http://blogs.technet.com/mdm/archive/tags/Enrollment/default.aspxTags: Enrollmenten-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/mdm/archive/2009/01/05/scmdm-enrollment-fails-with-unknown-error-in-enrollment-service-system-argumentnullexception-value-cannot-be-null.aspxMon, 05 Jan 2009 17:29:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3176553jchornbe0http://blogs.technet.com/mdm/comments/3176553.aspxhttp://blogs.technet.com/mdm/commentrss.aspx?PostID=3176553<P>Here's another MDM enrollment failure issue we ran across recently that's caused by the CA not being available when the SCMDM Enrollment Service starts.&nbsp; Fortunately the solution to this one is pretty easy:</P> <P>========</P> <P><STRONG><U>Issue:</U></STRONG> Enrollment fails and the following event is logged on the Enrollment Server:</P> <P><STRONG><FONT color=#004080>Unknown error in Enrollment service: <BR>System.ArgumentNullException: Value cannot be null. <BR>Parameter name: data <BR>&nbsp;&nbsp; at Microsoft.Mobile.ManagementServices.EnrollmentServer.CryptoService.ComputeHmac(Byte[] data, Byte[] sessionKey) <BR>&nbsp;&nbsp; at Microsoft.Mobile.ManagementServices.EnrollmentServer.Authentication.AuthenticateServer(BootstrappingRequest rc) <BR>&nbsp;&nbsp; at Microsoft.Mobile.ManagementServices.EnrollmentServer.Authentication.Authenticate(RequestContext rc)</FONT></STRONG></P> <P><STRONG><U>Cause:</U></STRONG> This can occur if the Certificate Authority (CA) was not running when the SCMDM Enrollment Service started. </P> <P><STRONG><U>Resolution:</U></STRONG> Restart the SCMDM Enrollment Service. </P> <P>========</P> <P><STRONG>J.C. Hornbeck | Manageability Knowledge Engineer</STRONG></P><img src="http://blogs.technet.com/aggbug.aspx?PostID=3176553" width="1" height="1">TroubleshootErrorSP1CMEnrollmenthttp://blogs.technet.com/mdm/archive/2008/12/17/scmdm-enrollment-fails-if-a-port-other-than-443-is-used-for-the-enrollment-service.aspxWed, 17 Dec 2008 16:45:01 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3170269jchornbe0http://blogs.technet.com/mdm/comments/3170269.aspxhttp://blogs.technet.com/mdm/commentrss.aspx?PostID=3170269<p>Here's another SP1 issue that we came across.&#160; If your server and client logs indicate that Enrollment failed because it could not resolve the Enrollment server URL and you changed the port then this may be your issue:</p> <p>========</p> <p><strong><u>Issue:</u></strong> The server and client logs indicate that enrollment failed because it could not resolve the enrollment server URL. </p> <p><strong><u>Cause:</u></strong> Enrollment can fail if PAT (Port Address Translation) is used or if an alternate port other than 443 is used for the Enrollment Service. </p> <p>Setup itself does not allow you to specify an alternate port number for the enrollment server when it is installed, so if an alternate port is specified in IIS after installation, and the SCP value for the enrollment server is not changed, then client auto discovery breaks. What happens is that the client is sent back a request to switch to the URI of an enrollment server without the alternate port causing the enrollment to fail. </p> <p><strong><u>Resolution:</u></strong> If the port number in IIS is changed to a port other than 443, the SCP value must also be changed. </p> <p>To change the SCP value follow these steps: </p> <p>1. Launch ADSIEDIT.MSC. </p> <p>2. Right click on &#8220;CN=Instance&#8221; to bring up the property dialog box. </p> <p>3. Check the &#8216;Show only attributes that have values&#8217; checkbox. </p> <p>4. Double click on &#8216;keywords&#8217; attribute. </p> <p>5. Change the &#8220;enurl= &#8230;&#8221; value to the new port number. </p> <p>========</p> <p><strong>J.C. Hornbeck | Manageability Knowledge Engineer</strong></p><img src="http://blogs.technet.com/aggbug.aspx?PostID=3170269" width="1" height="1">TroubleshootSP1CMEnrollmenthttp://blogs.technet.com/mdm/archive/2008/12/16/scmdm-set-enrollmentpermissions-returns-error-encountered-when-delegating-container.aspxTue, 16 Dec 2008 18:51:00 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3169742jchornbe0http://blogs.technet.com/mdm/comments/3169742.aspxhttp://blogs.technet.com/mdm/commentrss.aspx?PostID=3169742<P>Here's another MDM SP1 issue for you.&nbsp; This one involves the <STRONG>Set-EnrollmentPermissions</STRONG> command and an error you can receive if SCMDMEnrollmentServers has full permissions on the specified OU:</P> <P>========</P> <P><STRONG><U>Issue:</U></STRONG> When running the <STRONG>Set-EnrollmentPermissions</STRONG> command you may receive the following error: </P> <P><STRONG><FONT color=#004080>Set-EnrollmentPermissions : Error encountered when delegating container "OU=SCMDM Managed Devices (Instance1),DC=yonaloc,DC=nttest,DC=microsoft,DC=com" permission to Enrollment Server. <BR>At line:1 char:26 <BR>+ Set-EnrollmentPermissions&nbsp; &lt;&lt;&lt;&lt; "SCMDM MAnaged Devices (Instance1)"</FONT></STRONG></P> <P><STRONG><U>Cause:</U></STRONG> The Set-EnrollmentPermissions command verifies what permissions SCMDMEnrollmentServers has on the specified OU (i.e. the OU that is passed in the command).&nbsp; There is a known issue in this verification process where it will return false if Full Permissions are enabled.</P> <P><STRONG><U>Resolution:</U></STRONG> Do not enable full permission for SCMDMEnrollmentServers group on the device OU. To workaround this issue delete the SCMDMEnrollmentServers group from Security.&nbsp; To do this follow these steps:</P> <OL> <LI>Run DSA.MSC. </LI> <LI>Find the OU where you were trying to set permissions. </LI> <LI>Right click on the OU and select Properties. </LI> <LI> <P>On the Security tab, click on SCCMEnrollmentServers(&lt;your instance name&gt;) and remove it.</P></LI></OL> <P>The last step is to run the Set-EnrollmentPermissions command again.&nbsp; This time it should succeed without error.</P> <P>========</P> <P><STRONG>J.C. Hornbeck | Manageability Knowledge Engineer</STRONG></P><img src="http://blogs.technet.com/aggbug.aspx?PostID=3169742" width="1" height="1">ErrorSP1CMEnrollment