Profile Failed to Install: The SCEP server returned an invalid response

Article:TECH185305  |  Created: 2012-03-29  |  Updated: 2012-03-29  |  Article URL http://www.symantec.com/docs/TECH185305
Article Type
Technical Solution

Issue



Enrollment of an iOS 5 device fails to install the MDM Profile.


Error




Environment



Symantec Mobile Management 7.1 SP1

Windows 2008 R2


Cause



By default, IIS 7/7.5 security is too restrictive to permit iOS 5 devices to enroll via SCEP.
With the out-of-the-box settings, enrollment fails with the following error in the Application event log:

Log Name: Application
Source: Microsoft-Windows-NetworkDeviceEnrollmentService
Date: {DATE.EN_US}
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: {COMPUTERNAME.EN_US}
Description:
The Network Device Enrollment Service received an http message without the "Operation" tag, or with an invalid "Operation" tag.

The IIS logs will show a line similar to the following when the iOS 5 device attempts to send its certificate enrollment request to the NDES server:
2010-11-04 12:43:38 10.28.40.27 GET /certsrv/mscep/mscep.dll operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJGSIb3DQEHAaCAJIAEggSTMIAG%0 . . . . . EMPlcwhmd8c1XAAAAAAAAA%3D%3D%0A 80 - 10.188.117.101 Settings/1.0+CFNetwork/467.12+Darwin/10.3.1 404 15 0 812

This is a 404.15 error (Request Filtering: Denied because query string too long). It means that the amount of data being
sent in the HTTP URL is larger than what is allowed by default. In the scenario above, the iPad was sending a string of over 2700 characters,
but the default size allowed by request filtering is 1024. The limit exists to mitigate buffer overrun attacks.
 


Solution



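The following IIS appcmd.exe command raises maxQueryString to 3072. Because no site or application path is given, it changes the server-level setting in applicationHost.config, so the higher limit applies to every site that does not override it. To change the value, run: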

%systemroot%\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/requestFiltering /requestLimits.maxQueryString:"3072" /commit:apphost
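
Before raising the limit, it helps to confirm which URLs are actually being rejected with 404.15 and how long their query strings are. The Python script below is an added example, not part of the original article; it assumes the W3C field order of the sample log line above (or a #Fields: directive in the log), and its log lines, IP addresses and payloads are constructed.

```python
from collections import defaultdict
# Assumption: field order of the article's sample line; "#Fields:" overrides it.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
                  "sc-win32-status time-taken").split()

def query_too_long_hits(lines):
    """Yield (uri_stem, client_ip, query_length) for each 404.15 log entry."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")
        if not line or line.startswith("#") or len(values) != len(fields):
            continue  # comment, blank, or malformed entry
        rec = dict(zip(fields, values))
        if (rec.get("sc-status"), rec.get("sc-substatus")) == ("404", "15"):
            query = rec.get("cs-uri-query", "-")
            yield (rec.get("cs-uri-stem", "-").lower(), rec.get("c-ip", "-"),
                   0 if query == "-" else len(query))

def summarize(lines, proposed_limit):
    """Per URI stem: hits, clients, longest query, covered by proposed_limit?"""
    stats = defaultdict(lambda: {"hits": 0, "clients": set(), "longest": 0})
    for stem, ip, qlen in query_too_long_hits(lines):
        entry = stats[stem]
        entry["hits"] += 1
        entry["clients"].add(ip)
        entry["longest"] = max(entry["longest"], qlen)
    return {stem: {"hits": e["hits"], "clients": len(e["clients"]),
                   "longest": e["longest"], "covered": e["longest"] <= proposed_limit}
            for stem, e in stats.items()}

def sample_log():
    """Constructed log lines (not real traffic) in the article's field order."""
    scep = "operation=PKIOperation&message=" + "A" * 2700   # constructed payload
    other = "q=" + "B" * 5000                                # constructed payload
    row = "2012-03-29 10:00:0{n} 192.0.2.10 GET {stem} {q} 80 - {ip} Test/1.0 {st} {sub} 0 15"
    return [
        row.format(n=1, stem="/certsrv/mscep/mscep.dll", q=scep, ip="198.51.100.7", st=404, sub=15),
        row.format(n=2, stem="/certsrv/mscep/mscep.dll", q="operation=GetCACaps", ip="198.51.100.7", st=200, sub=0),
        row.format(n=3, stem="/app/search.aspx", q=other, ip="203.0.113.9", st=404, sub=15),
    ]

if __name__ == "__main__":
    print(summarize(sample_log(), proposed_limit=3072))
```

A stem other than /certsrv/mscep/mscep.dll in the output, or one that is still not covered at 3072, is a request the SCEP fix was not meant to admit and should be reviewed rather than used as a reason to raise the limit further.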



