Welcome to the official BlackBerry Support Community Forums.

BlackBerry® Enterprise Service 10

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354
Accepted Solution

E-Mail Authentication with certificate successful solved?

Hello Community,

Has somebody already had success authenticating email with a certificate over BDS?

I have an Exchange 2010 SP3, Enterprise CA Windows 2008 Enterprise edition with SCEP services.

I have tried to import the certificates via USB, network share or enrollment with a SCEP profile in the BDS.

I also checked the configuration of my Exchange server and I changed the config as described in the link below:

http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-fo...

I really don't know what else to do, so I want to ask if somebody has a short how-to, screenshots or documentation on how to configure this. Please don't tell me to look in the BlackBerry Administration Guide, because this documentation is not really usable!!!

Thank you

Greets BB-SH

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
New Member
Kaffeetasse
Posts: 1
Registered: ‎04-17-2013
My Device: Z10

Re: E-Mail Authentication with certificate successful solved?

Hello,

We spent a lot of time on certificate-based authentication for Z10 / Exchange 2010.

But it isn't working yet. We are using a Microsoft 2008R2-based PKI and NDES (SCEP).

We get a certificate on the device for VPN or WiFi usage over the SCEP (NDES) server.

But we get no user certificate on the device. The device generates the CSR, SCEP transfers it to the issuing CA. The request will be issued automatically, but not associated to the AD user account. The subject alternative name in the CSR is not the UPN, it's the mail address. Perhaps that is the problem? I have not found how to change the SPN in the CSR.

BlackBerry gives no detailed information about using SCEP (or Microsoft NDES). I think that CBA is not really implemented yet; I hope it's coming in BES 10.1 in the next weeks. I can use the client certificate on an iPhone for CBA, so I am sure that we have the right certificate template.

If someone is using certificate-based authentication on ActiveSync, please let us know how it works!

Enterprise SME
-BD-
Posts: 552
Registered: ‎05-15-2008
My Device: Z10

Re: E-Mail Authentication with certificate successful solved?

[ Edited ]

Kaffeetasse wrote:

> Hello,
>
> We spent a lot of time on certificate-based authentication for Z10 / Exchange 2010.
>
> But it isn't working yet. We are using a Microsoft 2008R2-based PKI and NDES (SCEP).
>
> We get a certificate on the device for VPN or WiFi usage over the SCEP (NDES) server.
>
> But we get no user certificate on the device. The device generates the CSR, SCEP transfers it to the issuing CA. The request will be issued automatically, but not associated to the AD user account. The subject alternative name in the CSR is not the UPN, it's the mail address. Perhaps that is the problem? I have not found how to change the SPN in the CSR.
>
> BlackBerry gives no detailed information about using SCEP (or Microsoft NDES). I think that CBA is not really implemented yet; I hope it's coming in BES 10.1 in the next weeks. I can use the client certificate on an iPhone for CBA, so I am sure that we have the right certificate template.
>
> If someone is using certificate-based authentication on ActiveSync, please let us know how it works!

If your UPN does not equal your SMTP address currently you will not be able to use cert-based authentication for ActiveSync with BDS. This is being corrected in an upcoming release. If your UPN is equal to your SMTP address then cert-based auth with ActiveSync should be possible. In newer versions of Windows you can check your UPN by going to a cmd prompt and typing: whoami /UPN

Enterprise SME
-BD-
Posts: 552
Registered: ‎05-15-2008
My Device: Z10

Re: E-Mail Authentication with certificate successful solved?


BB-SH wrote:

> Hello Community,
>
> Has somebody already had success authenticating email with a certificate over BDS?
>
> I have an Exchange 2010 SP3, Enterprise CA Windows 2008 Enterprise edition with SCEP services.
>
> I have tried to import the certificates via USB, network share or enrollment with a SCEP profile in the BDS.
>
> I also checked the configuration of my Exchange server and I changed the config as described in the link below:
>
> http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-fo...
>
> I really don't know what else to do, so I want to ask if somebody has a short how-to, screenshots or documentation on how to configure this. Please don't tell me to look in the BlackBerry Administration Guide, because this documentation is not really usable!!!
>
> Thank you
>
> Greets BB-SH

The cert must be enrolled through a SCEP profile that is associated with the corresponding VPN/WIFI/EAS profile.

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354

Re: E-Mail Authentication with certificate successful solved?

Hello -BD-,

Thank you for the idea, but I already linked my SCEP profile with my e-mail profile.

I always get an error message on my BB when I reactivate my e-mail mailbox: "ERROR with setting up the Certificat-Profile"

But the point about the correct UPN is maybe a good point, because we use an NLB to access our Exchange servers (2 CAS servers).

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
Enterprise SME
-BD-
Posts: 552
Registered: ‎05-15-2008
My Device: Z10

Re: E-Mail Authentication with certificate successful solved?


BB-SH wrote:

> Hello -BD-,
>
> Thank you for the idea, but I already linked my SCEP profile with my e-mail profile.
>
> I always get an error message on my BB when I reactivate my e-mail mailbox: "ERROR with setting up the Certificat-Profile"
>
> But the point about the correct UPN is maybe a good point, because we use an NLB to access our Exchange servers (2 CAS servers).

If you're getting an error it doesn't sound like the SCEP cert is successfully issued.  Do you see an issued cert on your CA?  If not you'd have to look at your EMWS logs to try and find out why it is failing.

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354

Re: E-Mail Authentication with certificate successful solved?

[ Edited ]

Yes, I think you are maybe right that it has to do with the CA.

Because I have to change the challenge password every time, because I can't set this value in the registry (not present):

UseSinglePassword \ UseSinglePassword
DWORD
0x0
When set to 0x1, only one password is issued by NDES for all device certificate requests.
When using a single password, it is recommended to increase the PasswordLength setting.

No, I don't see an issued cert in the CA. No, I haven't looked into these logs because I didn't know where to look, so thanks for that; I will look at it and maybe I will find something out.

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
Enterprise SME
-BD-
Posts: 552
Registered: ‎05-15-2008
My Device: Z10

Re: E-Mail Authentication with certificate successful solved?

[ Edited ]

That key is not present by default on the server hosting NDES.  It needs to be manually added and then bounce the service.  You can verify that it took effect by going to the NDES admin URL afterwards.
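
The registry change discussed in the two posts above, as an added example that is not part of the thread. It assumes the NDES settings live under `HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP` with each setting stored as `<Name>\<Name>`, and it uses `iisreset` as its way of bouncing the service; the function names are the example's own.

```powershell
# Added example: inspect and enable the NDES single-password setting.
# Run in an elevated PowerShell session on the server hosting NDES.
$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-NdesDword {
    param([string]$Name)
    # Each NDES setting is a subkey holding a value of the same name,
    # e.g. UseSinglePassword\UseSinglePassword.
    $key = Join-Path $mscep $Name
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-NdesDword {
    param([string]$Name, [int]$Value)
    $key = Join-Path $mscep $Name
    # The subkey is not present by default, so create it when missing.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Force creates the value or overwrites an existing one.
    New-ItemProperty -Path $key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

if (-not (Test-Path $mscep)) {
    throw "MSCEP key not found: is the NDES role service installed on this server?"
}

"Before: UseSinglePassword=$(Get-NdesDword 'UseSinglePassword') PasswordLength=$(Get-NdesDword 'PasswordLength')"

Set-NdesDword -Name 'UseSinglePassword' -Value 1

# NDES is hosted in IIS; restart it so the new value is read.
iisreset /restart | Out-Null

"After:  UseSinglePassword=$(Get-NdesDword 'UseSinglePassword') PasswordLength=$(Get-NdesDword 'PasswordLength')"

# With one shared challenge password, the quoted documentation recommends
# increasing PasswordLength; this script only reports the current value.
```

An empty value in the output means the setting is absent from the registry.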

Contributor
polinyan
Posts: 15
Registered: ‎04-30-2013
My Device: BES10, BDS

Re: E-Mail Authentication with certificate successful solved?

I got it working by creating a SCEP profile and linking it to the email profile in BDS. I had the NDES role service installed on the enterprise root CA in my lab, and had it installed on a different computer in production. Certificate-based authentication of BDS works fine in both environments. Below is a list of settings I used in my setup:

1) Added the following application policies to the certificate template. The certificate subject type is Computer.

        client authentication,
        certificate request agent,
        encryption file system,
        secure email, and
        IP security IKE intermediate

2) Enabled single enrollment challenge password for NDES.

3) In the BDS SCEP profile setting, the Certificate Authority Identifier is the common name of the registration authority (RA). Do not use the common name of the CA.

4) A BlackBerry user's UPN (user principal name) should match its email address.

Once the SCEP profile is set up correctly, when activating a BlackBerry device, I just need to enter the user's email address and it goes through without prompting for the user's password. It does not matter when a user changes his AD account password. When I check the issued certificates folder on the enterprise root CA, I see the certificate is issued. The certificate requestor is the service account for NDES, and the subject name of the certificate is the BlackBerry user's distinguished name.

Hope this can help someone. The BDS admin guide does not help at all when it comes to SCEP profile configuration.
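
A pre-flight check for the UPN requirement stated in point 4 above and in -BD-'s earlier reply, as an added example that is not part of the thread. It treats the `proxyAddresses` entry with the upper-case `SMTP:` prefix as the primary address and falls back to `mail`; the sample accounts are constructed, and the function names are the example's own.

```powershell
# Added example: list accounts whose UPN differs from their primary SMTP address.
function Get-PrimarySmtp {
    param($User)
    # Exchange marks the primary address with an upper-case "SMTP:" prefix;
    # secondary addresses use lower-case "smtp:". -clike is case-sensitive.
    foreach ($addr in @($User.proxyAddresses)) {
        if ($addr -clike 'SMTP:*') { return $addr.Substring(5) }
    }
    return $User.mail   # fall back to the mail attribute (may be $null)
}

function Test-UpnMatchesSmtp {
    param($User)
    $smtp  = Get-PrimarySmtp $User
    # Addresses are compared case-insensitively.
    $match = ($null -ne $smtp) -and ($smtp -ne '') -and ($User.UserPrincipalName -ieq $smtp)
    New-Object PSObject -Property @{
        User        = $User.SamAccountName
        UPN         = $User.UserPrincipalName
        PrimarySmtp = $smtp
        Match       = $match
    } | Select-Object User, UPN, PrimarySmtp, Match
}

# Constructed sample accounts (not real data).
$sample = @(
    (New-Object PSObject -Property @{ SamAccountName = 'alice'
        UserPrincipalName = 'alice@example.com'; mail = 'alice@example.com'
        proxyAddresses = @('SMTP:Alice@example.com', 'smtp:a.smith@example.com') }),
    (New-Object PSObject -Property @{ SamAccountName = 'bob'
        UserPrincipalName = 'bob@corp.local'; mail = 'bob@example.com'
        proxyAddresses = @('smtp:bob@corp.local', 'SMTP:bob@example.com') }),
    (New-Object PSObject -Property @{ SamAccountName = 'svc-scan'
        UserPrincipalName = 'svc-scan@corp.local'; mail = $null
        proxyAddresses = @() })
)

# Against a live directory (assumes the ActiveDirectory module is available):
#   $sample = Get-ADUser -Filter * -Properties mail, proxyAddresses
$sample | ForEach-Object { Test-UpnMatchesSmtp $_ } |
    Where-Object { -not $_.Match } |
    Format-Table -AutoSize
```

With the constructed data, `bob` and `svc-scan` are listed and `alice` is not.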

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354

Re: E-Mail Authentication with certificate successful solved?

Hello Polinyan,

It's good to hear that someone got it to work. I have some questions.

Which certificate template did you use/copy, where you added client authentication, certificate request agent, encryption file system, secure email, and IP security IKE intermediate?

I have changed the regedit value for UseSinglePassword, but then I got an error message on the website when I tried to get a challenge password. Maybe you can give me a short explanation of how you activated this and where you get the password.

And is it possible to send me a screenshot of your SCEP profile in BDS?

I would be very happy if you could send me this information, even in a short PM.

Best Regards

Sascha

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20