
BlackBerry® Enterprise Service 10

Contributor
chasdrury
Posts: 43
Registered: 05-22-2013
My Device: Blackberry Z10

SCEP in UDS

Hi

I've got SCEP up and running in BDS with no issues, but obviously I need to get certificate auth working in UDS now as the Exchange servers are all set to SCEP only!

Has anyone got this working in UDS yet?

Chas

Contributor
Sidjustice
Posts: 11
Registered: 01-29-2014
My Device: Q10

Re: SCEP in UDS

Saw that you have been successful in configuring SCEP (certificate-based auth) for BB 10 devices under BDS.

I have been struggling for the past 2 weeks to get this set up. No luck so far.

Can you help me by giving some pointers?

1. I have set up the Exchange CAS and IIS for CBA as per the TechNet blogs

2. I have set up NDES on Win 2k8 R2 and created a SCEP profile on BES 10

3. I can see that a cert is being issued by the CA while enrolling the device

4. However, at the end of the activation process it still asks for the AD user name and password

Please help me head in the right direction.

Note: at the end of activation, I get a prompt that the email provider may not be trustworthy before the AD username and password prompt. I have tried to add the CA root cert to the BAS share and tried to import it to the device using the USB cable as well. Still no luck.

Help please

Enterprise SME
-BD-
Posts: 525
Registered: 05-15-2008
My Device: Z10

Re: SCEP in UDS

[ Edited ]

Make sure that the cert is added to the Enterprise share.

For the Exchange setup, what blog did you follow?  Check in IIS on the CAS to make sure that:

1) Active Directory Client Certificate Authentication is enabled in the authentication settings at the top level

2) Drill down to Sites->Default Web Site->Microsoft-Server-ActiveSync->SSL Settings and verify that accept or require certificates is set.

3) Drill down to Sites->Default Web Site->Microsoft-Server-ActiveSync->Configuration Editor->system.webServer->Security->authentication->clientCertificateMappingAuthentication and verify this is set to true.

If all these are set, CAS should be enabled for cert-based authentication.  When the user attempts to connect, IIS will log something like this (default location is: C:\inetpub\logs\LogFiles\W3SVC1):


2014-01-29 16:34:20 10.91.33.224 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 10.91.33.235 RIM-Z10-STL100-3/10.2.1.1925 - 403 16 2148204809 1653

In this case we see a 403.16 being returned.  Looking that up on Microsoft's website we can see this KB:

http://support.microsoft.com/kb/252657

which states that this error means:  HTTP 403.16 Forbidden: Client Certificate Untrusted or Invalid.

So that error would usually be because the root certificate is untrusted on the Exchange server.

So basically, if Exchange is correctly set up for cert-based auth, you will want to find out what HTTP code is being returned when the device tries to connect and troubleshoot from there.

*edit*

Also make sure that the certificates you are issuing are valid for user authentication.  Make sure that the Enhanced Key Usage in the cert shows Client Authentication.
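The post above boils down to "find the status.substatus IIS returned for the device's ActiveSync request and look it up". The script below is an added example, not code from the thread or from BlackBerry: it parses lines in the IIS W3C format quoted above, keeps only /Microsoft-Server-ActiveSync requests, counts them by status and substatus, and labels the client-certificate-related 403 substatus codes (403.16 is the one from the thread; the other three are the standard IIS client-certificate codes). The sample log is constructed: the first line is the one quoted above, the rest are invented to show a cert-required failure, a success and an unrelated OWA request.

```python
"""Summarise IIS W3C log entries for ActiveSync requests by status.substatus.

Added example (not from the forum thread): filter an IIS log for
/Microsoft-Server-ActiveSync requests, count them by "status.substatus",
and attach the IIS meaning of the client-certificate 403 substatus codes
so that a 403.16 (client certificate untrusted or invalid) stands out.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Field layout of the default IIS W3C log line as shown in the thread.
# The #Fields: header of the real log file defines this order; adjust the
# list if your site logs a different set of fields.
FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# IIS 403 substatus codes that relate to client-certificate authentication.
# 403.16 is the one quoted in the thread; the others are the standard IIS
# client-certificate substatus codes.
CLIENT_CERT_SUBSTATUS = {
    (403, 7): "Client certificate required",
    (403, 13): "Client certificate revoked",
    (403, 16): "Client certificate untrusted or invalid",
    (403, 17): "Client certificate has expired or is not yet valid",
}

# Constructed sample log: first data line is the one quoted in the thread,
# the remaining lines are invented for illustration.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-01-29 16:34:20 10.91.33.224 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 10.91.33.235 RIM-Z10-STL100-3/10.2.1.1925 - 403 16 2148204809 1653
2014-01-29 16:35:02 10.91.33.224 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync 443 - 10.91.33.236 RIM-Q10-SQN100-1/10.2.1.1925 - 403 7 0 12
2014-01-29 16:36:10 10.91.33.224 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync 443 CORP\\jsmith 10.91.33.237 RIM-Z30-STA100-2/10.2.1.1925 - 200 0 0 250
2014-01-29 16:36:11 10.91.33.224 GET /owa/ - 443 - 10.91.33.50 Mozilla/5.0 - 200 0 0 31
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one W3C log line into a field->value dict; comments/blank lines give {}."""
    if not line.strip() or line.startswith("#"):
        return {}
    parts = line.split()
    if len(parts) != len(FIELDS):
        # Field count mismatch: the site logs a different field set.
        return {}
    return dict(zip(FIELDS, parts))


def activesync_status_summary(log_text: str) -> Dict[Tuple[int, int], int]:
    """Count ActiveSync requests by (sc-status, sc-substatus)."""
    counts: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        if not rec["cs-uri-stem"].lower().startswith("/microsoft-server-activesync"):
            continue
        counts[(int(rec["sc-status"]), int(rec["sc-substatus"]))] += 1
    return dict(counts)


def explain(status: int, substatus: int) -> str:
    """Meaning of a status pair if it is a known client-certificate code."""
    return CLIENT_CERT_SUBSTATUS.get(
        (status, substatus), "see the IIS status code documentation for this code"
    )


def report(log_text: str) -> List[str]:
    """One line per distinct status.substatus, most frequent first."""
    summary = activesync_status_summary(log_text)
    return [
        f"{status}.{sub}: {n} request(s) - {explain(status, sub)}"
        for (status, sub), n in sorted(summary.items(), key=lambda kv: -kv[1])
    ]


if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```

Run it against a real file with `report(open(path).read())` after checking that the file's `#Fields:` header matches `FIELDS`; a 403.7 means IIS never received a client certificate at all (the device did not present one), while a 403.16 means it got one but could not chain it to a trusted root, which points at the Exchange server's trust store rather than the SCEP profile.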

Contributor
Sidjustice
Posts: 11
Registered: 01-29-2014
My Device: Q10

Re: SCEP in UDS

Thanks for the reply

The blog I followed for Exchange CBA is https://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-f...

Every time I try a device activation of a user with a SCEP profile attached, the certificate that is issued by the CA has the following under the Enhanced Key Usage:

Encrypting File System

Client Authentication

Certificate Request Agent

Secure Email

IP security IKE intermediate

The root cert of the CA is trusted by all Exchange servers as we use certs from the same CA for other purposes like Outlook Anywhere, OWA, etc.

However, I will try the device activation again and check the IIS logs and look for any HTTP codes. I wasn't sure about where to look for these auth logs. Thanks for that info.

I will get back to you with the progress.

Many thanks

Super Contributor
fermanagh
Posts: 278
Registered: 04-01-2008
My Device: Z30

Re: SCEP in UDS

Hi,

I've successfully set up CBA with Exchange. It was tough going but I'm pretty much clued up on it now.

You need to make sure that the cert is in the WWW folder, not the Enterprise one. You won't get prompted once it's in there.

With regards to the error, you need to check under the inetpub folder on the CAS. Type in 'Active' and let me know the error; it's usually a 400 or 500 related to authentication.

Don't forget to hit like if I resolved your issue! :smileyhappy: