James Sillett IT Blog
Tuesday 12 January 2016
Wednesday 4 March 2015
Blackberry Enterprise 12 (BES12) Using ActiveSync Certificate using SCEP
We recently undertook a project to upgrade our Blackberry Express 5 server to the Blackberry 12 server.

Whilst the big advantage of Blackberry 10 and Blackberry 12 is that they use ActiveSync directly rather than MAPI, one of the biggest disadvantages of BES10 and BES12 is the fact that users need to enter their Active Directory passwords. This feels like a step backwards from the earlier versions of Blackberry that never required this. Users already have to enter a password to access their phone and potentially a second password to access their secure workspace; having to then remember to change their domain password when it expires would probably receive negative feedback from users.

One way to get around this is to use certificate authentication instead of a user name and password. This involves putting a certificate onto the Blackberry device that is associated with the user's Active Directory account and presenting that certificate directly to Exchange via the Blackberry tunnel. The problem is that you cannot manually load certificates onto the phone, and even if this were possible the administrative overhead would be significant.

Because of this there is a process called SCEP (Simple Certificate Enrollment Protocol). This is a process by which a device that is not trusted by the domain can automatically request a certificate from the CA. Because the CA does not trust the device, there has to be a broker service, and this is called a SCEP server. The job of the SCEP server is to trust the non-domain device, request the certificate on its behalf, and manage the renewal of certificates as appropriate.

Setting up SCEP requires three different configurations:
- The first is to set up exchange active sync to allow it to accept certificates.
- The second part is to set up the SCEP server and connect this to the domain CA.
- The third part is to set up the Blackberry Enterprise server 12 to talk to the SCEP service, then finally to make it all work together.
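An added audit script for the first two pieces of that configuration (not from the original post or from Blackberry). It assumes the Exchange Management Shell is loaded so that Get-ActiveSyncVirtualDirectory is available, and that the SCEP broker is Microsoft NDES at its default mscep.dll path; the NDES host name is a placeholder.

```powershell
# Added audit script, not from the original post. Assumes the Exchange
# Management Shell is loaded (for Get-ActiveSyncVirtualDirectory) and that the
# SCEP broker is Microsoft NDES at its default mscep.dll path; the NDES host
# name below is a placeholder.

function Test-EasCertificateAuth {
    # One row per ActiveSync virtual directory. For certificate logon the
    # directory must require client certificates; leaving Basic auth enabled
    # keeps a domain-password fallback open on the same endpoint.
    Get-ActiveSyncVirtualDirectory | ForEach-Object {
        [pscustomobject]@{
            Identity         = $_.Identity
            ClientCertAuth   = $_.ClientCertAuth      # Ignore, Accepted or Required
            BasicAuthEnabled = $_.BasicAuthEnabled
            Compliant        = ($_.ClientCertAuth -eq 'Required') -and (-not $_.BasicAuthEnabled)
        }
    }
    # Remediation for a non-compliant directory (run deliberately, not from this audit):
    # Set-ActiveSyncVirtualDirectory -Identity <id> -ClientCertAuth Required -BasicAuthEnabled $false
}

function Test-ScepEndpoint {
    param([string]$ScepUrl = 'http://ndes.example.local/certsrv/mscep/mscep.dll')  # placeholder host
    # GetCACaps is the unauthenticated SCEP capability query; the server answers
    # with one capability per line (for example POSTPKIOperation, SHA-256, Renewal).
    $resp = Invoke-WebRequest -Uri "${ScepUrl}?operation=GetCACaps" -UseBasicParsing
    $caps = @($resp.Content -split "`r?`n" | Where-Object { $_.Trim() -ne '' })
    [pscustomobject]@{
        Url          = $ScepUrl
        Capabilities = $caps
        # Capabilities worth confirming: SHA-256 signed SCEP messages (SHA-1 only
        # is a weak signal) and Renewal, which the broker needs for re-issue.
        Sha256       = $caps -contains 'SHA-256'
        Renewal      = $caps -contains 'Renewal'
    }
}

Test-EasCertificateAuth | Format-Table -AutoSize
Test-ScepEndpoint | Format-List
```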
During this process I found that there was no one complete article that explained the process from beginning to end, and I spent a long time looking at different white papers trying to understand it. As such, I have created a video that outlines the process from beginning to end with a full working example.

In the video there are two commands that need to be run when setting up the ActiveSync certificates and, as such, I have pasted those commands at the bottom of this article for ease of use. If you have any comments please let me know.
Setting up SSL Host Headers
C:\Windows\System32\Inetsrv\
Wednesday 25 September 2013
BES 10.1 Part 2
So after spending many hours banging my head against a brick wall trying to get the push notification working, I eventually got it working. I found that the password of the account that the push notification uses cannot have any capital letters in it. I have also read posts that certain special characters have problems, so for example we found that password.1 worked well (clearly a more secure version of this would be needed). I then found a separate problem: Exchange was not routing the responses to the push notification subscription to the BES server; they were being routed via a proxy server instead. Once this was corrected the push notification worked.
Blackberry BES 10.1
Blackberry Universal Device Control
Recently Blackberry have released their secure workspace product, which allows emails to be put into a sandbox application that can be installed on Android and iOS devices. This is integrated as part of the BES 10.1 Server.

For people who have only ever run the BES 5 servers, you will be aware that the Blackberry servers communicate with Exchange through MAPI. As of BES 10 the connections for both the non-Blackberry devices and the Blackberry 10 devices are all carried out directly through ActiveSync. Blackberry have stated that they are moving away from the MAPI connection, and this in itself poses some interesting challenges.

With the current BES 5 servers, if we have any issues relating to emails being populated twice or emails not syncing then Blackberry Support are responsible for identifying the issue. With ActiveSync, Blackberry Support have stated to us that they will ask us to refer synchronisation problems to Microsoft. SMB firms that do not have a support contract with Microsoft will be liable for additional costs on top of the Blackberry support if such issues arise.

With the ActiveSync technology users are required to present their network password on the end device. This is a significant change from the standard BES 5, in which the user's password is not required. In many organisations that follow Microsoft's best practices passwords are changed every thirty days, and this is an additional inconvenience and seems a step backwards for our users. This problem can be overcome by using the SCEP technology, but this requires additional configuration and again is something that would have to be supported in house and is not part of the Blackberry infrastructure.

Blackberry relies heavily on certificate technology to carry out the authentication between the non-Blackberry device and its Blackberry infrastructure. While it can be argued that what Blackberry are providing could easily be provided with your own internal VPN infrastructure, the added complication of certificates is handled very nicely by the Blackberry product and takes a significant learning curve away from smaller IT departments.

That said, one of the biggest drawbacks of using iOS is that Apple does not allow external parties to connect directly to iPhones, and therefore pushing out emails as they come in is not an option. In order to allow push notification your internal Blackberry server has to notify the Apple Notification Service (APN), which in turn notifies your device, and your device then requests the latest emails from Blackberry. We have had significant problems in getting this working (see part 2).
Friday 12 April 2013
Reinstall Systems Centre Operations Manager 2012 SP1 Issues (SCOM)
I recently had to reinstall Systems Centre Operations Manager 2012. The initial install was done on the release candidate and had no problems; however, on removing and reinstalling from the SP1 release I thought I would share with you a couple of issues that arose.

Firstly, the databases that are selected need to have a trailing slash, otherwise the install will fail as shown below.

Secondly, I continued to have a problem where the data warehouse would not install properly. On examining the logs there was an issue with the data access layer. I found the solution to this was to change the data access account from a local user account to a domain user account.

After making these changes the install completed successfully.
[22:10:45]: Info: :Info:trying to connect with server xxxxx
[22:10:52]: Info: :Info:Error while connecting to management server: The Data Access service is either not running or not yet initialized. Check the event log for more information.
[22:10:52]: Error: :Couldn't connect to mgt server stack: : Threw Exception.Type: Microsoft.EnterpriseManagement.Common.ServiceNotRunningException, Exception Error Code: 0x80131500, Exception.Message: The Data Access service is either not running or not yet initialized. Check the event log for more information.
[22:10:52]: Error: :StackTrace: at Microsoft.EnterpriseManagement.Common.Internal.ExceptionHandlers.HandleChannelExceptions(Exception ex)
at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.CreateEndpoint[T](EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
[22:10:52]: Info: :Info:Error while connecting to management server: The Data Access service is either not running or not yet initialized. Check the event log for more information.
[22:10:52]: Error: :Couldn't connect to mgt server stack: : Threw Exception.Type: Microsoft.EnterpriseManagement.Common.ServiceNotRunningException, Exception Error Code: 0x80131500, Exception.Message: The Data Access service is either not running or not yet initialized. Check the event log for more information.
[22:10:52]: Error: :StackTrace: at Microsoft.EnterpriseManagement.Common.Internal.ExceptionHandlers.HandleChannelExceptions(Exception ex)
at Microsoft.EnterpriseManagement.Common.Internal.SdkDataLayerProxyCore.CreateEndpoint[T](EnterpriseManagementConnectionSettings connectionSettings, SdkChannelObject`1 channelObjectDispatcherService)
Reinstalling SQL Reporting Services for Systems Centre Operations Manager 2012 (SCOM)
I recently had to reinstall the reporting component of Systems Centre Operations Manager.
"Report Server (MSSQLSERVER_ cannon load the Windows extension"
After some research I found the solution was to run ResetSRS, which can be found on the Systems Centre Operations Manager CD under SupportTools\AMD64\ResetSRS.exe. This resolved the reporting service instance problem and I was able to re-install the reporting services module.
Friday 5 April 2013
Veeam Replication
VEEAM is a host-based backup solution that requires snapshots to be taken at the guest level. This has a number of challenges, as snapshots should not be taken on high I/O servers and are also not supported by Microsoft. On the positive side, VEEAM is a very good technology for taking multiple incremental backups. VEEAM works via a technology called reverse backup. With traditional incremental backups using software such as Backup Exec we would have to restore a master backup and then apply the smaller incrementals afterwards. VEEAM instead creates a master file; when it takes the next backup the master file is updated and the changes are pushed down to a smaller incremental file. When restoring a backup from VEEAM you are able to restore the single backup file without needing to restore intermediate incremental backups, but in addition this allows you to roll back to previous versions: VEEAM will then apply the incrementals to produce a backup from whatever point in time you require.
The VEEAM technology uses changed block tracking; when used with VMware this means that the underlying VMware hypervisor tracks the changes made, vastly speeding up the time to take an incremental backup. VEEAM working at the hypervisor level also means that the load put on the host is uniform and does not impact performance, so if it wasn't for the snapshot problem there would be no issue in running backups during the day. VEEAM is a byte-level backup technology as opposed to bit-level, so the amount of data that is replicated is more than with the Doubletake solution. VEEAM has the ability to quiesce the underlying guest operating system before it takes a snapshot, allowing it to make use of the built-in shadow copy functionality of Windows to quiesce the Exchange and SQL databases before the snapshot is taken.
As a backup technology VEEAM is able to save individual files to a hard disk, and these can then either be copied onto a removable drive or transferred to tape by using a product such as Backup Exec. The disadvantage of doing this is that you are putting all your reliance into a single flat file. If that file becomes corrupt, either when copying to tape or at the point of backup, you will not know this and will not be able to restore any part of the VM. Therefore, to be confident that these files are not corrupted we need to find a way of mounting them and testing them in a lab environment to confirm a bootable backup.
VEEAM has a number of different ways of restoring data from a flat file backup in the event of recovery. VEEAM has a technology called instant restore that allows you to mount the backup in an emulated environment. While this allows for instant access to the VM, it puts a significant load on the server as it has to emulate the VMDKs.

VEEAM has a traditional restore that allows you to restore the flat file backup into the original VMDKs. This will take a significant amount of time depending on the size of the VMDK.
VEEAM also allows single file restore. In a single file restore VEEAM will mount the VMDK behind the scenes and give Explorer-style access to the available drives. This is a good technique for making sure that the flat file backup is not corrupt. As VEEAM takes multiple snapshots, the further back you go the more increments need to be combined to produce the file.
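To make the reverse backup mechanism above concrete (the master file updated in place with changes pushed down to increments, older points needing more increments combined, and the need to know when a flat file is corrupt), here is an added toy model of a reverse-incremental chain. It is a constructed illustration, not Veeam's code or file format; the block contents and the SHA-256 per restore point are my own additions.

```powershell
# Constructed illustration, not Veeam's code or file format: a "disk" is an
# array of blocks, the newest full image is kept current, and each backup keeps
# only the previous contents of the blocks it overwrote (a reverse increment).
function Get-BlocksHash {
    param([string[]]$Blocks)
    $bytes = [Text.Encoding]::UTF8.GetBytes(($Blocks -join "`0"))
    $hash  = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([BitConverter]::ToString($hash) -replace '-', '')
}
function New-ReverseChain {
    param([string[]]$Blocks)
    [pscustomobject]@{
        Full       = [string[]]$Blocks.Clone()                 # latest state, rewritten in place
        Increments = New-Object System.Collections.ArrayList  # oldest first: index -> old block
        Hashes     = [System.Collections.ArrayList]@(Get-BlocksHash $Blocks)  # SHA-256 per point
    }
}
function Add-BackupPoint {
    param($Chain, [string[]]$NewBlocks)
    if ($NewBlocks.Count -ne $Chain.Full.Count) { throw 'block count mismatch' }
    $reverse = @{}   # only the changed blocks, as changed block tracking would report them
    for ($i = 0; $i -lt $NewBlocks.Count; $i++) {
        if ($Chain.Full[$i] -ne $NewBlocks[$i]) { $reverse[$i] = $Chain.Full[$i] }
    }
    [void]$Chain.Increments.Add($reverse)
    $Chain.Full = [string[]]$NewBlocks.Clone()
    [void]$Chain.Hashes.Add((Get-BlocksHash $NewBlocks))
}
function Restore-BackupPoint {
    param($Chain, [int]$StepsBack = 0)
    $newest = $Chain.Increments.Count
    if ($StepsBack -gt $newest) { throw 'restore point does not exist' }
    $blocks = [string[]]$Chain.Full.Clone()
    # Apply increments newest-first; each undoes one backup, so older points combine more.
    for ($n = $newest - 1; $n -ge $newest - $StepsBack; $n--) {
        foreach ($e in $Chain.Increments[$n].GetEnumerator()) { $blocks[$e.Key] = $e.Value }
    }
    # A hash mismatch means the full file or an increment is corrupt: fail loudly.
    if ((Get-BlocksHash $blocks) -ne $Chain.Hashes[$newest - $StepsBack]) {
        throw "restore point $StepsBack back failed its integrity check"
    }
    return $blocks
}
$chain = New-ReverseChain @('A0', 'B0', 'C0', 'D0')
Add-BackupPoint $chain @('A0', 'B1', 'C0', 'D0')   # second backup: one block changed
Add-BackupPoint $chain @('A2', 'B1', 'C0', 'D2')   # third backup: two blocks changed
(Restore-BackupPoint $chain 0) -join ','           # newest point, straight from the full file
(Restore-BackupPoint $chain 2) -join ','           # original disk, two increments applied
```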
VEEAM Enterprise has the ability to do application-level restores. This allows for restoring individual databases, individual Exchange items and individual Active Directory objects. This product is great for less I/O-intensive servers.