BlackBerry® Enterprise Service 10
Contributor
jacobl
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: Configuring SCEP server with BB10

Romax wrote:

...

Now, when I try to activate a device, I get this error:

"Device activation can't be completed because a SCEP profile is invalid."

Any idea?

Could it be caused by something other than my SCEP profile settings (which, I believe, are correct)?

THX

Hi Romax,

That appears to be a generic error caused by any problem with the SCEP setup. Last time I saw it in our BES10.1/SCEP/Exchange CBA environment was when the CRL for the CA that issues the SCEP user certs and NDES server certs expired. If there is any problem with the BES server's ability to validate the cert chains you'll get this error message. In our case once we renewed and republished the CRL it worked fine. Check for any cert chain validation errors using certutil.exe.

Regards,

Jacob

Contributor
Romax
Posts: 24
Registered: ‎08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Hi Jacobl,

Thank you for your reply.

"Check for any cert chain validation errors using certutil.exe."

I am sorry, but I don't know how to do that... should I run this command on the BAS? On the CA? ...and which options should I use?

I am not familiar with this whole certificate-issuing SCEP stuff. I tried to read the TechNet article about certutil.exe, but it's all elvish to me.

Thanks again

Contributor
jacobl
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: Configuring SCEP server with BB10

Hi Romax,

Sorry, I've just re-read your earlier posts - are you saying you have never got the SCEP/CBA auth working before? If so there are a whole pile of things that need to be configured correctly for it to work. Check out this long thread for details: http://supportforums.blackberry.com/t5/BlackBerry-Enterprise-Service-10/E-Mail-Authentication-with-c...

If you have got it working before and this error is new it may be what I suggested - a cert chain validation problem due to expired cert/CRL or similar. First thing I would do here is grab a copy of the NDES server's SSL cert used to secure the NDES enrolment URL - this is typically something like https://[NDES_SERVER_HOSTNAME]/CertSrv/mscep/mscep.dll.

1. Browse to that URL in Internet Explorer - you should get the HTTPS "lock" icon next to the URL. Click that to show the cert details then press "View Certificates" there to see the full details of the cert (I'm assuming IE10 here). Switch to the "Details" tab on the cert window then press the "Copy to File..." button. This will start the cert export wizard. Go Next --> choose DER encoded binary format --> Next --> choose a local folder and file name to save the cert to, e.g. "C:\MyFolder\NDES_cert.cer" --> Next --> Finish.
2. You've now got a copy of the NDES server enrollment SSL cert as a file. Move that file over to your BES server, and log in to the BES server.
3. Open up an admin command prompt on the BES server and run this:

certutil -urlfetch -verify c:\MyFolder\NDES_cert.cer

Assuming you copied the cert to C:\MyFolder on the BES server. This will attempt to verify the cert - the "-urlfetch" switch tells it to also download and verify the CRL and AIA targets.

Check that there are no failures to verify any of the cert, CRL or AIA CDPs. You want to see something like this for each cert in the chain:

---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] http://[YOUR_CDP_URL]/aia/CA02-CA(1).crt

---------------- Certificate CDP ----------------
Verified "Base CRL (0369)" Time: 0
[0.0] http://[YOUR_CDP_URL]/cdp/CA02-CA.crl

Verified "Delta CRL (0369)" Time: 0
[0.0.0] http://[YOUR_CDP_URL]/cdp/CA02-CA+.crl

---------------- Base CRL CDP ----------------
OK "Delta CRL (036b)" Time: 0
[0.0] http://[YOUR_CDP_URL]/cdp/CA02-CA+.crl

Regards,

Jacob

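The export-and-verify procedure above, as a single PowerShell script. This is an added example, not code from the thread or from BlackBerry. It assumes an elevated PowerShell prompt on the BES server, that the NDES enrollment URL is served over HTTPS on port 443, and placeholder values for the NDES hostname and output folder; the keyword scan in the last step is a heuristic over certutil's English output and is no substitute for reading the saved report.

```powershell
# Added example (not from the thread or from BlackBerry): fetch the NDES enrollment
# endpoint's TLS certificate without Internet Explorer, save it DER-encoded, and run
# certutil -urlfetch -verify on it as described in the post above. Run from an
# elevated PowerShell prompt on the BES server. $NdesHost and $OutDir are placeholders.
param(
    [string]$NdesHost = 'ndes.example.internal',  # placeholder: your NDES server hostname
    [string]$OutDir   = 'C:\MyFolder'             # placeholder: where to save the export
)

$certPath   = Join-Path $OutDir 'NDES_cert.cer'
$reportPath = Join-Path $OutDir 'NDES_cert_verify.txt'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Open a TLS connection and keep the certificate the server presents. The
#    validation callback accepts any chain on purpose: only the bytes are wanted
#    here, and chain validation is certutil's job in step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($NdesHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($NdesHost)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# 2. Same result as IE's "Copy to File..." wizard with "DER encoded binary X.509".
$der = $serverCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($certPath, $der)
Write-Host ("Exported {0} (thumbprint {1}, expires {2}) to {3}" -f $serverCert.Subject, $serverCert.Thumbprint, $serverCert.NotAfter, $certPath)

# 3. Build and check the chain; -urlfetch also downloads the AIA certs and CRLs
#    named in each certificate, which is where an expired or unreachable CRL shows up.
$report = & certutil.exe -urlfetch -verify $certPath 2>&1 | ForEach-Object { "$_" }
$report | Set-Content -Path $reportPath

# 4. Quick triage of the report. Healthy output shows Verified/OK for every AIA and
#    CDP entry; the keywords below are a heuristic for the usual failure modes
#    (expired CRL, unreachable CDP/AIA, revoked or expired cert) in English-locale
#    output. Always read the full report in $reportPath before acting on it.
$suspect = $report | Where-Object { $_ -match 'Failed|Expired|ERROR|Revoked|Revocation' }
if ($suspect) {
    Write-Host "Possible chain validation problems (see $reportPath):"
    $suspect | ForEach-Object { Write-Host "  $_" }
}
else {
    Write-Host "No AIA/CDP failures reported for $certPath"
}
```

Run it as `.\Check-NdesChain.ps1 -NdesHost ndes.corp.example -OutDir C:\MyFolder` (file name is arbitrary). If the enrollment URL is plain HTTP there is no server certificate to fetch, and the same `certutil -urlfetch -verify` call can instead be pointed at any other certificate file in the solution (ActiveSync, CA, issued user cert) exported from the Certificates MMC snap-in.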
Contributor
Romax
Posts: 24
Registered: ‎08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Hi Jacob,

Thank you for your help!

1. Indeed, I have never had it working.

I have read this topic dozens of times, but I can't find anything useful for my case.

2. The URL to my mscep.dll file is not https... just http. Is there a way I could export the exact same certificate from the MMC console? Could it be that this is the issue?

Thanks

Max

Contributor
marduo1294
Posts: 14
Registered: ‎03-14-2013
My Device: Z10
My Carrier: Telus

Re: Configuring SCEP server with BB10

Max,

Unfortunately SCEP is not a BlackBerry component and there are many ways of implementing it.

You need to check your SCEP server.

1. What OS are you using?

2. What certificate template are you using?

3. Is your enrollment challenge password static (UseSinglePassword)?

4. What service account are you using?

If you have some background on PKI, here's some great information on SCEP:

http://media.ch9.ms/teched/na/2011/ppt/SIM329.pptx
http://media.ch9.ms/teched/na/2011/wmv/SIM329.wmv

Mike

Contributor
jacobl
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: Configuring SCEP server with BB10

Romax wrote:

...

1. Indeed, I have never had it working.

I have read this topic dozens of times, but I can't find anything useful for my case.

2. The URL to my mscep.dll file is not https... just http. Is there a way I could export the exact same certificate from the MMC console? Could it be that this is the issue?

...

Hi Romax,

In that case I doubt your issue is what I was suggesting. To answer your #2 question - no, having your enrollment URL available over plain HTTP is absolutely fine. If you're not using HTTPS there the issue I was describing won't apply (though you still could have cert chain validation problems elsewhere in the solution, still worth checking all certs used including your ActiveSync server certs).

Without knowing more about your whole setup I can't really begin to speculate on the cause for your issue since you've not got it working at all before. In that thread I referenced polinyan has some good videos he linked to showing the NDES server setup, etc. I'd start there, and check pretty much everything that the various posters suggest in the thread.

Regards,

Jacob

Contributor
jacobl
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: Configuring SCEP server with BB10

Romax wrote:

...

Is there a way I could export the exact same certificate from the MMC console? Could it be that this is the issue?

...

And sorry, I didn't answer this one. Yes, you can use the Certificates MMC snap-in to do the export - you can do that for any cert hosted on any server in the solution (BES, Exchange CAS, etc.), or even from the CA snap-in on your issuing CA, or using the certreq.exe command line tool. The IE method I described is just a convenient way, it's not required.

Regards,

Jacob

Contributor
Romax
Posts: 24
Registered: ‎08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Thank you for all the answers.

Please note that our SCEP is working fine with MobileIron (as we let our users choose between a BB or an iPhone).

I have used the same settings on the BES.

So the configuration of the SCEP and the CA are correct, however, I am not sure if BES requires any particular setting.

1. I was thinking today about the SHA1 thumbprint that needs to be entered in the SCEP profile: should it be the one from the Root certificate? ...or from the CA issued certificate?

2. I have checked the cert chain using certutil on the BES, and I got no errors.

Answers to these points below:

1. What OS are you using?

Windows 2008 R2

2. What certificate template are you using?

Not sure what you mean here, but in the registry:

Encryption template - IPSECIntermediateOffline

GeneralPurposeTemplate - MobileIron

Signature Template - IPSECIntermediateOffline

3. Is your enrollment challenge password static (UseSinglePassword)?

Yes

4. What service account are you using?

Not sure what you mean, but the permissions are set to allow read, enroll and autoenroll.

EDIT

I found this on the other topic:

Quote:

"If your UPN does not equal your SMTP address currently you will not be able to use cert-based authentication for ActiveSync with BDS. This is being corrected in an upcoming release. If your UPN is equal to your SMTP address then cert-based auth with ActiveSync should be possible. In newer versions of Windows you can check your UPN by going to a cmd prompt and typing: whoami /UPN"

Unquote

In our environment, the UPN is not the same as the SMTP address... has this been fixed?

Contributor
Romax
Posts: 24
Registered: ‎08-08-2013
My Device: Z10
My Carrier: Swisscom

Re: Configuring SCEP server with BB10

Hi everyone,

Sorry, I am double-posting, but I have advanced a bit...

I managed to activate the device (the problem was that the enrollment password was dynamic... I am sorry for my mistake before).

However, I have another issue now.

Exchange doesn't seem to be able to accept the certificate.

I don't see the certificate in the "certificates" section in the settings on the device, and I had to enter all passwords after the activation process manually.

I will check the logs on the CA, and post again.

Thanks for the help!

Contributor
marduo1294
Posts: 14
Registered: ‎03-14-2013
My Device: Z10
My Carrier: Telus

Re: Configuring SCEP server with BB10

Max, thanks for the update. That really helps narrow it down.

So you don't see the certificate issued on the device? What about from the CA, does it show the certificate as issued?

Did you point your "BlackBerry Administration Service shared network drive" setting to the UNC path of your share? The BES service account must have write access to that share and the subfolders are created automatically by BES. Copy your root certs, intermediate certs, and wallpapers in this share and they will be pushed out to the device.

Regarding your question about the UPN not being the same as the email address: this is very common. If your certificate template has the UPN and email address as SANs they will work fine.

Regarding the SHA1 thumbprint, this is the thumbprint (hash value) of the CA certificate. You can see this when you go to the SCEP Admin URL. Remove the spaces, of course.

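The two points in the reply above (the profile thumbprint is the CA certificate's SHA1 hash with the spaces removed, and the template should put the UPN and email address in the SAN) can both be checked offline against exported certificate files. The following PowerShell is an added example, not code from the thread or from BlackBerry; the file paths and the pasted admin-page value are placeholders, and the SAN line labels it matches ("Principal Name=", "RFC822 Name=") are those of English-locale Windows.

```powershell
# Added example (not from the thread or from BlackBerry). Checks two things from the
# replies above: that the value for the BES SCEP profile is the CA certificate's SHA-1
# thumbprint without spaces, and that a certificate issued through the template carries
# the UPN and e-mail address as Subject Alternative Names. Paths are placeholders.
param(
    [string]$CaCertPath    = 'C:\MyFolder\CA_cert.cer',      # placeholder: CA cert exported via MMC / CA snap-in
    [string]$AdminPageHash = '',                             # placeholder: value copied from the SCEP admin page
    [string]$UserCertPath  = 'C:\MyFolder\issued_user.cer'   # placeholder: a cert issued via SCEP
)

function Get-NormalizedThumbprint([string]$Value) {
    # The admin page shows the hash as space-separated hex pairs; the profile wants them
    # concatenated. Strip whitespace and colons and force upper case so values compare cleanly.
    return ($Value -replace '[\s:]', '').ToUpperInvariant()
}

function Test-IsCaCertificate($Cert) {
    # Basic Constraints (OID 2.5.29.19) with CA=TRUE separates the CA cert from one it issued.
    $bc = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    return ($bc -ne $null) -and $bc.CertificateAuthority
}

function Get-SanNames($Cert) {
    # Subject Alternative Name is OID 2.5.29.17; Format($true) renders one entry per line,
    # e.g. "Principal Name=user@corp.example" (the UPN other-name) and
    # "RFC822 Name=user@corp.example" (the e-mail address). Labels are English-locale.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -eq $null) { return @() }
    return $san.Format($true) -split "`r?`n" |
        Where-Object { $_ -match 'Principal Name=|RFC822 Name=' } |
        ForEach-Object { $_.Trim() }
}

# --- CA certificate and the SCEP profile thumbprint ---
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
if (-not (Test-IsCaCertificate $ca)) {
    Write-Warning "$CaCertPath is not a CA certificate (no Basic Constraints CA=TRUE); the profile needs the issuing CA's own cert, not one it issued."
}

# .Thumbprint is just SHA-1 over the DER bytes; recomputing it shows there is nothing else to it.
$sha1   = [System.Security.Cryptography.SHA1]::Create()
$manual = ($sha1.ComputeHash($ca.RawData) | ForEach-Object { $_.ToString('X2') }) -join ''
$profileValue = Get-NormalizedThumbprint $ca.Thumbprint
if ($manual -ne $profileValue) { throw 'SHA-1 over RawData does not match .Thumbprint; unexpected' }

Write-Host "CA subject    : $($ca.Subject)"
Write-Host "Profile value : $profileValue"
if ($AdminPageHash) {
    $pasted = Get-NormalizedThumbprint $AdminPageHash
    if ($pasted -eq $profileValue) { Write-Host 'Matches the value shown on the SCEP admin page' }
    else { Write-Warning "SCEP admin page shows $pasted; this file is a different certificate" }
}

# --- Issued certificate: UPN and e-mail in the SAN ---
if (Test-Path $UserCertPath) {
    $user  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $UserCertPath
    $names = Get-SanNames $user
    Write-Host "SANs on $($user.Subject):"
    $names | ForEach-Object { Write-Host "  $_" }
    if (-not ($names -match 'Principal Name=')) { Write-Warning 'No UPN in SAN; check the template' }
    if (-not ($names -match 'RFC822 Name='))    { Write-Warning 'No e-mail address in SAN; check the template' }
}
```

Export the CA certificate from the Certificates MMC snap-in or the CA snap-in as described earlier in the thread, then run `.\Check-ScepCerts.ps1 -CaCertPath C:\MyFolder\CA_cert.cer -AdminPageHash '<pasted value>'` (script name is arbitrary). The Basic Constraints check answers the "root or issued cert" question directly: the profile value must come from a certificate whose CA flag is true.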