Welcome to the official BlackBerry Support Community Forums.

BlackBerry® Enterprise Service 10
Contributor
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: E-Mail Authentication with certificate successful solved?

@Hape / BB-SH,

Increasing the uploadReadAheadSize value is less than ideal - from my earlier post in this thread:

jacobl wrote:

To avoid issues with sending email over 47KB you need to either a) increase the "uploadReadAheadSize" value in the IIS config for the ActiveSync web application to whatever your max email size should be, or b) re-bind your SSL cert to the ActiveSync IP using netsh with "Negotiate Client Certificate = Enabled". The latter is the best option as it avoids expensive renegotiation entirely and limits the ability to DoS your CAS endpoint with renegotiation traffic. Bear in mind this binding is done at an IP level - so if you're using the default config for EAS your ActiveSync IP is likely shared with your OWA/EWS binding and you'd be forcing those services to also require CBA. If this isn't suitable create a new ActiveSync website with a different IP and do the re-binding just on that.

By doing a) you open your CAS endpoint up to potential DoS and the performance cost of establishing each new HTTPS session increases due to renegotiation being required each time a client connects.

Regards,

Jacob

Trusted Contributor
Posts: 146
Registered: ‎08-18-2010
My Device: Z10
My Carrier: Vodafone.de

Re: E-Mail Authentication with certificate successful solved?

Hi jacobl,

thanks a lot for that. I am trying to find out in what situation DoS could happen in our environment using BB.

We have about 300 users and as far as I understood you, to be a DoS victim, in our case all of our 300 users must send 10MB messages at the same time. Is this correct?

I am not deeply familiar with certificates and IIS. Are there any whitepapers on how to create a new website and assign a new IP? Because we are using the default site with OWA/EWS and EAS.

Regards,

hape

Contributor
Posts: 38
Registered: ‎04-21-2011
My Device: BES 5.x

Re: E-Mail Authentication with certificate successful solved?

Hi Hape,

The DoS scenario is possible anytime - the uploadReadAheadSize parameter controls how much data from a client request IIS will buffer before handing it off to the web app running the website (the EAS ISAPI filter in this case). By increasing this you give potentially malicious clients the ability to consume more of your CAS server resources with their requests before the web app starts to validate them (and potentially reject them, etc.). It won't make DoS any more likely but lowers the bar for how many clients/how much data would be required should someone start smashing your CAS servers with traffic.

You'd have to raise this value as high as your max email size which is probably 10MB in most places - that's a lot of potential HTTP data sitting unvalidated in your CAS server memory when multiplied by your possible number of clients.

If your CAS servers are only exposed internally then the likelihood of malicious attack is probably fairly low (hopefully :) ), but better to close off this vector as much as possible.

The main reason though I'd not do this is the renegotiation - when you set an IIS site to Require Client Certificates (and haven't re-bound your SSL cert to the server IP with Negotiate Client Certificate = Enabled) the server initiates renegotiation of the SSL session after the client first tries to connect, even if the client already presented a client cert on the initial request. This has two problems: a) there's the performance cost of another HTTP roundtrip and b) allowing client renegotiation is generally a bad idea from a security perspective due to a number of flaws in TLS/SSL that can be exploited by renegotiation (e.g. http://technet.microsoft.com/en-us/security/bulletin/MS10-049).

The solution is to make IIS accept a client cert on the initial client request - the BES server when configured for ActiveSync using CBA will be presenting the users' client certs to your CAS server on each request anyway, so no need for SSL renegotiation.

In IIS6 you could do this (force the "always negotiate client cert" setting) in the IIS metabase using adsutil.vbs (http://stackoverflow.com/questions/2518314/make-iis-require-ssl-client-certificate-during-initial-ha...) but in IIS7, since HTTP requests are handled by a kernel-mode driver (http.sys), you need to make this change on the network stack using netsh.

This is a good discussion on the SSL handshake:

http://stackoverflow.com/questions/6131458/403-7-iis-7-5-ssl-client-certificate-authentication-issue

Actually changing the stack to rebind the cert with "always negotiate client cert" is fairly simple - look at the post here, about halfway down the page, from "jmarckel": https://discussions.apple.com/thread/2409942?start=30&tstart=0

In your case, set up a new IIS website on your CAS servers and configure it as an EAS site, with a different IP than your main OWA/EWS/etc. sites (since you don't want those forced to use client certs). Then rebind the cert to the new site's IP (netsh delete/add) with the clientcertnegotiation=enable property set.

Good luck!

Regards,

Jacob

http://security.stackexchange.com/questions/4039/ssl-handshake-failure-modes
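The netsh re-binding described in the post above, written out as an added example; this is not code from the thread, from BlackBerry or from Microsoft. The site name, IP:port, thumbprint and appid are placeholders you replace with your own (take the appid from the `netsh http show sslcert` output of your existing binding), and the script refuses to proceed if another IIS site still shares the address, since that site would otherwise be forced to client-certificate authentication too:

```powershell
# Added example, not from the thread: give the ActiveSync site its own IP and re-bind
# its certificate with clientcertnegotiation=enable, so http.sys requests the client
# certificate in the initial TLS handshake instead of renegotiating after the first
# request. Run in an elevated PowerShell on the CAS server (IIS 7.x, http.sys).
# Every value below is a placeholder (an assumption), not a value from this thread.
Import-Module WebAdministration

$EasSiteName = 'EAS'                                        # the separate ActiveSync site (assumed name)
$EasIpPort   = '192.0.2.10:443'                             # its dedicated IP:port (RFC 5737 documentation address)
$CertHash    = '0000000000000000000000000000000000000000'   # server cert thumbprint: 40 hex digits, no spaces
$AppId       = '{00000000-0000-0000-0000-000000000000}'     # copy the appid shown by 'netsh http show sslcert' for the current binding

# http.sys SSL bindings are per IP:port, so any other site on this address (OWA/EWS on the
# default site) would also be forced to client-certificate auth. Stop if that is the case.
function Get-SitesSharingIpPort {
    param([string]$IpPort)
    foreach ($site in Get-Website) {
        foreach ($b in $site.bindings.Collection) {
            if ($b.protocol -eq 'https' -and $b.bindingInformation -like "$IpPort*") { $site.Name }
        }
    }
}
$others = @(Get-SitesSharingIpPort -IpPort $EasIpPort) | Where-Object { $_ -ne $EasSiteName }
if ($others) {
    throw "Sites $($others -join ', ') also listen on $EasIpPort; move them to another IP before re-binding."
}

# Show the current binding, then delete it and re-add it with client-cert negotiation enabled.
netsh http show sslcert "ipport=$EasIpPort"
netsh http delete sslcert "ipport=$EasIpPort"
netsh http add sslcert "ipport=$EasIpPort" "certhash=$CertHash" "appid=$AppId" clientcertnegotiation=enable
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $EasIpPort (check certhash and appid)." }

# Verify: the binding must now report "Negotiate Client Certificate : Enabled".
$state = netsh http show sslcert "ipport=$EasIpPort"
if (-not ($state | Select-String -Pattern 'Negotiate Client Certificate\s*:\s*Enabled')) {
    throw "Re-binding of $EasIpPort did not enable client certificate negotiation."
}

# With negotiation on the initial handshake there is no reason to raise uploadReadAheadSize.
# Confirm the EAS application is still at the IIS default of 49152 bytes (the ~47KB the thread mentions)
# rather than a value sized to the maximum message size.
& "$env:windir\system32\inetsrv\appcmd.exe" list config "$EasSiteName/Microsoft-Server-ActiveSync" -section:system.webServer/serverRuntime
```

The delete/add pair is the only way to change the negotiation flag on an existing http.sys binding, so there is a brief window with no SSL binding on that IP:port; run it in a maintenance window or before the new EAS site takes production traffic.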

Trusted Contributor
Posts: 146
Registered: ‎08-18-2010
My Device: Z10
My Carrier: Vodafone.de

Re: E-Mail Authentication with certificate successful solved?

Hi jacobl,

thank you very much for this very detailed information/instruction. Our CAS servers are only exposed internally so the risk of DoS should be low. But you are right, each potential vector is a risk so we should do our best. I will discuss with my Exchange team and let them decide how to proceed.

Thank you again.

Regards,

hape

New Contributor
Posts: 8
Registered: ‎04-10-2013
My Device: Z10
My Carrier: LuxGSM

Re: E-Mail Authentication with certificate successful solved?

Hi guys,

When deploying the SCEP profile to a user, I found this in the EMWS logs:

"Message: Failed to encode unicode string ‎387a7c5e640a2415zb6b4f344f1291e2beb5f379 from ascii to ascii: 'ascii' codec can't encode character '\u200e' in position 0: ordinal not in range(128)"

where "387a7c5e640a2415zb6b4f344f1291e2beb5f379" is the thumbprint of my root certificate.

Any idea?

Regards.
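The log line above says the thumbprint string begins with U+200E, the invisible left-to-right mark that is typically picked up when a thumbprint is copied out of the Windows certificate details dialog. An added PowerShell check, not code from the thread or from BlackBerry, that surfaces such hidden characters in a pasted value and returns the clean 40-hex-digit form; the sample thumbprint is constructed and names no real certificate:

```powershell
# Added example, not from the thread: find hidden characters in a pasted thumbprint
# (the U+200E left-to-right mark from the log line above is the usual one) and return
# the clean hexadecimal value. Works in Windows PowerShell 5.1 and PowerShell 7.
function Test-Thumbprint {
    param([Parameter(Mandatory = $true)][string]$Value)

    # Collect every non-ASCII or control character with its code point, e.g. "U+200E".
    $hidden = @(foreach ($ch in $Value.ToCharArray()) {
        $code = [int]$ch
        if ($code -gt 127 -or [char]::IsControl($ch)) { 'U+{0:X4}' -f $code }
    })

    # Keep only hex digits: drops the mark, the spaces the dialog puts between bytes, and any stray byte.
    $clean = ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    [pscustomobject]@{
        Input        = $Value
        Hidden       = $hidden
        Clean        = $clean
        UsableAsIs   = ($hidden.Count -eq 0 -and $Value -match '^[0-9A-Fa-f]{40}$')
        CleanIsValid = ($clean.Length -eq 40)   # a SHA-1 thumbprint is 20 bytes = 40 hex digits
    }
}

# Constructed sample: a placeholder thumbprint pasted with a leading U+200E and the spaces
# the certificate dialog shows between bytes. It is not the thumbprint from the thread.
$pasted = [string][char]0x200E + '01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67'
$check  = Test-Thumbprint -Value $pasted
$check | Format-List   # Hidden lists U+200E, UsableAsIs is False, Clean is the 40-digit value to enter in the profile

# Optional: confirm the cleaned value really names a certificate in the machine's trusted root store.
$match = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $check.Clean }
if (-not $match) { Write-Warning "No root certificate with thumbprint $($check.Clean) in Cert:\LocalMachine\Root" }
```

Because the mark is invisible in most text fields, a value that looks right on screen can still fail exactly as the EMWS log shows; checking `Hidden` before pasting a thumbprint into a SCEP profile (or into a `netsh ... certhash=` argument) catches it.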

Trusted Contributor
Posts: 185
Registered: ‎07-31-2008
My Device: RIM Z10
My Carrier: PLUS (Poland)

Re: E-Mail Authentication with certificate successful solved?

Hi. I set up BB10.1.3 and SCEP and ActiveSync, but when I check on the ActiveSync server that certificate is required and disable basic authentication, my BB asks me to provide a password. So is it possible to repair this? I can activate my device without a password and after that it prompts me to provide a password.
He who does nothing makes no mistakes.
Włodzimierz Lenin

BES 5.0.4, BES 10.2
Visitor
Posts: 1
Registered: ‎01-17-2014
My Device: bold 9900
My Carrier: bell mobility

Re: E-Mail Authentication with certificate successful solved?

schlauby wrote:

Hi,

I've a 2007 Exchange on a 2003 Server & BES10.1.

I did all steps in this thread. I can activate a Z10 device until the point when the device saves the E-Mail settings.

After that a message comes up which means: "your account name@domain.com can't authenticate by service provider. check your account settings"

After you confirm this message with "OK", you see the account settings with the notice "not connected - password required". When you enter the password, then it works.

I can see a certificate is issued properly for this user.

In the EMWS BES log there is just one error:

" [ERROR] (06/26 16:01:30:755):{http-38084-exec-3} MWSHandler:{BlackBerry/10.1.0.2354 EMA/10.1.0.2354 IMEI/xxxxxxxxxxxxx PIN/xxxxxxxxxxx}:Certificate attribute of request is null" (not sure if this is a problem)

It looks to me that I have a problem somewhere in Exchange. But I don't know where.

Some of your how-tos refer to IIS 7.x, but I have IIS 6.

Does anybody have an idea?

Thanks

@schlauby;
Did you ever get your CBA working on IIS6?
Thanks.

New Contributor
Posts: 3
Registered: ‎04-16-2013
My Device: Z10
My Carrier: T-Mobile

Re: E-Mail Authentication with certificate successful solved?

Unfortunately not.

Greetings

New Contributor
Posts: 6
Registered: ‎07-15-2014
My Device: Z10
My Carrier: Bell

Re: E-Mail Authentication with certificate successful solved?

I was tasked with implementing SCEP in our organization and, having found hardly any documentation and after a few calls to BB tech support, this post seems to have the most details on setting up SCEP.

We have about 10 Apple iPhones and iPads on UDS plus a mix of 9xxx and Z10 and Z30 phones on BES5 and BES10.

We are using the Secure Work Space on the iOS devices to connect them to our Exchange; according to this article:

SCEP on iOS

it's not possible to use SCEP with Secure Work Space, which means that on our main CAS that handles ActiveSync we can't turn on 'Require client certificates' on the authentication of ActiveSync, because that would disconnect all our iOS devices.

My question is: has anyone been able to use SCEP for the BDS, i.e. the Z10 & Z30s, while at the same time supporting the iOS devices?

I tried 'accept client certificates' but it stops communication with the BlackBerry devices with the following error:

Your account user@domain.com cannot be authenticated with your service provider. Please make sure that the account settings are correct.

I can't really find any other logs that give more details on what the error could be, but in one post I saw, the person said that it was an all-or-nothing situation, i.e. either everything is on certificates or username/password.

Granted, I haven't set the clientCertificateMappingAuthentication setting to true on the activedirectory virtual directory on the CAS IIS, but as I said, if I do that I think I will disconnect all the iOS devices.

If anyone has been down this road I would love any input you can provide.

thanks


Regular Contributor
Posts: 53
Registered: ‎05-22-2013
My Device: Blackberry Z10
My Carrier: EE

Re: E-Mail Authentication with certificate successful solved?

Hi

Yes, we built another CAS server allowing basic authentication. That's the only way until the bug with SCEP in Secure Work Space is fixed...

Chas