Welcome to the official BlackBerry Support Community Forums.

BlackBerry® Enterprise Service 10

Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

The Full Name field during creation of a user account is an attribute of the AD user object called DisplayName. See the following link for reference:

http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

 

I created another new user account and modified its full name by adding a comma in the Full Name field during the account creation. And I was able to activate this account successfully as well. See the screenshot below for the name attribute comparison between the two users. Somehow I could not reproduce the error reported by BB-SH and BD.

 

2UserNames.PNG

Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

And the logs below show that the SCEP cert requests for both users above were processed and completed successfully:

 

Logs for processing scep cert request for SubjectDN = CN=Yan\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, 

 

[INFO ] (05/13 14:02:19:627):{http-8444-exec-2} MWSHandler:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/9a2fbea2-e066-4277-ab84-11d281a1575f.Polin Yan2.19}:Start processing: POST /9a2fbea2-e066-4277-ab84-11d281a1575f/scepEngine
[INFO ] (05/13 14:02:19:690):{http-8444-exec-2} MWSHandler:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/9a2fbea2-e066-4277-ab84-11d281a1575f.Polin Yan2.19}:Processing SCEP request for user=[CN=Yan\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com]
[INFO ] (05/13 14:02:19:690):{http-8444-exec-2} ScepEngine:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/9a2fbea2-e066-4277-ab84-11d281a1575f.Polin Yan2.19}:SubjectDN = CN=Yan\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, Scep Message Received.
[DEBUG] (05/13 14:02:19:690):{http-8444-exec-2} ScepEngine:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/9a2fbea2-e066-4277-ab84-11d281a1575f.Polin Yan2.19}:SubjectDN = CN=Yan\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, Email=PYan2@myTestLab.com
[INFO ] (05/13 14:02:19:690):{http-8444-exec-2} ScepEngine:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/9a2fbea2-e066-4277-ab84-11d281a1575f.Polin Yan2.19}:SubjectDN = CN=Yan\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, Processing CSR Message.
[DEBUG] (05/13 14:02:19:695):{http-8444-exec-2} ScepEngine:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/9a2fbea2-e066-4277-ab84-11d281a1575f.Polin Yan2.19}:SubjectDN = CN=Yan\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, SCEP PROFILE = Name=ADClientAuth, Thumbprint=382BBBE8AEF86B2C9EE0DAF15C5F84DC, RequestEncryptionAlgorithm=1, HashFunction=1
[INFO ] (05/13 14:02:19:696):{http-8444-exec-2} ScepEngine:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/9a2fbea2-e066-4277-ab84-11d281a1575f.Polin Yan2.19}:SubjectDN = CN=Yan\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, CSR Signature Response Message Sent.
[INFO ] (05/13 14:02:19:696):{http-8444-exec-2} MWSHandler:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/9a2fbea2-e066-4277-ab84-11d281a1575f.Polin Yan2.19}:Complete processing: Status=200


Logs for processing scep cert request for SubjectDN = CN=Yan3\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com,

 

[INFO ] (05/13 17:07:22:138):{http-8444-exec-4} MWSHandler:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/a51b608a-d7ee-455e-85b3-fa367c8b4ef1.Yan3,Polin.20}:Start processing: POST /a51b608a-d7ee-455e-85b3-fa367c8b4ef1/scepEngine
[INFO ] (05/13 17:07:22:208):{http-8444-exec-4} MWSHandler:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/a51b608a-d7ee-455e-85b3-fa367c8b4ef1.Yan3,Polin.20}:Processing SCEP request for user=[CN=Yan3\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com]
[INFO ] (05/13 17:07:22:208):{http-8444-exec-4} ScepEngine:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/a51b608a-d7ee-455e-85b3-fa367c8b4ef1.Yan3,Polin.20}:SubjectDN = CN=Yan3\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, Scep Message Received.
[DEBUG] (05/13 17:07:22:208):{http-8444-exec-4} ScepEngine:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/a51b608a-d7ee-455e-85b3-fa367c8b4ef1.Yan3,Polin.20}:SubjectDN = CN=Yan3\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, Email=PYan3@myTestLab.com
[INFO ] (05/13 17:07:22:209):{http-8444-exec-4} ScepEngine:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/a51b608a-d7ee-455e-85b3-fa367c8b4ef1.Yan3,Polin.20}:SubjectDN = CN=Yan3\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, Processing CSR Message.
[DEBUG] (05/13 17:07:22:214):{http-8444-exec-4} ScepEngine:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/a51b608a-d7ee-455e-85b3-fa367c8b4ef1.Yan3,Polin.20}:SubjectDN = CN=Yan3\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, SCEP PROFILE = Name=ADClientAuth, Thumbprint=382BBBE8AEF86B2C9EE0DAF15C5F84DC, RequestEncryptionAlgorithm=1, HashFunction=1
[INFO ] (05/13 17:07:22:214):{http-8444-exec-4} ScepEngine:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/a51b608a-d7ee-455e-85b3-fa367c8b4ef1.Yan3,Polin.20}:SubjectDN = CN=Yan3\,Polin,OU=Lab-OU,DC=ad,DC=TestLab,DC=com, CSR Signature Response Message Sent.
[INFO ] (05/13 17:07:22:214):{http-8444-exec-4} MWSHandler:{BlackBerry/10.0.10.822 EMA/10.0.10.822 IMEI/352922051436631 PIN/716678235 PerimeterId/a51b608a-d7ee-455e-85b3-fa367c8b4ef1.Yan3,Polin.20}:Complete processing: Status=200

 

 

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Carrier: T-Mobile Germany

Re: E-Mail Authentication with certificate successful solved?

Hello Polinyan,

 

I saw in your log that you have no blank after the comma.

SubjectDN = CN=Yan\,Polin,

 

In my case I have a blank between the comma and Donald

SubjectDN = CN=Duck\, Donald,

 

Maybe it is not the comma, maybe it is the combination of comma and blank.

 

 

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
BlackBerry Technical Advisor
-BD-
Posts: 474
Registered: ‎05-15-2008
My Carrier: Rogers

Re: E-Mail Authentication with certificate successful solved?


BB-SH wrote:

Hello Polinyan,

 

I saw in your log that you have no blank after the comma.

SubjectDN = CN=Yan\,Polin,

 

In my case I have a blank between the comma and Donald

SubjectDN = CN=Duck\, Donald,

 

Maybe it is not the comma, maybe it is the combination of comma and blank.

 

 


I thought the same thing as well, but in my testing a comma w/o the space still fails.  I tried the exact same handheld code (10.0.10.822) and BDS 10 & 10.1 and in all cases it failed.  So I'm not quite sure why the failure isn't happening there. 

Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

I just activated another user account with a comma and a space in the distinguishedName successfully. So in my case, it really does not matter if there is a space or a comma or a combination of both in the user's CN or DN; all activations were successful. The BlackBerry Dispatcher version on my BDS is 6.2.0.30.

 

Do you find any error code in your NDES/SCEP server's IIS log, like the following line?

 

2013-04-27 21:24:35 10.0.72.71 GET /certsrv/mscep/mscep.dll ... 80 - 10.0.72.55 BlackBerry/10.0.9.2743+EMA/10.0.9.2743+IMEI/990001241158997+PIN/859608473+PerimeterId/433d4608-f34f-4acf-97e9-43e972199e4b 404 15 0 203

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Carrier: T-Mobile Germany

Re: E-Mail Authentication with certificate successful solved?

I upgraded my CA today from Windows 2008 to Windows 2008 R2!

Tomorrow I will test if the issue is still there.
Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Carrier: T-Mobile Germany

Re: E-Mail Authentication with certificate successful solved?

Hello polinyan

 

Even after the CA update, the BDS Update 10.1 and BlackBerry Device Update 10.1, the issue with the comma still occurs.

But without the comma I'm now able to activate my BlackBerry Z10 and a cert is issued in the CA.

Now I get an error after the activation: "Service for Account (name@company.com - name@company.com) is not available. Contact your system administrator to regain access. [Error Code: 403]"

I thought this was an Exchange issue, but I cannot find the problem. I searched every log (BDS, EMWS, Exchange Eventlog, CA Eventlog) but found nothing.

What is strange is that I can access the mailbox over ActiveSync with an iOS device.

 

Do you have any idea what that could be?

Best regards

Sascha

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
Contributor
polinyan
Posts: 14
Registered: ‎04-30-2013
My Carrier: Verizon Wireless

Re: E-Mail Authentication with certificate successful solved?

Quite likely, the error you are having is due to a misconfiguration in certificate-based authentication for Exchange 2010 ActiveSync. Can you verify your Exchange 2010 server's ActiveSync configuration step by step using the instructions at the following link?

 

http://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-fo...

 

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Carrier: T-Mobile Germany

Re: E-Mail Authentication with certificate successful solved?

I knew you would send me this link :-D I already performed all of these steps on our 2 CAS servers.

We talk to our CAS servers over an NLB (Network Load Balancer). I thought maybe this could be a problem, so I changed the server name in the email profile in BDS to the FQDN of the first CAS server, but the error code 403 still occurs.

 

WIKI Def List of HTTP status codes:

403 Forbidden: The request was a valid request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference. On servers where authentication is required, this commonly means that the provided credentials were successfully authenticated but that the credentials still do not grant the client permission to access the resource (e.g. a recognized user attempting to access restricted content).

 

So it has to do with IIS, right?!

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Carrier: T-Mobile Germany

Re: E-Mail Authentication with certificate successful solved?

That's what I found in the IIS log:

 

2013-05-17 07:46:50 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1343


2013-05-17 07:46:54 172.16.3.121 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Provision&DeviceType=BlackBerry&User=Domain%5Cduckd&DeviceId=BBxxxxxxxx 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1421


2013-05-17 07:47:03 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1234


2013-05-17 07:47:07 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1234


2013-05-17 07:47:10 172.16.3.121 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Provision&DeviceType=BlackBerry&User=Domain%5Cduckd&DeviceId=BBxxxxxxxx 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1218

 

That is really not much to read out of it. But I always see the IP of the BDS server. Do I have to give this server permission for something?

 

I also noticed that after an IIS Admin Service restart the option set below turns back to false.

 

image

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
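
Added example, not part of any post in this thread: the last three numeric columns before time-taken in the IIS lines above are sc-status, sc-substatus and sc-win32-status, and this Python code decodes them for client-certificate failures. The field order is an assumption (the IIS default W3C selection; the posted lines carry no `#Fields:` header), the lookup tables cover only certificate-related codes, and the third sample line is constructed.

```python
from collections import Counter

# Assumed field order (IIS default W3C set); the posted lines carry no "#Fields:" header.
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()

# IIS 403 sub-status codes that concern TLS client certificates.
SUBSTATUS_403 = {7: "client certificate required",
                 12: "certificate mapper denied access",
                 13: "client certificate revoked",
                 16: "client certificate untrusted or invalid",
                 17: "client certificate expired or not yet valid"}

# CryptoAPI HRESULTs that IIS writes (as unsigned decimal) to sc-win32-status.
HRESULTS = {0x80092010: "CRYPT_E_REVOKED",
            0x80092012: "CRYPT_E_NO_REVOCATION_CHECK",
            0x80092013: "CRYPT_E_REVOCATION_OFFLINE",
            0x800B0101: "CERT_E_EXPIRED",
            0x800B0109: "CERT_E_UNTRUSTEDROOT"}

# First two lines are copied from the post above; the third is constructed.
SAMPLE = """\
2013-05-17 07:46:50 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1343
2013-05-17 07:46:54 172.16.3.121 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Provision&DeviceType=BlackBerry&User=Domain%5Cduckd&DeviceId=BBxxxxxxxx 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1421
2013-05-17 07:50:00 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.131 ExampleClient/1.0 200 0 0 100
"""

def parse_line(line):
    """Return a field dict for one log line, or None for directives and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def explain(rec):
    """Decode the status triple of one parsed record."""
    status, sub = int(rec["sc-status"]), int(rec["sc-substatus"])
    win32 = int(rec["sc-win32-status"]) & 0xFFFFFFFF  # normalise to unsigned 32-bit
    reason = SUBSTATUS_403.get(sub, "other") if status == 403 else "n/a"
    return {"http": f"{status}.{sub}", "reason": reason, "client": rec["c-ip"],
            "hresult": f"0x{win32:08X}", "name": HRESULTS.get(win32, "unknown")}

def summarize(text):
    """Count 403 responses per (status.substatus, HRESULT name, client IP)."""
    recs = (explain(r) for r in map(parse_line, text.splitlines()) if r)
    return Counter((e["http"], e["name"], e["client"]) for e in recs
                   if e["http"].startswith("403."))

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```

For the posted lines this yields 403.13 with 0x80092013 (CRYPT_E_REVOCATION_OFFLINE), the CryptoAPI code for a revocation check that could not reach the revocation server. The corresponding check is whether the server logging the 403 can retrieve the CRL distribution point named in the device certificate.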