07-05-2013 04:55 PM
That was a good one. Still isn't working but found that the phone was attached to a couple of different users. Had to use the shell to remove the ActiveSyncDevice as EMC gave me an error.
Still get the 403.7 errors. Verified the following:
Correct certs are on the BAS share in the proper folders. Worked with RIM on that one. Verified by using Work Browser to our owa site. First time, got cert warnings. Retrieved proper intermediate cert and now that works without warning.
Also had an issue on BES Server connecting to Autodiscover. It kept prompting for credentials. Discovered that IE settings on the BES server did not have our internal domain in Intranet zone. Got that working. One strange thing is we are getting MDS errors trying to use autodiscover.casarray_FQDN which is not correct. It seems like BES is simply prepending "autodiscover." to the server name value in the Email Profile and trying to use that (instead of obtaining the Autodiscover URL from DNS). RIM said it shouldn't really affect the authentication. (Heard that one before).
As far as cert templates,
Verified except that the Root cert is not present here, just the issuing CA's cert is present (Intermediate).
Another thing I noticed on our Exchange servers is that the Root CA cert is not located within the Intermediate Certificate Authority\Certificate area (using certmgr). It is present in that location on the BES Server for some reason. Note, the root cert is located within the Trusted Root Certificate Authority\Certificates area on both Exchange and BES.
As far as EAS using CBA, I have verified the correct settings are there in IIS.
This is driving me nuts. It is probably one thing that I'm missing.
07-05-2013 05:43 PM
Just tried that and still no go.
Also added Allow Blackberry DeviceType to EAS Policy.
Gonna try bypassing the F5 CASArray and connect directly to the Exchange server in the Email Profile.
07-05-2013 06:24 PM
Well, it's finally working. Had to bypass our HLB CASArray which was re-encrypting the SSL on the server vLAN. Thanks for all responses. This site has some awesome contributors.
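Added example, not part of any poster's reply and not BlackBerry or Microsoft tooling: a triage script for the 403.7 symptom resolved above. It counts IIS client-certificate 403 sub-statuses on the ActiveSync virtual directory per source IP; if every 403.7 comes from the load balancer's address, the TLS session carrying the device certificate is ending in front of Exchange. The log lines, IP addresses and user agent are constructed samples, and the function name is hypothetical.

```python
from collections import Counter

# IIS sub-status codes for client-certificate failures under HTTP 403.
CERT_SUBSTATUS = {
    "7": "client certificate required",
    "16": "client certificate untrusted or invalid",
    "17": "client certificate expired or not yet valid",
}

# Constructed sample in IIS W3C extended format (not taken from the thread).
# 10.0.0.5 stands in for the load balancer, 192.168.50.x for direct clients.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-07-05 21:10:01 OPTIONS /Microsoft-Server-ActiveSync 10.0.0.5 ExampleEAS/1.0 403 7 64
2013-07-05 21:10:09 POST /Microsoft-Server-ActiveSync 10.0.0.5 ExampleEAS/1.0 403 7 64
2013-07-05 21:11:30 POST /Microsoft-Server-ActiveSync 10.0.0.5 ExampleEAS/1.0 403 7 64
2013-07-05 21:12:02 GET /owa/ 10.0.0.5 Mozilla/5.0 200 0 0
2013-07-05 21:15:44 POST /Microsoft-Server-ActiveSync 192.168.50.77 ExampleEAS/1.0 200 0 0
2013-07-05 21:16:10 POST /Microsoft-Server-ActiveSync 192.168.50.80 ExampleEAS/1.0 403 16 0
"""

def cert_failures_by_client(lines, path="/Microsoft-Server-ActiveSync"):
    """Return Counter keyed by (c-ip, sub-status) for cert-related 403s on path."""
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column order comes from the log itself and can change mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != path.lower():
            continue
        sub = row.get("sc-substatus")
        if row.get("sc-status") == "403" and sub in CERT_SUBSTATUS:
            hits[(row.get("c-ip"), sub)] += 1
    return hits

if __name__ == "__main__":
    for (ip, sub), n in cert_failures_by_client(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}: {n} x 403.{sub} ({CERT_SUBSTATUS[sub]})")
```
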
07-06-2013 07:30 PM
I had my enterprise CA role and NDES role installed on different Windows 2008 R2 servers, and email CBA was working fine until sometime last month, when I could not activate new devices anymore. I got the Certificate Authority Profile error during device activation. There was an event ID 31 recorded in the application log for each failed activation attempt on my NDES/SCEP server. By searching this event ID, I came across Microsoft KB 2633200 and KB 2799925. Installing the hotfix resolved my issue. Hope this can help someone with a similar issue and configuration.
07-08-2013 02:48 PM
Ensure that the Z10 or Q10 device OS is at least 10.1.x.xxxx. We had some devices with 10.0.1.xxxx OS and they weren't able to get a SCEP cert until we updated the device OS to 10.1.
07-18-2013 08:46 AM
Can anybody who successfully configured certificate-based authentication try to send a message with an attachment?
I am unable to send messages with attachments when using certificate-based authentication.
When I send a message with an attachment, I immediately get a "no through" sign status.
Receiving messages with attachment is possible.
I am not sure if this is a BES or Exchange issue. I could not find any error in the logs.
We are running BES 10.1.1 and Exchange 2010 SP1.
When I configure an email profile using no SCEP (certificate-based authentication), then sending with an attachment is possible.
07-18-2013 08:54 AM
Just have a look at this post. I was having the same issue, but I could fix it with this help: