BlackBerry® Enterprise Service 10
Contributor
Romax
Posts: 24
Registered: 08-08-2013
My Device: Z10

Re: Configuring SCEP server with BB10

Hi Marduo,

3. On the CA server, the certificate was issued.

4. Here are the IIS logs (I tried to activate the device at 9:00am):

#Date: 2013-09-17 08:13:26
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-09-17 08:13:26 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0
2013-09-17 08:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0
2013-09-17 08:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0
2013-09-17 08:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0
2013-09-17 08:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0
2013-09-17 08:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-09-17 09:13:26
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-09-17 09:13:26 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 15
2013-09-17 09:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0
2013-09-17 09:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0
2013-09-17 09:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0
2013-09-17 09:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0
2013-09-17 09:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 149.xxx.x.xx - 200 0 0 0

 

5. Certificate template subject name is set to "supply in the request", with "Use subject information from existing certificates for autoenrollment renewal requests" unchecked.

6. Security logs return Event 5058 (Key file operation) and Event 5061 (Cryptographic operation) information logs.

No errors or warnings.

Nothing in Application logs and nothing in System logs.

I am really confused. According to all the info I got from you guys, it should be working... but I can't see anything under "settings -> security & privacy -> certificates -> Enterprise client certificates".

I can see the root and the issuing certificates on the device though.

One more thing, during the last activation I got a message saying:

"The email provider may not be trustworthy. Personal information may not be protected."

Continue / Cancel / Details

If I click Details, I can see the properties of the issuing certificate.

Thanks in advance for input.

I really appreciate your help.
BlackBerry Technical Advisor
-BD-
Posts: 495
Registered: 05-15-2008
My Device: Z10

Re: Configuring SCEP server with BB10


Romax wrote:

I am really confused. According to all the info I got from you guys, it should be working... but I can't see anything under "settings -> security & privacy -> certificates -> Enterprise client certificates".

You won't be able to see this certificate on the device even when it is issued correctly. You need to look at the issued certificates on your CA directly:

http://www.blackberry.com/btsc/KB32286
Contributor
marduo1294
Posts: 14
Registered: 03-14-2013
My Device: Z10

Re: Configuring SCEP server with BB10

1. From the IIS logs, it looks like your SCEP server is not servicing any SCEP requests from the BES server. Are we looking at the correct logs?

Verify your BES server is pointing to the correct SCEP server. Try accessing the SCEP admin page from the BES server.

See if you have the following SCEP hotfixes:

Renewal request for an SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES
http://support.microsoft.com/kb/2483564

NDES does not submit certificate requests after the enterprise CA is restarted in Windows Server 2008 R2
http://support.microsoft.com/kb/2633200

Windows Server 2008 R2-based NDES server cannot submit a certificate request after you restart a server on which an enterprise CA is installed
http://support.microsoft.com/kb/2799925

2. Also check the event logs (Event Viewer --> Custom Views --> Server Roles --> Active Directory Certificate Services).

3. About "The email provider may not be trustworthy. Personal information may not be protected.", see this BlackBerry KB article:

KB33797: "This email provider may not be trustworthy. Personal information may not be protected." is displayed when completing the enterprise activation process on a BlackBerry 10 smartphone
http://www.blackberry.com/btsc/KB33797

Contributor
Sidjustice
Posts: 11
Registered: 01-29-2014
My Device: Q10

Re: Configuring SCEP server with BB10

morser,

I need your help pretty badly, my friend. Please help me with configuring SCEP with BES 10.2.

It seems you've got it working and you mentioned you have some documentation on it.

I have been banging my head for the past 2 weeks with no luck so far.

I have been struggling for the past 2 weeks to get this set up. No luck so far.

Can you help me by giving some pointers?

Our environment in short:

1. I have set up the Exchange CAS and IIS for CBA as per the TechNet blogs.

2. I have set up NDES on Win 2k8 R2 and created a SCEP profile on BES 10.2.

3. I can see that a cert is being issued by the CA while enrolling the device. The cert meets the requirement discussed before, i.e.

Principal Name=user@domain.local

RFC822 Name=user@publicdomain.com

where domain.local is the internal AD FQDN and publicdomain.com is the domain of the user's email address (assuming they are different).

Our UPN is different from the user email address.

4. However, at the end of the activation process it still asks for the AD user name and password.

Please help me head in the right direction.

Note: at the end of activation, I get a prompt that the email provider may not be trustworthy before the AD username and password prompt. I have tried to add the CA root cert to the BAS share and tried to import it to the device using the USB cable as well. Still no luck.

Since most of our current Z10/Q10 users are using Basic auth, I just change the auth temporarily to required certs at night and try to activate my test devices. When I fail after multiple attempts, I change the ActiveSync auth back to Basic.

Next morning users just type their AD password and continue working :smileywink:

Help please

Contributor
morser
Posts: 23
Registered: 12-14-2008
My Device: Z10, 9900 & Playbook 64GB

Re: Configuring SCEP server with BB10

Hi there, it's been a while.

Do you have a User Forest / Resource Forest as well, or just a single forest?

Can you clarify whether the CA root cert is on your device? If not, you need to fix that.

If I recall correctly, the BES wants certs in a PEM file in the certs folder. I didn't know what that was. To my surprise, all I did was create a .PEM text file and copy in the contents of the Root Cert followed by the intermediate chain.
Note that any mods you make to ANY file in the cert or background folder will cause all the files in there to be sent to the device. Not a big deal, but just FYI.

When setting a user to use the CBA email profile, I had to change the domain from my resource forest to the user forest. Not relevant to you if you have a single forest, but just FYI.
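The PEM bundle morser describes (one text file holding the root certificate followed by the intermediate chain) can be built from the DER-encoded .cer exports mentioned later in this thread with a few lines of Python. This is an added example written for this thread; it is not BlackBerry tooling or anything a poster provided. It uses only the standard library, so the DER-to-PEM step is the same transformation `openssl x509 -inform DER -outform PEM` performs, and it checks its own output by splitting the bundle back into blocks and comparing order. The destination folder is the one the thread describes (the certs folder on the BAS share); the output file name `chain.pem` and the DER placeholder bytes used for checking are assumptions, not real certificates.

```python
"""Build a single PEM bundle (root first, then the issuing chain) from
DER-encoded .cer exports, the layout morser describes for the BES certs folder.
Added example for this thread, not BlackBerry code."""
import base64
import re
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def to_pem(data: bytes) -> str:
    """Return PEM text for one certificate file.

    Accepts either a DER export (binary, what the Windows certificate export
    wizard writes by default) or a file that is already PEM.  Note that
    ssl.DER_cert_to_PEM_cert only Base64-wraps the bytes at 64 columns and
    adds the BEGIN/END lines; it does not validate the certificate, so an
    empty or truncated .cer would otherwise become a useless block."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii")
    if not data:
        raise ValueError("empty certificate file")
    return ssl.DER_cert_to_PEM_cert(data)


def build_chain_pem(root: bytes, intermediates) -> str:
    """Concatenate the root, then each intermediate in the order given.

    Every block is terminated with a newline so the next BEGIN line starts
    on its own line; otherwise readers that expect one block per line group
    may stop after the first certificate."""
    blocks = [to_pem(root)] + [to_pem(c) for c in intermediates]
    return "".join(b if b.endswith("\n") else b + "\n" for b in blocks)


def pem_blocks(pem: str):
    """Split a bundle back into DER blobs, in file order, for verification."""
    return [base64.b64decode("".join(m.split())) for m in _BLOCK.findall(pem)]


def verify_bundle(pem: str, root: bytes, intermediates) -> bool:
    """True when the bundle round-trips to exactly [root, *intermediates]."""
    return pem_blocks(pem) == [root, *list(intermediates)]


if __name__ == "__main__":
    # Usage (assumed file names): python build_chain.py root.cer issuing.cer > chain.pem
    files = [open(p, "rb").read() for p in sys.argv[1:]]
    if not files:
        sys.exit("need at least the root certificate")
    bundle = build_chain_pem(files[0], files[1:])
    if not verify_bundle(bundle, files[0], files[1:]):
        sys.exit("bundle did not round-trip; check the input files")
    sys.stdout.write(bundle)
```

The order matters for the reason morser gives: the device needs the root it is supposed to trust first, then the intermediates that let it link the ActiveSync server's certificate to that root. Re-running the script after any change to the folder is fine, since, as noted above, any modification there re-sends the whole folder to devices anyway.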

 

 

Contributor
Sidjustice
Posts: 11
Registered: 01-29-2014
My Device: Q10

Re: Configuring SCEP server with BB10

Thanks for the reply.

Yes, we have just a single forest.

I copied the exported certs (.cer files) to the ENTERPRISE and WWW folder on the BAS share (for BES 10.2 BlackBerry recommends copying the cert files to the ENTERPRISE Server).

I restored the device to factory settings and imported the root cert using the USB cable.

When I went to settings -> security -> certificates I could see that our private self-signed CA root cert was trusted and listed in the certs.

Then I fired up the device activation again... but still no luck... at the end of activation it still flags a prompt stating "the email provider may not be trustworthy....". When I view the details, it's the cert from the ActiveSync server, which is issued by our CA, the same CA whose root cert is trusted by the device.... I don't understand what's going on...

But let me try the trick you mentioned. I will try with the PEM file this time and update you on the progress.

I don't want to give up on it now.

Contributor
Romax
Posts: 24
Registered: 08-08-2013
My Device: Z10

Re: Configuring SCEP server with BB10

Hi,

I opened this case 6 months ago, and it seems like the exact same situation I had (and still have) here.

This actually never worked in our environment, and we are slowly giving up on BlackBerry in our enterprise.

If you manage to make it work, I would be VERY interested to know how you did it.

Thanks

Contributor
Sidjustice
Posts: 11
Registered: 01-29-2014
My Device: Q10

Re: Configuring SCEP server with BB10

Dear morser,

Thank you for the TIP about converting the DER cert file to PEM.

I converted the root cert and the chain into a PEM and copied it to both the WWW and ENTERPRISE folder. Now I don't get the prompt about the "Email provider is not trustworthy" :Clap:

Thank you for that tip again.

But the other issue still remains: when I activate a user with the SCEP profile, it goes through all the steps and at the end, while setting up the messaging account, it still prompts for the AD username and password.

To set up NDES on Microsoft, I followed the link below:

http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx

To set up SCEP on BlackBerry I followed the link below:

http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB34857&sliceId=2&cmd=displayKC&d...

We have NDES on Win 2008 R2, so that password expiry issue has already been addressed in it.

To configure CBA on Exchange I followed:

https://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-f...

I went through these posts again and again to see if I have missed anything. Everything seems to be in place. But I still get the AD username and PWD prompt at the end of the EA.

Don't know what to do now.... It seems to be a dark tunnel with no sight of light anywhere.

BlackBerry Technical Advisor
-BD-
Posts: 495
Registered: 05-15-2008
My Device: Z10

Re: Configuring SCEP server with BB10


Sidjustice wrote:

Dear morser,

Thank you for the TIP about converting the DER cert file to PEM.

I converted the root cert and the chain into a PEM and copied it to both the WWW and ENTERPRISE folder. Now I don't get the prompt about the "Email provider is not trustworthy" :Clap:

Thank you for that tip again.

But the other issue still remains: when I activate a user with the SCEP profile, it goes through all the steps and at the end, while setting up the messaging account, it still prompts for the AD username and password.

To set up NDES on Microsoft, I followed the link below:

http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx

To set up SCEP on BlackBerry I followed the link below:

http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB34857&sliceId=2&cmd=displayKC&d...

We have NDES on Win 2008 R2, so that password expiry issue has already been addressed in it.

To configure CBA on Exchange I followed:

https://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-f...

I went through these posts again and again to see if I have missed anything. Everything seems to be in place. But I still get the AD username and PWD prompt at the end of the EA.

Don't know what to do now.... It seems to be a dark tunnel with no sight of light anywhere.

Have you looked into the ActiveSync IIS logs yet? If you want to know why Exchange is rejecting authentication, you will need to see what it logs.

Contributor
Sidjustice
Posts: 11
Registered: 01-29-2014
My Device: Q10

Re: Configuring SCEP server with BB10

Dear BD,

Sorry for the delayed response. As I mentioned in the previous posts, there are a lot of users on BES 10 who are using the current ActiveSync authentication, which is Basic auth.

If I change the ActiveSync auth from Basic to accept certs or require certs, these existing users will go down, and I don't know how long it will be until I troubleshoot the IIS logs and see what's wrong.

I am unable to get a scheduled downtime approved by my manager, as it seems that this is a peak season for our employees and they cannot afford any downtime at the moment. I believe I can try during the coming weekend, between 14-16 Feb.

Could you help me with a list of HTTP error codes and possible causes or resolutions which can help me troubleshoot?

Also, I was wondering if the steps mentioned in the link below for setting up NDES with the type of cert template are correct, as I followed the same link to set up our environment.

http://blogs.technet.com/b/askds/archive/2010/11/22/ipad-iphone-certificate-issuance.aspx

Please help me troubleshoot this issue and God will bless you.
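Two questions in this thread come down to reading the same IIS W3C extended log format: marduo1294's point that Romax's NDES log does not show SCEP requests being serviced, and -BD-'s advice to read the ActiveSync IIS logs together with the request above for a list of HTTP status codes and their causes. The Python below is an added example written for this thread, not BlackBerry or Microsoft tooling, and the log text embedded in it is constructed to resemble the excerpts posted here rather than taken from any real server. It parses the #Fields directive, counts which SCEP operations (the `operation=` query parameter that every SCEP request carries, such as GetCACert or PKIOperation) reached mscep.dll, and maps status/substatus pairs on the ActiveSync virtual directory to their documented IIS meaning. Two caveats worth knowing before reading the output: W3C log timestamps are UTC by default, so an activation at 9:00 local time lands under a different hour in the log unless the server runs on UTC; and a row whose cs-uri-query is "-", as in every line of Romax's excerpt, names no SCEP operation at all, which is the kind of thing marduo1294 was pointing at. The set of substatus codes in IIS_SUBSTATUS_HINTS is this example's selection of the ones relevant to client-certificate authentication, not an exhaustive table.

```python
"""Triage IIS W3C extended logs for an NDES (mscep.dll) endpoint and an
Exchange ActiveSync virtual directory.  Added example for this thread; the
sample log below is constructed, not copied from a real server."""
from collections import Counter
from urllib.parse import parse_qs

# Every SCEP request names its operation in the query string.  A hit on
# mscep.dll with no query string carries no SCEP operation and is therefore
# not evidence that enrollment is being serviced, whatever the status code.
SCEP_OPERATIONS = {"GetCACert", "GetCACaps", "GetCACertChain", "GetNextCACert", "PKIOperation"}

# sc-status/sc-substatus pairs that matter once ActiveSync is switched to
# client-certificate authentication (meanings as documented by IIS; which
# codes to include is this example's assumption).
IIS_SUBSTATUS_HINTS = {
    (401, 1): "logon failed: the presented credentials were rejected",
    (401, 2): "logon failed due to server configuration: no authentication scheme the client offered is enabled on the virtual directory",
    (403, 7): "client certificate required but the client did not present one",
    (403, 12): "client certificate mapper denied access: the certificate could not be mapped to a user",
    (403, 13): "client certificate revoked",
    (403, 16): "client certificate untrusted or invalid: its chain does not reach a root trusted by the server",
    (403, 17): "client certificate expired or not yet valid",
}

# Constructed sample: two rows shaped like Romax's excerpt (no query string),
# two genuine SCEP operations, and three ActiveSync rows with different outcomes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-09-17 08:13:26
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-09-17 08:13:26 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 192.0.2.10 - 200 0 0 0
2013-09-17 08:21:22 10.140.4.26 POST /certsrv/mscep/mscep.dll - 80 - 192.0.2.10 - 200 0 0 0
2013-09-17 09:02:10 10.140.4.26 GET /certsrv/mscep/mscep.dll operation=GetCACert&message=NDES 80 - 10.140.4.50 BES10 200 0 0 15
2013-09-17 09:02:11 10.140.4.26 POST /certsrv/mscep/mscep.dll operation=PKIOperation 80 - 10.140.4.50 BES10 200 0 0 31
2013-09-17 09:05:40 10.140.4.30 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Z10TEST&Cmd=Provision 443 - 10.140.4.60 BlackBerry 403 16 0 0
2013-09-17 09:05:41 10.140.4.30 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Z10TEST&Cmd=Provision 443 - 10.140.4.60 BlackBerry 401 2 5 0
2013-09-17 09:06:02 10.140.4.30 OPTIONS /Microsoft-Server-ActiveSync - 443 - 10.140.4.60 BlackBerry 200 0 0 16
"""


def parse_w3c(text: str):
    """Parse W3C extended log text into dicts keyed by the names in #Fields.

    #Fields may appear more than once (IIS writes a new header block when the
    log rolls over, as in Romax's excerpt), so the field list is re-read each time."""
    fields, rows = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Software, #Version, #Date
            continue
        if fields is None:
            raise ValueError("data row before any #Fields directive")
        values = line.split()             # spaces inside values are logged as '+'
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def scep_operation(row):
    """Return the SCEP operation named in cs-uri-query, or None when absent."""
    query = row.get("cs-uri-query", "-")
    if query == "-":
        return None
    ops = parse_qs(query).get("operation")
    return ops[0] if ops else None


def triage(rows):
    """Summarise SCEP traffic on mscep.dll and authentication outcomes on ActiveSync."""
    report = {
        "scep_ops": Counter(),            # SCEP operation -> count
        "scep_without_operation": 0,      # mscep.dll hits carrying no operation=
        "scep_unknown_operation": [],     # operation values outside the SCEP set
        "eas_status": Counter(),          # (status, substatus) -> count on ActiveSync
        "hints": [],                      # documented meanings, first-seen order
    }
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        status = (int(r["sc-status"]), int(r["sc-substatus"]))
        if stem.endswith("/mscep.dll"):
            op = scep_operation(r)
            if op is None:
                report["scep_without_operation"] += 1
            elif op in SCEP_OPERATIONS:
                report["scep_ops"][op] += 1
            else:
                report["scep_unknown_operation"].append(op)
        elif "microsoft-server-activesync" in stem:
            report["eas_status"][status] += 1
            hint = IIS_SUBSTATUS_HINTS.get(status)
            if hint and hint not in report["hints"]:
                report["hints"].append(hint)
    return report


if __name__ == "__main__":
    rep = triage(parse_w3c(SAMPLE_LOG))
    print("SCEP operations seen:", dict(rep["scep_ops"]))
    print("mscep.dll hits with no operation= (not SCEP):", rep["scep_without_operation"])
    for (code, sub), n in sorted(rep["eas_status"].items()):
        print(f"ActiveSync {code}.{sub}: {n} request(s)")
    for h in rep["hints"]:
        print(" -", h)
```

Reading the two halves together is what the thread's advice amounts to: if mscep.dll shows no `operation=` traffic, the profile is not reaching NDES and the CA side is not the place to look; if ActiveSync answers 403.16 or 403.17 after the device does present a certificate, the server's trust of the issuing chain or the certificate's validity period is the question, and 403.12 points at the certificate-to-user mapping rather than the certificate itself.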