BEA-090156 Invalid identity certificate signature:

I have a PFX format certificate and private key for my WebLogic 9.2 server. I followed all necessary steps of importing the private key and certificates into the correct keystores. But I got an "Invalid identity certificate signature" error when my WebLogic server starts. I am able to import this PFX file into my Internet Explorer 6 and view its details. So how would I go about resolving this issue? Thanks.

If you want to use keytool to self-sign the certificate, use the commands below.
Command to generate the certificate:
keytool -genkey -alias pidcbox1 -keyalg RSA -keysize 1024 -keypass mykeypass -keystore pidcbox1identity.jks -storepass mystorepass
Command to check the certificate:
keytool -list -v -keystore pidcbox1identity.jks -storepass mystorepass
Command to self-sign the certificate:
keytool -selfcert -v -alias pidcbox1 -keypass mykeypass -keystore pidcbox1identity.jks -storepass mystorepass -storetype jks
Thanks
Rahul Gupta

Similar Messages

  • BEA-090156 Invalid identity certificate signature with custom stores

    How does one go about resolving BEA-090156 <Invalid identity certificate signature> when using custom keystores? As I have DoD certificates with a root that isn't in the standard JDK keystore, how does one go about resolving this issue? I created the keystores with the DoD certs, but get this message when trying to use them. Please advise.
    Thanks.

    The solution is that the certificates in tempcertfile.crt must be in the correct order. The order must be:
    Identity certificate
    Intermediate certificate
    Root certificate
    The identity certificate can be located easily in tempcertfile.crt since there must be a header that shows the identity: information such as the name of a person or an organization, their address, and so forth. The intermediate certificate will be the last certificate in the tempcertfile.crt.
    After I changed the order of the certificates it worked fine.
    Regards, Steffen

  • Java.io.IOException: Invalid identity certificate signature

    Hi,
    My WebLogic 11g is running on a Windows Server 2008 64-bit server. I have obtained a certificate with private key for this Windows server. Now I would like to use this certificate and private key for my WebLogic server.
    What I have done:
    1. Exported server certificate using mmc.exe to my_domain.pfx
    2. Extracted my certificates and key with OpenSSL:
    openssl pkcs12 -in my_domain.pfx -out tempcertfile.crt -nodes
    3. Cut and pasted the section
    -----BEGIN RSA PRIVATE KEY-----
    (Block of Encrypted Text)
    -----END RSA PRIVATE KEY-----
    of the generated tempcertfile.crt to file my_domain.key
    4. Copied the second set of -----BEGIN CERTIFICATE----- & -----END CERTIFICATE----- from tempcertfile.crt to file TrustedRoot.crt
    5. Used keytool to create a new trust certificate keystore:
    keytool -import -trustcacerts -file TrustedRoot.crt -alias server -keystore new_trust_keystore.jks -storepass NEWPASSWORD
    where NEWPASSWORD is the new password of the keystore
    6. Used utils.ImportPrivateKey to create a new identity certificate keystore:
    java utils.ImportPrivateKey -keystore new_identity_keystore.jks -storepass NEWPASSWORD -storetype JKS -keypass NEWPASSWORD -alias server -certfile tempcertfile.crt -keyfile my_domain.key -keyfilepass PFXPASSWORD
    7. Configured WebLogic to use the new trust and identity certificate keystores
    When I try to start the WebLogic server it shuts down again with the following log:
    ####<22-03-2012 07:10:42 CET> <Critical> <WebLogicServer> <HID-1041559> <AdminServer> <main> <<WLS Kernel>> <> <> <1332396642889> <BEA-000362> <Server failed. Reason:
    There are 1 nested errors:
    java.io.IOException: Invalid identity certificate signature: [***]
    at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:64)
         at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:296)
         at weblogic.server.channels.AdminPortService.bindListeners(AdminPortService.java:76)
         at weblogic.server.channels.EnableAdminListenersService.start(EnableAdminListenersService.java:39)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    Caused by: weblogic.management.configuration.ConfigurationException: Invalid identity certificate signature: [***]
    Does anybody know what I'm doing wrong?
    Thanks in advance, Steffen

    The solution is that the certificates in tempcertfile.crt must be in the correct order. The order must be:
    Identity certificate
    Intermediate certificate
    Root certificate
    The identity certificate can be located easily in tempcertfile.crt since there must be a header that shows the identity: information such as the name of a person or an organization, their address, and so forth. The intermediate certificate will be the last certificate in the tempcertfile.crt.
    After I changed the order of the certificates it worked fine.
    Regards, Steffen
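A way to check, and repair, the ordering Steffen describes in both threads above before the bundle is handed to utils.ImportPrivateKey. This is an added Python example (standard library only; not code from the original posts or from WebLogic): it parses the PEM bundle that `openssl pkcs12 -nodes` writes, pulls the raw issuer and subject Names out of each certificate's DER, verifies that every certificate is followed by its issuer and that the last one is self-signed, and `reorder_chain` rewrites the bundle as key, identity, intermediate(s), root by following the issuer links. The certificates in the block are constructed, unsigned fixtures that only mimic the X.509 structure; the function names are this example's own.

```python
import base64
import re

# One PEM block: group 1 = label (e.g. CERTIFICATE), group 2 = base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in a bundle."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def to_pem(label, der):
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


def der_tlv(buf, pos):
    """Decode one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Return [(tag, whole_element_bytes)] for the members of a SEQUENCE or SET."""
    out, pos = [], start
    while pos < end:
        tag, _, nxt = der_tlv(buf, pos)
        out.append((tag, buf[pos:nxt]))
        pos = nxt
    return out


def cert_names(cert_der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name bytes.

    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
        issuer, validity, subject, subjectPublicKeyInfo, ... }
    Byte-for-byte Name comparison is stricter than RFC 5280 matching, but a CA
    encodes its own name identically in every certificate it issues.
    """
    _, start, end = der_tlv(cert_der, 0)            # outer Certificate SEQUENCE
    _, tbs = der_children(cert_der, start, end)[0]  # first member is tbsCertificate
    _, start, end = der_tlv(tbs, 0)
    fields = der_children(tbs, start, end)
    if fields[0][0] == 0xA0:                        # skip the explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]


def chain_order_errors(pem_text):
    """Problems with the order WebLogic expects: identity, intermediate(s), root."""
    certs = [cert_names(d) for label, d in pem_blocks(pem_text) if label == "CERTIFICATE"]
    if not certs:
        return ["no CERTIFICATE blocks found"]
    problems = [f"certificate #{i + 1} is not issued by certificate #{i + 2}"
                for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    if certs[-1][0] != certs[-1][1]:
        problems.append("last certificate is not self-signed: root missing or misplaced")
    return problems


def reorder_chain(pem_text):
    """Rewrite the bundle with private key block(s) first, then certs leaf -> root."""
    blocks = pem_blocks(pem_text)
    keys = [(l, d) for l, d in blocks if l.endswith("PRIVATE KEY")]
    certs = [(d, *cert_names(d)) for l, d in blocks if l == "CERTIFICATE"]
    by_subject = {c[2]: c for c in certs}
    issuers = {c[1] for c in certs if c[1] != c[2]}    # names that sign another cert
    leaves = [c for c in certs if c[2] not in issuers]  # the identity cert signs nothing
    if len(leaves) != 1:
        raise ValueError(f"expected one leaf certificate, found {len(leaves)}")
    ordered, cur = [leaves[0]], leaves[0]
    while cur[1] != cur[2]:                            # follow issuer links up to the root
        cur = by_subject.get(cur[1])
        if cur is None or cur in ordered:
            break                                      # incomplete bundle or a loop
        ordered.append(cur)
    return ("".join(to_pem(l, d) for l, d in keys)
            + "".join(to_pem("CERTIFICATE", c[0]) for c in ordered))


def _der(tag, content):
    """Tiny DER encoder, used only to build the constructed fixtures below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(subject_cn, issuer_cn):
    """Constructed fixture shaped like an X.509 cert; no real key, no real signature."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")            # version, serial
                     + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
                     + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


# Constructed bundle in the order the poster started with: root first, identity last.
WRONG_ORDER = (to_pem("RSA PRIVATE KEY", b"placeholder key bytes, not a real key")
               + to_pem("CERTIFICATE", fake_cert("Root CA", "Root CA"))
               + to_pem("CERTIFICATE", fake_cert("Intermediate CA", "Root CA"))
               + to_pem("CERTIFICATE", fake_cert("server.example", "Intermediate CA")))
```

To use it on a real bundle, read tempcertfile.crt into a string and pass it to `chain_order_errors`; an empty list means the file is already in identity, intermediate, root order. `reorder_chain` returns the rewritten text to save as the new certfile; the private key block is carried through unchanged so the same file can still be split into my_domain.key as in step 3 above.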

  • Windows 8.1 update & invalid security certificate errors

    I set up my new PC 2 days ago running Windows 8.1. I was able to visit all websites, including secure ones, w/no issues via Firefox. Last night, suddenly I was unable to access many secure websites. These include Google (Gmail) & Ilines (email). Here is a copy of the Google error:
    "mail.google.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"
    There is no button to bypass, as I have seen in the past. I tried deleting cert8.db which didn't resolve anything. I have also tried adding exceptions which also don't resolve the issue.
    I searched support & found the link for the MS document (link below) indicating that FF & Windows Family Safety certificates are not playing nice.
    http://support.microsoft.com/kb/2965142/en-us#appliesto
    I tried to follow the guide, but when I get to step 6, there is no Microsoft Family Safety Certificate in the Trusted Root Certificates Authorities to export. For reference, I do not specifically have Family Safety enabled & am running my PC as admin, no other users. I personally have no use for this but it is my understanding that it cannot be uninstalled, either.
    I have spent hours researching & making adjustments to different settings to no avail. It is frustrating enough setting up a new PC & transferring info w/out this extra hassle. Does anyone have any other suggestions? FF is my preferred browser, but if this can't be resolved I will need to use something else so that I can access these important websites.

    Thanks for the feedback cor-el. Here are the results:
    1. Installed Kaspersky certificate per link= no change
    2. Turned off Kaspersky= able to log in to Gmail but not the other secure sites I am having probs with
    3. Booted in Safe Networking mode= able to log in to Gmail but not the other secure sites. Same blocking errors on Gmail, etc when returned to reg mode.
    Just FYI, I get 2 different secure connection errors:
    Gmail: "mail.google.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"
    Ilines: "Secure Connection Failed An error occurred during a connection to mail.ilines.net. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature)"

  • WS-Security: Fail to configure Keystore and Identity Certificates

    Hi,
    This is my first question here!
    I want to set up a secure web service. Following the "Web Services Security Guide", I set up the keystore and identity certificates with a keystore that contains two certificates created by me, and I set the keys to be used for signature and encryption. I did not define any method for authentication.
    I deployed the application to the server (oc4j_extended_101350) and up to this point apparently everything went well.
    I created a web service proxy to test the web service with JDeveloper, but when I call the web service method the server responds with the error:
    java.rmi.ServerException:
    start fault message:
    Internal Server Error
    : End fault message
    at oracle.j2ee.ws.client.StreamingSender._raiseFault (StreamingSender.java: 571)
    at oracle.j2ee.ws.client.StreamingSender._sendImpl (StreamingSender.java: 401)
    at oracle.j2ee.ws.client.StreamingSender._send (StreamingSender.java: 114)
    at clientmessageoc4jstda.proxy.runtime.MyWebService1SoapHttp_Stub.getHelloWorld (MyWebService1SoapHttp_Stub.java: 77)
    at clientmessageoc4jstda.proxy.MyWebService1SoapHttpPortClient.getHelloWorld (MyWebService1SoapHttpPortClient.java: 42)
    at clientmessageoc4jstda.proxy.MyWebService1SoapHttpPortClient.main (MyWebService1SoapHttpPortClient.java: 30)
    On the server the following error occurs:
    ERROR OWS-04005 error has occurred on port: () http://messagelevelsecurity/ MyWebService1SoapHttpPort: oracle.j2ee.ws.common.soap.fault.SOAP11FaultException: java.lang.NullPointerException.
    The client and server are not in the same directory.
    The class exposed by the web service is a simple Hello World.
    public class HelloWorld {
        public HelloWorld() {
        }
        public String getHelloWorld() {
            return "Hello World";
        }
    }
    Thanks in advance
    I apologize for my English

    I had to add outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference"); to the client code and it started working!

  • Safari 5.1.7 "Invalid URL" & "certificate not valid"-Google won't even work! HELP

    I have the newest version of Safari and as far as I know everything else on my computer is up-to-date. I checked for a software update and it claims everything is up to date. This has been happening for a little while and started with the invalid site certificates. I never was sure if I should click "continue" or "cancel". I first was clicking cancel and continue trying to see what changed. Cancel would keep me on the same page (I think, if I remember correctly) and continue would usually take me to the desired site. But recently this problem with site certificates has been happening more and more on different sites (I believe it began on facebook; and on sites I use daily). I just tried to google the problem and of course a web page of "Invalid URL" comes up. So I tried to see if it would work on a different browser (Firefox and Chrome); I had the same problem on those two, too, which makes me think it is a Google problem. However, this happens on other sites, such as facebook, and the site doesn't work for a little while (usually a period of X minutes). Even when I completely quit Safari, this doesn't change.
    I reset Safari tonight, and I've cleared the cookies, and I've emptied the cache, but nothing seems to be working. I'm starting to wonder if there is a way to downgrade just one version of Safari to see if maybe this is a bug on this version of Safari, but I have no idea if that's possible or if it'll work.
    Please help!

    I hear ya...irritating as ****. It's on all the other I've followed the other threads and tried the fixes, so far nothing. Hit me up if you ever find a workable solution other than going back to a PC. :s You'd think Apple would've fixed this by now, cause they're supposedly very very very very good.

  • After upgrading to Firefox 10.0.2 there is no way to proceed to a website with an invalid security certificate. How do you proceed to these websites in the new release? The fault page only has a button that says "Try again."

    Using Firefox 10.0.2 for Mac.
    In trying to proceed to various websites (corporate such as dlnet.delta.com (expired certificate), government such as https://www.homeport.navy.mil/links/owa-navy-links/ ) with "invalid" security certificates, Firefox 10.0.2 does not have a button on the error page to continue on to the website. How can you do this using Firefox 10.0.2? I have not found any settings in Firefox preferences to enable this capability either.
    Thanks.

    Start Firefox in [[Safe Mode]] to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance/Themes).
    *Don't make any changes on the Safe mode start window.
    *https://support.mozilla.org/kb/Safe+Mode
    *https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes

  • Invalid security certificate for my website host; they say the problem is Apple Safari and to use Firefox instead

    For the past few days, I keep getting an invalid security certificate in Safari whenever I select Edit My Site from my website homepage (http://annaporterartist.com), or whenever I select anything requiring a secure log in from my website host main page (FASO.com). I have contacted technical support at my website host (fineartstudioonline.com) and they say that this has been an intermittently recurring problem in Safari for years and they recommend that I use Firefox instead. As proof of this they emailed a link to an Apple Support discussion, but it was for Mac OS X Lion v 10.7.4 and Safari 5.1, even though I told them I am using Mac OS X Mountain Lion v 10.8.2 and Safari 6.0.2. I do not get this error message anywhere else on the web using Safari. I did try Firefox and it seems to work fine, but I prefer Safari and I want to know why Safari is not working as it should be. I am concerned that there is a real security problem with my website host and I need someone to explain why I am getting this error message, what it means, and if it is, in fact, a known problem with Safari or is my website host corrupted? Really tired of technical support playing pass the buck or pretending the problem does not exist.
    The specific error message is:
    Their response to my inquiry and my reply is shown below:

    Back up all data.
    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
    From the menu bar, select
    Keychain Access ▹ Preferences ▹ Certificates
    There are three menus in the window. What is selected in each of them?

  • Invalid issuer or signature.

    I approached an app, and got this error when getting the current SharePoint user.
    I'm not sure why this happens; it works normally on other SharePoint sites.
    Any help would be great.
    Invalid issuer or signature.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    Exception Details: System.IdentityModel.Tokens.SecurityTokenException: Invalid issuer or signature.
    Source Error:
    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
    Stack Trace:
    [SecurityTokenException: Invalid issuer or signature.]
    Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.VerifySignature(String signingInput, String signature, String algorithm, SecurityToken signingToken) +873
    Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadTokenCore(String token, Boolean isActorToken) +498
    Microsoft.IdentityModel.S2S.Tokens.JsonWebSecurityTokenHandler.ReadToken(String token) +7
    RLTC.FE.SharePointAppWeb.TokenHelper.ReadAndValidateContextToken(String contextTokenString, String appHostName) +32
    RLTC.FE.SharePointAppWeb.TokenHelper.GetClientContextWithContextToken(String targetUrl, String contextTokenString, String appHostUrl) +18
    RLTC.FE.SharePointAppWeb.Common.Utility.GetCurrentUserName() +184
    RLTC.FE.SharePointAppWeb.Common.RLTCBasePage.Page_Init(Object sender, EventArgs e) +22
    System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +51
    System.Web.UI.Control.OnInit(EventArgs e) +92
    System.Web.UI.Page.OnInit(EventArgs e) +12
    System.Web.UI.Control.InitRecursive(Control namingContainer) +134
    System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +489

    If you are using a service account, then use a different account. Apps have issues with service accounts.
    http://sharepoint.stackexchange.com/questions/51046/invalid-issuer-or-signature-error-in-autohosted-app-sharepoint-2013
    Uninstall the app, then in the Office 365 Admin Center, click apps then
    App Permissions. Delete any app permissions left behind for your app, and install the app again.
    I think what was happening was that it was using the wrong set of permissions and sending the app an invalid token.
    I resolved it by editing the permissions my app needed for the host web. Originally I was just leaving it blank, but setting those permissions explicitly in the manifest got it working.
    http://blogs.technet.com/b/projectsupport/archive/2014/01/13/sharepoint-2013-workflow-token-contains-invalid-signature.aspx

  • The enrollment server did not provision a valid identity certificate

    I'm working on rolling my own MDM service, and I'm trying to combine the SCEP and MDM payloads as the MDM protocol document from Apple suggests. I created my own SCEP web service in C# .Net and I know that the device can get a valid certificate when I just send the SCEP payload. However when I also include an MDM payload that points to the SCEP payload's UUID via the IdentityCertificateUUID key, I get the following error, "The enrollment server did not provision a valid identity certificate." This configuration is the one that is sent after the user chooses to install the initial enrollment configuration (step 1 of phase 2 in this diagram).
    The device doesn't appear to even make an attempt at connecting to my server, and thanks to server-side logging I know that it never reaches my SCEP web service page. This seems to indicate that there's something wrong with the certificate I use to sign the payload. I've separately tried signing it with my SSL certificate (from a pre-trusted root authority), my customer MDM push certificate (chained from our vendor cert), and my self-signed root certificate authority certificate (created via makecert.exe) that the SCEP service uses to issue new certificates (i.e. device identity certificates).
    I've looked at the output from the iPCU (iPhone Configuration Utility) when I create a profile with both the MDM and SCEP payloads, and it isn't a valid profile (I've even tried copying it nearly wholesale). However when I install the profile via the iPCU the error doesn't come up and it begins the SCEP enrollment process without issue.
    A side note - using a preexisting MDM vendor is not an option here.
    Below is the profile I'm using:
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
            <dict>
              <key>PayloadContent</key>
              <array>
                <dict>
                  <key>PayloadContent</key>
                  <dict>
                    <key>Challenge</key>
                    <string>this is a challenge</string>
                    <key>Key Type</key>
                    <string>RSA</string>
                    <key>Key Usage</key>
                    <integer>5</integer>
                    <key>Keysize</key>
                    <integer>1024</integer>
                    <key>Name</key>
                    <string>mycompany</string>
                    <key>Retries</key>
                    <integer>3</integer>
                    <key>RetryDelay</key>
                    <integer>0</integer>
                    <key>Subject</key>
                    <array><array><array>
                      <string>CN</string>
                      <string>mycompany</string>
                    </array></array></array>
                    <key>URL</key>
                    <string>https://mysite.com/scep.aspx</string>
                  </dict>
                  <key>PayloadDescription</key>
                  <string>Configures SCEP</string>
                  <key>PayloadDisplayName</key>
                  <string>SCEP (mycompany)</string>
                  <key>PayloadIdentifier</key>
                  <string>com.mycompany.mdm.scep1</string>
                  <key>PayloadOrganization</key>
                  <string></string>
                  <key>PayloadType</key>
                  <string>com.apple.security.scep</string>
                  <key>PayloadUUID</key>
                  <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                </dict>
                <dict>
                  <key>AccessRights</key>
                  <integer>3</integer>
                  <key>CheckInURL</key>
                  <string>mysite.com/checkin.aspx</string>
                  <key>CheckOutWhenRemoved</key>
                  <false/>
                  <key>IdentityCertificateUUID</key>
                  <string>57225d3d-0758-4d23-8093-e4d8c9bbd47c</string>
                  <key>PayloadDescription</key>
                  <string>Configures MobileDeviceManagement.</string>
                  <key>PayloadIdentifier</key>
                  <string>com.mycompany.mdm.mdm2</string>
                  <key>PayloadOrganization</key>
                  <string></string>
                  <key>PayloadType</key>
                  <string>com.apple.mdm</string>
                  <key>PayloadUUID</key>
                  <string>ed0ae41d-1aa7-4721-9fe9-139c1072132c</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                  <key>ServerURL</key>
                  <string>https://mysite.com/checkin.aspx</string>
                  <key>SignMessage</key>
                  <false/>
                  <key>Topic</key>
                  <string>com.apple.mgmt.mypushsubject</string>
                  <key>UseDevelopmentAPNS</key>
                  <true/>
                </dict>
              </array>
              <key>PayloadDescription</key>
              <string>Profile description.</string>
              <key>PayloadDisplayName</key>
              <string>Test Profile</string>
              <key>PayloadIdentifier</key>
              <string>com.mycompany.mdm</string>
              <key>PayloadOrganization</key>
              <string>mycompany</string>
              <key>PayloadRemovalDisallowed</key>
              <false/>
              <key>PayloadType</key>
              <string>Configuration</string>
              <key>PayloadUUID</key>
              <string>13321058-4037-478c-9b1e-ef6f810065cb</string>
              <key>PayloadVersion</key>
              <integer>1</integer>
            </dict>
          </plist>

    I got in touch with Apple about this.
    Apparently you want to send the combined MDM & SCEP payload in step 2 of phase 3 of the diagram I linked in my question, which is the profile that's sent after OTA enrollment. According to Apple you need two separate certificates (which means two SCEP enrollments): one for OTA enrollment, and one for MDM enrollment.
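The profile posted above can be sanity-checked before it is signed and served. The following is an added Python example, standard library only and not code from Apple or from the poster: it parses the profile with plistlib, confirms that every com.apple.mdm payload's IdentityCertificateUUID resolves to a com.apple.security.scep payload in the same profile, and flags URLs that are not https and RSA key sizes below 2048 bits. The embedded profile is a trimmed, constructed copy of the posted one and deliberately keeps the scheme-less CheckInURL as posted; the `sample_profile` and `lint_profile` names are this example's own. A file-level lint cannot catch the phase problem Apple pointed out, which is a property of the enrollment flow rather than of the profile.

```python
import plistlib
from urllib.parse import urlparse

SCEP_TYPE = "com.apple.security.scep"
MDM_TYPE = "com.apple.mdm"
MIN_RSA_BITS = 2048                                   # 1024-bit RSA, as posted, is weak
SCEP_UUID = "57225d3d-0758-4d23-8093-e4d8c9bbd47c"    # SCEP PayloadUUID from the posted profile


def sample_profile(identity_ref=SCEP_UUID):
    """Constructed, trimmed copy of the posted profile (only the keys the linter reads).

    identity_ref lets a test point the MDM payload at a UUID that is not in the file.
    """
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadContent</key>
      <dict>
        <key>Key Type</key><string>RSA</string>
        <key>Keysize</key><integer>1024</integer>
        <key>URL</key><string>https://mysite.com/scep.aspx</string>
      </dict>
      <key>PayloadIdentifier</key><string>com.mycompany.mdm.scep1</string>
      <key>PayloadType</key><string>{SCEP_TYPE}</string>
      <key>PayloadUUID</key><string>{SCEP_UUID}</string>
    </dict>
    <dict>
      <key>CheckInURL</key><string>mysite.com/checkin.aspx</string>
      <key>IdentityCertificateUUID</key><string>{identity_ref}</string>
      <key>PayloadIdentifier</key><string>com.mycompany.mdm.mdm2</string>
      <key>PayloadType</key><string>{MDM_TYPE}</string>
      <key>PayloadUUID</key><string>ed0ae41d-1aa7-4721-9fe9-139c1072132c</string>
      <key>ServerURL</key><string>https://mysite.com/checkin.aspx</string>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>13321058-4037-478c-9b1e-ef6f810065cb</string>
</dict></plist>
""".encode()


def lint_profile(profile_xml):
    """Return a list of findings ("error: ..." / "warn: ...") for an MDM+SCEP profile."""
    payloads = plistlib.loads(profile_xml).get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    findings = []
    for p in payloads:
        ptype, ident = p.get("PayloadType"), p.get("PayloadIdentifier", "?")
        if ptype == SCEP_TYPE:
            scep = p.get("PayloadContent", {})
            if urlparse(scep.get("URL", "")).scheme != "https":
                findings.append(f"error: {ident}: SCEP URL is not https: {scep.get('URL')!r}")
            if scep.get("Key Type", "RSA") == "RSA" and scep.get("Keysize", 0) < MIN_RSA_BITS:
                findings.append(f"warn: {ident}: RSA Keysize {scep.get('Keysize')} is below {MIN_RSA_BITS}")
        elif ptype == MDM_TYPE:
            ref = p.get("IdentityCertificateUUID")
            target = by_uuid.get(ref)
            if target is None:
                findings.append(f"error: {ident}: IdentityCertificateUUID {ref} matches no payload in this profile")
            elif target.get("PayloadType") != SCEP_TYPE:
                findings.append(f"error: {ident}: IdentityCertificateUUID {ref} is not a SCEP payload")
            for key in ("ServerURL", "CheckInURL"):   # both must be served over TLS
                if urlparse(p.get(key, "")).scheme != "https":
                    findings.append(f"error: {ident}: {key} is not an https URL: {p.get(key)!r}")
    return findings


if __name__ == "__main__":
    for line in lint_profile(sample_profile()):
        print(line)
```

Run against the posted profile the linter reports two findings: the 1024-bit SCEP key size and the CheckInURL without an https scheme; the UUID cross-reference between the MDM and SCEP payloads is consistent, which is why the error Apple explained has to be found in the enrollment phase rather than in the file.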

  • EAP_TLS not successful, getting X509 decrypt error - certificate signature failure

    Hi
    I am trying EAP-TLS authentication on ACS 5.1.
    I have placed the Root CA of the device certificate on ACS.
    But getting this error.
    OpenSSLErrorMessage=SSL alert
    code=0x233=563 ; source=local ; type=fatal ; message="X509 decrypt error - certificate signature failure"
    OpenSSLErrorStack=  3055889312:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2649
    Can anyone help in debugging the issue? Is it a problem with the device's root CA certificate or anything else?
    Thanks

    Hi Smita,
    Similar post but with ISE:
    https://supportforums.cisco.com/thread/2135392
    Are we using SHA 2 certs anywhere here?
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp157364
    ACS 5.2 supports SHA 256.
    Rate if useful

  • Trying to register MS Word 8.5 and Firefox says Invalid security certificate.

    I tried to register MS Word 8.5 and got an error message from Firefox saying > Profile. microsoft.com uses an invalid security certificate. Error code: sec_error_unknown_issuer > I downloaded a patch that MS said I needed > kb933828 but it refuses to activate. MS Word 8.5 seems to work OK but I want to get access to other templates etc, but cannot register. Please, help if you can.
    I downloaded MS Word 8.5 and tried to register with Microsoft.

    The www.photoshopuser.com server doesn't send a required intermediate "PositiveSSL CA" certificate issued by Comodo.
    You can inspect the certificate chain via a site like this:
    *http://www.networking4all.com/en/support/tools/site+check/
    You can copy and paste the certificate text of the missing intermediate certificate on the www.networking4all.com site to a .cer text file and import the certificate(s) in the Certificate Manager.
    DON'T set any trust bits, those are only required for root certificates and should never be set for intermediate certificates.
    *Firefox > Preferences > Advanced : Encryption: Certificates - View Certificates

  • Certificate signature validation failed

    Hi!
    I'm getting nuts over how to get Active Directory to work with Java.
    I have a root certificate for the domain (supposed to work for everything according to our networking expert) but when using it I get: "Certificate signature validation failed".
    When looking in C:\ on the ADS I find another certificate but then my Java program says: "No trusted certificate found".
    So, now after much searching where I seem to find everything but what I'm looking for, I have to ask: What should I be looking for? Hopefully when looking for the right thing I will find the answers. :-)
    Thank you very much in advance
    Roland Carlsson

    Please! Anyone? How can I get a correct certificate from our ADS? The certificate server is on our Exchange server. I have a certificate that is supposed to work all over the domain and I have checked several other certificates that I found on our servers but I still haven't found anything that works.
    I would really like to get some ideas about how to find the working one.
    Thanks in advance
    Roland

  • Adobe XI: when I use the signature option and try to use the rectangle, it gives the option of certificate signature and does not give me webcam or digital signature or any other option to sign

    When I use the signature option and try to use the rectangle, it gives the option of certificate signature and does not give me webcam or digital signature or any other option to sign. I have downgraded to Adobe X; no options show. I have upgraded back to XI, no change. I am currently using the free software.

    There are two types of signatures in PDF: electronic signatures, which are just images (stamps, text, image) and digital signatures.
    If you want to use electronic signatures in Acrobat XI go to Fill&Sign->Place Signature. If a drag rectangle for the digital signature dialog comes up, you have selected digital signatures and Acrobat/Reader remembered it. Cancel it, go back to Fill&Sign->Place Signature and click a triangle to the left of "Place Signature". Then click on "Changed Saved Signature" and select the electronic signature type you want to use.
    If you want to use digital signatures you can create custom digital signature appearance. Go to Edit->Preferences->Signatures->Creation&Appearance->More. In the "Appearances" section click "New". You will be presented with the dialog that allows you to create a custom appearance. If you want to put there your picture or image of your ink signature, you need to prepare this image as a file beforehand, select "Image" radio button, browse to the location of your image file. In Reader you can use only PDF as your image file. In Acrobat you can use many more file formats: JPEG, PNG, etc.

  • Windows 8.1 Device Identity Certificate

    I am implementing Windows 8.1 MDM and seem to be stuck on the Certificate Enrollment web service step.
    I am sending the response below and the Windows client seems to be proceeding further by sending DM Initialization and responding to SyncML requests from the server.
    I also can see the certificate using certmgr under Certificate->Personal->Certificates, where the certificate is marked as "Valid" and notes that the device has a private key that corresponds to the certificate.
    The CA is a self-signed CA and the CA certificate is placed under Root/System in the wap-provisioning response (see below).
    However, I expected to see the client identity certificate be a part of all SyncML requests coming from the client.
    Should the client send the identity certificate with SyncML messages? If yes, what could be wrong in the way I set the certificate?
    If no, what is the right way to get the device certificate?
    <wap-provisioningdoc version="1.1">
    <!-- This contains information about issued and trusted certificates. -->
    <characteristic type="CertificateStore">
    <!-- This contains trust certificates. -->
    <characteristic type="Root">
    <characteristic type="System">
    <!--The thumbprint of the certificate to be added to the trusted root store -->
    <characteristic type="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2">
    <!-- Base64 encoding of the trust root certificate -->
    <parm name="EncodedCertificate" value="MIIDbzCCAlegAwIBAgIJAKZI3oplYTv2MA0GCSqGSIb3DQEBCwUAME4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UECgwNQXBwZGlnaW8gVGVzdDEaMBgGA1UEAwwRQXBwZGlnaW8gVGVzdCBNRE0wHhcNMTQwODE0MDU1NDE5WhcNMjUwNzI3MDU1NDE5WjBOMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAoMDUFwcGRpZ2lvIFRlc3QxGjAYBgNVBAMMEUFwcGRpZ2lvIFRlc3QgTURNMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyOxdnl8PEtvfyhPzj9ANeLKF3YR6nFvOuIKHW/HDXAMIodtcRSf2qyPEZ3+l5f2/TZojjX401AnQeBdSKijdkKWqLboxp6237ZVdlezT1Xw7c6dmxJUwDKekUhEHJd6Ru8Rsu7c0Bzn79F7LOEGkNkGGy+LG12xzwDwg+tx3GZwVRfoMZcjtJNM9vwZCxrkgjYvJPDUl2yIca7MTl61w1wSZaOpnd2xJNbsIC3myD6oXIJoeVTEQE+XXlZcKGYs1Puv0ekdZt4P2+XUj3grHD7+XTqu0oPLFQRw0mbjyFbw4c6/8HDOrHYXr1SkHL5rm21eaN84ssFzXdf0aF2RY3wIDAQABo1AwTjAdBgNVHQ4EFgQUJRCDC1HaVsVZF8uMeakHmBrDwEIwHwYDVR0jBBgwFoAUJRCDC1HaVsVZF8uMeakHmBrDwEIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAncr1ZHB6wuwGaQXGvdVXF22VVLU41ojkw4EcU6/5H+LiRwBGpgDSwPnssqia+/zNukEI8s1zxbo3UHOS29hGFwEPKlsYVzbCaAnXDtfmMrxG8FmoSCEmcoYbCg0nEGsQXPbdgbwsF7V2equclxouvAHs36j0qNoIqu2Mwmkf6XBaLKEFiJ4nX89AFqNLDq5TjrJ9lSG6WnM3l8Gn4c28FPsPnrvtuoNNX4nBTJOXe57h48raawvN3UAstSGsofgQV1rbHj+qZ9EnIdiaaUVZk54CVY8Ic+4Z/8v18Z06s/2bMwHEgd+tICHdCPL9cs4SJNZ2vTick93rtYtMNYE8cA==" />
    </characteristic>
    </characteristic>
    </characteristic>
    <!-- This contains intermediate certificates. -->
    <!-- NOTE: WE DO NOT USE INTERMEDIATE CERTIFICATE
    <characteristic type="CA">
    <characteristic type="System">
    <characteristic type="{thumbprint}">
    <parm name="EncodedCertificate" value="{encoded intermediate cert inserted here}" />
    </characteristic>
    </characteristic>
    </characteristic>
    -->
    <characteristic type="My" >
    <characteristic type="User">
    <!-- Client certificate thumbprint. -->
    <characteristic type="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E">
    <!-- Base64 encoding of the client certificate -->
    <parm name="EncodedCertificate" value="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" />
    <characteristic type="PrivateKeyContainer">
    <parm name="KeySpec" value="2"/>
    <parm name="ContainerName" value="ConfigMgrEnrollment"/>
    <parm name="ProviderType" value="1"/>
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    <!-- Contains information about the management service and configuration
    for the management agent -->
    <characteristic type="APPLICATION">
    <parm name="APPID" value="w7"/>
    <!-- Management Service Name. -->
    <parm name="PROVIDER-ID" value="TestMDM"/>
    <parm name="NAME" value="TestMDM"/>
    <!-- Link to an application that the management service may provide
    eg a Windows Store application link.
    The Enrollment Client may show this link in its UX.-->
    <!--
    <parm name="SSPHyperlink" value="http://go.microsoft.com/fwlink/?LinkId=255310" />
    -->
    <parm name="SSPHyperlink" value="https://192.168.1.121:8080" />
    <!-- Management Service URL. -->
    <parm name="ADDR" value="https://192.168.1.121:8080/server/mdm/windows/mdm.svc" />
    <parm name="ServerList" value="https://192.168.1.121:8080/server/mdm/windows/mdm.svc" />
    <parm name="ROLE" value="4294967295"/>
    <!-- Discriminator to set whether the client should do Certificate Revocation List
    checking. -->
    <parm name="CRLCheck" value="0"/>
    <parm name="CONNRETRYFREQ" value="6" />
    <parm name="INITIALBACKOFFTIME" value="30000" />
    <parm name="MAXBACKOFFTIME" value="120000" />
    <parm name="BACKCOMPATRETRYDISABLED" />
    <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
    <!-- Search criteria for client to find the client certificate using subject name of the
    certificate -->
    <!-- <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d%s&amp;Stores=My%5CUser" /> -->
    <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3d864e6994-872e-438c-abc7-dbc67ffe2576&amp;Stores=MY%5CSystem%EF%80%80MY%5CUser" />
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="CLIENT"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <!-- Windows Phone 8.1 documentation on page 21 says that AUTHDATA is base64 encoded -->
    <parm name="AAUTHDATA" value="bm9uY2UK"/>
    <!-- <parm name="AAUTHDATA" value="nonce"/> -->
    </characteristic>
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="APPSRV"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <!-- <parm name="AAUTHNAME" value="dummy"/> -->
    <parm name="AAUTHNAME" value="https://192.168.1.121:8080/test"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <parm name="AAUTHDATA" value="nonce"/>
    </characteristic>
    </characteristic>
    <!-- Extra Information to seed the management agent's behavior. -->
    <characteristic type="Registry">
    <characteristic type="HKLM\Security\MachineEnrollment">
    <parm name="RenewalPeriod" value="90" datatype="integer" />
    </characteristic>
    <characteristic type="HKLM\Security\MachineEnrollment\OmaDmRetry">
    <!-- Number of retries if client fails to connect to the management service. -->
    <parm name="NumRetries" value="8" datatype="integer" />
    <!--Interval in minutes between retries. -->
    <parm name="RetryInterval" value="15" datatype="integer" />
    <parm name="AuxNumRetries" value="5" datatype="integer" />
    <parm name="AuxRetryInterval" value="3" datatype="integer" />
    <parm name="Aux2NumRetries" value="0" datatype="integer" />
    <parm name="Aux2RetryInterval" value="480" datatype="integer" />
    </characteristic>
    </characteristic>
    <!-- Extra Information about where to find device identity information. This is redundant
    in that it is duplicative to what is here, but it is required in the current version of the
    protocol. -->
    <characteristic type="Registry">
    <characteristic type="HKLM\Software\Windows\CurrentVersion\MDM\MachineEnrollment">
    <parm name="DeviceName" value="" datatype="string" />
    </characteristic>
    </characteristic>
    <characteristic type="Registry">
    <characteristic type="HKLM\SOFTWARE\Windows\CurrentVersion\MDM\MachineEnrollment">
    <!--Thumbprint of root certificate. -->
    <parm name="SslServerRootCertHash" value="ED1CF6EB4BE80017DDD7A076957FC438B689A7D2" datatype="string" />
    <!-- Store for device certificate. -->
    <parm name="SslClientCertStore" value="My%5CSystem" datatype="string" />
    <!-- Common name of issued certificate. -->
    <parm name="SslClientCertSubjectName" value="CN=864e6994-872e-438c-abc7-dbc67ffe2576" datatype="string" />
    <!--Thumbprint of issued certificate. -->
    <parm name="SslClientCertHash" value="4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string" />
    </characteristic>
    <nocharacteristic type="HKLM\Security\Provisioning\OMADM\Accounts" />
    <characteristic type="HKLM\Security\Provisioning\OMADM\Accounts\037B1F0D3842015588E753CDE76EC724">
    <parm name="SslClientCertReference" value="My;System;4F18B6FF6EBC72812E4BA709C3865280DDF2EA1E" datatype="string" />
    </characteristic>
    </characteristic>
    </wap-provisioningdoc>
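A provisioning document like the one above wires together several values that have to agree with each other: the `type` attribute of each certificate characteristic is the SHA-1 thumbprint of the base64 `EncodedCertificate`, the `SslServerRootCertHash` and `SslClientCertHash` registry values must name certificates the same document installs, and `SslClientCertReference` (`Store;Location;Thumbprint`) must point at the store the client certificate was actually placed in. The script below, an added example that is not part of the thread or of any Microsoft tooling, audits those cross-references and also flags `CRLCheck="0"`, which turns off revocation checking for the management service connection. The element layout it expects is assumed from the document shown here; the certificate bytes, the account GUID and the store names in its constructed sample are placeholders, and one of the three sample documents reproduces the pattern visible above (client certificate installed under `My\User`, reference naming `My;System`, `CRLCheck` set to 0).

```python
"""Consistency audit for a Windows MDM wap-provisioningdoc.

Added example, not from the thread. Assumed layout (taken from the document
above): CertificateStore/<Store>/<Location>/<thumbprint> characteristics whose
type attribute is the SHA-1 thumbprint of the base64 EncodedCertificate, plus
Registry parms SslServerRootCertHash, SslClientCertHash and
SslClientCertReference that must refer to certificates this document installs.
"""
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET


def thumbprint(der: bytes) -> str:
    """Thumbprint as Windows displays it: uppercase hex SHA-1 over the DER bytes."""
    return hashlib.sha1(der).hexdigest().upper()


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def audit_provisioning_doc(xml_text: str) -> list:
    """Return human-readable findings; an empty list means the document is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    installed = {}  # actual thumbprint -> store path such as 'My\\User'

    for store in root.findall("./characteristic[@type='CertificateStore']/characteristic"):
        for location in store.findall("characteristic"):
            path = f"{store.get('type')}\\{location.get('type')}"
            for cert in location.findall("characteristic"):
                parm = cert.find("parm[@name='EncodedCertificate']")
                if parm is None:
                    continue
                declared = cert.get("type", "").upper()
                try:
                    der = base64.b64decode(parm.get("value", ""), validate=True)
                except (ValueError, binascii.Error):
                    findings.append(f"{path}: certificate {declared} is not valid base64")
                    continue
                actual = thumbprint(der)
                if actual != declared:
                    findings.append(f"{path}: declared thumbprint {declared} but the certificate hashes to {actual}")
                installed[actual] = path  # the store will hold it under its real thumbprint

    for parm in root.iter("parm"):
        name, value = parm.get("name"), parm.get("value", "")
        if name in ("SslServerRootCertHash", "SslClientCertHash"):
            if value.upper() not in installed:
                findings.append(f"{name} references {value}, which this document does not install")
        elif name == "SslClientCertReference":
            parts = value.split(";")
            if len(parts) != 3:
                findings.append(f"SslClientCertReference {value!r} is not Store;Location;Thumbprint")
                continue
            store_path = installed.get(parts[2].upper())
            expected = f"{parts[0]}\\{parts[1]}"
            if store_path is None:
                findings.append(f"SslClientCertReference {value} points at a certificate this document does not install")
            elif store_path.lower() != expected.lower():  # store names are case-insensitive
                findings.append(f"SslClientCertReference names store {expected} but the certificate is installed in {store_path}")
        elif name == "CRLCheck" and value == "0":
            findings.append("CRLCheck=0 disables revocation checking on the management service TLS connection")
    return findings


def build_sample_doc(root_der: bytes, client_der: bytes, client_location="User",
                     reference_location="System", crl_check="0") -> str:
    """Constructed document in the layout shown above; account GUID is a placeholder."""
    root_tp, client_tp = thumbprint(root_der), thumbprint(client_der)
    return f"""<wap-provisioningdoc>
  <characteristic type="CertificateStore">
    <characteristic type="Root"><characteristic type="System">
      <characteristic type="{root_tp}"><parm name="EncodedCertificate" value="{b64(root_der)}"/></characteristic>
    </characteristic></characteristic>
    <characteristic type="My"><characteristic type="{client_location}">
      <characteristic type="{client_tp}"><parm name="EncodedCertificate" value="{b64(client_der)}"/></characteristic>
    </characteristic></characteristic>
  </characteristic>
  <characteristic type="APPLICATION">
    <parm name="APPID" value="w7"/>
    <parm name="CRLCheck" value="{crl_check}"/>
  </characteristic>
  <characteristic type="Registry">
    <characteristic type="HKLM\\SOFTWARE\\Windows\\CurrentVersion\\MDM\\MachineEnrollment">
      <parm name="SslServerRootCertHash" value="{root_tp}" datatype="string"/>
      <parm name="SslClientCertHash" value="{client_tp}" datatype="string"/>
    </characteristic>
    <characteristic type="HKLM\\Security\\Provisioning\\OMADM\\Accounts\\PLACEHOLDER-ACCOUNT-ID">
      <parm name="SslClientCertReference" value="My;{reference_location};{client_tp}" datatype="string"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""


# Constructed placeholder bytes standing in for DER-encoded certificates (not real certificates).
ROOT_DER = b"constructed-root-certificate-bytes"
CLIENT_DER = b"constructed-client-certificate-bytes"


def demo() -> dict:
    """Audit three constructed documents and return the findings for each."""
    consistent = build_sample_doc(ROOT_DER, CLIENT_DER, client_location="System",
                                  reference_location="System", crl_check="1")
    # Same pattern as the document above: cert under My\User, reference says My;System, CRLCheck=0.
    mismatched = build_sample_doc(ROOT_DER, CLIENT_DER)
    # Root certificate bytes swapped after the thumbprint and registry hash were written.
    tampered = consistent.replace(b64(ROOT_DER), b64(b"some-other-bytes"))
    return {"consistent": audit_provisioning_doc(consistent),
            "mismatched": audit_provisioning_doc(mismatched),
            "tampered": audit_provisioning_doc(tampered)}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found or "no findings")
```

Run the audit over a real document by reading the file and passing its text to `audit_provisioning_doc`; an empty result only means the internal references line up, not that the certificates themselves are valid or trusted, so follow it with `certutil -verify` on the extracted client certificate.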

    Eric,
    I do have APPAUTH portion in the wap-provisioningdoc
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="CLIENT"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <!-- Windows Phone 8.1 documentation on page 21 says that AUTHDATA is base64 encoded -->
    <parm name="AAUTHDATA" value="bm9uY2UK"/>
    <!-- <parm name="AAUTHDATA" value="nonce"/> -->
    </characteristic>
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="APPSRV"/>
    <parm name="AAUTHTYPE" value="DIGEST"/>
    <!-- <parm name="AAUTHNAME" value="dummy"/> -->
    <parm name="AAUTHNAME" value="https://192.168.1.121:8080/test"/>
    <parm name="AAUTHSECRET" value="dummy"/>
    <parm name="AAUTHDATA" value="nonce"/>
    </characteristic>
    My Windows 8.1 (tablet, not a phone) does not send SyncML DM Auth Request. I.e. it sends session initialization, then I send a <get> command to which client responds appropriately. But no <Cred> is sent.
    I also do not see any connection attempts to the server name (https://192.168.1.121:8080/test)
    Oleg
