[BerryBlacky]

Platform:

BES 4.1.6.26
EXC 2003 SP2
AD 2003 SP2

Issue background:

Users are able to send and receive signed and encrypted messages and able to wirelessly retrieve certificates and perform GAL lookups, however, after certificate freshness has expired, are unable to manually check certificate status from device.
Device displays xxx8220;Internal Proxy Provider Errorxxx8221; when attempting to fetch status. To restore S/MIME functions, user connects to BB Desktop Manager and cert statuses are automatically updated, S/MIME function returns to normal.

MDAT LOG:

<2008-07-21 11:14:05.125 EDT>:[315]:<MDS-CS_BLACKBERRY_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = CRL, Fetching CRL via LDAP from ldap:///CN=xyz%20Intermediate%20Certification%20Authority, CN=certification,CN=CDP,CN=Public%20Key%20Services ,CN=Services,CN=Configuration,DC=xyz,DC=com?certif icateRevocationList?base?objectClass=cRLDistributi onPoint>

<2008-07-21 11:14:05.125 EDT>:[316]:<MDS-CS_BLACKBERRY_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = CRL, Parsing Query ldap:///CN=xyz%20Intermediate%20Certification%20Authority, CN=certification,CN=CDP,CN=Public%20Key%20Services ,CN=Services,CN=Configuration,DC=xyz,DC=com?certif icateRevocationList?base?objectClass=cRLDistributi onPoint>

<2008-07-21 11:14:05.125 EDT>:[317]:<MDS-CS_BLACKBERRY_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = CRL, LDAP Server - Scheme: 'ldap', Auth: '', Path: 'CN=xyz%20Certification%20Authority,CN=certificati on,CN=CDP,CN=Public%20Key%20Services,CN=Services,C N=Configuration,DC=xyz,DC=com', Query: '?certificateRevocationList?base?objectClass=cRLDi stributionPoint'>

<2008-07-21 11:14:05.125 EDT>:[318]:<MDS-CS_BLACKBERRY_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = CRL, Starting LDAP query>

<2008-07-21 11:14:05.128 EDT>:[319]:<MDS-CS_BLACKBERRY_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = CRL, Parsing LDAP response threw a NamingException:javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece ]; remaining name ''>

The only noted BTSC article about anything related to this issue is when running 4.0.6, however, I'm running 4.1.6, and that issue has long ago been corrected.

Anyone know what the solution to this issue is?

[shayz79]

I am having the same issue, and have been kicking it around for the past few weeks. RIM has yet to give me any valuable advice.

[BerryBlacky]

I've talked to RIM about this also, they haven't gotten back to me as of yet.

[BerryBlacky]

Anyone?

[shayz79]

Well I was able to get it to stop with the proxy error, now it says "unknown status". I will still be kicking this issue around when I find the time.

Here is what I did.

Edited the rimpublic.property file located at
Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\<Server Name>\config

Added the following to the file
application.handler.crl.USE_DEVICE_RESPONDERS=fals e
application.handler.ldap.DEFAULT_AUTH_USERNAME=<us ername>
application.handler.ldap.DEFAULT_AUTH_PASSWORD=<pa ssword>


Restarted MDS services, took about 10 min for it to take affect.

i gathered this information from the RIM website, but i no longer have the link if come access it again i will post it.

[BerryBlacky]

Thanks, I'll give this a shot since I'm ready to try anything at this point.

[shayz79]

looks like we are SOL on this issue, check out the blackberry support site for SDR150139

[BerryBlacky]

I think its time to switch to using OCSP responders. WS2K8 has built in native support for this, no third-party software or plugins needed, therefore less of headache, lower cost, more secure.

[bdj6020]

I am having this same problem. Has anyone found a solution?

[BerryBlacky]

There are no workarounds to this issue.

Also, I think the root of this problem is related to the way the MDS-CS uses authentication to perform this query. It should use 'simple' authentication, but for this particular query, it uses no authentication at all and performs it anonymously. Windows Server 2003 does not allow anonymous LDAP queries by default.

To understand this better, you guys should also try this out for personal verification. Run the ldp.exe utility from the BES and perform the exact same query the MDS-CS does when fetching a certificate's status, first with the default ldp.exe authentication method, then with anonymous, then with the 'simple' authentication method. The exact same connection binding error is returned on the query if any other method of authentication is used other than 'simple'. (Don't forget to pre-bind using AD registered credentials for any other methods except anonymous.)

Perhaps there is a way to force the MDS-CS to use 'simple' authentication instead of anonymous.

[BerryBlacky]

The solution to this problem has been found.

As many of us suspected earlier, though the MDS-CS debug log clearly indicates that its query for certificate status checks uses the pre-defined LDAP scheme, it actually does not do so and uses anonymous credentials to check certificate status.

