Android Devices Fail to Enroll with User-Based Enrollment
Summary
Related SOTI ONE Platform Products
Related Device OS
Issue Description
User-based enrollment fails, even though no changes were made on the SOTI MobiControl side or the LDAP/Azure side.
This issue can occur on both on-premises and cloud-based servers where customers use LDAP or Azure for user-based enrollment. If a user is a member of more than a certain number of groups, direct as well as nested (the exact limit is currently unknown), enrollment may fail because of the group membership limit.
Device-based enrollment works as expected.
Environment
SOTI MobiControl 2024.1.0 and later.
Symptoms
User-based enrollment of the device fails, while device-based enrollment is successful.
Cause
If the enrollment user is a member of many groups, both direct and nested, the request header sent to SOTI MobiControl may exceed the default size limits set on the server under:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
Check the MaxFieldLength and MaxRequestBytes registry values. If they are missing, the server will use the default limits set by Windows.
Use the following PowerShell script (it requires the ActiveDirectory module) on the LDAP server to check how many groups the user belongs to, directly and through nesting:
    Import-Module ActiveDirectory

    $userSam = Read-Host "Enter the user's sAMAccountName (e.g., jdoe)"
    try {
        $user = Get-ADUser -Identity $userSam -Properties *

        # Direct memberships only (MemberOf does not include the primary group)
        $groups = @($user.MemberOf | ForEach-Object {
            Get-ADGroup -Identity $_ | Select-Object Name, DistinguishedName, GroupScope
        })

        # Full transitive membership (direct + nested) via the LDAP_MATCHING_RULE_IN_CHAIN
        # matching rule; this is the set of groups that ends up in the user's Kerberos token.
        # Escape the DN so it is safe inside an LDAP filter.
        $dnFilter = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
        $nestedGroups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dnFilter)" |
            Select-Object Name, DistinguishedName, GroupScope)

        $extensions = @{}
        1..15 | ForEach-Object {
            $propName = "extensionAttribute$_"
            $extensions[$propName] = $user.$propName
        }

        $userInfo = [ordered]@{
            UserName            = $user.SamAccountName
            DisplayName         = $user.Name
            DistinguishedName   = $user.DistinguishedName
            Email               = $user.EmailAddress
            Title               = $user.Title
            Department          = $user.Department
            DirectGroupCount    = $groups.Count
            TotalGroupCount     = $nestedGroups.Count   # direct + nested
            Groups              = $groups
            NestedGroups        = $nestedGroups
            ExtensionAttributes = $extensions
        }

        $jsonOutput = $userInfo | ConvertTo-Json -Depth 5
        $outputPath = "$env:TEMP\$($user.SamAccountName)_ADClaimsInfo.json"
        $jsonOutput | Out-File -FilePath $outputPath -Encoding UTF8

        Write-Host "Local AD user 'authorization claims' exported to: $outputPath"
        Write-Host "User is a member of $($nestedGroups.Count) groups (direct + nested)"
        Write-Host "`n--- JSON Preview ---`n"
        Write-Output $jsonOutput
    }
    catch {
        Write-Error "Failed to retrieve AD user info: $_"
    }
Issue Resolution
If the MaxFieldLength and MaxRequestBytes values are missing from, or left at their defaults in, the registry key
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
refer to the Microsoft articles below either to calculate the required value from the user's group memberships or to set the values to the maximum.
Calculate the value based on the user's group memberships: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/http-bad-request-response-kerberos
Configure it to the maximum value: Http.sys registry settings for Windows - Internet Information Services | Microsoft Learn
After the change, reboot the server for the new values to take effect.
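As an added worked example (not SOTI's script), the following PowerShell, run as an administrator on the SOTI MobiControl server, reads the effective Http.sys limits, estimates the enrollment user's Kerberos token size from the group counts produced by the script above, and reports whether the limits are large enough. The token-size and MaxFieldLength formulas are assumed to be those from the Microsoft articles linked above, the 16384-byte defaults are assumed to be the Windows defaults, and the parameter names are my own.

```powershell
<#
  Added example, not part of the SOTI article. Assumptions: token size = 1200 + 40d + 8s
  and MaxFieldLength = (4/3 * T) + 200 come from the Microsoft articles referenced above;
  16384 is the Http.sys default used when a value is missing; 65534 is the documented
  MaxFieldLength maximum. Run elevated; a reboot is still required after -Apply.
#>
param(
    [int]$DomainLocalGroups = 0,     # d: domain local groups (+ universal groups from other domains)
    [int]$GlobalUniversalGroups = 0, # s: global + universal groups from the user's own domain
    [switch]$Apply                   # write the values instead of only reporting
)
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$default  = 16384      # value Http.sys uses when the entry is missing
$maxField = 65534      # documented upper bound for MaxFieldLength

function Get-EffectiveHttpLimit([string]$Name) {
    $item = Get-ItemProperty -Path $regPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $default }   # missing: the Windows default applies
    return [int]$item.$Name
}

# Estimated Kerberos token size for the user, in bytes
$tokenBytes = 1200 + (40 * $DomainLocalGroups) + (8 * $GlobalUniversalGroups)
# The token travels base64-encoded in the Authorization header (4/3 growth) plus ~200 bytes of header overhead
$neededField = [math]::Ceiling($tokenBytes * 4 / 3) + 200

$curField = Get-EffectiveHttpLimit 'MaxFieldLength'
$curReq   = Get-EffectiveHttpLimit 'MaxRequestBytes'
"Estimated Kerberos token: $tokenBytes bytes -> MaxFieldLength needed: $neededField"
"Effective MaxFieldLength: $curField   Effective MaxRequestBytes: $curReq"

if ($neededField -gt $maxField) {
    "Required size exceeds the Http.sys maximum; reduce the user's group membership or use the workaround below."
} elseif ($curField -lt $neededField -or $curReq -lt $neededField) {
    "Current limits are too small for this user; Http.sys will reject the enrollment request header."
    if ($Apply) {
        # Both values set to 65534: the MaxFieldLength maximum, and enough total header room for
        # the token. Larger MaxRequestBytes values only widen what any client may send the server.
        New-ItemProperty -Path $regPath -Name MaxFieldLength  -PropertyType DWord -Value $maxField -Force | Out-Null
        New-ItemProperty -Path $regPath -Name MaxRequestBytes -PropertyType DWord -Value $maxField -Force | Out-Null
        "Values written; reboot the server for them to take effect."
    }
} else {
    "Current limits are sufficient for this user."
}
```

Run it first without -Apply to see the estimate against the effective limits; the GroupScope column in the JSON from the script above tells you which count each group belongs to.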
Workarounds
The following can be used as a short-term solution if there are any issues updating the registry values:
1. Enroll the device without any user details using device-based enrollment.
2. Assign a user to a device from the device information page > User detail section in the SOTI MobiControl web console.
Known Issues