Wednesday 4 March 2015

Blackberry Enterprise 12 (BES12) Using ActiveSync Certificate using SCEP


We recently undertook a project to upgrade our Blackberry Express 5 server to the Blackberry 12 server.  Whilst the big advantage of Blackberry 10 and Blackberry 12 is that it uses active sync directly over MAPI, one of the biggest disadvantages of  BES10 and BES12 is the fact that users need to enter their active directory passwords.  This feels like a step backwards from the earlier versions of Blackberry that never required this.  The users already having to enter a password to access their phone and potentially a second password to access their secure workspace, having to then remember to change their when it expires on the domain would possibly receive negative feedback from users.  One way to get around this is to use certificate authentication instead of user name and password.  This involves putting a certificate onto the Blackberry device that is associated with the user active directory account and presenting that certificate directly to exchange via the Blackberry tunnel.  The problem is that you cannot manually load certificates onto the phone and even if this was possible, the administrative overhead would be significant.  Because of this there is a process called SCEP.  This is a process in which a non-domain trusted device can automatically request a Certificate from the CA.  Because the CA does not trust the device, there has to be a broker service and this is called a SCEP server.  The process of the SCEP server is to trust the non-domain device and then to request the certificate on its behalf and also to manage the renewal of certificates as appropriate.  The process of setting up the SCEP requires three different configurations.

  • The first is to set up exchange active sync to allow it to accept certificates.
  • The second part is to set up the SCEP server and connect this to the domain CA.
  • The third part is to set up the Blackberry Enterprise server 12 to talk to the SCEP service, then finally to make it all work together.
During this process I found that there was no one complete article that explained the process from beginning to end and spent a long time looking at different white papers trying to understand the process.  As such, I have created a video that outlines the process from beginning to end with a full working example. 
 
In the videos there are two commands that need to be run when setting up the active sync certificates and as such, I have pasted those commands at the bottom of this article for ease of use.  If you have any comments please let me know.
Setting up SSL Host Headers
 
C:\Windows\System32\Inetsrv\
 
 appcmd set site /site.name:"Name of Website in IIS" /+bindings.[protocol='https',bindingInformation='*:443:Host Header']
Setting up Certificates on the virtual directory
appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost
 
 
 

1 comment:

  1. James, thanks for this, it is really helpful. I could set up BES12 SCEP with this help. Excellent! I just want to add that now with BES12.2, you can use dynamic challenge passwords to request certficates, which is considered to be more secure. This works for us.

    ReplyDelete