA/6E80aP6N2dtEltGF9lRLFwdYzbsK+ejCw85rt
    NuiBY7wiIM12AXnfyf0Ie6778KXXNjR2HF9NATw+QSGL3M6YQ0bLFiuryU7jfnS3
    3ba/TtGYoKwRVGtVrj0b2SfN6bs+iW+O29ND3UYwU2bZetarNt/fiyg2Y7YfPGU=</ns5:BinarySecurityToken></RequestedSecurityToken><ns6:RequestID>61</ns6:RequestID></RequestSecurityTokenResponse></ns9:RequestSecurityTokenResponseCollection></soap:Body></soap:Envelope>
    Saturday, August 17, 2019 11:21 AM
  • Are the PKCS#7 and certificate supposed to be 64 in length for each row?

    Are the PKCS#7 and certificate supposed to have new lines, new lines with carriage returns, or some other combination?

    What tags are required?

    Saturday, August 17, 2019 11:25 AM
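
An added diagnostic sketch, not part of the original thread and not the poster's or Microsoft's code: it parses a WSTEP response envelope, lists WS-Trust elements that are not in the WS-Trust 1.3 namespace carried by the collection element, and reports how each BinarySecurityToken's base64 is wrapped. The sample envelope and token bytes are constructed, and the expectation that the client wants these elements in the 200512 namespace is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Local names defined by WS-Trust. Assumption: the client expects all of them in WST13.
WST_NAMES = {"RequestSecurityTokenResponseCollection", "RequestSecurityTokenResponse",
             "TokenType", "RequestedSecurityToken"}

def split_tag(tag):
    """'{ns}local' -> (ns, local); tags without a namespace get ns ''."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def audit_response(xml_text):
    """Return (namespace_findings, token_reports) for a WSTEP response envelope."""
    findings, tokens = [], []
    for el in ET.fromstring(xml_text).iter():
        ns, local = split_tag(el.tag)
        if local in WST_NAMES and ns != WST13:
            findings.append((local, ns))  # a default xmlns can silently cause this
        if (ns, local) == (WSSE, "BinarySecurityToken"):
            # XML parsers normalise CRLF to LF, so only LF-delimited rows are visible here.
            text = el.text or ""
            lines = text.strip().splitlines()
            der = base64.b64decode("".join(text.split()), validate=True)
            tokens.append({
                "value_type": el.get("ValueType", "").rsplit("#", 1)[-1],
                "line_count": len(lines),
                "max_line_len": max((len(l) for l in lines), default=0),
                "der_len": len(der),
                "starts_with_sequence": der[:1] == b"\x30",  # DER SEQUENCE tag
            })
    return findings, tokens

# Constructed sample: 5 dummy DER bytes, base64 wrapped onto two rows.
B64 = base64.b64encode(bytes.fromhex("3003020101")).decode()
WRAPPED = B64[:4] + "\n" + B64[4:]
SAMPLE = f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<t13:RequestSecurityTokenResponseCollection xmlns:t13="{WST13}" xmlns:wsse="{WSSE}"
    xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <RequestSecurityTokenResponse><TokenType>constructed</TokenType>
    <RequestedSecurityToken>
      <wsse:BinarySecurityToken ValueType="{WSSE}#X509v3">{WRAPPED}</wsse:BinarySecurityToken>
    </RequestedSecurityToken>
  </RequestSecurityTokenResponse>
</t13:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""

if __name__ == "__main__":
    print(audit_response(SAMPLE))
```

Pass the text of a captured response to `audit_response`; a non-empty first list means the envelope mixes WS-Trust namespaces under one collection element.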