2.2.10 Faults
The enrollment server can decline enrollment messages using the SOAP Fault format. A fault is sent in the following form.

```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/rstrc/wstep</a:Action>
    <ActivityId CorrelationId="2493ee37-beeb-4cb9-833c-cadde9067645"
                xmlns="http://schemas.microsoft.com/2004/09/servicemodel/diagnostics">2493ee37-beeb-4cb9-833c-cadde9067645</ActivityId>
    <a:RelatesTo>urn:uuid:urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:RelatesTo>
  </s:Header>
  <s:Body>
    <s:Fault>
      <s:Code>
        <s:Value>s:Receiver</s:Value>
        <s:Subcode>
          <s:Value>s:Authorization</s:Value>
        </s:Subcode>
      </s:Code>
      <s:Reason>
        <s:Text xml:lang="en-us">This User is not authorized to enroll</s:Text>
      </s:Reason>
    </s:Fault>
  </s:Body>
</s:Envelope>
```

| Namespace | Subcode | Error | Description | HRESULT |
|---|---|---|---|---|
| s: | MessageFormat | MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR | Message format is bad. | 80180001 |
| s: | Authentication | MENROLL_E_DEVICE_AUTHENTICATION_ERROR | User not recognized. | 80180002 |
| s: | Authorization | MENROLL_E_DEVICE_AUTHORIZATION_ERROR | User not allowed to enroll. | 80180003 |
| s: | CertificateRequest | MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR | Failed to get certificate. | 80180004 |
| s: | EnrollmentServer | MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR | Generic failure from management server, such as a database access error. | 80180005 |
| a: | InternalServiceFault | MENROLL_E_DEVICE_INTERNALSERVICE_ERROR | The server hit an unexpected issue. | 80180006 |
| a: | InvalidSecurity | MENROLL_E_DEVICE_INVALIDSECURITY_ERROR | Cannot parse the security header. | 80180007 |

The following is an example of the DeviceEnrollmentServiceError detail element, which in this case specifies the MENROLL_E_DEVICE_AUTHORIZATION_ERROR caused by reaching a capacity limit on the number of devices.

```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/rstrc/wstep</a:Action>
    <ActivityId CorrelationId="2493ee37-beeb-4cb9-833c-cadde9067645"
                xmlns="http://schemas.microsoft.com/2004/09/servicemodel/diagnostics">2493ee37-beeb-4cb9-833c-cadde9067645</ActivityId>
    <a:RelatesTo>urn:uuid:urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:RelatesTo>
  </s:Header>
  <s:Body>
    <s:Fault>
      <s:Code>
        <s:Value>s:Receiver</s:Value>
        <s:Subcode>
          <s:Value>s:Authorization</s:Value>
        </s:Subcode>
      </s:Code>
      <s:Reason>
        <s:Text xml:lang="en-us">device cap reached</s:Text>
      </s:Reason>
      <s:Detail>
        <DeviceEnrollmentServiceError xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">
          <ErrorType>DeviceCapReached</ErrorType>
          <Message>device cap reached</Message>
          <TraceId>2493ee37-beeb-4cb9-833c-cadde9067645</TraceId>
        </DeviceEnrollmentServiceError>
      </s:Detail>
    </s:Fault>
  </s:Body>
</s:Envelope>
```

The detail element can specify any of the following error messages:

| Subcode | Error | Description | HRESULT |
|---|---|---|---|
| DeviceCapReached | MENROLL_E_DEVICECAPREACHED | User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help. | 80180013 |
| DeviceNotSupported | MENROLL_E_DEVICENOTSUPPORTED | Specific platform or version is not supported. There is no point retrying or calling admin. User could upgrade device. | 80180014 |
| NotSupported | MENROLL_E_NOTSUPPORTED | Mobile device management generally not supported (would save an admin call). | 80180015 |
| NotEligibleToRenew | MENROLL_E_NOTELIGIBLETORENEW | Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling. | 80180016 |
| InMaintenance | MENROLL_E_INMAINTENANCE | Account is in maintenance; retry later. The user can retry later, but they may need to contact the admin because they would not know when the problem was solved. | 80180017 |
| UserLicense | MENROLL_E_USERLICENSE | License of user is in bad state and blocking the enrollment. The user needs to call the admin. | 80180018 |
| InvalidEnrollmentData | MENROLL_E_ENROLLMENTDATAINVALID | The server rejected the enrollment data. The server may not be configured correctly. | 80180019 |
| CustomServerError | MENROLL_E_CUSTOMSERVERERROR | The server responded with a custom error string, see DeviceManagement-Enterprise-Diagnostics for details. In this case, s:reason/s:text would show as the server message.<19> | 80180032 |

TraceID is a freeform text node which is logged. It should identify the server-side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
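
The fault format above can be triaged mechanically. The following Python is an added example, not part of the specification: it parses a fault envelope, resolves the subcode QName, and returns the matching HRESULT and trace ID. It assumes the standard mixed-case SOAP 1.2 element names, that "s:" and "a:" in the first table mean the namespaces bound to those prefixes in the examples, and that a recognised detail ErrorType takes precedence over the subcode; `parse_fault` and `SAMPLE` are hypothetical names.

```python
import io
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
ENROLL = "http://schemas.microsoft.com/windows/pki/2009/01/enrollment"
# HRESULTs copied from the two tables in this section. Assumption: "s:" and
# "a:" in the Namespace column are the SOAP and WS-Addressing namespaces.
SUBCODES = {(SOAP, "MessageFormat"): "80180001", (SOAP, "Authentication"): "80180002",
            (SOAP, "Authorization"): "80180003", (SOAP, "CertificateRequest"): "80180004",
            (SOAP, "EnrollmentServer"): "80180005", (WSA, "InternalServiceFault"): "80180006",
            (WSA, "InvalidSecurity"): "80180007"}
DETAILS = {"DeviceCapReached": "80180013", "DeviceNotSupported": "80180014",
           "NotSupported": "80180015", "NotEligibleToRenew": "80180016",
           "InMaintenance": "80180017", "UserLicense": "80180018",
           "InvalidEnrollmentData": "80180019", "CustomServerError": "80180032"}
# Constructed sample, modelled on the device-cap example (header omitted).
SAMPLE = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault>
<s:Code><s:Value>s:Receiver</s:Value><s:Subcode><s:Value>s:Authorization</s:Value></s:Subcode></s:Code>
<s:Reason><s:Text xml:lang="en-us">device cap reached</s:Text></s:Reason>
<s:Detail><DeviceEnrollmentServiceError xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">
<ErrorType>DeviceCapReached</ErrorType><TraceId>2493ee37-beeb-4cb9-833c-cadde9067645</TraceId>
</DeviceEnrollmentServiceError></s:Detail></s:Fault></s:Body></s:Envelope>"""

def parse_fault(data: bytes) -> dict:
    if b"<!DOCTYPE" in data:  # SOAP 1.2 messages must not carry a DTD
        raise ValueError("DTD not allowed in a SOAP message")
    prefixes, root = {}, None
    for event, item in ET.iterparse(io.BytesIO(data), events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[item[0]] = item[1]  # prefix -> namespace URI (last binding wins)
        elif root is None:
            root = item  # first start event is the envelope; complete after the loop
    ns = {"s": SOAP, "e": ENROLL}
    fault = root.find("s:Body/s:Fault", ns)
    if fault is None:
        raise ValueError("not a SOAP fault")
    # The subcode is a QName carried as element text, so its prefix has to be
    # resolved against the namespace declarations collected above.
    qname = fault.findtext("s:Code/s:Subcode/s:Value", "", ns).strip()
    prefix, _, local = qname.rpartition(":")
    detail = "s:Detail/e:DeviceEnrollmentServiceError/"
    etype = fault.findtext(detail + "e:ErrorType", None, ns)
    # Assumption: a recognised detail ErrorType is more specific than the subcode.
    return {"subcode": local, "error_type": etype,
            "hresult": DETAILS.get(etype) or SUBCODES.get((prefixes.get(prefix), local)),
            "trace_id": fault.findtext(detail + "e:TraceId", None, ns)}

if __name__ == "__main__":
    print(parse_fault(SAMPLE))
```

An `hresult` of `None` means neither table lists the subcode or error type, so the raw fault and its trace ID should go to whoever operates the enrollment server.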