我正在使用OMA-DM协议实现我自己的MDM服务器,目前我正在努力将Windows 10客户端注册到我的服务器。我已成功实施此链接中提到的“发现服务”和“政策服务”步骤:https://msdn.microsoft.com/en-us/library/windows/hardware/dn925031(v=vs.85).aspx
我目前正在尝试完成第3步,即“证书注册”。如上面的链接中所述,客户端向我发送请求安全令牌(RST)消息(具有PKCS#10证书请求),根据我的理解,我应该在wap provisioning xml中发回根和客户端证书。但是,在Windows 10机器上,我收到一条消息“出了问题......”。事件查看器中的管理日志没有用,并且显示以下消息:“MDM注册:无法接收或解析证书注册响应。结果:(未知的Win32错误代码:0x80180008)。”
我有以下问题:
1)通过阅读,我已经理解客户端将在PKCS#10证书请求中发送硬编码的CN值,服务器有责任使用相同的CN发送签名的客户端证书。我对吗 ?或者由服务器发送任何CN似乎是合适的,只要wap在搜索条件参数中有主题?
2)wap配置XML有一个名为“SSLCLIENTCERTSEARCHCRITERIA”的参数。理想情况下这个值应该是多少?根据我的理解,它应该是客户证书的主题,即CN。
3)我可以在Windows 10客户端PC上看到更详细的日志吗?
这是我的WAP:
<?xml version="1.0" encoding="UTF-8" standalone="no"?><wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<characteristic type="Root">
<characteristic type="System">
<characteristic type="B8E6A72180B04F64CB594AEFBFDF2F0997DB6FD7">
<parm name="EncodedCertificate" value="MIIF+zCCA+OgAwIBAgIJAJE458QXNuiLMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVGVzdDENMAsGA1UEBxMEVGVzdDERMA8GA1UEChMIVGVzdCBPcmcxFjAUBgNVBAsTDVRlc3Qgb3JnIHVuaXQxFTATBgNVBAMTDFdTTzIgUm9vdCBDQTEcMBoGCSqGSIb3DQEJARYNcm9vdEB3c28yLmNvbTAeFw0xNTAxMjcxMjUxMjRaFw0xNzEwMjMxMjUxMjRaMIGLMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVGVzdDENMAsGA1UEBxMEVGVzdDERMA8GA1UEChMIVGVzdCBPcmcxFjAUBgNVBAsTDVRlc3Qgb3JnIHVuaXQxFTATBgNVBAMTDFdTTzIgUm9vdCBDQTEcMBoGCSqGSIb3DQEJARYNcm9vdEB3c28yLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANJ756zjlkNKJf9O80qwFWxlwr4vOa80oaGXaO8Luj8ZNb7zyGATppTmZi2brRVfNPGHhN/0REb5+Gcf0xvk1b5Wp4E+JoDKfZMwOVQsMVmKYHqopgiiE28L/YoNd0XmZA0J03nfQ4rzYggwQX7oRsW/AptkdURV4i8xD3SsqDGDZyYxQVDkj55nrweEd5FWOnYvvpdbFJ4WanJmGe1WRtLMJ0jFi7tw9Wc7W/5+fvIA9bvHDHoG1VlfyjQUSvTLlAN7Ui0ztXTcOZuN3HI0putMQRyaAD7Ljl7E1ROiqMhN/z80Bck8Yi7ELOmq+cJOir/4CAamj8SugZ0iXo922slrSemWL9tjNT7MFmjFXmgIfVmaJF7OxKyxHhO8gJKTlU2KSJJH2CzMwnGdRFrDlsAotVjGLYFWHUN4HW2uA2crEEmk+UduwnVMazqUwBFxv+INf0U55bsXTv7C3L06IUaTBvxhxKQmzj9BeQGwWAC2Co4s5riT2ttivSRlXijPIEDTfmvE/fjj4KfQQOTY3+EejacMe6gb/qVsCZ1g9Tbk7WLgjYHBuOQSAz3lwPPqPY+6CakeL29wWyPg7pGzR6lMcYItUdHJuNsTijs0x6Xi1O5iIuL2o0vl8FRH+tZFm3ujtCIHprjUgcn6aOR9Ms/NkUJCziKKAb4KoohNFgr/AgMBAAGjYDBeMB0GA1UdDgQWBBSDhLDYVCYhJsxvK1ZNV05qGGVajjAfBgNVHSMEGDAWgBSDhLDYVCYhJsxvK1ZNV05qGGVajjAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBhjANBgkqhkiG9w0BAQUFAAOCAgEAykqOsxHV43Bx24+7DfxLNYyafBayHacQ4uwtldwexyQBfIyJKjhzZUSvl37zhFPhJRJHogFIds+FoqaQsF8PvI/YSKs3UYRhje2mJan79lEArCd+3zDGmzQhmutVo7C1bCQuujV8YLIJGvvcnMcHnMLpc5CfjzmI2C6qMZ5XgpHx/Mhindllqr0ZVvqRive0A2svW1k47XWB7BIfx/aoZ1viPHDNYVuYZ6j/NAFv8/Fu3n/TfYOJ5rz0NPGHYXnmFcgGxtYTu5u6Q9YVdDLZv9lqYbMRSdiQ8SVDzwxft9N5g6/VoXLoMpCS7/6jR3J0GbG2r/vr024QMOHDZHQDjkAVUBni6/bRHqj389RnOXhQ+TSlx/hGgtdTpZRv63PjAqTCdDAhazWAgG/W+dxUhAywiOYHeXincuuDER0ypkfGcaUvbN9/mWtGJvtW+L9OlTj3LQlXD2ORehz5itS3eV0DVkscCOLzzkVLtIJeew1oRmiADNOUe5A6V0cW5HIFi9F7Recqv9lGphwQeq+2cmvUKkSPcx+Z/SHTT/nIOioqxxafJhci5dAEsPgtzxnA6QqPQtxOj46aZxQh5+hzZ/1CQq3UThDdQreJL51c+NOSZFQh6YVpJH6ZdSldBJnHjbS7RL/bv2kl1Pmv808T+iG+GpDw2XljwsI6TL8ACok="/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="CertificateStore">
<characteristic type="My">
<characteristic type="User">
<characteristic type="8C0765870005BC084563F0D359AE41177CEB4F1C">
<parm name="EncodedCertificate" value="MIIEazCCAlOgAwIBAgIGAVNVq4FVMA0GCSqGSIb3DQEBCwUAMIGLMRwwGgYJKoZIhvcNAQkBFg1yb290QHdzbzIuY29tMRUwEwYDVQQDDAxXU08yIFJvb3QgQ0ExFjAUBgNVBAsMDVRlc3Qgb3JnIHVuaXQxETAPBgNVBAoMCFRlc3QgT3JnMQ0wCwYDVQQHDARUZXN0MQ0wCwYDVQQIDARUZXN0MQswCQYDVQQGEwJVUzAgFw0xNjAzMDYxMDAwMTZaGA8yMTE2MDMwODEwMDAxNlowSzFJMEcGA1UEAwxAMEM1OUJBQjAtQUU0Ny00NDlDLTkyQ0QtRTEyMjM2MyFEMzdCNzM1Nzc0MUVGNDRFQTI4NUQwRDYzNzFGNzBBQzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOF6TccENSlWosUpeh4ILwFu50vbvgYLoTgE1eVqP+SqPwdWAs9zfCexKqp0ySFV6lVvx8YRVgXpBpLV4Co6mqED18EqsS0OgpdiyowBhWh0yFwxXb7gVYmB+2s6vHoYTf2+mseWDMHiJbiZsJd+jep8+ZLUeMq2YZwz3uB8pbZ5v1AJjRs2kCOA99G8TKMF6kY0rlOaEIb4rhLolBOxgS8V7rhND6+e0ruTspLeoHKxUcw+Udh2jFA6uIkjWqdarFcx3a18a7JK8mCxY1bA5YrVDr+DCKgwFNwQYUW8n3y/REVSFaoKVjtZWdtCGx0NNTEgmg1Qilx0ckrStAwuFBkCAwEAAaMSMBAwDgYDVR0PAQH/BAQDAgWgMA0GCSqGSIb3DQEBCwUAA4ICAQBrpXVXQtx3DMzmNQBVcthaM7Tr7/EEmrqwkgwWlnPKVWPKgps+dPhulgQ9fNvcfiGrra6L6NYmU92g16G8DgmH7CCjwWsHWeETWjegcNMn4a0lX81HCS+8yb62+i5U3Jz5/eU4QL5iJZabT5iMfe7oE1enP+o5BzfKa4ce+gk2Id/WoIdTPmsTge+vPGXl8D0x+wk/AV/SzsFuv5u12K19H/3Sta0jjQl+VVLkwHiKxQ6SUmR+E4HIX+f9903fONYZGLXQJrVadG+lP2ydHOyYss8efbVNkTA3/VkUApG1Wx5P+WdFWtJBgZxajO5mosrNOJaCZ/5SVxmEf/7LH4I5JSfr4WXGponTw/TCWsdyklY3z18E4w+Go8KMseITGThtPhuZ9Uxg6LrE/SFSHqhEaMinbGW1LlvXXui6CqbHC6+ytQHzm40OAp1Wfp/+yyaegOxZTNePFKtzoQg/bJzgdHLEDU2L2fxHFPSNHGXpMKryCVGYta5Zapy4Mwa9fkA2vaSDq1FXW12wzPjal8pc4C0mBq5WAd/99u6xhsAHUrimIOzq92ifw9z9zVR37qYPi4tFuhyVvxRrblciGmS9/LWkDcYezrpBKnrSAo8qEySgJcoENlc3x906vh4TLrJdjjEIRSWiCrmTGP32o/cYIvZa8J5v0ysJzX4jaw769g=="/>
</characteristic>
<characteristic type="PrivateKeyContainer"/>
</characteristic>
<characteristic type="WSTEP">
<characteristic type="Renew">
<parm datatype="boolean" name="ROBOSupport" value="true"/>
