When attempting to install a Profile on an iOS device the process fails while attempting to enroll the certificate with the message "The SCEP Server returned an invalid response".

Article ID: 19765

Updated On:

Products

CA Mobile Device Management

Issue/Introduction

Description:

When attempting to install a Profile on an iOS device the process fails while attempting to enroll the certificate with the message "The SCEP Server returned an invalid response."

Solution:

CAUSE:

The Certification Authority (CA) used for web enrollment is not properly configured.
If the "Maximum query string" size in Request Filtering for the CertSrv virtual directory is too small, this message will occur.

SOLUTION:

On the CA Server:
1. Open Internet Information Services (IIS) Manager and click on the CertSrv virtual directory.
2. Double click the Request Filtering icon in the IIS section in the center pane.
3. Click "Edit Feature Settings" in the right pane.
4. Change the value of the "Maximum query string" to 65536.
5. Stop and restart IIS.

If the CA MDM Relay Server is being used to proxy the connections to the CA Server, you must also apply the same setting to the Relay Server virtual directory in IIS on the Relay Server system:
1. On the CA MDM Relay Server system, open Internet Information Services (IIS) Manager and click on the ias_relay_server virtual directory (this assumes the default name is being used for the virtual directory).
2. Double click the Request Filtering icon in the IIS section in the center pane.
3. Click "Edit Feature Settings" in the right pane.
4. Change the value of the "Maximum query string" to 65536.
5. Stop the Relay Server service (or just rshost.exe if it is not installed as a Windows service).
6. Stop and restart IIS on the Relay Server.
7. Stop and restart IIS on the CA Server.
8. Stop and restart the Active Directory Certificate Services service on the CA Server.

MORE INFORMATION:

By default, IIS 7/7.5 request filtering is too restrictive to permit these Apple devices to enroll via SCEP.
With the out-of-the-box settings, enrollment will fail with the following error in the Application event log:
Log Name: Application
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Date: {DATE}
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: {COMPUTERNAME}
Description:
The Network Device Enrollment Service received an http message without the
"Operation" tag, or with an invalid "Operation" tag.
The IIS logs will show the following line when the iPad device attempts to send its certificate enrollment to the NDES server:

2010-11-04 12:43:38 xx.xx.xx.xx GET /certsrv/mscep/mscep.dll operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJGSIb3DQEHAaCAJIAEggSTMIAG%0 . . . {Shortened for the blog} . . .

EMPlcwhmd8c1XAAAAAAAAA%3D%3D%0A 80 - 10.188.117.101 Settings/1.0+CFNetwork/467.12+Darwin/10.3.1 404 15 0 812

This is a 404.15 error (Request Filtering: Denied because query string too long): the amount of data sent in the HTTP URL exceeds what request filtering allows by default. In the scenario above, the iPad was sending a query string of over 2700 characters, but the default limit is 1024. That default exists to mitigate buffer overrun attacks.

To change the value from the command line instead of IIS Manager, use the following IIS appcmd.exe command:
%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"65536" /commit:apphost
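The following PowerShell script is an added example and is not part of this article or of CA MDM. It audits the "Maximum query string" limit on the two SCEP-facing virtual directories named above (raising it to 65536 only where it is below that), and then checks IIS W3C log lines for the 404.15 signature on mscep.dll that the article describes. It assumes the IIS WebAdministration module and the default site name "Default Web Site"; the log field order is the IIS 7 default shown in the log excerpt above.

```powershell
# Added example (not from the KB article). Assumes the WebAdministration
# module (IIS 7.x) and the default site name 'Default Web Site'.
Import-Module WebAdministration

$Filter   = 'system.webServer/security/requestFiltering/requestLimits'
$Required = 65536          # value the article prescribes
$Paths    = @(
    'IIS:\Sites\Default Web Site\certsrv',           # CA / NDES server
    'IIS:\Sites\Default Web Site\ias_relay_server'   # CA MDM Relay Server (default vdir name)
)

# Audit each SCEP-facing virtual directory; raise the limit only where it is too small.
foreach ($p in $Paths) {
    if (-not (Test-Path $p)) { Write-Warning "$p not found, skipping"; continue }
    $cur = [int](Get-WebConfigurationProperty -PSPath $p -Filter $Filter -Name maxQueryString).Value
    if ($cur -lt $Required) {
        Write-Host "$p : maxQueryString=$cur -> raising to $Required"
        Set-WebConfigurationProperty -PSPath $p -Filter $Filter -Name maxQueryString -Value $Required
    } else {
        Write-Host "$p : maxQueryString=$cur (ok)"
    }
}

# Confirm the symptom in IIS W3C logs: requests for mscep.dll answered with
# sc-status 404 and sc-substatus 15 (query string too long). Field indices
# assume the default IIS 7 field order used in the article's log excerpt:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
function Find-ScepQueryStringDenials {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.StartsWith('#')) { continue }          # skip W3C header lines
        $f = $line -split ' '
        if ($f.Count -ge 12 -and $f[4] -like '*mscep.dll' -and $f[10] -eq '404' -and $f[11] -eq '15') {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; Client = $f[8]; QueryLength = $f[5].Length }
        }
    }
}

# Constructed sample line in the article's format (query string shortened).
$sample = '2010-11-04 12:43:38 xx.xx.xx.xx GET /certsrv/mscep/mscep.dll ' +
          'operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJ 80 - 10.188.117.101 ' +
          'Settings/1.0+CFNetwork/467.12+Darwin/10.3.1 404 15 0 812'
Find-ScepQueryStringDenials -Lines @($sample) | Format-Table -AutoSize

# Against the real logs on the NDES server (default log directory assumed):
# Find-ScepQueryStringDenials -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log')
```

A QueryLength well above the current maxQueryString for a client that later enrolls successfully after the change confirms the cause; the audit loop changes nothing when the limit is already at or above 65536.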

Environment

Release:
Component: MDM