BlackBerry Support Community Forums

BlackBerry® Enterprise Service 10

Enterprise SME
-BD-
Posts: 551
Registered: ‎05-15-2008
My Device: Z10

Re: E-Mail Authentication with certificate successful solved?


BB-SH wrote:

That's what I found in the IIS log:

2013-05-17 07:46:50 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1343
2013-05-17 07:46:54 172.16.3.121 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Provision&DeviceType=BlackBerry&User=Domain%5Cduckd&DeviceId=BBxxxxxxxx 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1421
2013-05-17 07:47:03 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1234
2013-05-17 07:47:07 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1234
2013-05-17 07:47:10 172.16.3.121 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Provision&DeviceType=BlackBerry&User=Domain%5Cduckd&DeviceId=BBxxxxxxxx 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1218

That is really not much to read out of it, but I always see the IP of the BDS server. Do I have to give this server permission for something?

I also notice that after an IIS Admin Service restart, the option set below turns back to false.

[screenshot of the IIS setting, not preserved]


Does your UPN equal your SMTP address? You can find this for a user by going to a command prompt in newer versions of Windows and typing: whoami /upn

Contributor
polinyan
Posts: 15
Registered: ‎04-30-2013
My Device: BES10, BDS

Re: E-Mail Authentication with certificate successful solved?

Hello BB-SH,

 

The clientCertificateMappingAuthentication setting has to be set to "true" and stay "true" for the ActiveSync virtual directory. Make sure that you follow the configuration guide step by step and in the correct order, especially for steps 3 and 4. If you did not configure in that order, the setting might be changed back to "false".

Your IIS log shows that an HTTP 403.13 error was returned. Per Microsoft KB 907274, this error message means that the client sent a certificate, but either the certificate shows up as revoked in the issuing authority's Certificate Revocation List or the server could not retrieve a CRL from the issuing authority. So try to start troubleshooting from there. See if Microsoft KB 294305 and KB 248058 could help.
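One more field in those log lines is worth decoding, as an added note that is not part of polinyan's post: the sc-win32-status column. The value 2148081683 in every line BB-SH posted is 0x80092013, CRYPT_E_REVOCATION_OFFLINE, which separates the second of the two causes polinyan names (the CAS could not fetch the CRL) from a genuinely revoked certificate (0x80092010, CRYPT_E_REVOKED). The PowerShell below is example code written for this page, not from the thread or from BlackBerry; it assumes the default IIS W3C field order and decodes the quoted lines offline.

```powershell
# Added example (not from the thread): decode the IIS W3C log lines quoted above.
# Field order assumed to be the IIS default selection; check the "#Fields:" header
# of your own u_ex*.log before relying on the indexes used here:
#   date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
#   c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken

# IIS 403 substatus codes that concern client certificates
$Substatus403 = @{
    7  = 'Client certificate required'
    12 = 'Mapper denied access'
    13 = 'Client certificate revoked'
    16 = 'Client certificate is untrusted or invalid'
    17 = 'Client certificate has expired or is not yet valid'
}

# sc-win32-status is an HRESULT logged in decimal; these CryptoAPI values are the
# ones that usually accompany 403.13 / 403.16 / 403.17
$Win32Codes = @{
    '0x80092010' = 'CRYPT_E_REVOKED: the certificate is revoked'
    '0x80092012' = 'CRYPT_E_NO_REVOCATION_CHECK: revocation could not be checked'
    '0x80092013' = 'CRYPT_E_REVOCATION_OFFLINE: CRL/OCSP server unreachable from this host'
    '0x800B0101' = 'CERT_E_EXPIRED: certificate expired or not yet valid'
    '0x800B0109' = 'CERT_E_UNTRUSTEDROOT: chain ends in an untrusted root'
}

function ConvertFrom-IisEasLogLine {
    param([string]$Line)
    # skip directives such as "#Fields:" and blank lines
    if ([string]::IsNullOrWhiteSpace($Line) -or $Line.StartsWith('#')) { return }
    $f = $Line.Trim() -split ' +'
    if ($f.Count -lt 14) { return }

    $status = [int]$f[10]
    $sub    = [int]$f[11]
    $hex    = '0x{0:X8}' -f [uint32]$f[12]

    $statusText = ''
    if ($status -eq 403 -and $Substatus403.ContainsKey($sub)) { $statusText = $Substatus403[$sub] }
    $win32Text = 'not in this table'
    if ($Win32Codes.ContainsKey($hex)) { $win32Text = $Win32Codes[$hex] }

    [pscustomobject]@{
        Time       = '{0} {1}' -f $f[0], $f[1]
        ClientIp   = $f[8]
        Method     = $f[3]
        Query      = $f[5]
        Status     = '{0}.{1}' -f $status, $sub
        StatusText = $statusText
        Win32      = $hex
        Win32Text  = $win32Text
    }
}

# The lines BB-SH posted (the DeviceId was already masked in the original post)
$SampleLog = @'
2013-05-17 07:46:50 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1343
2013-05-17 07:46:54 172.16.3.121 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Provision&DeviceType=BlackBerry&User=Domain%5Cduckd&DeviceId=BBxxxxxxxx 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1421
2013-05-17 07:47:03 172.16.3.121 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 172.16.3.130 RIM-Z10-STL100-2/10.1.0.1720 403 13 2148081683 1234
'@

$entries = $SampleLog -split '\r?\n' | ForEach-Object { ConvertFrom-IisEasLogLine $_ }
$entries | Format-Table Time, ClientIp, Method, Status, StatusText, Win32, Win32Text -AutoSize

# One row per distinct cause tells you where to look next (here: CRL reachability)
$entries | Group-Object Win32Text | Select-Object Count, Name
```

With CRYPT_E_REVOCATION_OFFLINE the next step is on the CAS itself, not on the device: export a certificate issued from the SCEP template and run `certutil -urlfetch -verify <user.cer>` there, which reports which CRL distribution point the server cannot reach (typically an HTTP CDP that the CAS has no outbound path to, or a CDP that only lists an LDAP path the IIS worker process cannot follow).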

Enterprise SME
-BD-
Posts: 551
Registered: ‎05-15-2008
My Device: Z10

Re: E-Mail Authentication with certificate successful solved?


-BD- wrote:

BB-SH wrote:

Hello Polinyan,

I saw in your log that you have no blank after the comma.

SubjectDN = CN=Yan\,Polin,

In my case I have a blank between the comma and Donald.

SubjectDN = CN=Duck\, Donald,

Maybe it is not the comma; maybe it is the combination of comma and blank.


I thought the same thing as well, but in my testing a comma w/o the space still fails. I tried the exact same handheld code (10.0.10.822) and BDS 10 & 10.1 and in all cases it failed. So I'm not quite sure why the failure isn't happening there.


So the difference here was that Polinyan was running BDS 6.2.0 (b45). I just installed that version and successfully completed the SCEP enrollment with a comma in my Common Name.

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354

Re: E-Mail Authentication with certificate successful solved?

I finally got it :-D

It was the SCEP service account, which did not have enough permissions on the CA! The account needs the permissions

- Issue and Manage Certificates

- Request Certificates

- Manage CA

In my case the problem was that the SCEP service issued a cert for its service account user and not for the BlackBerry user.

After changing the permissions, the SCEP service issued the cert to the requested BlackBerry user and the authentication was successful :Clap:

I'm really happy now, so the rollout can begin ;-)

Thank you a lot for your support; it helped me a lot.

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
Trusted Contributor
Hape
Posts: 146
Registered: ‎08-18-2010
My Device: Z10

Re: E-Mail Authentication with certificate successful solved?

Hi,

 

I hope someone can help me out.

We are also trying to deploy Certificate Based Authentication (CBA). We could successfully configure NDES, copy the template, grant rights and configure the SCEP profile on BDS.

The activation runs through without an error and also without prompting for an account password (AD). But approx. 2 min after a successful activation the device prompts with the message: Your login information for account (upn@domain.com) has changed or is incorrect. Update your login information and try again.

The strange thing is, I can see in the CA that the certificate was issued successfully.

Has anybody any idea what went wrong? Did we use the wrong template? The UPN is the same as the mail address.

 

Any help would be appreciated.

 

Regards,

Hape

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354

Re: E-Mail Authentication with certificate successful solved?

Hi Hape,

 

I also had this issue, but I'm not sure what I did to solve the problem.

I remember that even if you update your login information with a correct password it won't go.

Which template is used for your enrolled cert? Did you change your regedit value on your NDES server to use the correct template?

In regedit, in the key HKEY_LM\Software\Microsoft\Cryptography\MSCEP you have to update the following key with the name of your copied template:

[screenshot Unbenannt.PNG of the MSCEP registry values, not preserved]

 

I hope that is working for you.

 

Regards

Sascha

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
Trusted Contributor
Hape
Posts: 146
Registered: ‎08-18-2010
My Device: Z10

Re: E-Mail Authentication with certificate successful solved?


Hi Sascha,

 

Thanks for reply.

We used the "Computer" certificate (see 1) as the template.

The name of the certificate is simply SCEP (see 2).

We also set the data in the keys to the name of the certificate (see 3) as in your example.

[screenshot CA.jpg of the template, certificate name and registry keys, not preserved]

In my case, if I manually type in the current AD password of the user on the device, emails are shown on my Z10 immediately. Which template did you use?

 

Regards,

Hape

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354

Re: E-Mail Authentication with certificate successful solved?

Hi Hape,

 

Sadly I cannot see your pictures.

I copied the IPSec (Offline request) template and added a few options, as Polinyan posted a few days ago in this thread.

[screenshot original.png of the template options, not preserved]

After that I restarted my CA server and tried again (surely just restarting the services should also work).

The Computer template you used is only for Client and Server Authentication if you did not add these options on top.

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
Trusted Contributor
Hape
Posts: 146
Registered: ‎08-18-2010
My Device: Z10

Re: E-Mail Authentication with certificate successful solved?


Hi Sascha,

 

We have now used the template you suggested. It is still not working :-(

One question: can you see the issued SCEP certificate on your BlackBerry device?

 

Regards,

Hape

 

Contributor
jacobl
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: E-Mail Authentication with certificate successful solved?

Sorry for the late reply...

 

@Polinyan - thanks very much for your detailed info in this thread. We were 90% of the way there with getting CBA working with BES10 and your posts provided the missing 10%. We've now got CBA working almost flawlessly with our Z10s and BES10.1 against our internal MS PKI / NDES setup.

 

@Hape - no, you can't see the cert issued by SCEP for the user on the device. Not sure why this is - I'd expect to see it somewhere but can't. The root CA and any intermediate CAs' certs are visible but not the one issued for the end user.

A few small tips from our experience to add to the excellent info from Polinyan:

  • The template you use for the user BB certs only needs the "Client Authentication", "IP security IKE intermediate" and "Secure Email" application policies, not "Certificate Request Agent" and "Encrypting File System".
  • The NDES service account only needs the "Request Certificates" permission on the issuing CA, and "Read" and "Autoenroll" on the BES SCEP user cert template.
  • Your issuing CA must NOT use the "Alternative Signature Algorithm" (e.g. RSASSA-PSS). In spite of JRE 7 supporting this, the BES SCEP enrollment process doesn't work with it - you need to use a traditional "sha256RSA" or similar.
  • The issuing CA's cert must be present in the local NTAuth cert store on each ActiveSync CAS server the BES is configured to use for the mail profile. It's not enough to simply have it in the AD cert authority store - check that it's also present locally in NTAuth on each CAS server ("certutil -enterprise -viewstore NTAuth").
  • To avoid issues with sending email over 47 KB you need to either a) increase the "uploadReadAheadSize" value in the IIS config for the ActiveSync web application to whatever your max email size should be, or b) re-bind your SSL cert to the ActiveSync IP using netsh with "Negotiate Client Certificate = Enabled". The latter is the best option as it avoids expensive renegotiation entirely and limits the ability to DoS your CAS endpoint with renegotiation traffic. Bear in mind this binding is done at an IP level - so if you're using the default config for EAS your ActiveSync IP is likely shared with your OWA/EWS binding and you'd be forcing those services to also require CBA. If this isn't suitable, create a new ActiveSync website with a different IP and do the re-binding just on that.

Regards,

 

Jacob
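A read-only way to verify the items in Jacob's list, as added example code written for this page (not from the thread, from BlackBerry or from Microsoft). Assumptions: the ActiveSync application sits under Default Web Site ($EasPath) and "SCEP" is a placeholder for the name of the copied template; every command only reads state. Section A runs in an elevated PowerShell on each Exchange CAS host, section B on the NDES host and section C on the issuing CA. It also covers the two earlier points in the thread that the list refines: the clientCertificateMappingAuthentication flag that flipped back to false, and the CA permissions granted to the NDES service account.

```powershell
# Added example (not from the thread): read-only checks for the items in the list
# above. Section A runs in an elevated PowerShell on each Exchange CAS host,
# section B on the NDES host, section C on the issuing CA. $EasPath and
# $TemplateName are placeholders for this page; adjust them to your environment.

# ---- A. Exchange CAS (IIS) host ------------------------------------------------
Import-Module WebAdministration -ErrorAction Stop
$EasPath = 'IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync'

# The setting the thread saw flipping back to false after an IIS Admin restart
$ccma = Get-WebConfiguration -PSPath $EasPath `
    -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
'clientCertificateMappingAuthentication enabled : {0}' -f $ccma.enabled

# "Ssl, SslNegotiateCert, SslRequireCert" means the client cert is required, not just accepted
$access = Get-WebConfiguration -PSPath $EasPath -Filter 'system.webServer/security/access'
'sslFlags                                       : {0}' -f $access.sslFlags

# Default is 49152 bytes (48 KB). A POST bigger than this forces a TLS renegotiation
# to obtain the client certificate, which is the ~47 KB mail-size limit in the list above
$rt = Get-WebConfiguration -PSPath $EasPath -Filter 'system.webServer/serverRuntime'
'uploadReadAheadSize                            : {0} bytes' -f $rt.uploadReadAheadSize

# Bindings with "Negotiate Client Certificate : Enabled" ask for the client cert in the
# initial handshake, so no renegotiation happens at all. Note it is per IP:port binding,
# so a shared OWA/EWS binding would be affected too.
netsh http show sslcert | Select-String -Pattern 'IP:port|Negotiate Client Certificate'

# The issuing CA must be in the local NTAuth store; AD membership alone is not enough
certutil -enterprise -store NTAuth | Select-String -Pattern 'Subject:|Issuer:|NotAfter:'

# ---- B. NDES host --------------------------------------------------------------
# NDES submits requests using the templates named in these values; the thread's advice
# is to point them at the copied template
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP' |
    Select-Object EncryptionTemplate, GeneralPurposeTemplate, SignatureTemplate

# ---- C. Issuing CA host --------------------------------------------------------
# 0 = PKCS#1 v1.5 signatures such as sha256RSA; 1 = RSASSA-PSS, which the list above
# says breaks BES SCEP enrollment
certutil -getreg ca\csp\AlternateSignatureAlgorithm

# CA-level permissions: the NDES service account needs "Request Certificates" (Enroll).
# "Manage CA" or "Issue and Manage Certificates" is more than NDES requires, so an
# account holding them should be trimmed back once enrollment works.
certutil -getreg ca\Security

# Application policies on the SCEP template (placeholder name). The OIDs to expect are
# 1.3.6.1.5.5.7.3.2 Client Authentication, 1.3.6.1.5.5.8.2.2 IP security IKE intermediate
# and 1.3.6.1.5.5.7.3.4 Secure Email; anything else listed is surplus.
$TemplateName = 'SCEP'
certutil -v -template $TemplateName |
    Select-String -Pattern 'msPKI-Certificate-Application-Policy|1\.3\.6\.1\.5\.5\.'
```

None of these commands change anything, so they are safe to run on a production CAS before and after each step of the guide; the "enabled" line is the one to re-check after every IIS Admin Service restart, since that is where the thread saw the setting revert.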