BlackBerry® Enterprise Service 10

Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Device: BES10, BDS
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

You can duplicate the default cert template used in NDES and add the needed application policies to your duplicated cert template. I tried to upload some screenshots showing where to add those application policies but could not find the link to upload them from my computer. I think my current status as a visitor does not allow me to upload pictures yet.

 

As a reference, you can watch the following YouTube video for setting up an NDES server on a Windows 2008 or 2008 R2 server:

http://www.youtube.com/watch?v=387OccoWDQQ

 

If you get an error accessing the NDES/SCEP admin password page after you changed the "UseSinglePassword" registry key value to 1, you just need to log in to your NDES/SCEP server using the NDES service account and have that user's profile created on the server. This should fix the Server 500 error. See the link below for this fix:

http://www.symantec.com/docs/TECH177406

 

Once my status allows me to upload pictures, I will upload some screenshots showing my lab SCEP Profile setting on BDS.

Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Device: BES10, BDS
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

To add an application policy to your template, right-click the cert template -> Properties -> Extensions -> Application Policies -> Edit -> Add. See screenshot below:

 

certtmpl.PNG

Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Device: BES10, BDS
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

If single enrollment password is enabled correctly, you should see the following web page from your NDES server. The highlighted line confirms that the password can be used multiple times and will never expire.

 

ndesadmin.PNG

Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Device: BES10, BDS
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

The following is the SCEP profile setting from my lab BDS server.

 

scepconfig.PNG

Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Device: BES10, BDS
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

When you activate a BlackBerry 10 user account successfully on a BlackBerry 10 smartphone, from your enterprise CA, you can see a certificate is issued. See screenshot below for detail.

 

certIssued.PNG

 

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354
My Carrier: T-Mobile Germany

Re: E-Mail Authentication with certificate successful solved?

Hello Polinyan,

 

You really helped me a lot with the screenshots. I found the issue why I could not get an issued cert.

The BDS must have an issue with the CN name from the AD with a comma; look at the error log:

 

[ERROR] (05/08 08:51:32:263):{http-8444-exec-4} ScepEngine:{BlackBerry/10.0.10.690 EMA/10.0.10.690 IMEI/XXXXXXXXXXXXX PIN/XXXXXXXXXX PerimeterId/96ca917c-caa4-4aef-a011-71e2c3e81255.Duck, Donald.35}:SubjectDN = CN=Duck\, Donald,OU=EDV,OU=Abteilungen,OU=Company Benutzer,DC=Company,DC=LAN, Internal SCEP Exception Occoured.

 

Underlying Cause: improperly specified input name: CN="Duck\", OU=EDV, OU=Abteilungen, OU=Company Benutzer, DC=Company, DC=LAN

 

Underlying Cause: Quoted string did not end in quote CsrSubjectDn=CN="Duck\", OU=EDV, OU=Abteilungen, OU=Company Benutzer, DC=Company, DC=LAN, CsrEmails=[Donald.Duck@Company.de, Donald.Duck@Company.de, Donald.Duck@Company.de, Donald.Duck@Company.de]

 

 

com.rim.security.scep.engine.impl.InternalScepException:
CsrSubjectDn=CN="Duck\", OU=EDV, OU=Abteilungen, OU=Company Benutzer, DC=Company, DC=LAN, CsrEmails=[Donald.Duck@Company.de, Donald.Duck@Company.de, Donald.Duck@Company.de, Donald.Duck@Company.de]
    at com.rim.security.scep.engine.impl.DefaultScepEngine.verifyClientIdentity(DefaultScepEngine.java:567)
    at com.rim.security.scep.engine.impl.DefaultScepEngine.processCsrMessage(DefaultScepEngine.java:352)
    at com.rim.security.scep.engine.impl.DefaultScepEngine.processRequest(DefaultScepEngine.java:131)
    at com.rim.mdm.server.scep.ScepEngineHandler.processScepRequest(ScepEngineHandler.java:57)
    at com.rim.mdm.server.CommandHandler.handleScepEngine(CommandHandler.java:291)
    at com.rim.mdm.mws.MWSHandler.postScepEngine(MWSHandler.java:2204)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    ..........

 

The text marked in red shows that when a comma is in the CN, the SCEP engine throws an error because it cuts the CN name after the first comma.

And I have another issue with my CA: I can't issue a modified cert template because our CA runs on Windows 2008. I will move it to Windows 2008 R2 Enterprise, and then hopefully I can issue the right cert template for the authentication.

 

 

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
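
Added illustration, not part of the original posts and not BlackBerry's code: the SubjectDN in the log above carries an escaped comma (`CN=Duck\, Donald`), and the "Underlying Cause" lines show a CN cut off at that comma. Assuming RFC 4514 string escaping, the sketch below contrasts a split on every comma with an escape-aware split; all function names are hypothetical and the sample DN is constructed from the log line.

```python
import string

# Constructed from the SubjectDN shown in the SCEP error log in this thread.
SAMPLE_DN = r"CN=Duck\, Donald,OU=EDV,OU=Abteilungen,OU=Company Benutzer,DC=Company,DC=LAN"

def naive_split(dn):
    """Split on every comma, ignoring escapes: the failure mode."""
    return [part.strip() for part in dn.split(",")]

def split_rdns(dn):
    """Split a DN string on unescaped commas only."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash at end of DN")
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(current).lstrip())
            current, i = [], i + 1
        else:
            current.append(dn[i])
            i += 1
    rdns.append("".join(current).lstrip())
    return rdns

def unescape_value(value):
    """Undo backslash escapes: backslash + char, or backslash + two hex digits."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] != "\\":
            out += value[i].encode("utf-8")
            i += 1
            continue
        pair = value[i + 1:i + 3]
        if len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))  # hex form, e.g. \2C for a comma
            i += 3
        else:
            out += value[i + 1:i + 2].encode("utf-8")
            i += 2
    return out.decode("utf-8")

def parse_dn(dn):
    """Return [(attribute, value), ...]; multi-valued RDNs and quoted values are not handled."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        pairs.append((attr.strip(), unescape_value(value)))
    return pairs
```

`naive_split(SAMPLE_DN)` yields a first component ending in a stray backslash, the same shape as the `CN="Duck\"` value in the error, while `parse_dn(SAMPLE_DN)` returns the full CN with its comma.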
BlackBerry Technical Advisor
-BD-
Posts: 486
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: E-Mail Authentication with certificate successful solved?


BB-SH wrote:

Hello Polinyan,

 

You really helped me a lot with the screenshots. I found the issue why I could not get an issued cert.

The BDS must have an issue with the CN name from the AD with a comma; look at the error log:

 

[ERROR] (05/08 08:51:32:263):{http-8444-exec-4} ScepEngine:{BlackBerry/10.0.10.690 EMA/10.0.10.690 IMEI/XXXXXXXXXXXXX PIN/XXXXXXXXXX PerimeterId/96ca917c-caa4-4aef-a011-71e2c3e81255.Duck, Donald.35}:SubjectDN = CN=Duck\, Donald,OU=EDV,OU=Abteilungen,OU=Company Benutzer,DC=Company,DC=LAN, Internal SCEP Exception Occoured.

 

Underlying Cause: improperly specified input name: CN="Duck\", OU=EDV, OU=Abteilungen, OU=Company Benutzer, DC=Company, DC=LAN

 

Underlying Cause: Quoted string did not end in quote CsrSubjectDn=CN="Duck\", OU=EDV, OU=Abteilungen, OU=Company Benutzer, DC=Company, DC=LAN, CsrEmails=[Donald.Duck@Company.de, Donald.Duck@Company.de, Donald.Duck@Company.de, Donald.Duck@Company.de]

 

 

com.rim.security.scep.engine.impl.InternalScepException:
CsrSubjectDn=CN="Duck\", OU=EDV, OU=Abteilungen, OU=Company Benutzer, DC=Company, DC=LAN, CsrEmails=[Donald.Duck@Company.de, Donald.Duck@Company.de, Donald.Duck@Company.de, Donald.Duck@Company.de]
    at com.rim.security.scep.engine.impl.DefaultScepEngine.verifyClientIdentity(DefaultScepEngine.java:567)
    at com.rim.security.scep.engine.impl.DefaultScepEngine.processCsrMessage(DefaultScepEngine.java:352)
    at com.rim.security.scep.engine.impl.DefaultScepEngine.processRequest(DefaultScepEngine.java:131)
    at com.rim.mdm.server.scep.ScepEngineHandler.processScepRequest(ScepEngineHandler.java:57)
    at com.rim.mdm.server.CommandHandler.handleScepEngine(CommandHandler.java:291)
    at com.rim.mdm.mws.MWSHandler.postScepEngine(MWSHandler.java:2204)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    ..........

 

The text marked in red shows that when a comma is in the CN, the SCEP engine throws an error because it cuts the CN name after the first comma.

And I have another issue with my CA: I can't issue a modified cert template because our CA runs on Windows 2008. I will move it to Windows 2008 R2 Enterprise, and then hopefully I can issue the right cert template for the authentication.

 

 


Thanks for the report.  I was able to reproduce this issue with a comma.

Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Device: BES10, BDS
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

Hello BB-SH,

 

Out of curiosity after reading your post, I created a user account with a comma in the CN and I was able to activate this user account on a BB 10 smartphone, and I saw the cert was issued from the NDES/SCEP server. So it looks like something went wrong on your own server. Where did you find those error logs? When I get errors regarding the Certificate Authority and certificate issuance, I start troubleshooting by checking the IIS logs and Windows application logs on the CA first.

 

AduserCN.PNG

 

newcert.PNG

BlackBerry Technical Advisor
-BD-
Posts: 486
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: E-Mail Authentication with certificate successful solved?

To clarify here, it is not the Display Name that caused this. It was the Full Name. When you first create a user in AD, it automatically sets the Full Name to be the same as the Display Name. If you later change the Display Name, it does not automatically update the Full Name.

 

When I had a comma in the Full Name this happened.  When I had no comma in the Full Name and a comma in the Display Name it activated fine.

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354
My Carrier: T-Mobile Germany

Re: E-Mail Authentication with certificate successful solved?

Yes, that's right, the issue happens only with a comma in the Full Name!

I was able to activate a user with a comma in the display name.
Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20