Profile Failed to Install: The SCEP server returned an invalid response

Article: TECH185305  |  Created: 2012-03-29  |  Updated: 2012-03-29
Article Type: Technical Solution



Enrollment of an iOS5 device fails to install the MDM profile.



Symantec Mobile Management 7.1 SP1

Windows 2008 R2


By default, IIS 7/7.5 security is too restrictive to permit iOS5 devices to enroll via SCEP.
With the out-of-the-box settings, enrollment fails and the following error is written to the Application event log:

Log Name: Application
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Date: {DATE.EN_US}
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag.

The IIS logs will show something similar to the following line when the iOS5 device attempts to send its certificate enrollment to the NDES server:
2010-11-04 12:43:38 GET /certsrv/mscep/mscep.dll operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJGSIb3DQEHAaCAJIAEggSTMIAG%0 . . . . . EMPlcwhmd8c1XAAAAAAAAA%3D%3D%0A 80 - Settings/1.0+CFNetwork/467.12+Darwin/10.3.1 404 15 0 812

This is a 404.15 error (Request Filtering: Denied because query string too long), shown near the end of the log line as status 404 with substatus 15. It means that the query string sent in the HTTP URL is longer than IIS allows by default. In the scenario above, the iPad was sending a string of over 2700 characters, but the default size allowed by request filtering is 1024. The default is kept low to mitigate buffer overrun attacks.


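To raise the limit, run the following IIS appcmd.exe command. The value 3072 leaves headroom above the roughly 2700 characters observed while keeping the query string bounded, and /commit:apphost writes the change to applicationHost.config: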

%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"3072" /commit:apphost
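
To confirm that enrollment failures come from this limit, and to size maxQueryString from real traffic, the IIS log can be scanned for 404.15 responses on the SCEP endpoint. The Python script below is an added example, not part of the original article; the log lines and field layout in SAMPLE_LOG are constructed, and the function names are hypothetical.

```python
"""Find SCEP requests that IIS request filtering rejected with 404.15."""

SCEP_STEM = "/certsrv/mscep/mscep.dll"  # endpoint path from the IIS log above


def rejected_scep_requests(lines):
    """Yield (date, time, query_length) for each 404.15 on the SCEP endpoint.

    Column positions are read from the W3C "#Fields:" directive, so the
    parser follows whatever field set the site is configured to log.
    """
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        if (row.get("cs-uri-stem", "").lower() == SCEP_STEM
                and row.get("sc-status") == "404"
                and row.get("sc-substatus") == "15"):
            yield row.get("date"), row.get("time"), len(row.get("cs-uri-query", ""))


def largest_rejected_query(lines):
    """Longest rejected SCEP query string, as logged; 0 if there is none."""
    return max((n for _, _, n in rejected_scep_requests(lines)), default=0)


# Constructed sample log (not taken from a real server).
UA = "Settings/1.0+CFNetwork/467.12+Darwin/10.3.1"
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username"
    " cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken",
    f"2012-03-29 10:00:01 GET {SCEP_STEM} operation=GetCACert&message=x 80 - {UA} 200 0 0 15",
    f"2012-03-29 10:00:03 GET {SCEP_STEM} operation=PKIOperation&message={'M' * 2700} 80 - {UA} 404 15 0 812",
    f"2012-03-29 10:00:09 GET /other.aspx q={'A' * 4000} 80 - {UA} 404 15 0 3",
]

if __name__ == "__main__":
    for date, time, length in rejected_scep_requests(SAMPLE_LOG):
        print(f"{date} {time} rejected SCEP query of {length} characters")
    print("largest:", largest_rejected_query(SAMPLE_LOG))
```

If the largest rejected length is still below the configured maxQueryString after the change, the remaining 404.15 entries on other paths are unrelated to SCEP enrollment and should be reviewed separately.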
