06-19-2013 03:40 AM
As far as I know, some of you have already successfully configured BDS and certificate-based authentication.
We still have issues while configuring SCEP and certificate-based authentication, and I hope you can give me some tips to solve this issue.
The current status is:
If I activate a Z10 device, the whole activation runs through without asking for any AD password. But immediately after finishing the activation process, the device gives the following message: "Not Connected - Password Required".
Once the AD password is typed manually into the account, I can see, send and receive messages on the device.
On the CA I can see that a certificate is successfully issued. On the EMWS log at BDS Server I can not see any errors or failures.
Does anybody have any idea how to solve it? We used the Computer template. Those who successfully configured certificate-based authentication: did you change any settings on the Exchange Server? If yes, what did you do?
06-19-2013 03:51 PM
This is an Exchange question. See this blog post:
Configure certificate-based authentication for Exchange ActiveSync - Exchange Team Blog - Site Home - TechNet Blogs
Just a word of caution: when you enable the "Require client certificates" button, all your other ActiveSync clients that authenticate using passwords will stop working.
06-19-2013 08:48 PM - edited 06-19-2013 08:49 PM
@ Hape - I'd suggest going back to the basics in this thread: http://supportforums.blackberry.com/t5/BlackBerry-
You should be using a customised template for the BES SCEP user certs, with "Client Auth", "IP Security IKE Intermediate" and "Secure Email" intended purposes with a subject type of "Computer". The issued cert's CN (subject) should be the user's AD display name, and the Subject Alternative Name should look like this:
where domain.local is the internal AD FQDN and publicdomain.com is the domain of the user's email address (assuming they are different).
It sounds like your ActiveSync auth isn't configured to require client certs though - check that it is (see the above thread for details).
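To check that an issued SCEP user certificate actually matches the template requirements described above (CN equal to the user's AD display name, and the Client Authentication, IP security IKE intermediate and Secure Email purposes all present), here is an added PowerShell check. It is not from the thread or from BlackBerry; the .cer path, the test user's name and the function name are placeholders, and the SAN is only printed for manual comparison because the thread does not reproduce the expected SAN format.

```powershell
# Added example, not from the thread: check an issued BES/SCEP user certificate against
# the template requirements described above. File path and user name are placeholders.
$RequiredEku = [ordered]@{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
    '1.3.6.1.5.5.7.3.4' = 'Secure Email'
}

function Test-BesUserCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$ExpectedDisplayName   # the user's AD display name
    )
    $result = [ordered]@{ Subject = $Certificate.Subject }

    # The CN of the subject must be the user's AD display name.
    $cn = ($Certificate.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
    $result.CnMatchesDisplayName = ($cn -eq $ExpectedDisplayName)

    # All three intended purposes must be present in the Enhanced Key Usage extension.
    $present = @($Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $result.MissingPurposes = @(
        $RequiredEku.Keys | Where-Object { $present -notcontains $_ } | ForEach-Object { $RequiredEku[$_] }
    )

    # Print the Subject Alternative Name (OID 2.5.29.17) so the UPN / e-mail entries
    # can be compared by eye against what the BES expects.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $result.SubjectAltName = if ($san) { $san.Format($false) } else { '<none>' }

    [pscustomobject]$result
}

# Usage: load a certificate exported from the CA's "Issued Certificates" view (placeholder path).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\issued-user.cer'
Test-BesUserCertificate -Certificate $cert -ExpectedDisplayName 'Test User'
```

A healthy result shows `CnMatchesDisplayName` as `True` and an empty `MissingPurposes` list; anything listed there points at the template's Application Policies rather than at Exchange.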
06-20-2013 03:01 AM - edited 06-20-2013 03:03 AM
Thanks for the reply. It really sounds like the Exchange ActiveSync authentication settings are our problem.
"Just a word of caution when you enable "Require client certificates" button all your other ActiveSync clients that authenticate using passwords will stop working."
We currently have a lot of people running Z10 devices with Basic authentication (username and password) already. So what is the best way to achieve a smooth change to certificate-based authentication?
I saw in the ActiveSync settings tab an option called: "Accept client certificates".
Is it possible to temporarily use both authentication methods, certificate-based and Basic?
06-20-2013 03:08 AM
Create an additional ActiveSync site with a new IP on your CAS servers with "Require client certificates" enabled (and the SSL cert re-bound to the site's IP using netsh with Negotiate Client Certificate = Enabled), and a new Mail Profile pointing at it in the BES. You can then re-provision a few BES users to use that profile for testing, and if it all works well, change the main mail profile to point at the new ActiveSync IP directly.
06-20-2013 12:09 PM
Unfortunately you will have to test the "Accept client certificates" option, as it really depends on the ActiveSync client. In our case, we have many non-BlackBerry devices that do cert auth to EAS.
If you have multiple Exchange servers, the least intrusive migration method is to stand up a new Exchange server just for certificate authentication. Do your testing there and migrate everyone to it when you are ready.
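The parallel-site migration described two posts up (a second ActiveSync site on a spare CAS IP with "Require client certificates", the SSL cert re-bound with client certificate negotiation, the original password-based directory left untouched) and the "Accept client certificates" variant discussed in the last reply, as an added PowerShell example. It is not from the thread, from BlackBerry or from Microsoft's blog post, and it assumes an Exchange 2010-style CAS where the Exchange Management Shell and the IIS WebAdministration module are loaded. The site name, spare IP, directory path, host-name prefix `eas-cert` and the certificate thumbprint are placeholders; `domain.local` and `publicdomain.com` are the names used earlier in the thread.

```powershell
# Added example, not from the thread. Builds the second "Require client certificates"
# ActiveSync site on a CAS while leaving the existing Microsoft-Server-ActiveSync
# directory (password auth) untouched. Run in the Exchange Management Shell.
Import-Module WebAdministration

$SiteName   = 'EAS-CertAuth'                             # placeholder
$SiteIp     = '10.0.0.50'                                # placeholder: spare IP on the CAS
$SitePath   = 'C:\inetpub\EAS-CertAuth'                  # placeholder
$Thumbprint = '<SSL-CERT-THUMBPRINT>'                    # placeholder: thumbprint of the existing EAS SSL cert
$IisAppId   = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'   # IIS's own application GUID for netsh sslcert

# 1. A second IIS site bound only to the spare IP on 443.
New-Item -ItemType Directory -Path $SitePath -Force | Out-Null
New-Website -Name $SiteName -PhysicalPath $SitePath -IPAddress $SiteIp -Port 443 -Ssl | Out-Null

# 2. Re-bind the SSL cert to that IP with client certificate negotiation enabled
#    (the "Negotiate Client Certificate = Enabled" setting mentioned in the post).
netsh http add sslcert ipport="${SiteIp}:443" certhash=$Thumbprint appid="$IisAppId" clientcertnegotiation=enable

# 3. Create the ActiveSync virtual directory in the new site. Basic auth is switched
#    off on this directory only; the original directory keeps accepting passwords.
New-ActiveSyncVirtualDirectory -WebSiteName $SiteName `
    -InternalUrl "https://eas-cert.domain.local/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://eas-cert.publicdomain.com/Microsoft-Server-ActiveSync" | Out-Null

$VDirId = "$env:COMPUTERNAME\Microsoft-Server-ActiveSync ($SiteName)"
# 'Required' is the "Require client certificates" button; 'Accepted' is the
# "Accept client certificates" option that the later reply says must be tested per client.
Set-ActiveSyncVirtualDirectory -Identity $VDirId -ClientCertAuth Required -BasicAuthEnabled $false

# 4. Make IIS require the cert at the SSL layer for this directory as well.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/Microsoft-Server-ActiveSync" `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 5. Check: the new directory requires certs, the original still allows Basic auth.
Get-ActiveSyncVirtualDirectory | Format-Table Identity, ClientCertAuth, BasicAuthEnabled -AutoSize
(Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$SiteName/Microsoft-Server-ActiveSync" `
    -Filter 'system.webServer/security/access' -Name sslFlags).Value
```

Point a test Mail Profile in the BES at the `eas-cert` host name, re-provision a few users, and only when they stay connected without a prompt for the AD password repoint the main profile. The final two lines are the check to keep: the original directory must still show `BasicAuthEnabled` as `True`, or every password-based ActiveSync client will stop working, as warned earlier in the thread.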