
BlackBerry® Enterprise Service 10

Contributor
anotherITguy
Posts: 39
Registered: ‎04-08-2010
My Device: 8830
My Carrier: Verizon

Re: E-Mail Authentication with certificate successful solved?

I'm now getting through activation and I'm seeing the certificates generated on the CA.  The issue I'm having now is that a few moments after activation I'm still prompted to enter my domain credentials.  I've enabled cert based auth in IIS on Exchange and I've also set the system.webServer/security/authentication/clientCertificateMappingAuthentication section to true in the Configuration Editor.  Am I missing anything else?

Contributor
jacobl
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: E-Mail Authentication with certificate successful solved?

@anotherITguy:

I'd go back and check every item in this thread. Your issue could be any of:

  1. Are your user certs being issued with the correct details in subject/SAN and are they issued for the correct purposes?
  2. Are your CAs in the trusted cert stores on your CAS servers?
  3. Do certs issued by them chain fully up to the root without error on the CAS servers?
  4. Are you using the AlternateSignatureAlgorithm for your signature algorithm on the issuing CA or any of the CA certs in the chain (you don't want to do this)?
  5. Have you disabled basic auth (and any other types of auth) on the ActiveSync web app?

 

And probably others...

Regards,

Jacob
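
Added example, not part of the original post or of any BlackBerry or Microsoft tooling: a PowerShell function that runs items 1 to 4 of the checklist above against one exported user certificate. The file path is hypothetical, the SAN match assumes the English Windows rendering of the extension ("Principal Name="), and the chain is only meaningful when this is run on the CAS server whose trust stores matter.

```powershell
function Test-EasClientCert {
    param([Parameter(Mandatory)][string]$Path)   # hypothetical exported .cer file

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $findings = @()

    # Item 1 (purposes): a cert with no EKU extension is unrestricted; if the
    # extension is present it must list Client Authentication (1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $usages = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        if ($usages -notcontains '1.3.6.1.5.5.7.3.2') {
            $findings += 'EKU does not include Client Authentication'
        }
    }

    # Item 1 (subject/SAN): look for the UPN entry in the SAN extension (2.5.29.17).
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($true) } else { '' }
    if ($sanText -notmatch 'Principal Name=\S+@\S+') {
        $findings += 'SAN has no Principal Name (UPN) entry'
    }

    # Items 2 and 3: build the chain against this machine's trust stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) { $findings += "Chain: $($s.Status)" }
    }

    # Item 4: AlternateSignatureAlgorithm=1 on a CA yields RSASSA-PSS signatures
    # (OID 1.2.840.113549.1.1.10); flag any chain element signed that way.
    foreach ($el in $chain.ChainElements) {
        if ($el.Certificate.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.10') {
            $findings += "RSASSA-PSS signature on: $($el.Certificate.Subject)"
        }
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        SAN      = $sanText.Trim()
        SigAlg   = $cert.SignatureAlgorithm.FriendlyName
        Findings = $findings
        Pass     = ($findings.Count -eq 0)
    }
}

Test-EasClientCert -Path 'C:\temp\user.cer'   # hypothetical path
```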

Contributor
anotherITguy
Posts: 39
Registered: ‎04-08-2010
My Device: 8830
My Carrier: Verizon

Re: E-Mail Authentication with certificate successful solved?

1) Are your user certs being issued with the correct details in subject/SAN and are they issued for the correct purposes?
    Subject has the user's CN listed.
    SAN =     Other Name: Principal Name=user@domain.com
        RFC822 Name=user@domain.com


2) Are your CAs in the trusted cert stores on your CAS servers?

    Yes, the CA is trusted.

3) Do certs issued by them chain fully up to the root without error on the CAS servers?

    Yes, everything is fully trusted.    

4) Are you using the AlternateSignatureAlgorithm?

    No, Signature Algorithm = sha1RSA

5) Have you disabled basic auth (and any other types of auth) on the ActiveSync web app?

    Yes.

Contributor
marduo1294
Posts: 14
Registered: ‎03-14-2013
My Device: Z10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

Did you change the email profile on the BES server to point to the correct CAS server?

Contributor
BB-SH
Posts: 31
Registered: ‎04-24-2013
My Device: Blackberry Z10 | STL100-2 | 10.1.0.2354
My Carrier: T-Mobile Germany

Re: E-Mail Authentication with certificate successful solved?

Did you enable Certificate Based Authentication for ActiveSync on the Exchange Console?

On the CAS, in the Exchange Console: Server Configuration -> Client Access -> Exchange ActiveSync tab -> open your ActiveSync config.

On the 2nd tab (Authentication) I choose accept client certificate.

Maybe that could help you.

Blackberry Z10 | STL100-2 | 10.1.0.2354
BDS 10.1.1.20
Contributor
ebak123
Posts: 12
Registered: ‎06-26-2013
My Device: Q10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

I'm in the same boat. We had Exchange ActiveSync (EAS) working with the Z10 prior to implementing Cert Based Auth (CBA).

I had a change control last night to switch EAS to CBA following the steps in this thread. We had set EAS to Require Client Certificates. When activating with the Z10, I would get an HTTP 403.7 error in the EAS IIS log (Forbidden - SSL Certificate required). I then changed the authentication to Accept Certificates. Now when activating with the Z10, it prompts me for a password. After entering the correct password I get "cannot be authenticated with my service provider". Now the EAS IIS log reads an HTTP 401.2 error.

The cert is issued, I have the root and intermediate cert on the device. Obviously, I'm missing something but confirmed that all that has been mentioned within this thread has been implemented.
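
Added example, not part of the original post: a PowerShell function that pulls ActiveSync authentication failures out of W3C-format IIS log lines and labels the status/substatus pairs mentioned above (403.7, 401.2) plus two related ones, using IIS's standard meanings for those codes. The log lines are constructed sample data, and the function name and field selection are assumptions for illustration.

```powershell
# Constructed sample lines in W3C extended format (not taken from any real server).
$sample = @'
#Fields: date time cs-method cs-uri-stem cs-username sc-status sc-substatus sc-win32-status
2013-06-27 02:10:11 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 403 7 64
2013-06-27 02:25:40 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 401 2 5
2013-06-27 02:31:02 POST /Microsoft-Server-ActiveSync/default.eas EXAMPLE\user1 200 0 0
2013-06-27 02:31:09 GET /owa/ - 401 2 5
'@ -split "`r?`n"

function Get-EasAuthFailure {
    param([string[]]$Line)

    # IIS status.substatus pairs relevant to certificate-based auth.
    $meaning = @{
        '403.7'  = 'Client certificate required, none presented'
        '403.16' = 'Client certificate untrusted or invalid'
        '401.1'  = 'Logon failed (credentials rejected)'
        '401.2'  = 'Logon failed due to server configuration'
    }

    $fields = @()
    foreach ($l in $Line) {
        # The #Fields header defines column order; it can change mid-file.
        if ($l -like '#Fields:*') {
            $fields = ($l -replace '^#Fields:\s*') -split '\s+'
            continue
        }
        if ($l -like '#*' -or -not $l.Trim() -or -not $fields) { continue }

        $v = $l -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $v[$i] }

        # Only the ActiveSync virtual directory is of interest here.
        if ($row['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*') { continue }

        $code = '{0}.{1}' -f $row['sc-status'], $row['sc-substatus']
        if ($meaning.ContainsKey($code)) {
            [pscustomobject]@{
                Time    = "$($row['date']) $($row['time'])"
                User    = $row['cs-username']
                Code    = $code
                Meaning = $meaning[$code]
            }
        }
    }
}

Get-EasAuthFailure -Line $sample | Format-Table -AutoSize
```

With the sample above, the function returns the 403.7 and 401.2 ActiveSync rows and skips the successful sync and the OWA request.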

Contributor
anotherITguy
Posts: 39
Registered: ‎04-08-2010
My Device: 8830
My Carrier: Verizon

Re: E-Mail Authentication with certificate successful solved?

How did you get the root CA on the device?

Contributor
marduo1294
Posts: 14
Registered: ‎03-14-2013
My Device: Z10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

Anotheritguy,

According to the Advanced Admin Guide, you need to create a shared network folder (page 49) and then send your root certificates to the devices (page 97).

Also check out anzoro's post at http://supportforums.blackberry.com/t5/BlackBerry-Enterprise-Service-10/Blackberry-Device-Service-Z1...

Mike

Contributor
marduo1294
Posts: 14
Registered: ‎03-14-2013
My Device: Z10
My Carrier: Telus

Re: E-Mail Authentication with certificate successful solved?

ebak123,

1. Verify your custom certificate template

2. Verify Exchange server is set up correctly for cert auth

Mike

Contributor
anotherITguy
Posts: 39
Registered: ‎04-08-2010
My Device: 8830
My Carrier: Verizon

Re: E-Mail Authentication with certificate successful solved?

ebak123: had the same issue you're having. Remove any BES10 device from the user's Exchange ActiveSync profile and try it again. EMC > Manage Mobile Phone > Remove.
