Protocol used to Deploy on WIN CE 6

SteeveP
Sogesma/Logesma

Hello everyone,

I had this subject opened a month ago, but it then evolved into a ticket... which was closed due to my sysadmin having security issues on the server at that time.

So, to get all the information:

We are using MobiControl.

We already have a bunch of devices (mostly Datalogic Memor 10).

But I was requested to make our old "Datalogic Skorpio X3" able to be on the server as well.

The first problem was the protocol used, because TLS 1.0 was disabled some time ago... and so began the "security problem" at that time :)

Right now, the sysadmin has been able to enable TLS 1.0 on the server side, but I still encounter a communication problem.

2023-09-21 10:52:49,266 (0x00000f54) [INFO ] <394> Comm.Client.623: Accepted a new connection from [::ffff:x.x.x.x]:49943.

2023-09-21 10:52:49,282 (0x00000f54) [ERROR] <394> Comm.Client.623: Error authenticating client [::ffff:x.x.x.x]:49943: System.Security.Authentication.AuthenticationException: Échec d'un appel à SSPI, consultez l'exception interne. ---> System.ComponentModel.Win32Exception: Le client et le serveur ne peuvent pas communiquer car ils ne possèdent aucun algorithme commun

On the ticket that was created a month ago, it was suggested to install Wireshark and try to get information with it.

But the admin would prefer to avoid that and maybe get the needed information directly.

Also, it seems that even if the protocol seems to be the right one, he's still unsure about the key length or crypto algorithm used by the SOTI client on the device.

So... if there is someone who knows that... or who has some kind of older documentation,

I would much appreciate it.

Thanks a lot.

Steeve

2 years ago
SOTI MobiControl
ANSWERS
Raymond Chan Diamond Contributor
2 years ago

You can find earlier MobiControl online documentation by choosing the version number near the right-hand corner of the v15.x online manual page, bringing you to, say, the v14.5 & v13.x manuals at

  https://www.soti.net/mc/help/v14.5/en/start.html 

and

   https://www.soti.net/mc/help/v13/en/default.htm

respectively.

SteeveP
2 years ago

Hi Raymond,

Thanks for that, but sadly I can't find enough information on this.

Thomas G.
2 years ago

Hi,

If your MobiControl installation was done with 15.x, the MC root certificate has a SHA256 hash, which is rarely or not supported by Windows CE 6. Most often, you need to have an MC root certificate with SHA1 and also a deployment server certificate with SHA1. That's why there is an option to use 2 different ports (and certificates) for the deployment server in the MC admin utility to support Windows CE. (So far it didn't work for us and we use different systems for Windows and Android.)

The next thing on the server besides the protocols is the enabled ciphers and hashes. You can use IIS Crypto from Nartac (freeware) for the configuration. It also depends on the device what needs to be enabled; for a test you can enable all (a restart of the server is required afterwards). You should be aware of the fact that enabling the old protocols and ciphers to support Windows CE makes your server heavily vulnerable to security threats.

SteeveP
2 years ago

Hello Thomas,

Thanks for this answer,

I should have explained that this was already enabled the first time we tried.

I've re-generated an agent from that certificate using SHA-1.

I also saw a topic from someone else who said he had to re-create the certificate and agent etc. once to make it work.

I'll give it a try too.

Zafer Cigdem
2 years ago

Hi Steeve,

As far as I know, in addition to the protocol (as you mentioned above, TLS 1.0), you can also verify the cipher suites. If there is no match between your device's cipher suites and your MobiControl server's current cipher suite configuration, you may enable some cipher suites on your MobiControl server side to let this device (or these devices) into your MobiControl system.

You can see which cipher suites are supported on your device side by opening an internet browser on your device and visiting https://clienttest.ssllabs.com:8443/

Below is an example from my WinCE device when I visit the above website.

I hope it helps, thank you.

Zafer

SteeveP
2 years ago

Hi Zafer,

I think this should help a lot.

I'll give it a try and let you know.

Thanks for this.

SteeveP
2 years ago

I may have spoken too fast.

Still looking at it... but the Skorpio X3 uses WinCE 6.

The only browser available on it is IE, and it is clearly outdated.

It seems to be a problem for it to go on the web.

Zafer Cigdem
2 years ago

Hi Steeve,

If you can install another internet browser on your device or update the IE browser on your device, that would be great. Otherwise, if you can't use your device's internet browser to check out your device's cipher suites, one of the alternative options is to try enabling cipher suites on your MobiControl server for a very limited time during your device enrollment test, and you can monitor whether you can enroll your device in your MobiControl or not. You may use a 3rd-party tool for this such as IIS Crypto; you may use the best case from the UI tool. Please remember that enabling old versions of the cipher suites may be risky. So, as soon as you complete your test (if the device enrollment still does not work, you may revert the settings back to the original ones).

I hope it helps. Thank you.

Zafer

 

SteeveP
2 years ago

Hi Zafer,

Thanks for your answer.

I didn't find any other browser that could be installed on the device at the moment.

The sysadmin wants to avoid enabling useless ciphers, to be sure to keep the server as clean as possible.

We should try to get Wireshark data this week... hope it will help to find out what is missing.
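
Added example, not part of any post in this thread and not SOTI code: the part of a Wireshark capture that answers the sysadmin's question is the device's ClientHello, which lists the protocol version and cipher suites the client offers. The Python below parses that record and intersects it with the server's enabled list; the sample bytes and the server list are constructed assumptions, and SSLv2-format hellos are not handled.

```python
import struct

# Subset of IANA TLS cipher suite code points, enough for the sample below.
SUITE_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(record: bytes):
    """Return (offered version, [cipher suite names]) from one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + min(hs_len, rec_len - 4)]
    try:
        version = struct.unpack("!H", hello[:2])[0]
        pos = 2 + 32                        # client_version + random
        pos += 1 + hello[pos]               # session_id length byte + session_id
        n = struct.unpack("!H", hello[pos:pos + 2])[0]
        raw = hello[pos + 2:pos + 2 + n]
        if len(raw) != n or n % 2:
            raise IndexError
        codes = struct.unpack("!%dH" % (n // 2), raw)
    except (struct.error, IndexError):
        raise ValueError("truncated or malformed ClientHello") from None
    return VERSIONS.get(version, hex(version)), [SUITE_NAMES.get(c, "0x%04X" % c) for c in codes]

def common_suites(offered, server_enabled):
    """Suites both sides support, in client order; empty means no common algorithm."""
    return [s for s in offered if s in server_enabled]

# Constructed sample, NOT captured from a Skorpio X3: TLS 1.0 hello, four suites.
_suites = bytes.fromhex("00040005000a002f")
_hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(_suites)) + _suites + b"\x01\x00"
_hs = b"\x01" + len(_hello).to_bytes(3, "big") + _hello
SAMPLE = b"\x16\x03\x01" + struct.pack("!H", len(_hs)) + _hs
# Hypothetical hardened server list (an assumption, not a MobiControl default).
SERVER = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}

if __name__ == "__main__":
    version, offered = parse_client_hello(SAMPLE)
    print(version, offered, "common:", common_suites(offered, SERVER))
```

An empty intersection is the condition the server log above reports as the client and server having no common algorithm. Reading the offered list from a real capture lets the server enable only the suites the device needs rather than all of them.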

SteeveP
2 years ago

Hi,

Sadly, we are still unable to connect them to MobiControl.

Even when we wiresharked the connection, we're still unable to get it to work...

Regards

Steeve

MPMOD@SOTI
2 years ago

Hi Steeve,

Would it be possible for you to request a test server from your SOTI account manager and have all the cipher suites enabled temporarily as you attempt to enroll your device?

Kind regards,

Technical Support Specialist | SOTI | +1 905.624.9828 | SOTI.net | Discussion Forum | Log a Case Online | Facebook | LinkedIn | Twitter

SteeveP
2 years ago

Hi,

I'm just getting my access to the Enterprise solution.

Hope I'll get in touch with the TAM ASAP, as I'll be unavailable for 3 weeks, starting on 21st Nov.

Thanks for your reply.

Steeve

Zafer Cigdem
2 years ago

That's a great idea. That way you can verify which cipher suite(s) are needed. I hope it works.

MPMOD@SOTI
2 years ago

Hi Steeve,

I hope you have a fantastic vacation! When you get back, please open up a case with Soti Support to get this issue sorted out.

If you are getting enterprise support, feel free to use the customer portal and when creating your case, please link in this discussion post to make things clear for the agent working on the issue.

Kind regards,
