  1. higherdestiny
    CrackBerry Addict
    Thread Author   #1

    Enabling notifications for Work Connect Notification Service (Secure Work Space)

    Hi All,

    Since my organisation is going through the process of enabling Push Notifications for iOS devices in Secure Work Space, I wanted to share some learning which might help others through the process.

    So by default, the Secure Work Space on iOS devices cannot receive push notifications (and thus, email or updates) while the app is not active (aka: Running full screen on the iOS device). This is because Apple restrict applications from operating in the background.

    To get around this, and make the whole experience MUCH nicer, BlackBerry use Apple Push Notifications to push data to the application when it's not active. For these push notifications to work, some work has to be done between the BES and the Exchange Servers.

    BlackBerry have a KB article to enable this, which can be found here: http://btsc.webapps.blackberry.com/btsc/KB34664

    Of course, it doesn't always go smoothly, so this is where I want to document some ways to debug, which I'll describe in a few posts below.

    Enjoy - and hope this helps someone
    BlackBerry 10 Certified System Administrator
  2. higherdestiny
    CrackBerry Addict
    Thread Author   #2

    What to do when it doesn't work.

    Let's look at the logs. For Work Connect Notification issues relating to push notifications, we're interested in the logs found here:

    C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Logs\RIM.BUDS.BWCN

    That's the default location - but you may have them elsewhere, as is my case:

    D:\BlackBerry Enterprise Service 10\Logs\RIM.BUDS.BWCN

    The log we're after is "asg.log"

    However - the logs don't always give you enough detail, so the first step is to up your level of logging detail to see what's really going on.

    To increase the logging for the BlackBerry Work Connect Notification Service to TRACE
    1. Stop the BES10 - BlackBerry Work Connect Notification Service
    2. Browse to C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.BWCN\webapps\asg\WEB-INF\classes\
    3. Make a backup copy of log4j.xml by copying it to the Desktop
    4. Open the log4j.xml file with a file editor program such as Notepad
    5. Remove everything in the file and replace with the following:

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
    <log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
      <appender name="asg" class="org.apache.log4j.RollingFileAppender">
        <param name="file" value="C:/Program Files (x86)/Research In Motion/BlackBerry Enterprise Service 10/Logs/RIM.BUDS.BWCN/asg.log" />
        <param name="maxFileSize" value="200MB" />
        <param name="MaxBackupIndex" value="10" />
        <param name="DatePattern" value="'.'yyyy-MM-dd" />
        <layout class="org.apache.log4j.PatternLayout">
          <param name="ConversionPattern" value="[%d] [%t] %-5p: %c:%L - %m%n" />
        </layout>
      </appender>
      <root>
        <priority value="debug" />
        <appender-ref ref="asg" />
      </root>
    </log4j:configuration>

    6. Start the BES 10 - BlackBerry Work Connect Notification Service

    Now we've got extra logging awesomeness.

    For our situation, we found a series of errors which led us to the issue:

    [2014-08-21 09:22:38,766] [threadPoolTaskExecutor-2] DEBUG: org.apache.http.wire:86 - http-outgoing-2 << "<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Header><t:ServerVersionInfo MajorVersion="8" MinorVersion="3" MajorBuildNumber="298" MinorBuildNumber="1" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" /></soap:Header><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>The server to which the application is connected cannot impersonate the requested user due to insufficient permission.</faultstring><detail><e:ResponseCode xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">ErrorImpersonationDenied</e:ResponseCode><e:Message xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">The server to which the application is connected cannot impersonate the requested user due to insufficient permission.</e:Message></detail></soap:Fault></soap:Body></soap:Envelope>"
    [2014-08-21 09:22:38,772] [threadPoolTaskExecutor-2] DEBUG: com.openpeak.asg.connector.health.aspect.ASGConnectorMonitorAspect:81 - finished monitoring asg connector:exchange_10 with health:ACCESS_DENIED
    [2014-08-21 09:22:38,779] [threadPoolTaskExecutor-2] DEBUG: org.apache.http.wire:86 - >> "<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Subscription><email>user.name@xxxxxxxx.xxx</email><emailRetentionPeriod>2</emailRetentionPeriod><subscriptionId>FAILEDuser.name@xxxxxxxx.xxx140857698773</subscriptionId><asgKey>112043624630000000</asgKey></Subscription>"
    (user.name@xxxxxxxx.xxx) in the above log was of course the actual email address of the user in question for our server. Masked the name for privacy reasons.

    So from this, we can determine that our issue is impersonation rights.
    BlackBerry 10 Certified System Administrator
  3. higherdestiny
    CrackBerry Addict
    Thread Author   #3

    To debug and troubleshoot why impersonation rights aren't working, here's a handy link

    KB32861 - How to use the EWS Editor to test Microsoft Exchange Impersonation and Autodiscover
    BlackBerry 10 Certified System Administrator
  4. jpvj
    CrackBerry Master
    #4

    100% agree. Great writing and nice way to summarize the "How Apple does push for 3rd party apps".

    The whole problem is caused by iOS not allowing apps to run in the background. The solution is to send a push message via APNS to the device for a specific app. The device shows the notification and when the user opens the app it may either use the push message if it contains enough data (lit suitable for email) or initiate a pull cycle and retrieve the data from the server.

    This is why Apple's own mail app works so much better: It is allowed to run in the background.


    Strange environment warning ahead:

    If you have a NETBIOS domain name containing a dot like abc.dom push notifications do not work.

    I know this is very uncommon as most companies have abc as NETBIOS domain name and abc.local as DNS domain name. It's most likely a leftover from old NT4 upgrades and is not recommended by MS ("should not contain a dot").

    The problem is a limitation of an Apache component, that tries to be "helpful" by assuming that the user by mistake entered the DNS domain name. The component then makes an educated guess and just passes on the first part of the NETBIOS domain name (abc) which of course fails validation as no such domain exists.

    Posted via CB10
  5. higherdestiny
    CrackBerry Addict
    Thread Author   #5

    Further to the above.

    In our environment, enabling Anonymous Authentication - which is recommended by BlackBerry, actually caused a flood of 403 Forbidden errors in the asg.log, and a subsequent failure of the push notification service.

    For our environment (Exchange 2007 CAS boxes), we had to disable Anonymous Auth for push notifications to work. (Restart IIS after changing anonymous auth)

    Hopefully this helps someone.
    BlackBerry 10 Certified System Administrator
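
Added example (not part of any post in this thread, and not BlackBerry's tooling): a small triage script for asg.log that looks for the failure signatures described in posts #2 and #5 and masks mailbox addresses before an excerpt is shared. It assumes the line layout of the ConversionPattern shown in post #2; the sample lines are constructed, and the 403 line is an assumed wire-log shape.

```python
import re

# Layout produced by the ConversionPattern "[%d] [%t] %-5p: %c:%L - %m%n"
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<thread>[^\]]+)\] (?P<level>\w+) *: "
                  r"(?P<logger>[\w.$]+):(?P<src>\d+|\?) - (?P<msg>.*)$")

# Failure signatures taken from the log excerpt and symptoms in this thread.
SIGNATURES = {
    "impersonation_denied": re.compile(r"<e:ResponseCode[^>]*>ErrorImpersonationDenied<"),
    "connector_access_denied": re.compile(r"with health:ACCESS_DENIED\b"),
    "failed_subscription": re.compile(r"<subscriptionId>FAILED"),
    "http_403": re.compile(r'<< "HTTP/1\.[01] 403\b'),
}
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def triage(lines):
    """Return {finding: [timestamps]} for every known failure signature seen."""
    hits = {}
    for raw in lines:
        m = LINE.match(raw.rstrip("\r\n"))
        if m is None:
            continue  # blank line or continuation of a multi-line message
        for name, sig in SIGNATURES.items():
            if sig.search(m["msg"]):
                hits.setdefault(name, []).append(m["ts"])
    return hits

def redact(text):
    """Mask mailbox addresses before a wire-level excerpt leaves the server."""
    return EMAIL.sub("<redacted>", text)

# Constructed sample: the first three lines are shortened from the excerpt in
# post #2; the 403 line is an assumed shape for the case described in post #5.
SAMPLE = r'''
[2014-08-21 09:22:38,766] [threadPoolTaskExecutor-2] DEBUG: org.apache.http.wire:86 - http-outgoing-2 << "<soap:Fault><detail><e:ResponseCode xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">ErrorImpersonationDenied</e:ResponseCode></detail></soap:Fault>"
[2014-08-21 09:22:38,772] [threadPoolTaskExecutor-2] DEBUG: com.openpeak.asg.connector.health.aspect.ASGConnectorMonitorAspect:81 - finished monitoring asg connector:exchange_10 with health:ACCESS_DENIED
[2014-08-21 09:22:38,779] [threadPoolTaskExecutor-2] DEBUG: org.apache.http.wire:86 - >> "<Subscription><email>user.name@example.test</email><subscriptionId>FAILEDuser.name@example.test140857698773</subscriptionId></Subscription>"
[2014-08-21 09:25:01,004] [threadPoolTaskExecutor-3] DEBUG: org.apache.http.wire:72 - http-outgoing-3 << "HTTP/1.1 403 Forbidden[\r][\n]"
[2014-08-21 09:25:02,100] [threadPoolTaskExecutor-3] INFO : org.example.Other:10 - unrelated line
'''

if __name__ == "__main__":
    for name, stamps in triage(SAMPLE.splitlines()).items():
        print(f"{name}: {len(stamps)} hit(s), first at {stamps[0]}")
    print(redact(SAMPLE.splitlines()[3]))
```

With wire-level logging enabled, asg.log holds mailbox addresses and EWS message bodies, so restoring the backed-up log4j.xml after troubleshooting keeps that data out of long-lived log files.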
  6. higherdestiny
    CrackBerry Addict
    Thread Author   #6

    If all seems to be good in the asg.log, but no push notifications, try this:

    For the iOS notifications to also function ensure that port 8088 is open between the Exchange and BES10 for ASG (BWCN service). This can be tested by logging onto Exchange (your CAS server) and trying the following example URL from the browser:

    https://FQDNofBES10:8088/asg/about
    Note: Replace FQDNofBES10 with the FQDN of the BES10 server.

    If working correctly, there will be no certificate warning prompt and XML data should display within the browser about the ASG version.

    If a certificate warning is displayed when accessing the URL, ensure the UDS certificate has been imported correctly on the Exchange CAS. If "page cannot be displayed" is seen, then ensure port 8088 is open between the Exchange CAS and BES10.

    In our environment, we had incorrectly imported the UDS CA to the wrong CAS server - and this troubleshooting step identified that, as the URL prompted an untrusted certificate. Re-importing the UDS certificate as trusted root on the CORRECT CAS server helped!

    Remember - after every significant change, restart the scheduler service as well as the Work Connect Notification service.
    BlackBerry 10 Certified System Administrator
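
Added example (not part of any post in this thread, and not a BlackBerry tool): the browser test from post #6 as a script that separates "port 8088 blocked" from "UDS certificate not trusted on this CAS". The function name, verdict labels and hint texts are made up for this example; it assumes Python's default TLS context reads the same Windows ROOT/CA stores into which the UDS certificate was imported.

```python
import http.client
import ssl
import sys

# Hypothetical verdict labels, mapped to the fixes named in post #6.
NEXT_STEP = {
    "OK": "ASG answered with XML over a trusted certificate",
    "CERT_UNTRUSTED": "import the current UDS certificate as trusted root on THIS CAS",
    "UNREACHABLE": "open port 8088 between the Exchange CAS and BES10, check DNS",
    "TLS_ERROR": "something other than the ASG HTTPS listener answered on the port",
    "HTTP_ERROR": "port and certificate are fine, check the BWCN service itself",
}

def check_asg(host, port=8088, timeout=5.0, context=None):
    """Fetch https://host:port/asg/about and return (verdict, detail).

    Run it on the Exchange CAS: the trust decision depends on that
    machine's certificate store, which is what the test is about.
    """
    # The default context verifies chain and host name. Verification is never
    # switched off here, because the certificate result is the point.
    ctx = context or ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/asg/about")
        resp = conn.getresponse()
        body = resp.read(2048)
    except ssl.SSLCertVerificationError as exc:
        return "CERT_UNTRUSTED", exc.verify_message  # browser: certificate warning
    except ssl.SSLError as exc:
        return "TLS_ERROR", str(exc)
    except OSError as exc:
        return "UNREACHABLE", str(exc)  # browser: page cannot be displayed
    except http.client.HTTPException as exc:
        return "HTTP_ERROR", repr(exc)
    finally:
        conn.close()
    if resp.status == 200 and body.lstrip().startswith(b"<"):
        return "OK", f"{resp.status} {resp.reason}"
    return "HTTP_ERROR", f"{resp.status} {resp.reason}"

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_asg.py FQDNofBES10")
    verdict, detail = check_asg(sys.argv[1])
    print(f"{verdict}: {detail}\nnext step: {NEXT_STEP[verdict]}")
```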
  7. chasdrury
    CrackBerry Abuser
    #7

    Quote: Originally posted by higherdestiny
    Further to the above.

    In our environment, enabling Anonymous Authentication - which is recommended by BlackBerry, actually caused a flood of 403 Forbidden errors in the asg.log, and a subsequent failure of the push notification service.

    For our environment (Exchange 2007 CAS boxes), we had to disable Anonymous Auth for push notifications to work. (Restart IIS after changing anonymous auth)

    Hopefully this helps someone.

    A question for you completely unrelated to your issue - you say CAS boxes - we have several Exchange servers, one in each country that we have an organisation. The push notifications are looking to a CAS server in the central location - any UDS user outside the central environment doesn't get any notifications.

    Any way round that?

    Posted via CB10
  8. jpvj
    CrackBerry Master
    #8

    Quote: Originally posted by higherdestiny
    If all seems to be good in the asg.log, but no push notifications, try this:

    For the iOS notifications to also function ensure that port 8088 is open between the Exchange and BES10 for ASG (BWCN service). This can be tested by logging onto Exchange (your CAS server) and trying the following example URL from the browser:

    https://FQDNofBES10:8088/asg/about
    Note: Replace FQDNofBES10 with the FQDN of the BES10 server.

    If working correctly, there will be no certificate warning prompt and XML data should display within the browser about the ASG version.

    If a certificate warning is displayed when accessing the URL, ensure the UDS certificate has been imported correctly on the Exchange CAS. If "page cannot be displayed" is seen, then ensure port 8088 is open between the Exchange CAS and BES10.

    In our environment, we had incorrectly imported the UDS CA to the wrong CAS server - and this troubleshooting step identified that, as the URL prompted an untrusted certificate. Re-importing the UDS certificate as trusted root on the CORRECT CAS server helped!

    Remember - after every significant change, restart the scheduler service as well as the Work Connect Notification service.

    Thx. for sharing.
    At this point I REALLY, REALLY wonder why BlackBerry always has to make "incomplete" setups. BES 10 is, as we all know, built on Mobile Fusion, which was a patchwork of BES 5.0 (- sync) and Ubitexx (iOS/Android) + a management console. Except for a little tweaking and fixing it was always a mess. This was from the old days when BlackBerry suddenly found out they would no longer survive as a single-vendor company and needed to support iOS/Android.

    With BES 5.0 you might remember the procedure for setting up SSO for BAS. Why on earth not write a small tool creating the necessary changes to AD and Kerberos delegation?
    For UDS / push notifications a test tool would have saved a LOT of trouble. It could easily test open firewall ports, certificates, delegation stuff etc. Would save BES admins and T-Support a LOT of troubleshooting.

    Also a tool for exporting the *current/active* UDS certificate would be nice. You might have seen 2-4 different UDS certificates after performing some BES SP installs. Why does the SP installer not inform you about a new UDS certificate being installed and remind you to export it and import it on the CAS? Why not offer to remove old certificates?

    Looking forward to BES 12. Not much about the architecture is out, but I know some components are the same.
