07-02-2013 08:45 AM
I'm now getting through activation and I'm seeing the certificates generated on the CA. The issue I'm having now is that a few moments after activation I'm still prompted to enter my domain credentials. I've enabled cert based auth in IIS on Exchange and I've also set the system.webServer/security/authentication/clientCer
07-02-2013 07:33 PM
I'd go back and check every item in this thread. Your issue could be any of:
And probably others...
07-03-2013 01:47 PM
1) Are your user certs being issued with the correct details in subject/SAN and are they issued for the correct purposes?
Subject has the user's CN listed.
SAN = Other Name: Principal Name=email@example.com
2) Are your CAs in the trusted cert stores on your CAS servers?
Yes, the CA is trusted.
3) Do certs issued by them chain fully up to the root without error on the CAS servers?
Yes, everything is fully trusted.
4) Are you using the AlternateSignatureAlgorithm?
No, Signature Algorithm = sha1RSA
5) Have you disabled basic auth (and any other types of auth) on the ActiveSync web app?
07-04-2013 01:51 AM
Did you enable Certificate Based Authentication for ActiveSync in the Exchange Console?
On the CAS in the Exchange Console, go to Server Configuration -> Client Access -> Exchange ActiveSync tab -> open your ActiveSync config.
On the 2nd tab (Authentication) I choose accept client certificate.
Maybe that could help you.
07-05-2013 10:21 AM
I'm in the same boat. We had Exchange ActiveSync (EAS) working with the Z10 prior to implementing Cert Based Auth (CBA).
I had a change control last night to switch EAS to CBA following the steps in this thread. We had set EAS to Require Client Certificates. When activating with the Z10, I would get an HTTP 403.7 error in the EAS IIS log (Forbidden - SSL Certificate required). I then changed the authentication to Accept Certificates. Now when activating with the Z10, it prompts me for a password. After entering the correct password I get "cannot be authenticated with my service provider". Now the EAS IIS log reads an HTTP 401.2 error.
The cert is issued, I have the root and intermediate cert on the device. Obviously, I'm missing something but confirmed that all that has been mentioned within this thread has been implemented.
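An added example, not part of the original thread: a Python sketch that tallies the two IIS status/substatus pairs quoted in the post above (403.7 and 401.2) for ActiveSync requests in a W3C-format IIS log, so a change from "Require" to "Accept" can be checked against what the server actually logged. The sample log lines are constructed, and the field list is an assumption about which W3C fields are enabled on the site.

```python
from collections import Counter

# IIS meanings of the two status.substatus pairs quoted in the post above.
MEANING = {
    ("403", "7"): "Forbidden: client certificate required",
    ("401", "2"): "Unauthorized: logon failed due to server configuration",
}
EAS_PATH = "/microsoft-server-activesync"  # ActiveSync virtual directory

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2013-07-04 22:10:01 OPTIONS /Microsoft-Server-ActiveSync - 10.0.0.5 403 7 0
2013-07-04 22:10:09 POST /Microsoft-Server-ActiveSync - 10.0.0.5 403 7 0
2013-07-04 22:31:44 POST /Microsoft-Server-ActiveSync - 10.0.0.5 401 2 0
2013-07-04 22:32:02 GET /owa/ - 10.0.0.9 401 2 0
2013-07-04 22:40:15 POST /Microsoft-Server-ActiveSync user1 10.0.0.7 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def eas_auth_failures(text):
    """Count 403.7 and 401.2 responses on the ActiveSync path only."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() != EAS_PATH:
            continue
        key = (row.get("sc-status"), row.get("sc-substatus"))
        if key in MEANING:
            counts[key] += 1
    return counts

def report(text):
    """Return one summary line per failure type, sorted by status code."""
    found = sorted(eas_auth_failures(text).items())
    return [f"{s}.{sub} x{n}: {MEANING[(s, sub)]}" for (s, sub), n in found]

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```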
07-05-2013 11:54 AM
According to the Advanced Admin Guide, you need to create a shared network folder (page 49) and then send your root certificates to the devices (page 97).
Also check out anzoro's post at http://supportforums.blackberry.com/t5/BlackBerry-
07-05-2013 03:45 PM
ebak123: had the same issue you're having. Remove any BES10 device from the user's Exchange ActiveSync profile and try it again. EMC > Manage Mobile Phone > Remove.