
BlackBerry® Enterprise Service 10

Regular Contributor
Posts: 53
Registered: ‎05-22-2013
My Device: Blackberry Z10
My Carrier: EE
I've got SCEP up and running in BDS with no issues, but obviously I need to get certificate auth working in UDS now as the Exchange servers are all set to SCEP only!


Has anyone got this working in UDS yet?


Posts: 11
Registered: ‎01-29-2014
My Device: Q10
My Carrier: Etisalat


Saw that you have been successful in configuring SCEP (Certificate based auth) for BB 10 devices under BDS.


I have been struggling for the past 2 weeks to get this set up. No luck so far.


Can you help me by giving some pointers?


1. I have setup the Exchange CAS, IIS for CBA as per the technet blogs

2. I have set up NDES on win 2k8 r2 and created a SCEP profile on BES 10

3. I can see that a cert is being issued by the CA while enrolling the device

4. However at the end of activation process it still asks for AD user name and password


Please help me head in the right direction.


Note: at the end of activation, I get a prompt that the email provider may not be trustworthy before the AD username and password prompt. I have tried to add the CA root cert to the BAS share and tried to import it to the device using the USB cable as well. Still no luck.


Help please

BlackBerry Employee
Posts: 750
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers



Make sure that the cert is added to the Enterprise share.


For the Exchange setup what blog did you follow?  Check in IIS on the CAS to make sure that:


1) Active Directory Client Certificate Authentication is enabled in the authentication settings at the top level.

2) Drill down to Sites->Default Web Site->Microsoft-Server-ActiveSync->SSL Settings and verify that accept or require certificates is set.

3) Drill down to Sites->Default Web Site->Microsoft-Server-ActiveSync->Configuration Editor->system.webServer->Security->authentication->clientCertificateMappingAuthentication and verify this is set to true.


If all these are set CAS should be enabled for cert-based authentication.  When the user attempts to connect IIS will log something like this (default location is: C:\inetpub\logs\LogFiles\W3SVC1) :


2014-01-29 16:34:20 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - RIM-Z10-STL100-3/ - 403 16 2148204809 1653

In this case we see a 403.16 being returned.  Looking that up on Microsoft's website we can see this KB:

which states that this error means:  HTTP 403.16 Forbidden: Client Certificate Untrusted or Invalid.


So that error would usually be because the root certificate is untrusted on the Exchange server.


So basically if Exchange is correctly setup for cert-based auth you will want to find out what http code is being returned when the device tries to connect and troubleshoot from there.


Also make sure that the certificates you are issuing are valid for user authentication.  Make sure that the Enhanced Key Usage in the cert shows Client Authentication.

Posts: 11
Registered: ‎01-29-2014
My Device: Q10
My Carrier: Etisalat


Thanks for the reply


The blog i followed for Exchange CBA is https://blogs.technet.com/b/exchange/archive/2012/11/28/configure-certificate-based-authentication-f...


Every time I try a device activation of a user with a SCEP profile attached, the certificate that is issued by the CA has the following under the enhanced key usage:


Encryption file system

client authentication

certificate request agent

secure email

ip security ike intermediate


The root cert of the CA is trusted by all Exchange servers as we use certs from the same CA for other purposes like Outlook Anywhere, OWA, etc.


However, I will try the device activation again and check the IIS logs and look for any HTTP codes. I wasn't sure about where to look for these auth logs. Thanks for that info.


I will get back to you with the progress.


Many thanks

Super Contributor
Posts: 278
Registered: ‎04-01-2008
My Device: Z30


I've successfully set up CBA with Exchange. It was tough going but I'm pretty much clued up on it now.


You need to make sure that the cert is in the WWW folder, not the enterprise one. You won't get prompted once it's in there.


With regards to the error, you need to check under the inetpub folder on the CAS. Type in 'Active' and let me know the error, it's usually a 400 or 500 related to authentication.

Don't forget to hit like if I resolved your issue!
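As an added example (not code from anyone in this thread), here is a PowerShell snippet for the log check described in the BlackBerry employee's reply and in the post above: it reads a W3C-format IIS log from the CAS, keeps only the Microsoft-Server-ActiveSync requests that failed, and explains the 403 substatus values that relate to client certificates. The log content and IP addresses in it are constructed, modelled on the 403.16 line quoted earlier; the substatus meanings other than 403.16 are IIS's documented client-certificate codes, not taken from this thread.

```powershell
# Constructed sample log, modelled on the 403.16 line quoted in the thread.
# On a real CAS, replace this with: Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex140129.log'
$IisLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-01-29 16:34:20 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 192.0.2.10 RIM-Z10-STL100-3/ 403 16 2148204809 1653
2014-01-29 16:35:02 OPTIONS /Microsoft-Server-ActiveSync/default.eas - 443 - 192.0.2.11 RIM-Q10-SQN100-3/ 403 7 0 12
2014-01-29 16:36:45 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync 443 CONTOSO\jdoe 192.0.2.12 RIM-Z10-STL100-3/ 200 0 0 98
2014-01-29 16:37:10 GET /owa/ - 443 - 192.0.2.13 Mozilla/5.0 200 0 0 40
'@

# IIS 403.x substatus codes that point at a client-certificate problem.
$ClientCertSubstatus = @{
    7  = 'Client certificate required (device sent no certificate)'
    12 = 'Mapper denied access (certificate not mapped to an AD account)'
    13 = 'Client certificate revoked'
    16 = 'Client certificate untrusted or invalid (check the CA root/chain on the CAS)'
    17 = 'Client certificate has expired or is not yet valid'
}

function Get-EasAuthFailures {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: header tells us the column order; do not hard-code it.
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        # Only ActiveSync traffic matters for the device activation problem.
        if ($entry['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*') { continue }
        $status = [int]$entry['sc-status']
        $sub    = [int]$entry['sc-substatus']
        if ($status -lt 400) { continue }
        $meaning = 'See the IIS status code reference'
        if ($status -eq 403 -and $ClientCertSubstatus.ContainsKey($sub)) { $meaning = $ClientCertSubstatus[$sub] }
        [pscustomobject]@{
            Time      = "$($entry['date']) $($entry['time'])"
            Client    = $entry['c-ip']
            UserAgent = $entry['cs(User-Agent)']
            Status    = "$status.$sub"
            Meaning   = $meaning
        }
    }
}

Get-EasAuthFailures -Lines ($IisLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample above this lists the 403.16 and 403.7 OPTIONS requests from the BlackBerry user agents and ignores the successful Sync and the OWA hit.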