2.2.10 Faults

The enrollment server can decline enrollment messages by returning an error in the SOAP Fault format, as in the following example.

 <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
   <s:Header>
     <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/rstrc/wstep</a:Action>
     <ActivityId CorrelationId="2493ee37-beeb-4cb9-833c-cadde9067645" xmlns="http://schemas.microsoft.com/2004/09/servicemodel/diagnostics">2493ee37-beeb-4cb9-833c-cadde9067645</ActivityId>
     <a:RelatesTo>urn:uuid:urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:RelatesTo>
   </s:Header>
   <s:Body>
     <s:Fault>
       <s:Code>
         <s:Value>s:Receiver</s:Value>
         <s:Subcode>
           <s:Value>s:Authorization</s:Value>
         </s:Subcode>
       </s:Code>
       <s:Reason>
         <s:Text xml:lang="en-us">This User is not authorized to enroll</s:Text>
       </s:Reason>
     </s:Fault>
   </s:Body>
 </s:Envelope>

| Namespace | Subcode | Error | Description | HRESULT |
|---|---|---|---|---|
| s: | MessageFormat | MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR | Message format is bad. | 80180001 |
| s: | Authentication | MENROLL_E_DEVICE_AUTHENTICATION_ERROR | User not recognized. | 80180002 |
| s: | Authorization | MENROLL_E_DEVICE_AUTHORIZATION_ERROR | User not allowed to enroll. | 80180003 |
| s: | CertificateRequest | MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR | Failed to get certificate. | 80180004 |
| s: | EnrollmentServer | MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR | Generic failure from management server, such as a database access error. | 80180005 |
| a: | InternalServiceFault | MENROLL_E_DEVICE_INTERNALSERVICE_ERROR | The server hit an unexpected issue. | 80180006 |
| a: | InvalidSecurity | MENROLL_E_DEVICE_INVALIDSECURITY_ERROR | Cannot parse the security header. | 80180007 |

The following is an example of the DeviceEnrollmentServiceError detail element, which in this case specifies the MENROLL_E_DEVICE_AUTHORIZATION_ERROR caused by reaching a capacity limit on the number of devices.

 <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
   <s:Header>
     <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/rstrc/wstep</a:Action>
     <ActivityId CorrelationId="2493ee37-beeb-4cb9-833c-cadde9067645" xmlns="http://schemas.microsoft.com/2004/09/servicemodel/diagnostics">2493ee37-beeb-4cb9-833c-cadde9067645</ActivityId>
     <a:RelatesTo>urn:uuid:urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:RelatesTo>
   </s:Header>
   <s:Body>
     <s:Fault>
       <s:Code>
         <s:Value>s:Receiver</s:Value>
         <s:Subcode>
           <s:Value>s:Authorization</s:Value>
         </s:Subcode>
       </s:Code>
       <s:Reason>
         <s:Text xml:lang="en-us">device cap reached</s:Text>
       </s:Reason>
       <s:Detail>
         <DeviceEnrollmentServiceError xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">
           <ErrorType>DeviceCapReached</ErrorType>
           <Message>device cap reached</Message>
           <TraceId>2493ee37-beeb-4cb9-833c-cadde9067645</TraceId>
         </DeviceEnrollmentServiceError>
       </s:Detail>
     </s:Fault>
   </s:Body>
 </s:Envelope>

The detail element can specify any of the following error messages:

| Subcode | Error | Description | HRESULT |
|---|---|---|---|
| DeviceCapReached | MENROLL_E_DEVICECAPREACHED | User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help. | 80180013 |
| DeviceNotSupported | MENROLL_E_DEVICENOTSUPPORTED | Specific platform or version is not supported. There is no point retrying or calling admin. User could upgrade device. | 80180014 |
| NotSupported | MENROLL_E_NOTSUPPORTED | Mobile device management generally not supported (would save an admin call). | 80180015 |
| NotEligibleToRenew | MENROLL_E_NOTELIGIBLETORENEW | Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling. | 80180016 |
| InMaintenance | MENROLL_E_INMAINTENANCE | Account is in maintenance; retry later. The user can retry later, but they may need to contact the admin because they would not know when the problem was solved. | 80180017 |
| UserLicense | MENROLL_E_USERLICENSE | License of user is in bad state and blocking the enrollment. The user needs to call the admin. | 80180018 |
| InvalidEnrollmentData | MENROLL_E_ENROLLMENTDATAINVALID | The server rejected the enrollment data. The server may not be configured correctly. | 80180019 |
| CustomServerError | MENROLL_E_CUSTOMSERVERERROR | The server responded with a custom error string, see DeviceManagement-Enterprise-Diagnostics for details. In this case, s:Reason/s:Text would show as the server message.<19> | 80180032 |

TraceId is a freeform text node that is logged. It should identify the server-side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
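The following Python example is added here and is not part of the specification. It shows how a support or monitoring tool could parse an enrollment fault, refuse DTDs, and map the subcode or detail ErrorType to the error name and HRESULT from the two tables above. The function name `triage_fault`, the rule that the detail ErrorType takes precedence over the subcode, and the constructed sample (written with SOAP 1.2 element casing) are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP = "{http://www.w3.org/2003/05/soap-envelope}"
ENR = "{http://schemas.microsoft.com/windows/pki/2009/01/enrollment}"
# Subcode / ErrorType -> (error name, HRESULT), copied from the two tables above.
SUBCODES = {
    "MessageFormat": ("MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR", 0x80180001),
    "Authentication": ("MENROLL_E_DEVICE_AUTHENTICATION_ERROR", 0x80180002),
    "Authorization": ("MENROLL_E_DEVICE_AUTHORIZATION_ERROR", 0x80180003),
    "CertificateRequest": ("MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR", 0x80180004),
    "EnrollmentServer": ("MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR", 0x80180005),
    "InternalServiceFault": ("MENROLL_E_DEVICE_INTERNALSERVICE_ERROR", 0x80180006),
    "InvalidSecurity": ("MENROLL_E_DEVICE_INVALIDSECURITY_ERROR", 0x80180007),
}
DETAILS = {
    "DeviceCapReached": ("MENROLL_E_DEVICECAPREACHED", 0x80180013),
    "DeviceNotSupported": ("MENROLL_E_DEVICENOTSUPPORTED", 0x80180014),
    "NotSupported": ("MENROLL_E_NOTSUPPORTED", 0x80180015),
    "NotEligibleToRenew": ("MENROLL_E_NOTELIGIBLETORENEW", 0x80180016),
    "InMaintenance": ("MENROLL_E_INMAINTENANCE", 0x80180017),
    "UserLicense": ("MENROLL_E_USERLICENSE", 0x80180018),
    "InvalidEnrollmentData": ("MENROLL_E_ENROLLMENTDATAINVALID", 0x80180019),
    "CustomServerError": ("MENROLL_E_CUSTOMSERVERERROR", 0x80180032),
}
# Constructed sample, modelled on the device-cap fault shown above (header omitted).
SAMPLE = b"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault>
<s:Code><s:Value>s:Receiver</s:Value><s:Subcode><s:Value>s:Authorization</s:Value></s:Subcode></s:Code>
<s:Reason><s:Text xml:lang="en-us">device cap reached</s:Text></s:Reason>
<s:Detail><DeviceEnrollmentServiceError xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">
<ErrorType>DeviceCapReached</ErrorType><Message>device cap reached</Message>
<TraceId>2493ee37-beeb-4cb9-833c-cadde9067645</TraceId></DeviceEnrollmentServiceError></s:Detail>
</s:Fault></s:Body></s:Envelope>"""

def triage_fault(raw: bytes) -> dict:
    if b"<!DOCTYPE" in raw:  # SOAP messages carry no DTD; refusing one blocks entity expansion
        raise ValueError("DOCTYPE not allowed in a SOAP message")
    fault = ET.fromstring(raw).find(f"{SOAP}Body/{SOAP}Fault")
    if fault is None:
        raise ValueError("not a SOAP fault")
    text = lambda path: (fault.findtext(path) or "").strip()
    subcode = text(f"{SOAP}Code/{SOAP}Subcode/{SOAP}Value").rpartition(":")[2]  # drop QName prefix
    err = f"{SOAP}Detail/{ENR}DeviceEnrollmentServiceError/{ENR}"
    etype = text(err + "ErrorType")
    # Assumption: the detail ErrorType is more specific than the subcode, so it wins.
    name, hresult = DETAILS.get(etype) or SUBCODES.get(subcode) or ("UNKNOWN", 0)
    return {"subcode": subcode, "error_type": etype, "error": name,
            "hresult": f"{hresult:08X}", "reason": text(f"{SOAP}Reason/{SOAP}Text"),
            "trace_id": text(err + "TraceId")}
```

The returned `trace_id` is the value to hand to server-side support when correlating a declined enrollment with server logs.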