Welcome to the official BlackBerry Support Community Forums.

BlackBerry® Enterprise Service 10

Trusted Contributor
Hape
Posts: 146
Registered: 08-18-2010
My Device: Z10
My Carrier: Vodafone.de
Accepted Solution

BDS 6.2 Certificate based Authentication

Hi all,

as far as I know some of you have already successfully configured BDS and certificate based authentication.

We still have issues while configuring SCEP and certificate based authentication and I hope you can give me some tips to solve this issue.

The current status is:

If I activate a Z10 device the whole activation runs through without asking for any AD password. But immediately after finishing the activation process the device gives the following message: "Not Connected - Password Required".

Once the AD password is typed manually in the account, then I can see, send and receive messages on the device.

On the CA I can see that a certificate is successfully issued. In the EMWS log on the BDS Server I can not see any errors or failures.

Does anybody have any idea how to solve it? We used the computer template. Those who successfully configured certificate based authentication, did you do any settings on the Exchange Server? If yes, what did you do?

Regards,

hape

Contributor
marduo1294
Posts: 14
Registered: 03-14-2013
My Device: Z10
My Carrier: Telus

Re: BDS 6.2 Certificate based Authentication

Hi Hape,

This is an Exchange question. See this blog post:

Configure certificate-based authentication for Exchange ActiveSync - Exchange Team Blog - Site Home - TechNet Blogs
http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-fo...

Just a word of caution: when you enable the "Require client certificates" option, all your other ActiveSync clients that authenticate using passwords will stop working.

Mike

Contributor
jacobl
Posts: 38
Registered: 04-21-2011
My Device: BES 5.x

Re: BDS 6.2 Certificate based Authentication

@ Hape - I'd suggest going back to the basics in this thread: http://supportforums.blackberry.com/t5/BlackBerry-Enterprise-Service-10/E-Mail-Authentication-with-c...

You should be using a customised template for the BES SCEP user certs, with "Client Auth", "IP Security IKE Intermediate" and "Secure Email" intended purposes and a subject type of "Computer". The issued cert's CN (subject) should be the user's AD display name, and the Subject Alternative Name should look like this:

Other Name:
    Principal Name=user@domain.local
RFC822 Name=user@publicdomain.com

where domain.local is the internal AD FQDN and publicdomain.com is the domain of the user's email address (assuming they are different).

It sounds like your ActiveSync auth isn't configured to require client certs though - check that it is (see the above thread for details).

Regards,

Jacob
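An added check for the template requirements described in this post (example PowerShell written for this page, not code from the thread or from BlackBerry): it loads an issued SCEP user certificate and reports whether the three intended purposes and the UPN / RFC822 SAN entries are present. The certificate path and both domain names are placeholders for your environment.

```powershell
# Added example: validate an issued SCEP user cert against the template
# requirements above. CertPath, InternalDomain and MailDomain are placeholders.
param(
    [string]$CertPath       = 'C:\temp\issued-user-cert.cer',
    [string]$InternalDomain = 'domain.local',
    [string]$MailDomain     = 'publicdomain.com'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Intended purposes (EKU OIDs) the template must carry.
$requiredEku = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.7.3.4' = 'Secure Email'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$presentEku = @()
if ($ekuExt) { $presentEku = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
foreach ($oid in $requiredEku.Keys) {
    $state = if ($presentEku -contains $oid) { 'OK' } else { 'MISSING' }
    Write-Host ("[{0}] EKU {1} ({2})" -f $state, $requiredEku[$oid], $oid)
}

# Subject Alternative Name (OID 2.5.29.17). Windows renders it as text like:
#   Other Name:
#        Principal Name=user@domain.local
#   RFC822 Name=user@publicdomain.com
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
$upn  = [regex]::Match($sanText, 'Principal Name=(\S+)').Groups[1].Value
$mail = [regex]::Match($sanText, 'RFC822 Name=(\S+)').Groups[1].Value

# The CN must be the user's AD display name; print it for manual comparison.
Write-Host ("Subject CN : {0}" -f $cert.GetNameInfo('SimpleName', $false))
$upnState  = if ($upn  -like "*@$InternalDomain") { 'OK' } else { 'CHECK' }
$mailState = if ($mail -like "*@$MailDomain")     { 'OK' } else { 'CHECK' }
Write-Host ("UPN  (SAN) : {0} -> {1}" -f $upn,  $upnState)
Write-Host ("Mail (SAN) : {0} -> {1}" -f $mail, $mailState)
```

Run it against a certificate exported from the CA's Issued Certificates view; a MISSING or CHECK line points at the template setting to revisit.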

Trusted Contributor
Hape
Posts: 146
Registered: 08-18-2010
My Device: Z10
My Carrier: Vodafone.de

Re: BDS 6.2 Certificate based Authentication

Hi marduo1294,

thanks for the reply. It really sounds like the Exchange ActiveSync authentication settings are our problem.

You wrote:

"Just a word of caution: when you enable the "Require client certificates" option, all your other ActiveSync clients that authenticate using passwords will stop working."

We currently have a lot of people running Z10 devices with Basic authentication (username and password) already. So what is the best way to achieve a smooth change to certificate based authentication?

I saw in the ActiveSync settings tab an option called "Accept client certificates".

Is it possible to use both authentication methods, certificate based and basic, temporarily?

Regards,

Hape

Contributor
jacobl
Posts: 38
Registered: 04-21-2011
My Device: BES 5.x

Re: BDS 6.2 Certificate based Authentication

Create an additional ActiveSync site with a new IP on your CAS servers with "Require client certificates" enabled (and the SSL cert re-bound to the site's IP using netsh with Negotiate Client Certificate = Enabled), and a new Mail Profile pointing at it in the BES. You can then re-provision a few BES users to use that profile for testing and if it all works well change the main mail profile to point at the new ActiveSync IP directly.

 

Regards,

 

Jacob
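An added verification step for the netsh re-binding described in this post (example PowerShell written for this page, not code from the thread): it reads the SSL binding for the new site's IP with `netsh http show sslcert` and reports whether Negotiate Client Certificate is enabled, printing the delete/add commands when it is not. The IP:port is a placeholder.

```powershell
# Added example: check that the SSL binding for the new ActiveSync site's IP
# negotiates client certificates. $IpPort is a placeholder for the new CAS IP.
function Test-ClientCertNegotiation {
    param([string]$IpPort = '192.0.2.10:443')

    $out = netsh http show sslcert ipport=$IpPort 2>&1 | Out-String
    if ($out -notmatch 'Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        Write-Warning "No SSL binding found for $IpPort"
        return $false
    }
    $hash      = $Matches[1]
    $appid     = [regex]::Match($out, 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})').Groups[1].Value
    $negotiate = [regex]::Match($out, 'Negotiate Client Certificate\s*:\s*(\w+)').Groups[1].Value

    Write-Host "Binding $IpPort -> cert $hash, appid $appid, negotiate client cert: $negotiate"
    if ($negotiate -eq 'Enabled') { return $true }

    # The flag cannot be changed in place: the binding has to be deleted and
    # re-added with clientcertnegotiation=enable, keeping the same hash and appid
    # (add certstorename=... if the cert is not in the local machine MY store).
    Write-Host "Binding does not negotiate client certs. To fix, run as administrator:"
    Write-Host "  netsh http delete sslcert ipport=$IpPort"
    Write-Host "  netsh http add sslcert ipport=$IpPort certhash=$hash appid=$appid clientcertnegotiation=enable"
    return $false
}

Test-ClientCertNegotiation
```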

Trusted Contributor
Hape
Posts: 146
Registered: 08-18-2010
My Device: Z10
My Carrier: Vodafone.de

Re: BDS 6.2 Certificate based Authentication

Hi Jacobl,

thanks, sounds good. Will test it. Thanks.

Regards,

Hape

Contributor
marduo1294
Posts: 14
Registered: 03-14-2013
My Device: Z10
My Carrier: Telus

Re: BDS 6.2 Certificate based Authentication

Hape,

Unfortunately you will have to test the "Accept client certificates" option, as it really depends on the ActiveSync client. In our case, we have many non-BlackBerry devices that do cert auth to EAS.

If you have multiple Exchange servers, the least intrusive migration method is to stand up a new Exchange server just for certificate authentication. Do your testing there and migrate everyone to it when you are ready.

Mike

Trusted Contributor
Hape
Posts: 146
Registered: 08-18-2010
My Device: Z10
My Carrier: Vodafone.de

Re: BDS 6.2 Certificate based Authentication

We finally got it running.

Currently we only have the issue that the username contains a comma and we need to wait for 10.1.1.

Thanks to all supporters.

Contributor
Sidjustice
Posts: 11
Registered: 01-29-2014
My Device: Q10
My Carrier: Etisalat

Re: BDS 6.2 Certificate based Authentication

Saw that you have been successful in configuring SCEP (certificate based auth) for BB 10 devices under BDS.

I have been struggling for the past 2 weeks to get this set up, no luck so far.

Can you help me by giving some pointers?

My environment in short:

1. I have set up the Exchange CAS and IIS for CBA as per the TechNet blogs.

2. I have set up NDES on Win 2k8 R2 and created a SCEP profile on BES 10.2.

3. I can see that a cert is being issued by the CA while enrolling the device. The cert meets the requirement discussed before, i.e.

Principal Name=user@domain.local

RFC822 Name=user@publicdomain.com

where domain.local is the internal AD FQDN and publicdomain.com is the domain of the user's email address (assuming they are different).

Our UPN is different from the user email address.

4. However, at the end of the activation process it still asks for the AD user name and password.

Please help me head in the right direction.

Note: at the end of activation, I get a prompt that the email provider may not be trustworthy before the AD username and password prompt. I have tried to add the CA root cert to the BAS share (ENTERPRISE) and also tried to import it to the device using the USB cable as well. Still no luck.

Since most of our current Z10/Q10 users are using Basic auth, I just change the auth temporarily to require certs at night and try to activate my test devices. When I fail after multiple attempts, I change the ActiveSync auth back to Basic auth and next morning users just type their AD password and continue working.

Help please

Contributor
Sidjustice
Posts: 11
Registered: 01-29-2014
My Device: Q10
My Carrier: Etisalat

Re: BDS 6.2 Certificate based Authentication

Hi Hape,

I just came across your post where you had successfully configured CBA for BES 10. I know it has been a long time now, but I have exactly the same problem as you had.

The activation process goes through the whole cycle; I can even see the user cert being generated on the CA during the activation process. However, at the end I am prompted for the AD username and password.

What did you do to resolve this issue? Was there anything on Exchange? On the Exchange side we have require client certs selected.

Please help me resolve this issue.

Many thanks