Merge pull request #5389 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
This commit is contained in:
Gary Moore 2021-07-13 21:02:10 -07:00 committed by GitHub
commit ab8ca0221b
GPG Key ID: 4AEE18F83AFDEB23


@ -89,36 +89,37 @@ https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
The following example shows the discovery service request. The following example shows the discovery service request.
```xml ```xml
<?xml version="1.0"?> <?xml version="1.0"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope"> xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header> <s:Header>
<a:Action s:mustUnderstand="1"> <a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
</a:Action> </a:Action>
<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID> <a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
<a:ReplyTo> <a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo> </a:ReplyTo>
<a:To s:mustUnderstand="1"> <a:To s:mustUnderstand="1">
https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
</a:To> </a:To>
</s:Header> </s:Header>
<s:Body> <s:Body>
<Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/"> <Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
<request xmlns:i="http://www.w3.org/2001/XMLSchema-instance"> <request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<EmailAddress>user@contoso.com</EmailAddress> <EmailAddress>user@contoso.com</EmailAddress>
<OSEdition>3</OSEdition> <!--New --> <OSEdition>3</OSEdition> <!--New -->
<RequestVersion>3.0</RequestVersion> <!-- Updated --> <RequestVersion>3.0</RequestVersion> <!-- Updated -->
<DeviceType>WindowsPhone</DeviceType> <!--Updated --> <DeviceType>WindowsPhone</DeviceType> <!--Updated -->
<ApplicationVersion>10.0.0.0</ApplicationVersion> <ApplicationVersion>10.0.0.0</ApplicationVersion>
<AuthPolicies> <AuthPolicies>
<AuthPolicy>OnPremise</AuthPolicy> <AuthPolicy>OnPremise</AuthPolicy>
<AuthPolicy>Federated</AuthPolicy> <AuthPolicy>Federated</AuthPolicy>
</AuthPolicies> </AuthPolicies>
</request> </request>
</Discover> </Discover>
</s:Body> </s:Body>
</s:Envelope>
``` ```
The discovery response is in the XML format and includes the following fields: The discovery response is in the XML format and includes the following fields:
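Review bot: The added closing `</s:Envelope>` fixes the truncated sample, but two defects in the same block should go in this pass as well: `<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>` has a space after `urn:uuid:`, which is not a valid URN and is what the response's `<a:RelatesTo>` has to match for correlation, and the `<!--New -->` / `<!-- Updated -->` annotations are inconsistently spaced. Suggest `urn:uuid:748132ec-...` and a uniform `<!-- New -->` / `<!-- Updated -->`.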
@ -151,7 +152,7 @@ The following are the explicit requirements for the server.
The enrollment client issues an HTTPS request as follows: The enrollment client issues an HTTPS request as follows:
``` ```http
AuthenticationServiceUrl?appru=<appid>&amp;login_hint=<User Principal Name> AuthenticationServiceUrl?appru=<appid>&amp;login_hint=<User Principal Name>
``` ```
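Review bot: Tagging the fence as `http` is fine, but the line inside it still reads `AuthenticationServiceUrl?appru=<appid>&amp;login_hint=<User Principal Name>`; inside a fenced block the entity is not decoded, so readers see the literal text `&amp;`. Replace it with a plain `&` now that the template is in a code fence.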
@ -195,37 +196,37 @@ The server has to send a POST to a redirect URL of the form ms-app://string (the
The following example shows a response received from the discovery web service which requires authentication via WAB. The following example shows a response received from the discovery web service which requires authentication via WAB.
```xml ```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"> xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header> <s:Header>
<a:Action s:mustUnderstand="1"> <a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
</a:Action> </a:Action>
<ActivityId> <ActivityId>
d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8 d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
</ActivityId> </ActivityId>
<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo> <a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
</s:Header> </s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"> xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DiscoverResponse <DiscoverResponse
xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment"> xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
<DiscoverResult> <DiscoverResult>
<AuthPolicy>Federated</AuthPolicy> <AuthPolicy>Federated</AuthPolicy>
<EnrollmentVersion>3.0</EnrollmentVersion> <EnrollmentVersion>3.0</EnrollmentVersion>
<EnrollmentPolicyServiceUrl> <EnrollmentPolicyServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentPolicyServiceUrl> </EnrollmentPolicyServiceUrl>
<EnrollmentServiceUrl> <EnrollmentServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentServiceUrl> </EnrollmentServiceUrl>
<AuthenticationServiceUrl> <AuthenticationServiceUrl>
https://portal.manage.contoso.com/LoginRedirect.aspx https://portal.manage.contoso.com/LoginRedirect.aspx
</AuthenticationServiceUrl> </AuthenticationServiceUrl>
</DiscoverResult> </DiscoverResult>
</DiscoverResponse> </DiscoverResponse>
</s:Body> </s:Body>
</s:Envelope> </s:Envelope>
``` ```
## Enrollment policy web service ## Enrollment policy web service
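Review bot: `<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>` repeats the stray space after `urn:uuid:` from the request sample's MessageID; if one is corrected the other must be too, because RelatesTo has to match the request's MessageID for the client to correlate the response. Separately, `<ActivityId>` sits in `s:Header` without a namespace prefix, unlike every other header element in the sample; confirm that this matches the wire format or add the namespace.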
@ -234,58 +235,60 @@ Policy service is optional. By default, if no policies are specified, the minimu
This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message. This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.
For Federated authentication policy, The security token credential is provided in a request message using the &lt;wsse:BinarySecurityToken&gt; element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows: For Federated authentication policy, the security token credential is provided in a request message using the &lt;wsse:BinarySecurityToken&gt; element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:
- wsse:Security: The enrollment client implements the &lt;wsse:Security&gt; element defined in \[WSS\] section 5. The &lt;wsse:Security&gt; element must be a child of the &lt;s:Header&gt; element. - wsse:Security: The enrollment client implements the &lt;wsse:Security&gt; element defined in \[WSS\] section 5. The &lt;wsse:Security&gt; element must be a child of the &lt;s:Header&gt; element.
- wsse:BinarySecurityToken: The enrollment client implements the &lt;wsse:BinarySecurityToken&gt; element defined in \[WSS\] section 6.3. The &lt;wsse:BinarySecurityToken&gt; element must be included as a child of the &lt;wsse:Security&gt; element in the SOAP header. - wsse:BinarySecurityToken: The enrollment client implements the &lt;wsse:BinarySecurityToken&gt; element defined in \[WSS\] section 6.3. The &lt;wsse:BinarySecurityToken&gt; element must be included as a child of the &lt;wsse:Security&gt; element in the SOAP header.
As was described in the discovery response section, the inclusion of the &lt;wsse:BinarySecurityToken&gt; element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the &lt;AuthenticationServiceUrl&gt; element of &lt;DiscoveryResponse&gt; and the enterprise server. As was described in the discovery response section, the inclusion of the &lt;wsse:BinarySecurityToken&gt; element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the &lt;AuthenticationServiceUrl&gt; element of &lt;DiscoveryResponse&gt; and the enterprise server.
The &lt;wsse:BinarySecurityToken&gt; element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the &lt;wsse:BinarySecurityToken&gt; element. wsse:BinarySecurityToken/attributes/ValueType: The &lt;wsse:BinarySecurityToken&gt; ValueType attribute must be "http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken". The &lt;wsse:BinarySecurityToken&gt; element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the &lt;wsse:BinarySecurityToken&gt; element.
wsse:BinarySecurityToken/attributes/EncodingType: The &lt;wsse:BinarySecurityToken&gt; EncodingType attribute must be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary". - wsse:BinarySecurityToken/attributes/ValueType: The `<wsse:BinarySecurityToken>` ValueType attribute must be "http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken".
- wsse:BinarySecurityToken/attributes/EncodingType: The `<wsse:BinarySecurityToken>` EncodingType attribute must be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary".
The following is an enrollment policy request example with a received security token as client credential. The following is an enrollment policy request example with a received security token as client credential.
```xml ```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization"> xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header> <s:Header>
<a:Action s:mustUnderstand="1"> <a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
</a:Action> </a:Action>
<a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID> <a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
<a:ReplyTo> <a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo> </a:ReplyTo>
<a:To s:mustUnderstand="1"> <a:To s:mustUnderstand="1">
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To> </a:To>
<wsse:Security s:mustUnderstand="1"> <wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken <wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken" ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken> </wsse:BinarySecurityToken>
</wsse:Security> </wsse:Security>
</s:Header> </s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"> xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPolicies <GetPolicies
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy"> xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<client> <client>
<lastUpdate xsi:nil="true"/> <lastUpdate xsi:nil="true"/>
<preferredLanguage xsi:nil="true"/> <preferredLanguage xsi:nil="true"/>
</client> </client>
<requestFilter xsi:nil="true"/> <requestFilter xsi:nil="true"/>
</GetPolicies> </GetPolicies>
</s:Body> </s:Body>
</s:Envelope> </s:Envelope>
``` ```
After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN. After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN.
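Review bot: The capitalization fix and the conversion of the ValueType/EncodingType sentences into list items are good, but the unchanged sentence above them is still broken: `(as identified in the &lt;AuthenticationServiceUrl&gt; element of &lt;DiscoveryResponse&gt; and the enterprise server.` never closes its parenthesis, and the element is named `DiscoverResponse` in the sample earlier in this file. Also, the new ValueType bullet keeps the `http:<span></span>//schemas.microsoft.com/...` anti-autolink hack while the element name beside it now uses backticks; putting the URL in backticks too, as the TokenType edit later in this file does, removes the raw HTML and gives both bullets the same formatting.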
@ -298,80 +301,80 @@ MS-XCEP supports very flexible enrollment policies using various Complex Types a
The following snippet shows the policy web service response. The following snippet shows the policy web service response.
```xml ```xml
<s:Envelope <s:Envelope
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"> xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header> <s:Header>
<a:Action s:mustUnderstand="1"> <a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
</a:Action> </a:Action>
<a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo> <a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
</s:Header> </s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"> xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPoliciesResponse <GetPoliciesResponse
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy"> xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<response> <response>
<policyID /> <policyID />
<policyFriendlyName xsi:nil="true" <policyFriendlyName xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<nextUpdateHours xsi:nil="true" <nextUpdateHours xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policiesNotChanged xsi:nil="true" <policiesNotChanged xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policies> <policies>
<policy> <policy>
<policyOIDReference>0</policyOIDReference> <policyOIDReference>0</policyOIDReference>
<cAs xsi:nil="true" />
<attributes>
<commonName>CEPUnitTest</commonName>
<policySchema>3</policySchema>
<certificateValidity>
<validityPeriodSeconds>1209600</validityPeriodSeconds>
<renewalPeriodSeconds>172800</renewalPeriodSeconds>
</certificateValidity>
<permission>
<enroll>true</enroll>
<autoEnroll>false</autoEnroll>
</permission>
<privateKeyAttributes>
<minimalKeyLength>2048</minimalKeyLength>
<keySpec xsi:nil="true" />
<keyUsageProperty xsi:nil="true" />
<permissions xsi:nil="true" />
<algorithmOIDReference xsi:nil="true" />
<cryptoProviders xsi:nil="true" />
</privateKeyAttributes>
<revision>
<majorRevision>101</majorRevision>
<minorRevision>0</minorRevision>
</revision>
<supersededPolicies xsi:nil="true" />
<privateKeyFlags xsi:nil="true" />
<subjectNameFlags xsi:nil="true" />
<enrollmentFlags xsi:nil="true" />
<generalFlags xsi:nil="true" />
<hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
<rARequirements xsi:nil="true" />
<keyArchivalAttributes xsi:nil="true" />
<extensions xsi:nil="true" />
</attributes>
</policy>
</policies>
</response>
<cAs xsi:nil="true" /> <cAs xsi:nil="true" />
<oIDs> <attributes>
<oID> <commonName>CEPUnitTest</commonName>
<value>1.3.14.3.2.29</value> <policySchema>3</policySchema>
<group>1</group> <certificateValidity>
<oIDReferenceID>0</oIDReferenceID> <validityPeriodSeconds>1209600</validityPeriodSeconds>
<defaultName>szOID_OIWSEC_sha1RSASign</defaultName> <renewalPeriodSeconds>172800</renewalPeriodSeconds>
</oID> </certificateValidity>
</oIDs> <permission>
</GetPoliciesResponse> <enroll>true</enroll>
</s:Body> <autoEnroll>false</autoEnroll>
</s:Envelope> </permission>
<privateKeyAttributes>
<minimalKeyLength>2048</minimalKeyLength>
<keySpec xsi:nil="true" />
<keyUsageProperty xsi:nil="true" />
<permissions xsi:nil="true" />
<algorithmOIDReference xsi:nil="true" />
<cryptoProviders xsi:nil="true" />
</privateKeyAttributes>
<revision>
<majorRevision>101</majorRevision>
<minorRevision>0</minorRevision>
</revision>
<supersededPolicies xsi:nil="true" />
<privateKeyFlags xsi:nil="true" />
<subjectNameFlags xsi:nil="true" />
<enrollmentFlags xsi:nil="true" />
<generalFlags xsi:nil="true" />
<hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
<rARequirements xsi:nil="true" />
<keyArchivalAttributes xsi:nil="true" />
<extensions xsi:nil="true" />
</attributes>
</policy>
</policies>
</response>
<cAs xsi:nil="true" />
<oIDs>
<oID>
<value>1.3.14.3.2.29</value>
<group>1</group>
<oIDReferenceID>0</oIDReferenceID>
<defaultName>szOID_OIWSEC_sha1RSASign</defaultName>
</oID>
</oIDs>
</GetPoliciesResponse>
</s:Body>
</s:Envelope>
``` ```
## Enrollment web service ## Enrollment web service
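Review bot: The re-indented response reads well, but the sample still advertises SHA-1: `<hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>` resolves to the `<oID>` with `<value>1.3.14.3.2.29</value>` and `<defaultName>szOID_OIWSEC_sha1RSASign</defaultName>`. Since implementers copy these samples into templates, either update the OID to a SHA-2 signature algorithm or add a sentence stating that the values are illustrative and that a production template should not use SHA-1. Minor: `xmlns:xsi` is redeclared on `policyFriendlyName`, `nextUpdateHours` and `policiesNotChanged` even though `s:Body` already declares it.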
@ -380,7 +383,7 @@ This web service implements the MS-WSTEP protocol. It processes the RequestSecur
The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully. The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully.
Note that the RequestSecurityToken will use a custom TokenType (http:<span></span>//schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section. Note that the RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section.
The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
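Review bot: Replacing the `<span></span>` anti-autolink hack with a backticked URL is the right fix for the TokenType. While here, `Note that the RequestSecurityToken will use a custom TokenType` could say what the token actually carries instead of deferring to "the Response section": per the RSTR sample later in this file, the returned BinarySecurityToken has ValueType `.../DeviceEnrollmentProvisionDoc` and wraps an OMA Client Provisioning document, which is why an X.509 TokenType alone would not describe it.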
@ -390,83 +393,84 @@ The RST may also specify a number of AdditionalContext items, such as DeviceType
The following example shows the enrollment web service request for federated authentication. The following example shows the enrollment web service request for federated authentication.
```xml ```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization"> xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header> <s:Header>
<a:Action s:mustUnderstand="1"> <a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
</a:Action> </a:Action>
<a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID> <a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
<a:ReplyTo> <a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo> </a:ReplyTo>
<a:To s:mustUnderstand="1"> <a:To s:mustUnderstand="1">
https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To> </a:To>
<wsse:Security s:mustUnderstand="1"> <wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken <wsse:BinarySecurityToken
wsse:ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken" wsse:ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
wsse:EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"> wsse:EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
B64EncodedSampleBinarySecurityToken B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken> </wsse:BinarySecurityToken>
</wsse:Security> </wsse:Security>
</s:Header> </s:Header>
<s:Body> <s:Body>
<wst:RequestSecurityToken> <wst:RequestSecurityToken>
<wst:TokenType> <wst:TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</wst:TokenType> </wst:TokenType>
<wst:RequestType> <wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
</wst:RequestType> </wst:RequestType>
<wsse:BinarySecurityToken <wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10" ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
DER format PKCS#10 certificate request in Base64 encoding Insterted Here DER format PKCS#10 certificate request in Base64 encoding Insterted Here
</wsse:BinarySecurityToken> </wsse:BinarySecurityToken>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization"> <ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSEdition"> <ac:ContextItem Name="OSEdition">
<ac:Value> 4</ac:Value> <ac:Value> 4</ac:Value>
</ac:ContextItem> </ac:ContextItem>
<ac:ContextItem Name="OSVersion"> <ac:ContextItem Name="OSVersion">
<ac:Value>10.0.9999.0</ac:Value> <ac:Value>10.0.9999.0</ac:Value>
</ac:ContextItem> </ac:ContextItem>
<ac:ContextItem Name="DeviceName"> <ac:ContextItem Name="DeviceName">
<ac:Value>MY_WINDOWS_DEVICE</ac:Value> <ac:Value>MY_WINDOWS_DEVICE</ac:Value>
</ac:ContextItem> </ac:ContextItem>
<ac:ContextItem Name="MAC"> <ac:ContextItem Name="MAC">
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value> <ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
</ac:ContextItem> </ac:ContextItem>
<ac:ContextItem Name="MAC"> <ac:ContextItem Name="MAC">
<ac:Value>CC:CC:CC:CC:CC:CC</ac:Value> <ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
<ac:ContextItem Name="IMEI"> <ac:ContextItem Name="IMEI">
<ac:Value>49015420323756</ac:Value> <ac:Value>49015420323756</ac:Value>
</ac:ContextItem> </ac:ContextItem>
<ac:ContextItem Name="IMEI"> <ac:ContextItem Name="IMEI">
<ac:Value>30215420323756</ac:Value> <ac:Value>30215420323756</ac:Value>
</ac:ContextItem> </ac:ContextItem>
<ac:ContextItem Name="EnrollmentType"> <ac:ContextItem Name="EnrollmentType">
<ac:Value>Full</ac:Value> <ac:Value>Full</ac:Value>
</ac:ContextItem> </ac:ContextItem>
<ac:ContextItem Name="DeviceType"> <ac:ContextItem Name="DeviceType">
<ac:Value>CIMClient_Windows</ac:Value> <ac:Value>CIMClient_Windows</ac:Value>
</ac:ContextItem> </ac:ContextItem>
<ac:ContextItem Name="ApplicationVersion"> <ac:ContextItem Name="ApplicationVersion">
<ac:Value>10.0.9999.0</ac:Value> <ac:Value>10.0.9999.0</ac:Value>
</ac:ContextItem> </ac:ContextItem>
<ac:ContextItem Name="DeviceID"> <ac:ContextItem Name="DeviceID">
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value> <ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
</ac:ContextItem> </ac:ContextItem>
<ac:ContextItem Name="TargetedUserLoggedIn"> <ac:ContextItem Name="TargetedUserLoggedIn">
<ac:Value>True</ac:Value> <ac:Value>True</ac:Value>
</ac:ContextItem> </ac:ContextItem>
</ac:AdditionalContext> </ac:AdditionalContext>
</wst:RequestSecurityToken> </wst:RequestSecurityToken>
</s:Body> </s:Body>
</s:Envelope>
``` ```
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR). After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
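Review bot: The added `</s:Envelope>` closes the envelope, but the sample is still not well-formed XML: the second `<ac:ContextItem Name="MAC">` holding `<ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>` is never closed before the first `<ac:ContextItem Name="IMEI">` opens, so any parser rejects the document. Add the missing `</ac:ContextItem>` there. Also fix the placeholder typo `Insterted Here`, drop the stray leading space in `<ac:Value> 4</ac:Value>`, and in the trailing sentence change `update it if needed` to `updates it if needed` to agree with the other verbs.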
@ -492,43 +496,43 @@ Here is a sample RSTR message and a sample of OMA client provisioning XML within
The following example shows the enrollment web service response. The following example shows the enrollment web service response.
```xml ```xml
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header> <s:Header>
<a:Action s:mustUnderstand="1" > <a:Action s:mustUnderstand="1" >
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep
</a:Action> </a:Action>
<a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo> <a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o= <o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0"> <u:Timestamp u:Id="_0">
<u:Created>2012-08-02T00:32:59.420Z</u:Created> <u:Created>2012-08-02T00:32:59.420Z</u:Created>
<u:Expires>2012-08-02T00:37:59.420Z</u:Expires> <u:Expires>2012-08-02T00:37:59.420Z</u:Expires>
</u:Timestamp> </u:Timestamp>
</o:Security> </o:Security>
</s:Header> </s:Header>
<s:Body> <s:Body>
<RequestSecurityTokenResponseCollection <RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<RequestSecurityTokenResponse> <RequestSecurityTokenResponse>
<TokenType> <TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType> </TokenType>
<DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/> <DispositionMessage xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/>
<RequestedSecurityToken> <RequestedSecurityToken>
<BinarySecurityToken <BinarySecurityToken
ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc" ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken B64EncodedSampleBinarySecurityToken
</BinarySecurityToken> </BinarySecurityToken>
</RequestedSecurityToken> </RequestedSecurityToken>
<RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID> <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
</RequestSecurityTokenResponse> </RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection> </RequestSecurityTokenResponseCollection>
</s:Body> </s:Body>
</s:Envelope> </s:Envelope>
``` ```
The following code shows sample provisioning XML (presented in the preceding package as a security token): The following code shows sample provisioning XML (presented in the preceding package as a security token):
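Review bot: This RSTR sample declares `xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"` (SOAP 1.1) while the RST request it answers uses `http://www.w3.org/2003/05/soap-envelope` (SOAP 1.2); a client speaking 1.2 would fault on a 1.1 envelope, so confirm which version the service actually returns and make the pair consistent. Minor: `<a:Action s:mustUnderstand="1" >` has a stray space before `>`. The `<u:Timestamp>` with `Created` and `Expires` five minutes apart deserves a sentence in the prose, since that window is what lets the receiver reject a stale or replayed response.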
@ -610,11 +614,16 @@ The following code shows sample provisioning XML (presented in the preceding pac
</wap-provisioningdoc> </wap-provisioningdoc>
``` ```
**Notes** > [!NOTE]
>
- &lt;Parm name&gt; and &lt;characteristic type=&gt; elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase. > - &lt;Parm name&gt; and &lt;characteristic type=&gt; elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.
- In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML. >
- Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. > - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML.
- The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. >
- Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. > - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document.
- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. >
> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
>
> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
>
> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
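Review bot: Converting the **Notes** list into a `[!NOTE]` alert is fine, but the PrivateKeyContainer bullet keeps a garbled clause: `must be present in the Enrollment provisioning XML by the enrollment` reads as if words are missing; suggest `must be present in the enrollment provisioning XML`. The bullets also mix styles: `&lt;Parm name&gt;` and `&lt;characteristic type=&gt;` use HTML entities while SSLCLIENTCERTSEARCHCRITERIA and CertificateStore/WSTEP are bare; backticks for every element and parameter name would match the rest of this edit.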