05-17-2013 10:31 AM - edited 05-17-2013 10:34 AM
Thats what i found in the IIS Log:
2013-05-17 07:46:50 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1343
2013-05-17 07:46:54 172.16.3.121 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Provision&DeviceType=BlackBerry&User=Domain%5C
duckd&DeviceId=BBxxxxxxxx 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1421
2013-05-17 07:47:03 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1234
2013-05-17 07:47:07 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1234
2013-05-17 07:47:10 172.16.3.121 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Provision&DeviceType=BlackBerry&User=Domain%5C
duckd&DeviceId=BBxxxxxxxx 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1218
That is really not much to read out of it. But i see always the IP from the BDS Server. do i have to give this Server Permission for something?
i also notice that after a IIS-Admin Service restart the below setted option turn back to false
Does your UPN equal your SMTP address? You can find this for a user by going to a command prompt in newer versions of windows and typing: whoami /UPN
05-17-2013 11:46 AM
The client CertifcateMappingAuthentication setting has to be set to "true" and stayed "true" for ActiveSync virtual directory. Make sure that you follow the configuration guide step-by-step and in correct order, especially for steps 3 and 4. If you did not configure in that order, the setting migt be changed back to "false".
Your IIS log shows that http 403.13 error was returned. Per Microsoft KB 907274, this error message means that the client sent a certificate, but either the certificate shows up as revoked in the issuing authority's Certificate Revocation List or the server could not retrieve a CRL from the issuing authority. So try to start troubleshooting from there. See if microsoft kb 294305 and kb 248058 could help.
05-17-2013 12:18 PM
i saw in your log that you have no blank after the comma.
SubjectDN = CN=Yan\,Polin,
in my case i have a blank between comma and Donald
SubjectDN = CN=Duck\, Donald,
Maybe it is not the comma, maybe it is the combination comma and blank
I thought the same thing as well, but in my testing a comma w/o the space still fails. I tried the exact same handheld code (10.0.10.822) and BDS 10 & 10.1 and in all cases it failed. So I'm not quite sure why the failure isn't happening there.
So the difference here was that Polinyan was running BDS 6.2.0 (b45). I just installed that version and successfully completed the SCEP enrollment with a comma in my Common Name.
05-21-2013 09:07 AM
I Finally got it :-D
It was the SCEP-Service Account which had have not enough permission in the CA! the account needs the Permission
- issue and manage certificates
- request certificates
- manage ca
In case the Problem was the SCEP-Service issued a cert for his Serviceaccount-User and not for the Blackberry-User.
After changing the permission the SCEP-Service issues the Cert to the requested Blackberry-User and the Authentication was successful
I´m really happy now so the roll out can begin ;-)
Thank you a lot for your Support it helped me a lot
05-23-2013 03:34 AM
hope someone can help me out.
We are also trying to deploy Certificate Based Authentication (CBA). We could successfull configure NDES and copy template grant rights and configure SCEP Profile on BDS.
The activation runs through without an error and also without prompting an account password (AD). But aprox. 2min after of successeffull activation the device prompts with the message: Your login information for account (firstname.lastname@example.org) has changed or is incorrect. Update your login information and try again.
The strange thing is, I can see in the CA that the certificate was issued successfuly.
Has anybody any idea what went wrong? Did we used the worng Template? UPN is same as mail address.
Any help would be appreciated.
05-23-2013 04:23 AM
I also had this issue. But i´m not sure what i have done to solve the Problem.
I remember even if update your login-information with a correct password it won´t go.
Which template is used for your enrolled cert? Did you change your regedit value on your NDES-Server for using the correct Template?
In regedit in the KEY: HKEY_LM\Software\Microsoft\Cryptography\MSCEP you have to update following Key with the name of your copyed Template
I hope that is working for you.
05-23-2013 06:57 AM - edited 05-23-2013 06:57 AM
Thanks for reply.
We used the "computer" certificate (see 1) as template.
The name of the Certificate is simple SCEP (see 2).
We also renamed the Data in the Keys with the name of the Certificate (see 3) as in your example.
In my case if I manualy type in the current AD password of the user on device emails are shown on my Z10 immidiately. Which template did you use?
05-23-2013 07:16 AM
i sadly can not see you Pictures.
I copyed the IPSec (Offline request)-Template and added a few Options like Polinyan posted a few days ago in this post.
After that i restarted my CA-Server and i tried i again (surely just restarting the services should also working)
The computer-template you used is only for Client and Server Authentication, if you not added this Options on top.
05-23-2013 09:17 AM - edited 05-23-2013 09:23 AM
we have now used the template you suggested. It is still not working :-(
One question, can you see the issued SCEP Certificate on your blackberry device?
06-19-2013 08:05 PM
Sorry for the late reply...
@Polinyan - thanks very much for your detailed info in this thread. We were 90% of the way there with getting CBA working with BES10 and your posts provided the missing 10%. We've now got CBA working almost flawlessly with our Z10s and BES10.1 against our internal MS PKI / NDES setup.
@Hape - no, you can't see the cert issued by SCEP for the user on the device. Not sure why this is - I'd expect to see it somewhere but can't. The root CA and any intermediate CA's certs are visible but not the one issued for the end user.
A few small tips from our experience to add to the excellent info from Polinyan: