BlackBerry® Enterprise Service 10

Super Contributor
fermanagh
Posts: 277
Registered: ‎04-01-2008
My Device: Z30

BES 10 and SCEP profiles with certificate Based Authentication

Hi,

Has anyone successfully implemented this?

Can BES10 request a certificate from the SCEP server with the user's Active Directory UPN as the Subject Alternative Name field? This SAN needs to be set to the UPN in the certificate in order for Exchange CBA to work.

Thanks

Don't forget to hit like if I resolved your issue! :smileyhappy:
Trusted Contributor
Hape
Posts: 146
Registered: ‎08-18-2010
My Device: Z10
My Carrier: Vodafone.de

Re: BES 10 and SCEP profiles with certificate Based Authentication

Also interested in this topic...

@fermanagh

could you please share here if you should succeed?

Thanks.
Contributor
morser
Posts: 23
Registered: ‎12-14-2008
My Device: Z10, 9900 & Playbook 64GB
My Carrier: Bell Mobility

Re: BES 10 and SCEP profiles with certificate Based Authentication

Hi fermanagh,

Just curious, where did you read or hear that the SAN needs to be set to the UPN in the certificate in order for Exchange CBA to work? It makes sense, I'm just looking for more documented information.

I am also interested in this topic. However in my environment I have a User Forest / Resource Forest environment, where the UPNs are different in each forest. Exchange and BES10 are in the Resource forest, but authentication for resources such as ActiveSync uses the account in the User forest for authentication.

Without being able to manipulate what the BES10 server sends to the SCEP service, I may not be able to get this working.
Super Contributor
fermanagh
Posts: 277
Registered: ‎04-01-2008
My Device: Z30

Re: BES 10 and SCEP profiles with certificate Based Authentication

Hi there,

See here:

  • The User Principal Name (UPN) for each user account must match the Subject Name field in the user's certificate.

Taken from here: http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-fo...

In a resource/account forest scenario, authentication will pass to the account forest as the accounts in the resource forest are disabled. I tested this by enabling/disabling an account.

CBA worked for me though. As long as the UPNs are different in each forest it will work. If they are the same across forests, it will fail as the KCD lookup will hit the local domain first and will fail as the account is disabled.

Have you tested anything?

Don't forget to hit like if I resolved your issue! :smileyhappy:
Contributor
morser
Posts: 23
Registered: ‎12-14-2008
My Device: Z10, 9900 & Playbook 64GB
My Carrier: Bell Mobility

Re: BES 10 and SCEP profiles with certificate Based Authentication

Hi fermanagh,

Thanks for responding.

The UPN is different in our User Forest and Resource Forest. It doesn't seem to work. I think this is because to successfully authenticate with ActiveSync, we need the credentials and attributes of the User objects in the User Forest.

Example:

UserForest account name: morser

UserForest UPN: morser@userforest.com

UserForest Email: morser@mycompany.com (the attribute is populated with an email address, but this Forest does not have Exchange schema)

ResourceForest account name: morser

ResourceForest UPN: morser@resourceforest.com

ResourceForest Email: morser@mycompany.com

The Certificate that is created by NDES and the CA is made up of the information BDS10 sent to it during the request. BDS10 is sending what it knows, the ResourceForest information. But the Certificate is not valid and can't be used to authenticate the User Forest user object to gain access to ActiveSync.

I'm still investigating this.

Thanks again for the link and information! I have been to that technet page often.
Super Contributor
fermanagh
Posts: 277
Registered: ‎04-01-2008
My Device: Z30

Re: BES 10 and SCEP profiles with certificate Based Authentication

Hold on, have you configured your BES to obtain the user's account details from the account forest? This is done via the active directory configuration section. You shouldn't be adding users from the resource forest as they are disabled.

Don't forget to hit like if I resolved your issue! :smileyhappy:
Contributor
morser
Posts: 23
Registered: ‎12-14-2008
My Device: Z10, 9900 & Playbook 64GB
My Carrier: Bell Mobility

Re: BES 10 and SCEP profiles with certificate Based Authentication

Holding... :smileyhappy:

In Microsoft Active Directory Access:

TAB: Microsoft Active Directory Access - Configured for Resource Forest. This is where the Exchange schema attributes exist.

TAB: Microsoft Active Directory Login - Configured for Account Forest to allow administrators to log into administration console with their credentials.

On Attribute Mappings Tab, there is a UPN for SCEP. I'm looking into whether the Account Forest UPN is replicated to our Resource Forest, maybe in some other attribute so I can test this to see if it solves the problem.
Super Contributor
fermanagh
Posts: 277
Registered: ‎04-01-2008
My Device: Z30

Re: BES 10 and SCEP profiles with certificate Based Authentication

Wrong :smileyhappy:

You need to configure like this:

TAB: Microsoft Active Directory Access - Configured for ACCOUNT Forest

If you have it configured to access the resource domain, how do you think authentication will work on disabled accounts? :smileywink: Besides, when you go to add a user on the resource forest BAS will throw an error.

See this KB for more info: http://www.blackberry.com/btsc/KB32589

Don't forget to hit like if I resolved your issue! :smileyhappy:
Contributor
morser
Posts: 23
Registered: ‎12-14-2008
My Device: Z10, 9900 & Playbook 64GB
My Carrier: Bell Mobility

Re: BES 10 and SCEP profiles with certificate Based Authentication


fermanagh wrote:

Wrong :smileyhappy:

You need to configure like this:

TAB: Microsoft Active Directory Access - Configured for ACCOUNT Forest

*morser - The Microsoft Active Directory Access Tab is looking for attributes that could only exist if the Active Directory Schema was extended for Exchange 2010. The Account Forest has no Exchange 2010 attributes. Resource Forest does.

If you have it configured to access the resource domain, how do you think authentication will work on disabled accounts? :smileywink:

*morser - Authentication is not taking place at this point. The configuration wants to find a mailbox enabled user; Enabled or Disabled is not a factor at this point. For BB10 managed devices, authentication takes place the same way it does for Outlook or OWA; the user's Account Forest credentials are used to gain access to the mailbox.

Besides, when you go to add a user on the resource forest BAS will throw an error.

*morser - BAS does not throw an error. When you add a user using BAS, it is looking for Exchange attributes (in an Exchange environment) and thus it succeeds. If Active Directory Access were configured for a User Forest where no Exchange schema existed, it would not be able to succeed.

See this KB for more info: http://www.blackberry.com/btsc/KB32589

*morser - This KB article actually validates the configuration my enterprise company has. msExchMasterAccountSid is populated on our Resource Forest with the SID of the User Forest user object that owns the mailbox. The msExchMasterAccountSid Exchange attribute has to be configured and used if and only if AD and Mailbox are located in different forests. That is our configuration.

*morser - Anyway, as I mentioned I was going to attempt to change the UPN for SCEP attribute mapping on the "Attribute Mappings" TAB. We do not populate the UPN from the User Forest to the Resource Forest for all users, so as a test I took customattribute10 in the Resource Forest and populated it with my User Forest UPN.

First I had to add customattribute10 as an attribute that BDS synchronizes; that is done on the "External Attributes" Tab.

Then on my user in BAS I had to choose "Synchronize User" option at bottom of "view user" screen so it would pull new values in from AD.

I reapplied my Email SCEP profile and it worked! If not for the "UPN for SCEP" attribute mapping, this would not have worked.

Thanks,
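The thread's working configuration comes down to one check an administrator will want to run before trusting a SCEP-issued certificate for Exchange CBA: does the certificate carry the account-forest UPN, and not the resource-forest UPN, in its Subject Alternative Name? The script below is an added example, not code from the thread, from BlackBerry or from Microsoft. It assumes the Python `cryptography` package, builds two constructed sample certificates standing in for what NDES/the CA would issue (one per forest, using the UPN values from morser's example), and verifies the UPN otherName (OID 1.3.6.1.4.1.311.20.2.3, the Microsoft principal-name SAN type) against the expected account-forest UPN. Only the mapping to the user forest passes; the resource-forest certificate is rejected, which is exactly the failure described earlier in the thread.

```python
"""Verify that a user certificate carries the account-forest UPN as a SAN
otherName, which is what Exchange certificate-based authentication maps to
the Active Directory account (added example; not BES/NDES code)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID, ObjectIdentifier

# Microsoft "Principal Name" otherName type used for UPNs in a SAN.
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def encode_upn_der(upn: str) -> bytes:
    """DER-encode a UPN as a UTF8String (tag 0x0C, short-form length),
    which is how the otherName value for a UPN is carried in the SAN."""
    raw = upn.encode("utf-8")
    if len(raw) > 127:
        raise ValueError("UPN too long for short-form DER length")
    return b"\x0c" + bytes([len(raw)]) + raw


def decode_upn_der(value: bytes) -> str:
    """Decode the UTF8String otherName value back into a UPN string."""
    if len(value) < 2 or value[0] != 0x0C or value[1] != len(value) - 2:
        raise ValueError("otherName value is not a short-form UTF8String")
    return value[2:].decode("utf-8")


def make_user_cert(upn: str) -> bytes:
    """Constructed sample: a self-signed certificate whose SAN carries `upn`
    as a UPN otherName, standing in for a SCEP/NDES-issued user certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(
            x509.SubjectAlternativeName(
                [x509.OtherName(UPN_OID, encode_upn_der(upn))]
            ),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def upn_from_cert(pem: bytes):
    """Return the UPN otherName from the certificate's SAN, or None if the
    certificate has no SAN or no UPN entry in it."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName
        ).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID:
            return decode_upn_der(other.value)
    return None


def cert_matches_account(pem: bytes, account_forest_upn: str) -> bool:
    """True only when the SAN UPN equals the account-forest UPN. The
    comparison is case-insensitive, as UPN lookups in AD are."""
    upn = upn_from_cert(pem)
    return upn is not None and upn.lower() == account_forest_upn.lower()


if __name__ == "__main__":
    account_upn = "morser@userforest.com"       # what Exchange CBA looks up
    good = make_user_cert(account_upn)           # UPN for SCEP mapped correctly
    bad = make_user_cert("morser@resourceforest.com")  # default resource-forest UPN
    print("account-forest cert accepted:", cert_matches_account(good, account_upn))
    print("resource-forest cert accepted:", cert_matches_account(bad, account_upn))
```

Run against a real certificate, replace `make_user_cert(...)` with the PEM exported from the device or the CA database and pass the user's account-forest `userPrincipalName` as the expected value; a `False` result means the SCEP profile's "UPN for SCEP" attribute mapping is still feeding the resource-forest value into the request.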