Mobile Device Manager 2008 SP1 Release Notes

2/9/2009

Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1 is a Microsoft technology that helps managed Windows Mobile devices work within the IT infrastructure of an organization as trusted and managed members of the enterprise.

This document describes issues in MDM 2008 SP1 that are not included in other MDM 2008 SP1 documents.

Contents

Updates to MDM Release Notes

System Center Mobile Device Manager Beta Software

MDM Installation Issues

Configuration Issues

MDM Console Issues

MDM Software Distribution Issues

MDM Self Service Portal Issues

Managed Windows Mobile Device Issues

Updates to MDM Release Notes

The following changes and additions have been made to the MDM Release Notes.

Release note update                                                                           Change date
--------------------------------------------------------------------------------------------  -----------------
Added release note item, Developer Files Not Needed on Production Server.                     December 15, 2008
Added release note item, Reversed Text in English Version of Administrator Tools Help.        December 15, 2008
Added release note item, Long SSP Folder Path Ends Setup with English Error Message.          December 15, 2008
Added release note item, MDM Service Descriptions Display in English.                         December 15, 2008
Added release note item, Installed Package May Not Appear in Remove Programs List on Device.  December 15, 2008
Added release note item, Error May Occur When Adding New MDM Gateway Server.                  November 21, 2008
Removed release note item, MDM Gateway Server Setup Logs Warnings.                            November 21, 2008

System Center Mobile Device Manager Beta Software

If you have the Beta software for Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1, you should know that it expires on May 15, 2009. To continue to use MDM 2008 SP1, you have to update your company IT infrastructure with the official release version of MDM before this date.

If you have the official release version of MDM, this message does not apply to you.

MDM Installation Issues

Upgrading to MDM 2008 SP1 May Require Specific Configurations

If you are upgrading from MDM 2008 to MDM 2008 SP1, there are Active Directory, certification authority, and Group Policy configurations that must be performed. The topic Running ADConfig to Upgrade Active Directory in the Upgrading an MDM Installation to MDM 2008 SP1 guide specifies the permissions and roles required for these configurations.

If you upgrade from earlier versions of MDM 2008 SP1 to a more recent version of MDM 2008 SP1, there are not any Active Directory or certification authority configuration steps required. However, your Group Policy infrastructure must be updated. For more information, see Updating Group Policy Objects from Earlier Versions of MDM 2008 SP1 in the Upgrading an MDM Installation to MDM 2008 SP1 guide.

Upgrading MDM 2008 to MDM 2008 SP1 Requires Membership in the MDM 2008 Server Administrators Group

To upgrade from MDM 2008 to MDM 2008 SP1, the administrator who runs the upgrade installers (the Setup MSIs for MDM Enrollment Server, MDM Device Management Server, MDM Gateway Server, MDM Self Service Portal, and MDM Administrator Tools) must be a member of both the SCMDM2008ServerAdministrators group and the SCMDMServerAdmins (SCMDM2008) group. If the user is not a member of the MDM 2008 Server Administrators group, Setup fails. After you change group membership, log off and log on again so that your access token includes the new group.

Restrictions on Naming an MDM Instance

You cannot name an MDM instance SCMDM2008, MDM2008, or MDM. These names are not supported.

MDM 2008 SP1 Tools Cannot Manage Previous MDM Versions

You cannot use the versions of MDM Console, MDM Software Distribution Console, MDM Group Policy extensions, or MDM Shell in MDM 2008 SP1 to manage MDM 2008, and you cannot use the MDM 2008 version of these tools to manage MDM 2008 SP1. You must use MDM 2008 SP1 tools to manage MDM 2008 SP1 servers and services, and MDM 2008 tools to manage MDM 2008. In addition, you cannot install MDM 2008 SP1 MDM Console and MDM Shell on the same server or computer on which the MDM 2008 MDM Console and MDM Shell are installed.

Creating an MDM Shell Shortcut with a Long Instance Name

You can edit the Windows shortcut for MDM Shell to specify an MDM instance that you want MDM Shell to manage. However, if the name of the MDM instance is very long, the Target value may exceed the 255-character limit for a Windows shortcut. The name of an MDM instance may be up to 30 characters in length; the length of the Target value is dependent on the specific installation of MDM Shell.

For example, if the Target value in the MDM Shell shortcut is the following, then adding an MDM instance name longer than 15 characters increases the value beyond the 255-character limit.

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -PSConsoleFile "C:\Program Files\Microsoft System Center Mobile Device Manager\AdminTools\Mobile Device Manager Power Shell.psc1" -noexit -command ". '%SCMDMDIR%\AdminTools\MDM.ps1' VeryLongMDMInstanceName"

To specify a longer MDM instance name, you can use the environment variable %SCMDMDIR% in place of the full path to the MDM console file. This shortens the overall length of the text and allows you to add a longer MDM instance name. Using this method, you can change the Target value in the example above to the following.

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -PSConsoleFile "%SCMDMDIR%\AdminTools\Mobile Device Manager Power Shell.psc1" -noexit -command ". '%SCMDMDIR%\AdminTools\MDM.ps1' VeryLongMDMInstanceName"

Warning or Error Messages from Perflib

When you install MDM, you may receive warning or error messages in the Application log from the performance library, Perflib, that have Event IDs such as 1017, 1021, and 2003. You can safely ignore these informational messages.

Do Not Run Multiple Installations at the Same Time

If you install more than one of MDM Device Management Server, MDM Enrollment Server, MDM Gateway Server, or MDM Administrator Tools on the same computer, or if you install more than one copy of any of these on a single computer, wait at least five minutes after you start the first installation before you start the next installation. If two installations start at the same time, the installation will be unstable.

Uninstalling or Upgrading MDM Gateway Server May Fail

If you attempt to uninstall MDM Gateway Server, or if you attempt to upgrade to the released version of MDM Gateway Server, and the uninstall or upgrade fails, then everything is rolled back properly except that the IPSECVPN driver is not restored. The computer is now in an unstable state.

If the uninstall fails, use MDM Cleanup Tool to completely remove MDM Gateway Server and install it again. As an alternative you can attempt to repair the installation (run Setup and select the Repair option), and then uninstall it again. To download MDM Cleanup Tool, see MDM 2008 SP1 Server Tools at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkId=127030.

If the upgrade fails, try to repair the installation (run Setup and select the Repair option), and then try to upgrade again.

Use Only Alphanumeric Characters for Server Names

MDM supports only the characters A-Z, a-z, 0-9, dash (-), and underscore (_) for the following names:

  • All FQDNs, including host and domain names
  • Certification authority names (certification authority names may also contain spaces)
  • Microsoft SQL Server instances
  • Microsoft Windows Server Update Services (WSUS) server instances

Important

MDM Setup lets you enter other characters for these names. However, this may cause errors in the overall MDM system.

Cannot Specify Localhost for SQL Server Location

When you install MDM Device Management Server or MDM Enrollment Server, you cannot specify "localhost" or "localhost\<sqlinstance>" for the location of SQL Server. You must use the machine name or the fully qualified domain name (FQDN) instead of "localhost".

For example, specify "mdm.contoso.com\sqlinstance" instead of "localhost\sqlinstance".

Database Installations on Windows 2000 Server May Fail

If you install MDM databases on a computer that is running Microsoft Windows 2000 Server, the installation may fail if the name of the computer that is running Microsoft SQL Server and the name of the computer that is running MDM Device Management Server or MDM Enrollment Server begin with the same characters. To correct this problem, rename the computer that is running SQL Server, or use a later version of Windows, such as Windows Server 2003 with Service Pack 2 (SP2).

For example, if you install MDM databases on a computer that is running SQL Server named mdmsql.contoso.com, and MDM Device Management Server or MDM Enrollment Server are named mdm.contoso.com, the database installation may fail. We recommend that you install SQL Server on Windows Server 2003 with SP2.

Special Installation Option if SQL Server Is in a Different Language

If you install MDM Enrollment Server in a language that differs from that of the Microsoft SQL Server installation, and you connect to the computer that is running SQL Server remotely, you must install MDM Enrollment Server at a command prompt. During the installation, you must specify the name of the Anonymous account on the computer that is running SQL Server by using the ENWEB_SVC_ACC property. The following example shows you how to run Setup if you install the English version of MDM Enrollment Server but use a remote connection to a computer that is running the German version of SQL Server:

msiexec /i Enrollment.msi ENWEB_SVC_ACC="NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"

If you install MDM Device Management Server or MDM Enrollment Server against a computer that is running SQL Server in a different language, and that SQL Server already has logins for the Anonymous, Network Service, or Local Service accounts, the installation fails. Before you install MDM Device Management Server or MDM Enrollment Server, delete those logins from the computer that is running SQL Server, or use a different SQL Server instance.

Server Setup May Fail to Request Certificates

When you install MDM Enrollment Server, MDM Device Management Server, or MDM Self Service Portal, the Setup program may fail to request certificates for SCMDM2008EnrollmentServers, SCMDM2008SelfServiceServers, and SCMDM2008DeviceManagement, possibly because of incorrect COM launch and activation permission. You may receive the error message "Failed to configure SSL certificates for web services" during installation.

To correct this, perform the following procedure on the certification authority.

  1. Click Start, point to Administrative Tools, and then click Component Services.
  2. Expand the Component Services\Computers container.
  3. Right-click My Computer, and then click Properties.
  4. On the COM Security tab, click Edit Limits in the Access Permissions area or in the Launch and Activation Permissions area.
  5. Click Add, type SCMDM2008EnrollmentServers, SCMDM2008DeviceManagement, SCMDM2008SelfServiceServers, and then click OK. For Access Permissions, select Allow for Remote Access; for Launch and Activation Permissions, select Allow for Remote Launch and Remote Activation.
  6. Click OK two times to accept the changes.

These are the machine-wide DCOM limits of the certification authority, and they set the ceiling for remote COM access to every COM server on that computer. Widen them only for the three MDM server computer groups; do not add Everyone or ANONYMOUS LOGON.

If this does not correct the problem, then you must install the certificates manually. To install the certificates manually, follow the procedures described in, "Creating Manual Certificates" at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=117718

Specifically, follow the procedures in these sections:

  • Create the IIS Certificate for an MDM Web Site
  • Create and Install Certificates from the SCMDMGCM Template
  • Provide Network Service Permissions to the Certificate
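The following script is an added example, not code from the release notes or from MDM, for checking the result of the DCOM procedure above on the certification authority. It reads the machine-wide limits that the Component Services dialog edits (the MachineLaunchRestriction and MachineAccessRestriction values under HKLM\SOFTWARE\Microsoft\Ole, each a self-relative security descriptor), reports which principals hold remote launch, remote activation, and remote access, and warns if Everyone or ANONYMOUS LOGON holds remote rights. The three group names are the ones the procedure uses; the COM right bit values are the documented COM_RIGHTS_* constants.

```powershell
function Get-DcomMachineLimit {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('MachineLaunchRestriction', 'MachineAccessRestriction')]
        [string]$Name
    )
    $item = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return @() }        # value absent: DCOM built-in defaults apply, nothing explicit to audit
    $bytes = [byte[]]$item.$Name
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
    if ($sd.DiscretionaryAcl -eq $null) { return @() }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (-not ($ace -is [System.Security.AccessControl.CommonAce])) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $principal = $sid.Value }       # unresolvable SID (deleted group, untrusted domain)
        $mask = $ace.AccessMask
        New-Object PSObject -Property @{
            Limit            = $Name
            Principal        = $principal
            Sid              = $sid.Value
            Allowed          = ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed)
            Local            = [bool]($mask -band 0x2)    # COM_RIGHTS_EXECUTE_LOCAL:  local launch / local access
            Remote           = [bool]($mask -band 0x4)    # COM_RIGHTS_EXECUTE_REMOTE: remote launch / remote access
            LocalActivation  = [bool]($mask -band 0x8)    # COM_RIGHTS_ACTIVATE_LOCAL  (launch limit only)
            RemoteActivation = [bool]($mask -band 0x10)   # COM_RIGHTS_ACTIVATE_REMOTE (launch limit only)
        }
    }
}

function Test-MdmCaDcomLimits {
    param(
        [string[]]$RequiredGroup = @('SCMDM2008EnrollmentServers', 'SCMDM2008DeviceManagement', 'SCMDM2008SelfServiceServers')
    )
    $launch = @(Get-DcomMachineLimit -Name MachineLaunchRestriction)
    $access = @(Get-DcomMachineLimit -Name MachineAccessRestriction)
    $report = @()
    foreach ($group in $RequiredGroup) {
        $l = $launch | Where-Object { $_.Allowed -and $_.Principal -like "*\$group" }
        $a = $access | Where-Object { $_.Allowed -and $_.Principal -like "*\$group" }
        $report += New-Object PSObject -Property @{
            Group            = $group
            RemoteLaunch     = [bool]($l | Where-Object { $_.Remote })
            RemoteActivation = [bool]($l | Where-Object { $_.RemoteActivation })
            RemoteAccess     = [bool]($a | Where-Object { $_.Remote })
        }
    }
    # Everyone (S-1-1-0) and ANONYMOUS LOGON (S-1-5-7) with remote rights raise the ceiling for every COM server on the CA.
    $broad = @('S-1-1-0', 'S-1-5-7')
    foreach ($entry in (($launch + $access) | Where-Object { $_.Allowed -and ($_.Remote -or $_.RemoteActivation) -and ($broad -contains $_.Sid) })) {
        Write-Warning ('{0} holds remote rights in {1}; confirm this is intended' -f $entry.Principal, $entry.Limit)
    }
    return $report
}

# Run on the certification authority after the procedure above:
# Test-MdmCaDcomLimits | Format-Table Group, RemoteLaunch, RemoteActivation, RemoteAccess -AutoSize
```

Every row of the report should show True in all three columns after the procedure. If a group shows False, the Setup certificate request from that server role will still fail, and re-running the procedure for that group is the next step before falling back to manual certificates.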

Cannot Uninstall MDM if IIS Is Uninstalled

You cannot uninstall MDM Device Management Server, MDM Enrollment Server, MDM Self Service Portal, or MDM Gateway Server if you have uninstalled IIS. IIS must be installed and must have the correct metabase for you to be able to uninstall MDM Device Management Server, MDM Enrollment Server, MDM Self Service Portal, or MDM Gateway Server.

Location of Setup Log Files

By default, when you run MDM Setup from the Setup menu, log files are created in the system temp directory, %temp%. Depending on the MDM system component that you install, Setup creates the following files:

  • MDMSetup[yyyy_mm_dd].log
  • Enrollment.log
  • DeviceManagement.log
  • Gateway.log
  • AdminTools.log
  • MDMInstance[yyyy_mm_dd].log

The value [yyyy_mm_dd] corresponds to the date that Setup was run. For example, MDMSetup[2008_10_23].log.

If you use command-line commands to install MDM software, specify the log file command-line option, /l*xv, to create log files. For example:

msiexec /i Enrollment.msi /l*xv Enrollment1.log

This example puts the log file in the current folder. You can also specify a path for the log file in the command line.
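The following script is an added example, not code from the release notes or from MDM, that applies the two installation rules above together: it runs the MDM Setup MSIs one at a time with verbose Windows Installer logging, and it refuses to start a package while another Windows Installer transaction is in progress (Windows Installer holds the Global\_MSIExecute mutex for the duration of a transaction), so two MDM installations never overlap on one computer. The MSI paths and the log folder in the last lines are placeholders, and the list of packages is an assumption for the example.

```powershell
function Test-MsiInstallInProgress {
    # Windows Installer owns this named mutex while an install, repair or uninstall transaction runs.
    try {
        $mutex = [System.Threading.Mutex]::OpenExisting('Global\_MSIExecute')
        $mutex.Close()
        return $true
    }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { return $false }   # mutex absent: installer idle
    catch [System.UnauthorizedAccessException]                  { return $true }    # exists, owned by another account
}

function Install-MdmPackage {
    param(
        [Parameter(Mandatory=$true)][string]$MsiPath,
        [Parameter(Mandatory=$true)][string]$LogDirectory,
        [string[]]$MsiArguments = @()    # extra msiexec switches or public properties, e.g. ENWEB_SVC_ACC="..."
    )
    if (-not (Test-Path -Path $MsiPath)) { throw "MSI not found: $MsiPath" }
    if (-not (Test-Path -Path $LogDirectory)) { New-Item -ItemType Directory -Path $LogDirectory | Out-Null }

    # Never start while another Windows Installer transaction is in progress on this computer.
    while (Test-MsiInstallInProgress) { Start-Sleep -Seconds 15 }

    $stamp = Get-Date -Format 'yyyy_MM_dd_HHmmss'
    $log   = Join-Path -Path $LogDirectory -ChildPath ('{0}_{1}.log' -f [IO.Path]::GetFileNameWithoutExtension($MsiPath), $stamp)
    $msiexecArgs = @('/i', ('"{0}"' -f $MsiPath), '/l*xv', ('"{0}"' -f $log)) + $MsiArguments

    # -Wait blocks until msiexec exits; -PassThru returns the process so the exit code can be checked.
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiexecArgs -Wait -PassThru
    # 0 = success; 3010 = success, restart required. Anything else: read the verbose log.
    if (-not (@(0, 3010) -contains $proc.ExitCode)) {
        throw ('{0} failed with exit code {1}; see {2}' -f $MsiPath, $proc.ExitCode, $log)
    }
    return $log
}

# Placeholder paths (assumptions for this example). Each call returns when its installer has exited.
$logDir = 'C:\MDMSetupLogs'
foreach ($msi in @('D:\MDM\DeviceManagement.msi', 'D:\MDM\AdminTools.msi')) {
    Install-MdmPackage -MsiPath $msi -LogDirectory $logDir
}
```

The mutex check covers transactions started outside this script too (for example, an administrator who double-clicked a second MSI), which is the case the five-minute rule above is guarding against.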

Configuration Issues

Maximum Server Memory Configuration

The SQL Server default value for maximum server memory is 2,147,483,647 megabytes (MB), roughly 2 petabytes, which in practice lets SQL Server take nearly all of the physical memory on the computer. With that default, and MDM Device Management Server or MDM Enrollment Server installed on the same computer, SQL Server can consume memory that the MDM services need and become unusable. You may have to lower this value to provide the best performance for the database.

To set a fixed amount of memory, follow these steps:

  1. In SQL Server Management Studio, in Object Explorer, right-click the SQL Server name, and then select Properties.
  2. In the Select a page area, select Memory.
  3. In the Server memory options area, select Dynamic memory configuration.
  4. Enter values for Minimum server memory and Maximum server memory.

With the Dynamic memory configuration option selected, SQL Server changes its memory requirements dynamically based on available system resources. The default setting for Minimum server memory is 0, and the default setting for Maximum server memory is 2,147,483,647 megabytes (MB). The minimum amount of memory that you can specify for Maximum server memory is 16 MB.

For more information, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=110809.
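The following script is an added example, not code from the release notes or from MDM, that sets the same option from the command line instead of from SQL Server Management Studio. It reads the physical memory of the SQL Server computer through WMI, subtracts a reserve for Windows and for the MDM services that share the computer, and applies the result with sp_configure through sqlcmd.exe. The instance name in the usage lines and the 2 GB default reserve are assumptions; size the reserve for your own server.

```powershell
function Set-MdmSqlMaxServerMemory {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$SqlInstance,   # 'host\instance' or 'host'; not localhost (see the installation note above)
        [int]$ReserveMB = 2048                               # memory left for Windows and the MDM services
    )
    $sqlHost = $SqlInstance.Split('\')[0]
    $cs      = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $sqlHost
    $totalMB = [int]([uint64]$cs.TotalPhysicalMemory / 1MB)
    $maxMB   = [Math]::Max(16, $totalMB - $ReserveMB)        # 16 MB is the smallest value SQL Server accepts
    if ($maxMB -eq 16) { Write-Warning "A reserve of $ReserveMB MB leaves SQL Server only the 16 MB minimum on $sqlHost" }

    # 'max server memory (MB)' is an advanced option, so 'show advanced options' must be on first.
    $query = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; " +
             "EXEC sp_configure 'max server memory (MB)', $maxMB; RECONFIGURE; " +
             "EXEC sp_configure 'max server memory (MB)';"
    if ($PSCmdlet.ShouldProcess($SqlInstance, "set max server memory (MB) to $maxMB")) {
        & sqlcmd.exe -S $SqlInstance -E -b -Q $query          # -E: Windows authentication; -b: non-zero exit code on T-SQL error
        if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
    }
    return $maxMB
}

# Preview the computed value first, then apply it (instance name is a placeholder):
# Set-MdmSqlMaxServerMemory -SqlInstance 'mdmsql.contoso.com\MDMSQL' -WhatIf
# Set-MdmSqlMaxServerMemory -SqlInstance 'mdmsql.contoso.com\MDMSQL' -ReserveMB 3072
```

The final sp_configure call in the batch echoes the configured and running values so the change can be confirmed in the sqlcmd output without opening Management Studio.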

OMA Session Time-Out Must Be Less Than Firewall TCP Idle Time-Out

The Open Mobile Alliance (OMA) session time-out that you set for MDM Device Management Server should be at least 30 seconds less than the TCP protocol idle time-out value in the network firewall. For example, if the firewall idle time-out is set to eight minutes, you should set the OMA session time-out to seven minutes and 30 seconds, or less. You set the OMA session time-out by using the Set-DeviceManagementConfig cmdlet in MDM Shell. The following example shows you how to set the OMA session time-out by using the Set-DeviceManagementConfig cmdlet.

Set-DeviceManagementConfig -OMASessionTimeout "0:07:30"
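The following function is an added example, not code from the release notes or from MDM, that derives the OMA session time-out from the firewall's TCP idle time-out with the 30-second margin described above, refuses values that leave no room for the margin, formats the result in the h:mm:ss form the cmdlet example uses, and supports -WhatIf so the value can be reviewed before MDM Device Management Server is changed. The eight-minute firewall value in the usage lines is the one from the paragraph above and is an assumption.

```powershell
function Set-MdmOmaSessionTimeout {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][TimeSpan]$FirewallIdleTimeout,   # TCP idle time-out configured on the network firewall
        [TimeSpan]$Margin = [TimeSpan]::FromSeconds(30)               # OMA time-out must be at least this much shorter
    )
    if ($FirewallIdleTimeout -le $Margin) {
        throw ('Firewall idle time-out {0} leaves no room for a {1} margin' -f $FirewallIdleTimeout, $Margin)
    }
    $oma = $FirewallIdleTimeout - $Margin
    # MDM Shell takes the value as h:mm:ss, as in the example "0:07:30" above.
    $text = '{0}:{1:00}:{2:00}' -f [int][Math]::Floor($oma.TotalHours), $oma.Minutes, $oma.Seconds
    if ($PSCmdlet.ShouldProcess('MDM Device Management Server', "set OMA session time-out to $text")) {
        Set-DeviceManagementConfig -OMASessionTimeout $text
    }
    return $text
}

# Firewall idle time-out of eight minutes: preview, then apply.
# Set-MdmOmaSessionTimeout -FirewallIdleTimeout '0:08:00' -WhatIf
# Set-MdmOmaSessionTimeout -FirewallIdleTimeout '0:08:00'
```

Passing the firewall value as a string works because PowerShell converts "0:08:00" to a TimeSpan for the typed parameter; if the firewall team later raises or lowers the idle time-out, re-running the function keeps the two values consistent.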

Configuration Error if Client Address Pool Is Added to ISA Routing Table

If Microsoft Internet Security and Acceleration (ISA) Server is used as the back-end firewall, and the ISA server’s routing table has been modified to add a route to the client address pool through MDM Gateway Server, the ISA server configuration must be updated to add the client IP address range to the network object that represents the current placement of MDM Gateway Server.

Without this change, a configuration error alert is displayed in the management console and the traffic destined for VPN clients is dropped as spoofed. The application log also contains these events:

Event Type:     Warning
Event Source:   Microsoft Firewall
Event Category: None
Event ID:       14147
Date:           <date>
Time:           <time>
User:           N/A
Computer:       <computer running ISA server>
Description:
ISA Server detected routes through adapter "<adapter>" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: <IP address>-<IP address>;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network check if the event recurs. If it does not you may safely ignore this message. 

Event Type:     Warning
Event Source:   Microsoft Firewall
Event Category: None
Event ID:       21265
Date:           <date>
Time:           <time>
User:           N/A
Computer:       <computer running ISA server>
Description:
The routing table for network adapter <adapter> includes IP address ranges that are not defined in the array network <array> to which it is bound. As a result when packets go in/out via this network adapter and they are from/sent to the IP address ranges listed below they will be considered spoofed and will be dropped. To resolve this issue add the missing IP address ranges to the array network.  The following IP address ranges will be dropped as spoofed: <range>.

To modify the ISA server configuration, use the following procedure.

  1. Open the ISA management console, select Configuration in the left pane, and then select Networks.
  2. Click the Networks tab in the right window and choose the network that represents the current placement of MDM Gateway Server.
  3. Right-click the network object and select Properties.
  4. Select the Addresses tab, then click Add Range and specify the IP range for the VPN client pool subnet.
  5. Click Apply, then click OK to exit the Properties window.
  6. In the Networks window, click Apply to apply the change.

The address range should be now listed within the ranges for the network object you modified. The configuration error should be resolved by this change.

MDM Service Descriptions Display in English

In the Services snap-in of Microsoft Management Console (MMC), the names and descriptions of SCMDM Password Recovery Service and SCMDM Software Distribution Service are displayed in English even in a non-English installation of MDM.

MDM Console Issues

MDM Console May Terminate When Sorting by Added Columns

In the Select User - Entire Forest dialog box of the Pre-Enrollment Wizard, MDM Console may terminate unexpectedly if you sort the list of Active Directory users by columns that you add.

MDM Console terminates if you perform the following steps:

  1. You started the Pre-Enrollment Wizard in MDM Console.
  2. You clicked Next, entered a device name, and then clicked Next again.
  3. On the Select User page, you clicked Browse.
  4. In the Select User - Entire Forest dialog box, on the View menu, you chose Add/Remove Columns.
  5. You added one or more columns by clicking Add or Add All, and then clicked OK.
  6. In the Select User - Entire Forest dialog box you selected any one of the columns you added in step 5 to sort by that column.
  7. You clicked OK or Cancel.
  8. On the Select User page, you clicked Browse.

To reopen MDM Console, you must exit the MMC and restart MDM Console.

User OU Does Not Display in Pre-Enrollment Wizard

In the Pre-Enrollment Wizard, the Select Organizational Unit dialog box does not display Users organizational units (OUs). This occurs when you follow these steps:

  1. On the wizard Select User page, select Active Directory User, and then choose Browse.
  2. In the Select User dialog box, on the Scope menu, choose the Modify User Picker Scope command.
  3. In the User Picker Scope dialog box, select View all users in specified organizational unit, and then choose Browse.

The Select Organizational Unit dialog box displays all OUs except Users. You can view Users OUs in the Select User dialog box if you have set that dialog box to View all users in forest.

Pre-Enrollment Wizard User Picker Scope Dialog Box Does Not Display Selected OU

In the Pre-Enrollment Wizard, the User Picker Scope dialog box does not always display the OU that you select. This occurs when you follow these steps:

  1. On the Select User page of the wizard, select Active Directory User, and then choose Browse.
  2. In the Select User dialog box, on the Scope menu, choose the Modify User Picker Scope command.
  3. In the User Picker Scope dialog box, select View all users in specified organizational unit, and then choose Browse.
  4. In the Select Organizational Unit dialog box, select an OU, and then choose OK.
  5. In the User Picker Scope dialog box, notice that the OU you selected is displayed in Organizational Unit. Choose OK.
  6. In the Select User dialog box, on the Scope menu, select the Modify User Picker Scope command.

In the User Picker Scope dialog box, notice that Organizational Unit is blank. The OU that you selected remains selected. However, it does not display.

MDM Console May Become Unresponsive

It is possible for the Pre-Enrollment Wizard or Add Gateway Wizard in MDM Console to become unresponsive when you click Cancel or Finish.

To force MDM Console to end, open Task Manager. On the Applications tab, select System Center Mobile Device Manager, and then choose End Task.

For more information about related issues with MMC, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=110811.

Device Name Cannot Be Reused Immediately After Expiration

When an enrollment record expires, it may take 15 minutes or more before the device name can be used again due to delays in processing the expired record and replication in Active Directory.

Set-MDMCurrentInstance Does Not Support WhatIf, Confirm

The get-help text for the Set-MDMCurrentInstance cmdlet (get-help set-mdmcurrentinstance) indicates that the cmdlet supports the standard parameters WhatIf and Confirm. However, the cmdlet does not support these parameters. If you specify either of these parameters, the actions are not taken and no error is displayed.

Error May Occur When Adding New MDM Gateway Server

If, when adding a new MDM Gateway Server, you specify an alternate WINS server but you do not specify an alternate DNS server, the error "Object reference not set to an instance of an object" is displayed and the MDM Gateway Server is not added. This occurs if you use the Add MDM Gateway Wizard, and you enter a value on the DNS/WINS page for Alternate WINS Server but do not enter a value for Alternate DNS Server. This also occurs if you use the Add-MDMGatewayServer cmdlet and specify the -BackupWINS parameter without specifying the -BackupDNS parameter.

If you want to specify an alternate WINS server for a new MDM Gateway Server but do not want to specify an alternate DNS server, then follow these steps:

  1. Use the Add MDM Gateway Wizard or Add-MDMGatewayServer cmdlet to add the new MDM Gateway Server, but do not specify the alternate WINS server.
  2. After the new MDM Gateway Server is added successfully, in MDM Console, select Gateway Management in the left pane.
  3. Right-click the server you added in step 1 and select Properties.
  4. In the DNS/WINS tab, enter the Alternate WINS Server value, and then click OK.

Note

You can also specify the alternate WINS server using the -BackupWINS parameter of the Set-MDMGatewayServer cmdlet.

Reversed Text in English Version of Administrator Tools Help

In the English version of Administrator Tools Help, in the topic Allowing an Unsigned Application to Run As Privileged, the descriptions of the fields in the Add Item dialog box are reversed. Step 7 of the procedure should read as follows:

"In the Add Item dialog box, in the Enter the name of the item to be added box, type the complete file name of the application, and then in the Enter the value of the item to be added box, type the application hash value."

The wording is correct in the non-English versions of the help file.

MDM Software Distribution Issues

MDM Requires WSUS 3.0 with SP1

MDM software distribution requires that you install WSUS 3.0 with Service Pack 1 (SP1) on the computer that is running MDM Device Management Server. To obtain a copy of WSUS 3.0 SP1, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=105090.

Event Message from Software Distribution

If a managed Windows Mobile device responds to MDM software distribution with incomplete information, a message that resembles the following appears in the event log:

Event Type:     Warning
Event Source:   Device Manager
Event Category: None
Event ID:       8041
Date:           <date>
Time:           <time>
User:           N/A
Computer:       <computer running MDM Software Distribution Console>
Description:
Software Distribution service received insufficient query results from device <deviceId>.
Missing LocUri ./Vendor/MSFT/SwMgmt/Download?list=StructData.

This warning does not always indicate a problem on the managed device. It may indicate a problem in MDM software distribution, or there may be no problem.

To verify that MDM software distribution is working correctly with the managed device, check the state of the device in MDM Software Distribution Console by using the reporting tools, or check the managed device itself.

MDM Software Distribution Console May Become Unresponsive

It is possible for the Create Package Wizard or Modify Package Wizard in MDM Software Distribution Console to become unresponsive when you click Cancel or Finish.

To force MDM Software Distribution Console to end, open Task Manager. On the Applications tab, select System Center Mobile Device Manager Software Distribution, and then choose End Task.

For more information about related issues with MMC, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=110811.

Incorrect "\" in Registry Path Causes Installation to Fail

When specifying a registry dependency for a package in the Add Registry Dependency dialog box, if you enter a "\" character rather than a "/" character in the path for the registry key, no error is displayed but the registry check will fail and the package will not be installed on the device.

Device May Be Reoffered an Installed Update

If a managed Windows Mobile device is offered a software update and the device installs the update, under certain conditions the status for the installation may not be received by the server. In this case the software update is reoffered to the device and the device reinstalls it. The result is that the user may see the update installed multiple times and multiple entries for the update may appear in the Managed Programs history on the device.

This situation occurs if the device goes offline within ten minutes after installing the software and then stays offline for longer than the software update reoffer period. In this case MDM software distribution offers the update to the device again the next time that the device connects. The default setting for the reoffer period (ReofferPeriodInDays value) is seven days.

Installed Package May Not Appear in Remove Programs List on Device

When you install an application on managed Windows Mobile devices by using MDM software distribution, the application may not appear in the Remove Programs list on some devices, even if you select Yes on the Permit Uninstall page of the Create Package Wizard when you create the package. This issue is device-dependent. If this occurs on a specific device, and you want the user to be able to remove the application from the device, then uninstall the application by approving the package for removal in MDM Software Distribution Console, and then manually install the application on the device. This will cause the application to appear in the Remove Programs list on the device.

Avoid Large Detailed Reports

We recommend that you limit the size of device or package reports to 200 pages or fewer. If you generate detailed reports for many devices or packages, the result can be very memory-intensive and time-consuming. Detailed reports are most effective for smaller subsets of your devices or packages. You can use different filters to reduce the size of the report, or you can choose the tabular format instead of the detailed format to reduce the number of pages.

If you do run a device status summary report for a large number of devices (for example, 8,000 devices), the report may be generated correctly. But if you then select Run Report again without closing the Devices Reports window, Software Distribution Console eventually displays the message, "Report is being generated," after which the console may take several minutes to finish.

MDM Self Service Portal Issues

Developer Files Not Needed on Production Server

We recommend that after you install MDM Self Service Portal on your production server, you remove certain files from the installation that are not required in production use. The files are only required for a development environment where portal code is being modified.

All files ending in .cs, .csproj, and .xsd in the following directories should be removed from the MDM Self Service Portal production server:

.\ (the installation directory)

.\App_GlobalResources

.\Code

.\Pages

.\Properties
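The following function is an added example, not code from the release notes or from MDM, that performs the clean-up above. It removes the .cs, .csproj, and .xsd files from exactly the five directories listed, without recursing into other directories, supports -WhatIf for a dry run, and can move the files to a backup folder instead of deleting them so that a developer can get them back. The portal root and backup paths in the usage lines are placeholders.

```powershell
function Remove-SspDeveloperFiles {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$PortalRoot,   # MDM Self Service Portal installation directory
        [string]$BackupRoot                                # if given, move the files here instead of deleting them
    )
    $folders    = @('.', 'App_GlobalResources', 'Code', 'Pages', 'Properties')   # the directories the release notes list
    $extensions = @('.cs', '.csproj', '.xsd')
    $processed  = @()
    foreach ($folder in $folders) {
        $dir = Join-Path -Path $PortalRoot -ChildPath $folder
        if (-not (Test-Path -Path $dir)) { continue }
        # Non-recursive on purpose: only the listed directories are touched.
        $files = Get-ChildItem -Path $dir -Force |
                 Where-Object { -not $_.PSIsContainer -and ($extensions -contains $_.Extension.ToLower()) }
        foreach ($file in $files) {
            if (-not $PSCmdlet.ShouldProcess($file.FullName, 'Remove developer file')) { continue }
            if ($BackupRoot) {
                $dest = Join-Path -Path $BackupRoot -ChildPath $folder
                if (-not (Test-Path -Path $dest)) { New-Item -ItemType Directory -Path $dest | Out-Null }
                Move-Item -Path $file.FullName -Destination $dest
            } else {
                Remove-Item -Path $file.FullName
            }
            $processed += $file.FullName
        }
    }
    return $processed
}

# Dry run first, then the real pass with a backup (paths are placeholders):
# Remove-SspDeveloperFiles -PortalRoot 'C:\inetpub\SelfServicePortal' -WhatIf
# Remove-SspDeveloperFiles -PortalRoot 'C:\inetpub\SelfServicePortal' -BackupRoot 'D:\SspDevFiles'
```

After the real pass, browse to the portal and log on once to confirm it still serves its pages; the files the release notes name are not needed at run time, but the check costs little and catches a portal that was customized to compile source at run time.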

Upgrading Resets Configured Options to Default Options

When you run MDM 2008 SP1 Setup and install MDM Self Service Portal, be aware that custom administrator settings are not migrated to the upgraded installation of the portal.

To use the same settings in the upgraded installation of the portal, note the settings you have configured on the Portal Administration page of the current portal before you upgrade. Then set the same options on the Portal Administration page after you upgrade MDM Self Service Portal.

User Authentication Can Be Slow

If a user who is not in a trusted domain accesses MDM Self Service Portal, the first page may be slow to load. In this scenario, when Windows Integrated Authentication tries to use the Kerberos protocol, Kerberos authentication fails for the non-trusted domain. Windows authentication uses the NT LAN Manager protocol instead. This prolongs the logon process.

To prevent a prolonged logon process, enable NTLM authentication only on the Web site. Be aware that this also turns off Kerberos for users who are in a trusted domain, so those users lose Kerberos mutual authentication to the portal. For more information, see this Microsoft Web site: https://support.microsoft.com/kb/215383.

Repeated Prompts for User Credentials

Users who access MDM Self Service Portal published through Microsoft Internet Security and Acceleration (ISA) Server may experience repeated prompts to provide their credentials. This symptom can occur even after users type valid credentials. This behavior can occur for the following reasons:

  • The published Web server requires Kerberos authentication.
  • The published Web server and the ISA Server–based computer both have Windows Integrated Authentication enabled, and both require authentication.

Perform one of the following steps to resolve this issue:

  • Enable only NTLM authentication.
  • Enable both Kerberos and NTLM authentication on the published Web site, and then publish the Web server in ISA Server.

Results for Log On as a Different User Depend on the Security Zone

If you are logged on to Windows as a domain user and MDM Self Service Portal is detected in the local intranet security zone, when you select Log in as a different user on the portal, the user credentials dialog box does not display. By default, because your computer and MDM Self Service Portal are both in the local intranet security zone, Internet Explorer resubmits your current Windows logon credentials to the MDM Self Service Portal Web site. Therefore, you will be unable to log on to MDM Self Service Portal from the Windows domain as a different user.

If MDM Self Service Portal is detected in the Internet security zone, or if you are logged on to the Windows domain as a local user instead of as a domain user, when you select Log in as a different user, the user credentials dialog box appears and you can log on to the portal as a different user.

Running Setup Repair Option Resets the Secure Sockets Layer (SSL) Port to Default

In MDM Setup, if you use the MDM Self Service Portal repair option, this sets the Secure Sockets Layer (SSL) port number to the default port, 443. If you used a port other than the default port 443 during MDM Setup, you can restore the SSL port to the port that you used during the original installation.

To set the SSL port in Internet Information Services Manager

  1. On the Start menu, choose All Programs, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.

  2. Double-click the name of the local computer, and then expand Web Sites.

  3. Right-click SelfServicePortal, and then select Properties.

  4. In the SelfServicePortal Properties dialog box, on the Web site tab, type the correct SSL port number.

  5. Choose OK.

Long SSP Folder Path Ends Setup with English Error Message

When you install MDM Self Service Portal, if you specify a destination folder path that is longer than 240 characters, MDM Setup ends with an error message. This error message is displayed in English even in non-English versions of MDM.

Managed Windows Mobile Device Issues

Managed Device Operating System Requirement

Windows Mobile devices that you manage by using MDM must run Windows Mobile 6.1 or a later version of Windows Mobile.

No Internet Sharing with Mobile VPN Enabled

The Internet Sharing application on a managed Windows Mobile device will not function while the Mobile virtual private network (VPN) is enabled. In order to avoid user confusion, you may choose to do one of the following:

  • If it is not required, disable Internet Sharing permanently. The user will be unable to use Internet Sharing even when the Mobile VPN is disabled. We recommend this option if, by policy, you do not let users disable Mobile VPN.
  • Inform users who use Internet Sharing that they must disable Mobile VPN manually and then enable it again when they are finished with Internet Sharing. However, you can only do this if, by policy, you let the user disable the Mobile VPN.

Mobile VPN Fails When Root Certification Authority Certificate Is Issued By Certain Non-Microsoft Certification Authorities

The following applies only to Windows Mobile 6.1, build 19208 or later. Windows Mobile 6 AKU 1.4, build 20757 and later, includes an update for this issue.

In Windows Mobile 6.1 (build 19208 or later), validation of Mobile VPN Gateway certificates and establishment of the Mobile VPN tunnel fails when the trusted root certificate contains a Subject Key Identifier (SKI) that is not computed as the SHA-1 hash of the Public Key element of the certificate.

The SKI of an X.509 certificate is defined in RFC 3280, Section 4.2.1.2, as an optional extension. The RFC describes two common methods for deriving the SKI but does not require either of them. The Certificate Request Payload of the Internet Key Exchange Protocol version 2 (IKEv2), defined in RFC 4306, Section 3.7, carries one or more SHA-1 hashes of the public keys of acceptable root certificates. Mobile VPN on the affected builds incorrectly compares the SKI extension of the certificate (if present) directly against the Certificate Request Payload hashes, so the check fails whenever the SKI is present but was derived by any mechanism other than the direct SHA-1 hash of the Public Key element of the certificate.

If the SKI extension is absent from the root certificate, or the SKI was derived by computing the SHA-1 hash of the Public Key element, VPN certificate validation behaves as expected.

If you have this issue, please contact a Microsoft Customer Support Services (CSS) representative for assistance.
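The following function is an added example, not code from the release notes or from MDM, for checking a root certificate before it is pushed to devices. It loads the trusted root certificate, computes the SHA-1 hash of the subjectPublicKey value (RFC 3280 method 1; .NET's GetPublicKey() returns exactly those bytes, which for an RSA key is the DER RSAPublicKey), and compares it with the certificate's Subject Key Identifier extension. A root with no SKI, or with an SKI equal to that hash, is reported as compatible with the Mobile VPN check described above; any other SKI is the failing case. The certificate path in the usage line is a placeholder.

```powershell
function Test-RootCertSkiForMobileVpn {
    param(
        [Parameter(Mandatory=$true)][string]$CertificatePath   # DER or Base-64 .cer file of the trusted root CA
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)

    # RFC 3280 method (1): SHA-1 over the value of the subjectPublicKey BIT STRING.
    $sha1    = New-Object System.Security.Cryptography.SHA1CryptoServiceProvider
    $keyHash = ($sha1.ComputeHash($cert.GetPublicKey()) | ForEach-Object { $_.ToString('X2') }) -join ''

    # id-ce-subjectKeyIdentifier is OID 2.5.29.14; the extension is optional.
    $ski    = $null
    $skiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if ($skiExt) {
        $typed = New-Object System.Security.Cryptography.X509Certificates.X509SubjectKeyIdentifierExtension($skiExt, $false)
        $ski   = $typed.SubjectKeyIdentifier.ToUpper()
    }

    # No SKI, or an SKI equal to the public key hash, is the case the release notes describe as working.
    $compatible = ($ski -eq $null) -or ($ski -eq $keyHash)
    New-Object PSObject -Property @{
        Subject             = $cert.Subject
        Thumbprint          = $cert.Thumbprint
        SubjectKeyId        = $ski
        PublicKeySha1       = $keyHash
        MobileVpnCompatible = $compatible
    }
}

# Test-RootCertSkiForMobileVpn -CertificatePath 'C:\certs\ContosoRootCA.cer' | Format-List
```

If MobileVpnCompatible is False, the root certification authority derived its SKI by some other method, which is the situation for which the note above directs you to Microsoft Customer Support Services; re-keying or re-issuing the root with a method-1 SKI is a decision for the PKI owner, not something to change on the devices.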