This post isn’t going to describe what HPE Aruba ClearPass or MobileIron is. And neither will it describe the configuration steps necessary to add MobileIron to ClearPass, but I will give a short summary:
This post tells a bit more about an error message I suddenly started to receive in the CPPM Eventy Viewer.
Error: not well-formed (invalid token)
I checked the internet, but I couldn’t find any useful information. I opened a TAC case to look into this error. The TAC engineer told me he had seen this error before, where MobileIron sends invalid token characters to ClearPass. He told me that CPPM does batch processing of the devices and the entire batch fails when CPPM doesn’t understand special characters. He also told me how to see which device is causing the problem.
You have to collect the CPPM logs (CPPM – Administration – Server Manager – Server Configuration – Collect Logs). After you untar the tar.gz file, you should look at the directory “strange string”\PolicyManagerLogs\mdm\MI\mdm-server and you should open the file 0.xml.bak.
Scroll down to the line mentioned in the error message and you will see something like below. I always use Notepad++ to open the file.
CPPM doesn’t understand these special characters in the key. When you start scrolling up, you can determine which device in MobileIron triggers the error message in CPPM.
After I found the device in MobileIron I checked every setting on the device to find the special character, but I couldn’t find one. In the end there was only one solution for me: retire the device. This basically means remove the device from MobileIron and the user needs to reprovision the device in MobileIron. The sync between CPPM en MobileIron was successful again after I retired the device.
Tip of the week: I guess you aren’t always looking at the Event Viewer for errors, so maybe it is useful to configure ClearPass Insight to send a notification if a System Error Event occurs!!!
Last week I have installed a Microsoft UAG array. I installed Microsoft ForeFront Unified Access Gateway 2010 including Service Pack 1. When using an array configuration you have to deploy Microsoft’s Network Load Balancing (NLB) for redundancy and load balancing purposes. I configured NLB with multicast and IGMP support. I had configured some HTTPS trunks and some HTTP trunks for http-to-https redirection.
Everything was working perfectly and I decided to install the update KB2585140 (ForeFront UAG SP1 Update 1). The main reason for installation was the introduction of SharePoint 2010 with Office Web Apps and Lync web services publishing.
The installation process was easy and completed without any errors. I noticed that after installing the update I couldn’t activate any configuration changes. Everything I hit Activate I receive the following error message:
The Activation works again by deleting all HTTP trunks and only use HTTPS trunks. The customer started a support call with Microsoft and Microsoft acknowledges this behavior when installing the update on an array configuration. At first Microsoft advised to “break” the array and use a stand-alone server deployment. If that isn’t an option we should uninstall the update. We are told that the current configuration will get to the configuration state prior to the installation.
This morning the customer received another e-mail from Microsoft stating at more and more calls were logged with the same issues. The issues now has the highest priority for the Microsoft UAG developers. Microsoft couldn’t tell when the issue will be fixed, but I guess very soon.
So when using a Microsoft UAG array configuration DON’T install Microsoft UAG SP1 Update-1.
The usage of Pocket PCs (PDAs) becomes more and more a default feature for business. The last months I have installed quit some Windows ISA 2006 servers for Reverse Proxy purposes. I have installed them normally for webmail only, but lately I have added the Microsoft Active Sync feature.
The Pocket PCs connect to the organization via UMTS, GPRS, USB with laptop or whatever with an internet connection. Today I had the same job on the schedule: Enable Active Sync for Pocket PCs.
I thought by myself: EASY JOB, but NOT. After configuring the ISA reverse proxy I used a Pocket PC emulator to test the Active Sync features. I received the following error message when synchronizing:
I found this a strange message, because clients use the same URL as the Pocket PC for accessing their webmail and they never receive an error message for an untrusted certificate.
The used certificated is issued by Equifax Secure Global eBusiness CA-1. This is a common and one of the better CA’s.
I had to dig deeper into the problem. I tried to install the certificate on the Pocket PC, but no luck. I searched the internet and found a tool called Microsoft Exchange Server Disable Certificate Verification. You can find an executable here, which can be used when using the Pocket PC in conjunction with a PC through USB. I also found a similar tool to install on the pocket PC, this is called AS_Cert_OFF.cab. The tool wasn’t the solution to the problem, so I had to dig deeper.
I was thinking way to complex, the problem was fixed by requesting a new certificate. The used certificate didn’t support Pocket PC. Comparing the different SSL certificates on QuickSSL.com I noticed I had to use a QuickSSL Premium certificate. This certificate supports popular mobile devices and smartphones.
After generating a CSR, requesting the certificate and installing the certificate on the ISA server, the connection and synchronization works like a charm. At least for the most PDA’s. Some PDA’s received the following error 80072f7d. After searching some forums, I found the solution in adding a registry key. I added the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
After adding the key to the registry, all Pocket PC’s synchronized perfectly.