Thursday, September 16, 2010

Blackberry BIS issue, when running UAG

We have a scenario where we started publishing Exchange 2010 (and Exchange 2007) with UAG (Unified Access Gateway).
After that, Blackberry BIS (Hosted Blackberry) users stopped working.
When trying to set up their account, we got an error saying that the password was not correct.

We got some errors in the Application event log, but they didn't help.
Microsoft UAG runs on top of Microsoft TMG (formerly ISA Server), and we use that in several places without any problems. So we figured that it had to be the UAG that caused the problem.

Then we discovered that BIS is using UPNs (User Principal Name = user@domain.local), even though we use "domain\user" in the web interface.

And UAG is not set up to use UPN by default.
We changed that by following this article:
http://technet.microsoft.com/en-us/library/ee809087.aspx

That helped: the BIS users now work, and we don't get any errors in the event log :-)

Note:
The errors we got in the Application event log on the UAG server
(bg is the username for the BIS users):


Log Name:      Application
Source:        Microsoft Forefront UAG
Date:          14-09-2010 10:29:30
Event ID:      67
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXX.XXX.XX
Description:
A request from source IP address x.x.x.x on trunk owa; Secure=1 for application Internal Site of type InternalSite failed. The URL /InternalSite/logon.asp contains an illegal path. The rule applied is Default rule. The method is GET.


Log Name:      Application
Source:        Microsoft Forefront UAG
Date:          14-09-2010 10:29:28
Event ID:      51
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXX.XXX.XX
Description:
A request from source IP address x.x.x.x on trunk owa; Secure=1 for application Exchange services of type ExchangePub2010 failed because the  method used PROPFIND is not valid for requested URL /exchange/bg.


Log Name:      Application
Source:        Microsoft Forefront UAG
Date:          14-09-2010 10:29:27
EventID:      51
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      XXXX.XXX.XX
Description:
A request from source IP address x.x.x.x on trunk owa; Secure=1 for application Unknown application name of type Unknown application type failed because the  method used PROPFIND is not valid for requested URL /bg.

5 comments:

  1. Thank you for the post - a question for you - were you seeing any messages in UAG surrounding illegal WebDAV methods? We have the same issue (UAG - Exchange 2010 SP1 - users on BIS cannot hit email via OWA trunk since upgrade from 2003, receiving invalid password errors). We do not have 2007 Exchange, which I understand still supports WebDAV. I have spoken to RIM / BIS support, they are saying BIS only supports OWAccess (2003 / 2007), not OWApplication (2010), and they don't know when it will. We have tried enabling EWS on the OWA trunk, but I feel the core issue is the remote BIS server is attempting to communicate with us via WebDAV, which I understand 2010 no longer supports. Comments?

  2. Have you tried the suggested change so that UAG accepts UPNs?

    I cannot remember any WebDAV errors, but I would think that BIS should be the same for all users.

    Let me know if this helps.

  3. Seeing this issue after a fresh UAG SP3 install. BIS was working fine for Exchange 2010 until the UAG went in. Endpoint policy checking is disabled, as is OWA forms authentication.

  4. Dear Sir,

    Which registry key did you modify to get rid of this issue? Can you please provide me the details.

    Thanks & Regards,
    ZB

  5. Hi ZB,
    You need to modify:
    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UserMGR\TranslateUPN
    Set to 1 to enable client authentication using a user principal name (UPN) in a Forefront UAG portal. Enabling UPN consists of the following steps:
    1. Configure the registry key
    2. Copy the repository_for_upn.inc CustomUpdate file to von\InternalSite\inc\CustomUpdate folder.
    3. Rename the file to repository.inc, where repository is the name of the authentication server that is used to authenticate the user.
    4. Restart the Microsoft Forefront UAG User Manager service.
    5. Activate the configuration.

    HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UserMGR\TranslateUPN
    To perform Kerberos authentication using UPN, set to 1.
    To perform using the format DOMAIN\UserName, set to 0. If no value is set, DOMAIN\UserName will be used.

    Let me know if that helped.

    BR
    Lasse I.

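The steps Lasse lists above (registry value, CustomUpdate include file, service restart) are easy to get half-done by hand, so here is an added PowerShell script that performs them and then reads the value back. This is not code from the blog post, its comments, or Microsoft; the registry path, value semantics and display name of the User Manager service are taken from the comment, while the UAG install root and the location of the `repository_for_upn.inc` template are assumptions exposed as parameters. Run it elevated on the UAG server and finish with step 5, activating the configuration in the UAG Management console.

```powershell
# Added example, not from the blog post or its comments: enables UPN
# translation on a Forefront UAG server by following the steps from the
# comment above. ASSUMPTIONS: the default install root below and the
# location of the repository_for_upn.inc template; override if they differ.
param(
    # Name of the authentication server (repository) configured in UAG,
    # e.g. the AD repository name shown in the UAG Management console.
    [Parameter(Mandatory = $true)][string]$Repository,
    # ASSUMED default UAG install root
    [string]$UagRoot = 'C:\Program Files\Microsoft Forefront Unified Access Gateway',
    # ASSUMED location of the template include file shipped with UAG
    [string]$TemplateInc = (Join-Path $UagRoot 'von\InternalSite\samples\repository_for_upn.inc')
)

# Registry location and value name quoted in the comment
$keyPath   = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\von\UserMGR'
$valueName = 'TranslateUPN'

function Get-TranslateUpn {
    # Returns 1 (UPN), 0 (DOMAIN\UserName) or $null when the value is absent,
    # which UAG treats the same as 0 according to the comment.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

Write-Host "Before: TranslateUPN = $(Get-TranslateUpn)"

# Step 1: set TranslateUPN = 1 so the portal authenticates with user@domain
New-Item -Path $keyPath -Force | Out-Null
Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord

# Steps 2 and 3: copy the CustomUpdate include and name it after the repository
$customUpdate = Join-Path $UagRoot 'von\InternalSite\inc\CustomUpdate'
$targetInc    = Join-Path $customUpdate "$Repository.inc"
if (-not (Test-Path $TemplateInc)) {
    throw "Template not found at $TemplateInc; pass -TemplateInc with the correct path."
}
New-Item -ItemType Directory -Path $customUpdate -Force | Out-Null
Copy-Item -Path $TemplateInc -Destination $targetInc -Force

# Step 4: restart the User Manager service, looked up by its display name
$svc = Get-Service -DisplayName 'Microsoft Forefront UAG User Manager' -ErrorAction Stop
Restart-Service -InputObject $svc -Force

# Read the value back so a failed write is not silently ignored
if ((Get-TranslateUpn) -ne 1) { throw "TranslateUPN is not 1 after the change." }
Write-Host "After: TranslateUPN = $(Get-TranslateUpn); include file: $targetInc"
Write-Host "Step 5 still needed: activate the configuration in the UAG Management console."
```

Keep in mind that this changes how the whole portal interprets logon names, not just for BIS, so test an ordinary DOMAIN\user logon on the trunk after activation as well as the BIS account.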