<parm datatype="integer" name="RenewPeriod" value="60"/>
<parm datatype="integer" name="RetryInterval" value="4"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="APPID" value="w7"/>
<parm name="PROVIDER-ID" value="MDMServer"/>
<parm name="NAME" value="test"/>
<parm name="ADDR" value="https://dhruvesh.auth.hpicorp.net/services/oma-dm/ws/syncml/initialquery"/>
<parm name="CONNRETRYFREQ" value="6"/>
<parm name="INITIALBACKOFFTIME" value="30000"/>
<parm name="MAXBACKOFFTIME" value="120000"/>
<parm name="BACKCOMPATRETRYDISABLED"/>
<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml"/>
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3D0C59BAB0-AE47-449C-92CD-E122363!D37B7357741EF44EA285D0D6371F70AC&amp;Stores=My%5CUser"/>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<parm name="AAUTHSECRET" value="password1"/> <!-- Have a doubt about this field and the one below. Whose passwords and nonce do they mean? -->
<parm name="AAUTHDATA" value="nonce"/>
</characteristic>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="APPSRV"/>
<parm name="AAUTHTYPE" value="BASIC"/>
<parm name="AAUTHNAME" value="abc@abc.com"/> <!-- Have a doubt about this field and the one below. Whose username and passwords do they mean? -->
<parm name="AAUTHSECRET" value="Computer@2"/>
</characteristic>
</characteristic>
<characteristic type="DMClient">
<characteristic type="Provider">
<characteristic type="MDMServer">
<parm datatype="string" name="UPN" value="UserPrincipalName@contoso.com"/> <!-- Doubt about this field too. What is expected ? -->
<characteristic type="Poll">
<parm datatype="integer" name="NumberOfFirstRetries" value="8"/>
<parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15"/>
<parm datatype="integer" name="NumberOfSecondRetries" value="5"/>
<parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3"/>
<parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0"/>
<parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560"/>
<parm datatype="boolean" name="PollOnLogin" value="true"/>
</characteristic>
<parm datatype="string" name="EntDeviceName" value="Administrator_Windows"/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
在上面的wap中也有一些疑问(已在那里发表评论)。
真的卡在这里。真的很感激任何帮助:)
答案 0 :(得分:0)
您应该删除xml标记
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
从一开始就是因为WAP有效载荷不是完整的XML有效载荷。除此之外,从PKCS10有效负载生成证书时可能会遇到问题。确保将主题名称更改为您想要的值,并将其传递给&#34; SSLCLIENTCERTSEARCHCRITERIA&#34;标准。否则,您的设备将注册,但绝不会与管理服务器通信。
祝你好运!