Consider the following scenario. On a System Center Mobile Device Manager (MDM) Gateway Server computer, there are attempts to validate Windows Mobile device certificates and to authenticate System Center MDM 2008 Device Management Server. However, the trusted root certificate contains a subject key identifier (SKI) that is not computed as the SHA-1 hash of the certificate's public key element. In this scenario, these operations fail, and the gateway management status displays an error state.
Additionally, on a Windows Mobile 6.1 device, there are attempts to validate Mobile VPN Gateway certificates and to establish a Mobile VPN tunnel. However, when the trusted root certificate contains an SKI that is not computed as the SHA-1 hash of the certificate's public key element, these operations also fail.
If the SKI element is not present in the root certificate, or if the SKI was derived by computing the SHA-1 hash of the public key element, the VPN certificate validation behaves as expected. The following hotfix adds logic to the certificate validation process to guarantee the correct behavior, regardless of the format of the SKI in the certificate.
Note This issue typically occurs when the certificate that is used has an SKI whose length is not equal to 20 bytes. A 20-byte SKI is what the full SHA-1 hash of the public key produces; the alternative method in RFC 3280 produces an 8-byte identifier, and CA software is free to assign any other unique value.
Additionally, the following event is logged in the Mobile Device Manager log on the Device Management server:
Source: Device Manager
Event ID: 5254
Description: Gateway https://<GW Server URL>:443/Vpn/ApplyConfig.ashx did not authenticate the Gateway Central Management service. Make sure that the certificate that is used by this computer is valid and trusted by the Gateway. Use the Gateway Central Management certificate template to issue a valid certificate.
Subject Name: CN=<DM Server URL>
Thumbprint: <Certificate thumbprint>
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
To apply this hotfix, you must have one of the following installed:
System Center MDM 2008
Windows Mobile 6.1, build 19202 or a later build
The MDM Services and the Windows Mobile 6.1 VPN client will be restarted as part of the update process.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Mobile 6.1 client
To resolve the issue, you must install this hotfix on both the server side and the client side.
On the server side, this update must be applied to each computer that hosts MDM Gateway Server.
To do this, follow these steps:
Copy the following file as appropriate for your language setting to either a local folder or an available network shared folder:
MDM2008-KB951840-Server-VL-x64-CHS.exe
MDM2008-KB951840-Server-VL-x64-CHT.exe
MDM2008-KB951840-Server-VL-x64-DEU.exe
MDM2008-KB951840-Server-VL-x64-ENU.exe
MDM2008-KB951840-Server-VL-x64-ESP.exe
MDM2008-KB951840-Server-VL-x64-FRN.exe
MDM2008-KB951840-Server-VL-x64-ITA.exe
MDM2008-KB951840-Server-VL-x64-KOR.exe
MDM2008-KB951840-Server-MSDN-x64-CHS.exe
MDM2008-KB951840-Server-MSDN-x64-CHT.exe
MDM2008-KB951840-Server-MSDN-x64-DEU.exe
MDM2008-KB951840-Server-MSDN-x64-FRN.exe
MDM2008-KB951840-Server-MSDN-x64-ITA.exe
MDM2008-KB951840-Server-MSDN-x64-JPN.exe
MDM2008-KB951840-Server-MSDN-x64-KOR.exe
On each computer that is running MDM Gateway Server, run the file that matches your installation: MDM2008-KB951840-Server-VL-x64-<lang>.exe or MDM2008-KB951840-Server-MSDN-x64-<lang>.exe
Note You can run the update executable file either from Windows Explorer or at a command prompt. The MDM services will be restarted as part of the update process.
On the client side, this update must be applied to Windows Mobile 6.1 devices that will be managed by Mobile Device Manager (MDM). Apply the update before device enrollment on Windows Mobile 6.1, build 19202 or later.
To do this, follow these steps:
Copy the WindowsMobile61-KB951840.msi file for your language to either a local folder or an available network shared folder.
Run the .msi file to extract the client .cab file.
On each Windows Mobile 6.1 device, run the .cab file. The Windows Mobile 6.1 VPN client will be restarted as part of the update application process.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
The Subject Key Identifier (SKI) of an X.509 certificate is defined in RFC 3280, Section 4.2.1.2, as an optional certificate extension. The RFC describes two common methods for deriving the SKI (the full 160-bit SHA-1 hash of the public key, or a 4-bit type field 0100 followed by the least significant 60 bits of that hash), but it does not require either one; a CA may use any value that uniquely identifies the key. The Certificate Request (CERTREQ) payload of the Internet Key Exchange Protocol Version 2 (IKEv2) is defined in RFC 4306, Section 3.7, as a list of one or more SHA-1 hashes of the public key element of the root certificates that the sender accepts.
Before you apply this hotfix, the Mobile VPN incorrectly compares the SKI element of the certificate (if present) directly with the CERTREQ payload hashes. This check fails whenever the SKI is present but was derived by a mechanism other than the full SHA-1 hash of the certificate's public key element, even though the root certificate itself is trusted.
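The following Python model, added here for illustration and not taken from Microsoft's MDM or Windows Mobile code, shows the two RFC 3280 SKI derivations, the RFC 4306 CERTREQ payload, and why the pre-hotfix comparison fails for a non-20-byte SKI (the observation in the note above) while the corrected comparison does not. It assumes the "public key element" can be treated as an opaque byte string (no DER parsing is done), and the root key below is constructed sample data, not a real key.

```python
import hashlib
from typing import Iterable, Optional, Set


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def ski_method1(public_key: bytes) -> bytes:
    """RFC 3280 4.2.1.2 method (1): the full 160-bit SHA-1 hash of the public key (20 bytes)."""
    return sha1(public_key)


def ski_method2(public_key: bytes) -> bytes:
    """RFC 3280 4.2.1.2 method (2): 4-bit type field 0100 followed by the least
    significant 60 bits of the SHA-1 hash, giving an 8-byte identifier."""
    h = sha1(public_key)
    # The low 60 bits are the low nibble of h[12] plus the last seven bytes h[13:20].
    return bytes([0x40 | (h[12] & 0x0F)]) + h[13:]


def certreq_payload(trusted_root_keys: Iterable[bytes]) -> bytes:
    """RFC 4306 3.7: concatenation of 20-byte SHA-1 hashes of the trusted roots' public keys."""
    return b"".join(sha1(k) for k in trusted_root_keys)


def certreq_hashes(payload: bytes) -> Set[bytes]:
    """Split a CERTREQ payload back into its 20-byte hash entries."""
    if len(payload) % 20:
        raise ValueError("CERTREQ payload length is not a multiple of 20 bytes")
    return {payload[i:i + 20] for i in range(0, len(payload), 20)}


def root_accepted_before_hotfix(public_key: bytes, ski: Optional[bytes], payload: bytes) -> bool:
    """Models the pre-hotfix behaviour described in the article: when the certificate
    carries an SKI, its raw bytes are compared with the CERTREQ hashes; the hash is
    computed only when the SKI extension is absent."""
    ident = ski if ski is not None else sha1(public_key)
    return ident in certreq_hashes(payload)


def root_accepted_after_hotfix(public_key: bytes, ski: Optional[bytes], payload: bytes) -> bool:
    """Corrected behaviour: always derive the SHA-1 hash of the public key, so the
    format of the SKI extension no longer matters."""
    return sha1(public_key) in certreq_hashes(payload)


def diagnose_ski(public_key: bytes, ski: Optional[bytes]) -> str:
    """Classify how a certificate's SKI was derived (the 20-byte check from the note)."""
    if ski is None:
        return "absent"
    if ski == ski_method1(public_key):
        return "sha1-of-public-key (20 bytes)"
    if ski == ski_method2(public_key):
        return "truncated-60-bit (8 bytes)"
    return f"other ({len(ski)} bytes)"


# Constructed sample data, not a real key: stands in for the public key element of a root CA.
ROOT_KEY = b"constructed-root-ca-public-key-bytes"
PAYLOAD = certreq_payload([ROOT_KEY])

if __name__ == "__main__":
    cases = (
        ("no SKI", None),
        ("method 1", ski_method1(ROOT_KEY)),
        ("method 2", ski_method2(ROOT_KEY)),
        ("CA-assigned", b"\x01\x02\x03\x04"),
    )
    for label, ski in cases:
        print(f"{label:12} {diagnose_ski(ROOT_KEY, ski):32} "
              f"before={root_accepted_before_hotfix(ROOT_KEY, ski, PAYLOAD)} "
              f"after={root_accepted_after_hotfix(ROOT_KEY, ski, PAYLOAD)}")
```

Only the "no SKI" and "method 1" rows pass the pre-hotfix check; an 8-byte method 2 identifier or a CA-assigned value can never equal a 20-byte CERTREQ entry, which is the failure the hotfix removes.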
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates