New Contributor
Posts: 6
Registered: ‎11-29-2013
My Device: z10
My Carrier: rogers
Accepted Solution

SCEP sometimes not getting the right UPN (userPrincipalName)

I have been working to add certificates to our BlackBerries using an MS 2008 R2 NDES server to deploy the certificates to each handset. I was successful with setting up the service, and now our BlackBerries are receiving certs that they can use to access the internal wireless network where I work, for the most part.

The issue I am having is that sometimes the cert will have the UPN listed in AD and sometimes it will have the mail address. It is causing an issue with authentication because our UPN is:

<firstinitial><lastname>@<corporate name>.<company name>.<country>

jblow@inside.company.com

While the mail address is:

<firstname>.<lastname>@<companyname>.<country>

joe.blow@company.com

I have opened adsiedit and looked at the UPN for users that only get the mail address, and their UPNs are correct in AD. I also checked, and in the Microsoft Active Directory integration section of the BES 10 console, under attribute mappings, "UPN for SCEP" is mapped to the external attribute "userPrincipalName". Has anyone seen this before or know how to fix this? I can provide more details.

BlackBerry Employee
Posts: 750
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: SCEP sometimes not getting the right UPN (userPrincipalName)

What version of device code are the users running when they get the mail address? This was an issue in pre-10.1 device code.

New Contributor
Posts: 6
Registered: ‎11-29-2013
My Device: z10
My Carrier: rogers

Re: SCEP sometimes not getting the right UPN (userPrincipalName)

To make sure I understand your reference to device code, do you mean the version of the BlackBerry handset OS? If so, the user I am focusing on now has version 10.2.0.1803 according to the BES 10 console. In Programs and Features on the BES it has Blackberry Enterprise Service 10 listed as version 10.1.0 (bundle 73).

BlackBerry Employee
Posts: 750
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: SCEP sometimes not getting the right UPN (userPrincipalName)

Yes, I did mean the device code. However, both the server and device needed to be at 10.1 for UPN!=SMTP to work correctly.

It sounds like you meet this criteria. What does the EMWS log show for this user when they enrol? Look for the log line like this example:

EMA/10.x.x.xxxx IMEI/xxxxxxxxxxxxxxxxx PIN/xxxxxxxxxxx PerimeterId/5ca96c14-3b17-4fee-ab93-0763d7214bd9.Joe User.16}:SubjectDN = CN=Joe User,OU=Users,DC=RIM,DC=NET, Email=joe@rim.net, UPN=joeuser@rim.net

This is what is being used for the CSR request.

Also, just as an FYI, on the server version you are using you can't have commas in the user's common name. KB34317

BlackBerry Employee
Posts: 750
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: SCEP sometimes not getting the right UPN (userPrincipalName)

Also if this is different from what you see in AD then you can try synchronizing the user in BAS.  Go to Manage Users-><affected user> and under Status select Synchronize User.  This will refresh the user's information from AD.

New Contributor
Posts: 6
Registered: ‎11-29-2013
My Device: z10
My Carrier: rogers

Re: SCEP sometimes not getting the right UPN (userPrincipalName)

I have tried the Synchronize User button earlier on the user I am working with and it did not seem to make a difference. Is there a time period I should be waiting after I hit synch before adding the profile back to my user?

I am setting up the debug traces and trying to get a cert. request to happen before the end of the day. I will post back when I get results. I am also going to be opening an official ticket with BB support on Monday if I can't get this one solved by then.

New Contributor
Posts: 6
Registered: ‎11-29-2013
My Device: z10
My Carrier: rogers

Re: SCEP sometimes not getting the right UPN (userPrincipalName)

[DEBUG] (11/29 11:52:58:843):{http-8444-exec-103} ScepEngine:{BlackBerry/10.2.0.1803 EMA/10.2.0.1803 IMEI/xxxxxxxxxxxxx PIN/xxxxxxxx PerimeterId/6abaf3ae-d85a-47a3-b48a-5b4d2dca7c7f.Doxxxxx Cosexxxxx.95}: SubjectDN = CN=Doxxxxx Cosexxxxx, OU=Accounts,OU=xxxxx,OU=xxxxx,OU=Offices,DC=xxxxx,DC=xxxxxx,DC=ca, Email=doxxxxx.cosxxxxx@xxxxxxx.ca, UPN=null

Using adsiedit I can see the proper UPN in the user's userPrincipalName attribute, Doxxxxx.Cosexxxxx@xxxxxx.xxxxxx.ca
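The log check discussed above, as an added example that is not part of the original thread: it parses ScepEngine SubjectDN lines and flags enrolments whose UPN is null or does not end in the expected UPN suffix. The sample lines, the example.test domains and all function names are constructed for illustration.

```python
import re

# Tail of a ScepEngine DEBUG line: {device context}: SubjectDN = ..., Email=..., UPN=...
# The DN contains commas, so Email= and UPN= are anchored at the end of the line.
SCEP_LINE = re.compile(
    r"\{(?P<ctx>[^{}]*PerimeterId/[^{}]*)\}:\s*SubjectDN = (?P<dn>.*?),"
    r"\s*Email=(?P<email>[^,\s]*),\s*UPN=(?P<upn>\S*)\s*$"
)

def check_scep_line(line, upn_suffix):
    """Parse one log line; return None if it is not a SubjectDN line."""
    m = SCEP_LINE.search(line)
    if m is None:
        return None
    ema = re.search(r"EMA/(\S+)", m["ctx"])
    upn = m["upn"]
    if upn in ("", "null"):
        status = "upn_missing"        # log shows UPN=null, as in the thread
    elif not upn.lower().endswith("@" + upn_suffix.lower()):
        status = "upn_wrong_suffix"   # e.g. the mail address in the UPN slot
    else:
        status = "ok"
    return {"dn": m["dn"], "email": m["email"], "upn": upn,
            "ema": ema.group(1) if ema else None, "status": status}

def audit(log_text, upn_suffix):
    """Return parsed records whose UPN does not look like the directory UPN."""
    records = (check_scep_line(l, upn_suffix) for l in log_text.splitlines())
    return [r for r in records if r and r["status"] != "ok"]

def _line(name, email, upn):
    """Build a constructed log line in the format shown in the thread."""
    ctx = ("BlackBerry/10.2.0.1803 EMA/10.2.0.1803 IMEI/0 PIN/0 "
           "PerimeterId/0000.%s.95" % name)
    return ("[DEBUG] (11/29 11:52:58:843):{http-8444-exec-103} ScepEngine:{%s}: "
            "SubjectDN = CN=%s, OU=Accounts,DC=inside,DC=example,DC=test, "
            "Email=%s, UPN=%s" % (ctx, name, email, upn))

# Constructed sample input (all values made up, not from a real server).
SAMPLE_LOG = "\n".join([
    _line("Joe Blow", "joe.blow@example.test", "jblow@inside.example.test"),
    _line("Ann Test", "ann.test@example.test", "null"),
    _line("Sam Demo", "sam.demo@example.test", "sam.demo@example.test"),
    "[INFO] (11/29 11:53:01:002):{http-8444-exec-104} unrelated line",
])

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG, "inside.example.test"):
        print(rec["status"], rec["dn"], "EMA", rec["ema"], "UPN", rec["upn"])
```
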

BlackBerry Employee
Posts: 750
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: SCEP sometimes not getting the right UPN (userPrincipalName)

Is this a user that was activated when the server was running 10.0? 

New Contributor
Posts: 6
Registered: ‎11-29-2013
My Device: z10
My Carrier: rogers

Re: SCEP sometimes not getting the right UPN (userPrincipalName)

I am not sure when the user was added. I am not the BES admin for the company I work for, rather one of the IT operations team members helping out with the BES admin. They may have gone home for the day but I will try to get in touch with them to find out. I may not have a reply till Monday.

Thanks for the help.

New Contributor
Posts: 6
Registered: ‎11-29-2013
My Device: z10
My Carrier: rogers

Re: SCEP sometimes not getting the right UPN (userPrincipalName)

Thanks for your help BD!  I have re-added my user to the system and they are now getting the proper name in their certificate.