01-20-2014 05:21 AM
I've got SCEP up and running in BDS with no issues, but obviously I need to get certificate auth working in UDS now as the Exchange servers are all set to SCEP only!
Has anyone got this working in UDS yet?
01-29-2014 02:13 PM
Saw that you have been successful in configuring SCEP (certificate-based auth) for BB 10 devices under BDS.
I have been struggling for the past 2 weeks to get this set up. No luck so far.
Can you help me by giving some pointers?
1. I have setup the Exchange CAS, IIS for CBA as per the technet blogs
2. I have set up NDES on win 2k8 r2 and created a SCEP profile on BES 10
3. I can see that a cert is being issued by the CA while enrolling the device
4. However at the end of activation process it still asks for AD user name and password
Please help me head in the right direction.
Note: at the end of activation, I get a prompt that the email provider may not be trustworthy before the AD username and password prompt. I have tried to add the CA root cert to the BAS share and tried to import it to the device using the USB cable as well. Still no luck.
01-30-2014 01:43 PM - edited 01-30-2014 01:46 PM
Make sure that the cert is added to the Enterprise share.
For the Exchange setup what blog did you follow? Check in IIS on the CAS to make sure that:
1) Active Directory Client Certificate Authentication is enabled in the authentication setting at the top level.
2) Drill down to Sites->Default Web Site->Microsoft-Server-ActiveSync->SSL Settings and verify that accept or require certificates is set.
3) Drill down to Sites->Default Web Site->Microsoft-Server-ActiveSync->Configuration Editor->system.webServer->Security->authentication.
If all these are set CAS should be enabled for cert-based authentication. When the user attempts to connect IIS will log something like this (default location is: C:\inetpub\logs\LogFiles\W3SVC1) :
2014-01-29 16:34:20 10.91.33.224 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 10.91.33.235 RIM-Z10-STL100-3/10.2.1.1925 - 403 16 2148204809 1653
In this case we see a 403.16 being returned. Looking that up on microsoft's website we can see this kb:
which states that this error means: HTTP 403.16 Forbidden: Client Certificate Untrusted or Invalid.
So that error would usually be because the root certificate is untrusted on the Exchange server.
So basically if Exchange is correctly setup for cert-based auth you will want to find out what http code is being returned when the device tries to connect and troubleshoot from there.
Also make sure that the certificates you are issuing are valid for user authentication. Make sure that the Enhanced Key Usage in the cert shows Client Authentication.
02-01-2014 06:12 AM
Thanks for the reply
The blog I followed for Exchange CBA is https://blogs.technet.com/b/exchange/archive/2012/
Every time I try a device activation of a user with a SCEP profile attached, the certificate that is issued by the CA has the following under the Enhanced Key Usage:
Encryption file system
certificate request agent
ip security ike intermediate
The root cert of the CA is trusted by all Exchange servers as we use certs from the same CA for other purposes like Outlook Anywhere, OWA, etc.
However, I will try the device activation again and check the IIS logs for any HTTP codes. I wasn't sure where to look for these auth logs; thanks for that info.
I will get back to you with the progress.
02-02-2014 08:45 AM
I've successfully set up CBA with Exchange. It was tough going but I'm pretty much clued up on it now.
You need to make sure that the cert is in the WWW folder, not the enterprise one. You won't get prompted once it's in there.
With regards to the error, you need to check under the inetpub folder on the CAS. Type in 'Active' and let me know the error, it's usually a 400 or 500 related to authentication.
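The IIS log check suggested in the two replies above (find the status code returned on the Microsoft-Server-ActiveSync path and work from there) can be scripted. This is an added example, not code from the thread or from BlackBerry; it parses the W3C log format using the #Fields header, groups ActiveSync requests by status.substatus, and decodes the sc-win32-status column (the quoted line's 2148204809 is 0x800B0109, CERT_E_UNTRUSTEDROOT, which matches the "root certificate untrusted" diagnosis). The sample log is constructed: its first request line is the one quoted in the thread, the rest are made up.

```python
# Summarise IIS W3C log entries for Exchange ActiveSync (EAS) client-cert troubleshooting.
# IIS 7.x substatus meanings relevant to client-certificate auth
# (403.16 is the code quoted in the thread; the others are from the same IIS table).
SUBSTATUS = {
    (401, 2): "Logon failed due to server configuration",
    (403, 7): "Client certificate required",
    (403, 13): "Client certificate revoked",
    (403, 16): "Client certificate untrusted or invalid",
    (403, 17): "Client certificate expired or not yet valid",
}
# sc-win32-status is a Windows HRESULT; 2148204809 == 0x800B0109 == CERT_E_UNTRUSTEDROOT.
WIN32 = {0x800B0109: "CERT_E_UNTRUSTEDROOT"}

# Constructed sample: the first request line is the one quoted in the thread,
# the others are made up to show a non-EAS request and a later successful sync.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-01-29 16:34:20 10.91.33.224 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 10.91.33.235 RIM-Z10-STL100-3/10.2.1.1925 - 403 16 2148204809 1653
2014-01-29 16:35:02 10.91.33.224 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 10.91.33.235 RIM-Z10-STL100-3/10.2.1.1925 - 403 16 2148204809 1201
2014-01-29 16:36:10 10.91.33.224 GET /owa/ - 443 - 10.91.33.240 Mozilla/5.0+(Windows+NT+6.1) - 200 0 0 15
2014-01-29 16:40:55 10.91.33.224 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 10.91.33.235 RIM-Z10-STL100-3/10.2.1.1925 - 200 0 0 31
"""

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def eas_status_summary(text):
    """Group ActiveSync requests by 'status.substatus' with meaning and win32 codes."""
    summary = {}
    for rec in parse_w3c(text):
        if "/Microsoft-Server-ActiveSync" not in rec.get("cs-uri-stem", ""):
            continue  # only the EAS virtual directory matters for CBA
        status, sub = int(rec["sc-status"]), int(rec.get("sc-substatus", 0))
        win32 = int(rec.get("sc-win32-status", 0))
        entry = summary.setdefault(f"{status}.{sub}", {
            "count": 0, "win32": set(),
            "meaning": SUBSTATUS.get((status, sub), "see IIS substatus table")})
        entry["count"] += 1
        if win32:  # 0 means no underlying Windows error was recorded
            entry["win32"].add(f"0x{win32:08X} {WIN32.get(win32, '')}".strip())
    return summary
```

Point it at a real W3SVC1 log file and the 403.16 / 0x800B0109 pair tells you the CAS does not trust the issuing chain, while 403.7 means no client certificate reached IIS at all.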