
BlackBerry® Enterprise Service 10

New Contributor
schlauby
Posts: 3
Registered: ‎04-16-2013
My Device: Z10
My Carrier: T-Mobile

Re: E-Mail Authentication with certificate successful solved?

Hi,

I've a 2007 Exchange on a 2003 Server & BES10.1.

I did all steps in this thread. I can activate a Z10 device until the point when the device saves the E-Mail settings.

After that a message comes up which means: "your account name@domain.com can't authenticate by service provider. check your account settings"

After you confirm this message with "OK", you see the account settings with the notice "not connected - password required". When you enter the password, then it works.

I can see a certificate is issued properly for this user.

In the EMWS BES log there is just one error:

" [ERROR] (06/26 16:01:30:755):{http-38084-exec-3} MWSHandler:{BlackBerry/10.1.0.2354 EMA/10.1.0.2354 IMEI/xxxxxxxxxxxxx PIN/xxxxxxxxxxx}:Certificate attribute of request is null" (not sure if this is a problem)

 

It looks to me that I have a problem somewhere in Exchange, but I don't know where.

Some of your how-tos refer to IIS 7.x, but I have IIS 6.

Does anybody maybe have an idea?

Thanks
Contributor
ebak123
Posts: 12
Registered: ‎06-26-2013
My Device: Q10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

Quick question for those that have their device working with cert based authentication - Does the issued scep certificate need to be published to Active Directory before it can be used by the device for EAS authentication? We have the certificates being issued correctly and we are ready to change EAS to use CBA, however I was told by RIM to publish the cert to AD (by check marking the cert template option to Publish to Active Directory). However, when I checkmark this option on the cert template to publish to AD, it publishes it under the NDES service account object, not the user account object.

 

I'm thinking as long as the cert is issued and has the correct info in it, it will authenticate to EAS.

Contributor
chasdrury
Posts: 42
Registered: ‎05-22-2013
My Device: Blackberry Z10
My Carrier: EE

Re: E-Mail Authentication with certificate successful solved?


ebak123 wrote:

Quick question for those that have their device working with cert based authentication - Does the issued scep certificate need to be published to Active Directory before it can be used by the device for EAS authentication? We have the certificates being issued correctly and we are ready to change EAS to use CBA, however I was told by RIM to publish the cert to AD (by check marking the cert template option to Publish to Active Directory). However, when I checkmark this option on the cert template to publish to AD, it publishes it under the NDES service account object, not the user account object.

 

I'm thinking as long as the cert is issued and has the correct info in it, it will authenticate to EAS.


No, we didn't check this....

BlackBerry Technical Advisor
-BD-
Posts: 494
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: E-Mail Authentication with certificate successful solved?

[ Edited ]

ebak123 wrote:

Quick question for those that have their device working with cert based authentication - Does the issued scep certificate need to be published to Active Directory before it can be used by the device for EAS authentication? We have the certificates being issued correctly and we are ready to change EAS to use CBA, however I was told by RIM to publish the cert to AD (by check marking the cert template option to Publish to Active Directory). However, when I checkmark this option on the cert template to publish to AD, it publishes it under the NDES service account object, not the user account object.

 

I'm thinking as long as the cert is issued and has the correct info in it, it will authenticate to EAS.


With Exchange it is using the Principal Name in the SAN of the certificate to authenticate with, so there is no need to publish the certs to AD. Also, all of the certs that are issued will be requested by the service account used to install the BES10 server. So if you choose to publish them to AD, it would be publishing them to that account.
Contributor
ebak123
Posts: 12
Registered: ‎06-26-2013
My Device: Q10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

Thanks for clarifying this. I'm not sure why RIM support told me to checkmark the Publish to Active Directory option. I feel like I wasted a couple of days trying to understand why it wasn't publishing to the user AD account.

 

The scep cert is actually being requested by the NDES service account (used to install the NDES server), not the BesAdmin service account (used to install BES 10 server)

BlackBerry Technical Advisor
-BD-
Posts: 494
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: E-Mail Authentication with certificate successful solved?


ebak123 wrote:

Thanks for clarifying this. I'm not sure why RIM support told me to checkmark the Publish to Active Directory option. I feel like I wasted a couple of days trying to understand why it wasn't publishing to the user AD account.

 

The scep cert is actually being requested by the NDES service account (used to install the NDES server), not the BesAdmin service account (used to install BES 10 server)


I just double-checked my server and it looks like you are right.  My requester name wasn't my BES service account.

Contributor
jacobl
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: E-Mail Authentication with certificate successful solved?

No, you don't need to publish the user certs into AD - as long as they are a) issued by a CA that chains to a root CA that's in the "Certification Authorities Container" AD container (e.g. an Enterprise CA) and b) the SAN field contains a mapping to the user's UPN.

 

Regards,

 

Jacob

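The two conditions listed in the reply above (a chain to a trusted enterprise root, and the user's UPN in the SAN) can be checked against an exported device certificate. This is an added example, not part of the original thread: the function name, file path and UPN are hypothetical, and it assumes an English-language Windows machine joined to the domain, where the SAN formatter prints `Principal Name=`.

```powershell
function Test-EasClientCert {
    param(
        [Parameter(Mandatory = $true)][string]$Path,         # exported .cer file (hypothetical path)
        [Parameter(Mandatory = $true)][string]$ExpectedUpn   # the user's userPrincipalName in AD
    )
    $fullPath = (Resolve-Path $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # a) Does the chain build to a root this machine trusts?
    #    Roots published in the AD "Certification Authorities" container are
    #    distributed to domain members' Trusted Root stores, so a successful build
    #    is a necessary check here (a root could also be trusted for other reasons).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # b) Does the Subject Alternative Name (OID 2.5.29.17) carry a UPN?
    #    Windows renders the UPN otherName as "Principal Name=<upn>".
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($san -and ($san.Format($true) -match 'Principal Name=(\S+)')) {
        $upn = $Matches[1]
    }

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        TopOfChain   = $root.Subject
        SanUpn       = $upn
        UpnMatches   = ($null -ne $upn) -and ($upn -ieq $ExpectedUpn)
    }
}

# Constructed sample values; replace with your own exported certificate and user.
Test-EasClientCert -Path .\device-user.cer -ExpectedUpn 'alice@example.com' | Format-List
```

If `ChainTrusted` is false, `ChainStatus` names the reason (for example an untrusted root or an unreachable revocation list); if `SanUpn` is empty, the certificate template is not putting the UPN into the SAN.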
Contributor
jacobl
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: E-Mail Authentication with certificate successful solved?

[ Edited ]

ebak123 wrote:

Thanks for clarifying this. I'm not sure why RIM support told me to checkmark the Publish to Active Directory option. I feel like I wasted a couple of days trying to understand why it wasn't publishing to the user AD account.

 

The scep cert is actually being requested by the NDES service account (used to install the NDES server), not the BesAdmin service account (used to install BES 10 server)


Yeah this sounds like generally bad advice - ticking the "Publish to Active Directory" checkbox is only for a scenario where the certs are being requested by the AD users themselves, not a proxy account like the NDES service account. They may be getting mixed up with the other way of manually mapping certs to AD users (in ADUC with the "Name Mappings..." action in the right-click context menu on a user object) - but still even that is not required in a BES-SCEP scenario if your CAs are enterprise CAs and are thus trusted to issue user certs by all domain members.

 

Regards,


Jacob

Contributor
anotherITguy
Posts: 39
Registered: ‎04-08-2010
My Device: 8830
My Carrier: Verizon

Re: E-Mail Authentication with certificate successful solved?

[ Edited ]

I've set everything up according to the posts in this thread.  When I try to activate my device I get all the way through activation until the very end where it says "During activation the following configurations experienced errors: certificate authority profiles".  Has anyone seen this error before?

 

I'm also not seeing any requests on my CA, either failed or issued...

Contributor
jacobl
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: E-Mail Authentication with certificate successful solved?

@ anotherITguy:

 

Do you have your root and issuing CA certs present in the shared "Certificates\WWW" folder, in the correct format?

 

Pages 41 & 42 of the Security Technical Overview doc: http://docs.blackberry.com/en/admin/deliverables/52722/BlackBerry_Enterprise_Service_10_version_10.1...

 

Regards,

 

Jacob
