Welcome to the official BlackBerry Support Community Forums.

BlackBerry® Enterprise Service 10

Contributor
ebak123
Posts: 12
Registered: ‎06-26-2013
My Device: Q10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

That was a good one. Still isn't working but found that the phone was attached to a couple of different users. Had to use the shell to remove the ActiveSyncDevice as EMC gave me an error.

Still get the 403.7 errors. Verified the following:

Correct certs are on the BAS share in the proper folders. Worked with RIM on that one. Verified by using Work Browser to our owa site. First time, got cert warnings. Retrieved proper intermediate cert and now that works without warning.

 

Also had an issue on BES Server connecting to Autodiscover. It kept prompting for credentials. Discovered that IE settings on the BES server did not have our internal domain in Intranet zone. Got that working. One strange thing is we are getting MDS errors trying to use autodiscover.casarray_FQDN which is not correct. It seems like BES is simply prepending "autodiscover." to the server name value in the Email Profile and trying to use that (instead of obtaining the Autodiscover URL from DNS). RIM said it shouldn't really affect the authentication. (Heard that one before).

 

As far as cert templates,

  • The template you use for the user BB certs only needs "Client Authentication", "IP security IKE intermediate" and "Secure Email" application policies, not "Certificate Request Agent" and "Encrypting File System".

Verified

 

  • The NDES service account only needs "Request Certificates" permission on the issuing CA, and "Read" and "Autoenroll" on the BES SCEP user cert template.

Verified

 

  • Your issuing CA must NOT use the "Alternative Signature Algorithm" (e.g. RSASSA-PSS). In spite of the JRE 7 supporting this, the BES SCEP enrollment process doesn't work with it - you need to use a traditional "sha256RSA" or similar.

Verified

 

  • The issuing CA's cert must be present in the local NTAuth cert store on each ActiveSync CAS server the BES is configured to use for the mail profile. It's not enough to simply have it in the AD cert authority store - check that it's also present locally in NTAuth on each CAS server ("certutil -enterprise -viewstore NTAuth").

Verified except that the Root cert is not present here, just the issuing CA's cert is present (Intermediate).

Another thing I noticed on our Exchange servers is that the Root CA cert is not located within the Intermediate Certificate Authority\Certificate area (using certmgr). It is present in that location on the BES Server for some reason. Note, the root cert is located within the Trusted Root Certificate Authority\Certificates area on both Exchange and BES.

 

As far as EAS using CBA, I have verified the correct settings are there in IIS.

 

This is driving me nuts. It is probably one thing that I'm missing.
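
The checklist in the post above can be checked against one issued device certificate with a short PowerShell function, run on each CAS server. This is an added example, not part of the original thread and not BES or Microsoft tooling; `Test-BesClientCert`, its parameter names and the file path in the usage comment are hypothetical, and the NTAuth registry location is passed as a default that can be overridden.

```powershell
# Added example: report how one certificate measures up against the checklist above.
function Test-BesClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        # Local NTAuth store as held in the registry: one subkey per CA thumbprint.
        [string]$NTAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    )

    # Application policies named in the checklist, by OID.
    $required = [ordered]@{
        'Client Authentication'        = '1.3.6.1.5.5.7.3.2'
        'Secure Email'                 = '1.3.6.1.5.5.7.3.4'
        'IP security IKE intermediate' = '1.3.6.1.5.5.8.2.2'
    }

    # Collect the EKU OIDs actually present on the certificate.
    $ekus = @()
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $missing = @($required.Keys | Where-Object { $ekus -notcontains $required[$_] })

    # Build the chain without revocation checks to find the issuing CA certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($Cert)
    $issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate }

    # Thumbprints of the CA certificates in the local NTAuth store.
    $ntAuth = @(Get-ChildItem -Path $NTAuthKey -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName })

    [pscustomobject]@{
        Subject            = $Cert.Subject
        MissingPolicies    = $missing
        SignatureAlgorithm = $Cert.SignatureAlgorithm.FriendlyName
        # 1.2.840.113549.1.1.10 is RSASSA-PSS, the "Alternative Signature Algorithm".
        UsesRsaPss         = ($Cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.10')
        IssuerFound        = ($null -ne $issuer)
        IssuerInNTAuth     = ($null -ne $issuer -and $ntAuth -contains $issuer.Thumbprint)
    }
}

# Usage (placeholder path to an exported device certificate):
# $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\device-user.cer'
# Test-BesClientCert -Cert $c | Format-List
```

`IssuerFound` is false when the server cannot build a chain to the issuing CA at all, in which case `IssuerInNTAuth` says nothing about the NTAuth store itself.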

Contributor
marduo1294
Posts: 14
Registered: ‎03-14-2013
My Device: Z10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

Have you tried adding "Server Authentication" to your template's Application Policy Extension?

Contributor
ebak123
Posts: 12
Registered: ‎06-26-2013
My Device: Q10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

Just tried that and still no go.

Also added Allow Blackberry DeviceType to EAS Policy.

 

Gonna try bypassing the F5 CASArray and connect directly to the Exchange server in the Email Profile.

Contributor
ebak123
Posts: 12
Registered: ‎06-26-2013
My Device: Q10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

Well, it's finally working. Had to bypass our HLB CASArray which was re-encrypting the SSL on the server vLAN. Thanks for all responses. This site has some awesome contributors.

Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Device: BES10, BDS
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

I had my enterprise CA role and NDES role installed on different Windows 2008 R2 servers, and email CBA was working fine until sometime last month, when I could not activate new devices anymore. I got the Certificate Authority Profile error during device activation. There was an event ID 31 recorded in the application log for each failed activation attempt on my NDES/SCEP server. By searching this event ID, I came across Microsoft KB 2633200 and KB 2799925. Installing the hotfix resolved my issue. Hope this can help someone with a similar issue and configuration.

Contributor
ebak123
Posts: 12
Registered: ‎06-26-2013
My Device: Q10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

Ensure that the Z10 or Q10 device OS is at least 10.1.x.xxxx. We had some devices with 10.0.1.xxxx OS and they weren't able to get a SCEP cert until we updated the device OS to 10.1.

Trusted Contributor
Hape
Posts: 146
Registered: ‎08-18-2010
My Device: Z10
My Carrier: Vodafone.de

Re: E-Mail Authentication with certificate successful solved?

Can anybody of those who successfully configured certificate-based authentication try to send a message with an attachment?

 

I am unable to send messages with attachments when using certificate-based authentication....

When I send a message with an attachment, I immediately get a "no through" sign status...

Receiving messages with attachment is possible.

 

I am not sure if this is a BES or Exchange issue. I could not find any error in the logs.

 

We are running BES 10.1.1 and Exchange 2010 SP1.

When I configure an email profile using no SCEP (certificate based authentication) then sending with attachment is possible....

 

Regards,

hape

 

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354
My Carrier: T-Mobile Germany

Re: E-Mail Authentication with certificate successful solved?

Hello Hape,

 

Just have a look at this post. I was having the same issue, but I could fix it with this help:

http://supportforums.blackberry.com/t5/BlackBerry-Enterprise-Service-10/BB10-Exchange-ActiveSync-Iss...

 

greez BB-SH

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
Trusted Contributor
Hape
Posts: 146
Registered: ‎08-18-2010
My Device: Z10
My Carrier: Vodafone.de

Re: E-Mail Authentication with certificate successful solved?

Thanks BB-SH..... You saved my day :-)

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354
My Carrier: T-Mobile Germany

Re: E-Mail Authentication with certificate successful solved?

No problem - I'm glad I could help.

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20