For example, when performing a certificate lookup, the debug log clearly references the pre-defined LDAP scheme:

----------------------------------------------------------------------
<= IPPP, HANDLER = LDAP, Starting query request: ldap:///?givenname,cn,sn,mail,usercertificate,usercertific ate;binary?sub?(&(|(givenname=Richard*)(cn=Richard *))(|(usercertificate=*)(usercertificate;binary=*) ))>
<= IPPP, HANDLER = LDAP, Using default server: hq.xyz.com>
<= IPPP, HANDLER = LDAP, Using default port: 389>
<= IPPP, HANDLER = LDAP, Using default query: DC=xyz,DC=com>
<= IPPP, HANDLER = LDAP, Using default authentication username and password>
<= IPPP, HANDLER = LDAP, scheme: 'ldap'>
<= IPPP, HANDLER = LDAP, auth: 'hq.xyz.com:389'>
<= IPPP, HANDLER = LDAP, path: 'DC=xyz,DC=com'>
<= IPPP, HANDLER = LDAP, query: '?givenname,cn,sn,mail,usercertificate,usercertifi cate;binary?sub?(&(|(givenname=Richard*)(cn=Richar d*))(|(usercertificate=*)(usercertificate;binary=* )))'>
<= IPPP, HANDLER = LDAP, attributes: 'givenname,cn,sn,mail,usercertificate,usercertific ate;binary'>
<= IPPP, HANDLER = LDAP, scope: 'sub'>
<= IPPP, HANDLER = LDAP, filter: '(&(|(givenname=Richard*)(cn=Richard*))(|(usercer t ificate=*)(usercertificate;binary=*)))'>
<= IPPP, HANDLER = LDAP, extensions: 'null'>
<= IPPP, HANDLER = LDAP, Starting query>
<= IPPP, HANDLER = LDAP, Disabling datastream compression>
<= IPPP, HANDLER = LDAP, Query complete. Sent 1 entries to device.>
----------------------------------------------------------------------

And then shows that it uses, what one would assume, to be the same scheme as used when performing the certificate lookup to perform a certificate status check:

----------------------------------------------------------------------
<2008-07-21 11:14:05.125 EDT>:[317]:<MDS-CS_BLACKBERRY_MDS-CS_1>:<DEBUG>:<LAYER = IPPP, HANDLER = CRL, LDAP Server - Scheme: 'ldap', Auth: '', Path: 'CN=xyz%20Certification%20Authority...
----------------------------------------------------------------------

As you can see from the above query, the pre-defined LDAP scheme is thought to be used, including port number, server, and credentials, as this type of debug information in relation to scheme usage is also present when performing a certificate lookup/retrieval.

There is absolutely nothing noted in the administrative documentation which reveals that the BES performs certificate status lookups anonymously. Not sure if there is any information on the development side which might detail this fact.

The solution:

No matter which SKU or build of Windows Server 2003 is used, anonymous queries to the LDAP are disabled by default for security purposes and must be enabled manually. They are disabled to prevent unauthorized parties from performing DoS attacks, done by launching massively complex queries for extended durations. No other form of malicious activity other than this can occur by enabling anonymous lookups.

To do this, the ADSIEdit snap-in will be required to make a very careful change to the schema. This snap-in is available when the Windows Server 2003 Support Tools library is installed.

The details are available at Novell's Cool Solutions Forum, in the second-half of the document titled:
"Additional Configuration for Windows 2003 server" and you may disregard the first half as it does not apply to this situation.

Once anonymous lookups have been enabled, you should definitely not see the previous connection binding error.

From the log snippet below, you can see that the query is now actually being performed.

----------------------------------------------------------------------
<= IPPP, HANDLER = CRL, Fetching CRL via LDAP from ldap:///CN=xyz%20Intermediate%20Certification%20Authority, CN=certification,CN=CDP,CN=Public%20Key%20Services ,CN=Services,CN=Configuration,DC=xyz,DC=com?certif icateRevocationList?base?objectClass=cRLDistributi onPoint>

<= IPPP, HANDLER = CRL, Parsing Query ldap:///CN=xyz%20Intermediate%20Certification%20Authority, CN=certification,CN=CDP,CN=Public%20Key%20Services ,CN=Services,CN=Configuration,DC=xyz,DC=com?certif icateRevocationList?base?objectClass=cRLDistributi onPoint>

<= IPPP, HANDLER = CRL, LDAP Server - Scheme: 'ldap', Auth: '', Path: 'CN=xyz%20Intermediate%20Certification%20Authority ,CN=certification,CN=CDP,CN=Public%20Key%20Service s,CN=Services,CN=Configuration,DC=xyz,DC=com', Query: '?certificateRevocationList?base?objectClass=cRLDi stributionPoint'>

<= IPPP, HANDLER = CRL, Starting LDAP query>

<= IPPP, HANDLER = CRL, Parsing LDAP response threw a NamingException:javax.naming.NameNotFoundException : [LDAP: error code 32 - 0000208D: NameErr: DSID-03151EFD, problem 2001 (NO_OBJECT), data 0, best match of:>

<= IPPP, HANDLER = CRL, 'CN=Configuration,DC=xyz,DC=com'>

<= IPPP, HANDLER = CRL, ]; remaining name ''>
----------------------------------------------------------------------

(For our own environment, we're seeing another error related to the MDS-CS not being able to find the CRL in LDAP, but this will be detailed in a separate post so not to sidetrack this particular issue.)

Try this out and I hope this gets you guys back up and running.

[jacytan]

Hi there,

i was able to successfully implement the LDAP api using the actual device.
i did not try it anymore in the simulator since there were a lot of complaints and i didn't want to waste my time. Now, i have another problem.

I am using Simple Authentication to access LDAP and everytime i try to access the LDAP, the blackberry prompts me for a username and password. is there a way to hardcode the username and password so that the user doesn't need to be hassled? or can i get a username and password of the blackberry device...is this possible?

[Baldric]

Hi Jacytan,

In MDS_CS go to LDAP, configure the username to use the BES Admin account and password, MDS_CS will need to be restarted. MDS_CS will then perform the LDAP request on behalf of the BB