Enabling notifications for Work Connect Notification Service (Secure Work Space)
Since my organisation is going through the process of enabling Push Notifications for iOS devices in Secure Work Space, I wanted to share some learnings which might help others through the process.
So by default, the Secure Work Space on iOS devices cannot receive push notifications (and thus, email or updates) while the app is not active (aka: Running full screen on the iOS device). This is because Apple restrict applications from operating in the background.
To get around this, and make the whole experience MUCH nicer, BlackBerry use Apple Push Notifications to push data to the application when it's not active. For these push notifications to work, some work has to be done between the BES and the Exchange Servers.
BlackBerry have a KB article to enable this, which can be found here: http://btsc.webapps.blackberry.com/btsc/KB34664
Of course, it doesn't always go smoothly, so this is where I want to document some ways to debug, which I'll describe in a few posts below.
Enjoy - and hope this helps someone
What to do when it doesn't work.
Let's look at the logs. For Work Connect Notification issues relating to push notifications, we're interested in the logs found here:
C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Logs\RIM.BUDS.BWCN
That's the default location - but you may have them elsewhere, as is my case:
D:\BlackBerry Enterprise Service 10\Logs\RIM.BUDS.BWCN
The log we're after is "asg.log"
However - the logs don't always give you enough detail, so the first step is to up your level of logging detail to see what's really going on.
To increase the logging for the BlackBerry Work Connect Notification Service to TRACE
1. Stop the BES10 - BlackBerry Work Connect Notification Service
2. Browse to C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.BWCN\webapps\asg\WEB-INF\classes\
3. Make a backup copy of log4j.xml by copying it to the Desktop
4. Open the log4j.xml file with a file editor program such as Notepad
5. Remove everything in the file and replace with the following:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <!-- Rolling file appender writing asg.log; adjust the path if your Logs folder lives elsewhere -->
  <appender name="asg" class="org.apache.log4j.RollingFileAppender">
    <param name="file" value="C:/Program Files (x86)/Research In Motion/BlackBerry Enterprise Service 10/Logs/RIM.BUDS.BWCN/asg.log" />
    <param name="maxFileSize" value="200MB" />
    <param name="MaxBackupIndex" value="10" />
    <!-- DatePattern is only honoured by DailyRollingFileAppender; RollingFileAppender ignores it -->
    <param name="DatePattern" value="'.'yyyy-MM-dd" />
    <layout class="org.apache.log4j.PatternLayout">
      <param name="ConversionPattern" value="[%d] [%t] %-5p: %c:%L - %m%n" />
    </layout>
  </appender>
  <!-- Root logger: everything at debug and above goes to the asg appender -->
  <root>
    <priority value="debug" />
    <appender-ref ref="asg" />
  </root>
</log4j:configuration>
Now we've got extra logging awesomeness.
For our situation, we found a series of errors which led us to the issue:
[2014-08-21 09:22:38,766] [threadPoolTaskExecutor-2] DEBUG: org.apache.http.wire:86 - http-outgoing-2 << "<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Header><t:ServerVersionInfo MajorVersion="8" MinorVersion="3" MajorBuildNumber="298" MinorBuildNumber="1" xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types" /></soap:Header><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>The server to which the application is connected cannot impersonate the requested user due to insufficient permission.</faultstring><detail><e:ResponseCode xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">ErrorImpersonationDenied</e:ResponseCode><e:Message xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">The server to which the application is connected cannot impersonate the requested user due to insufficient permission.</e:Message></detail></soap:Fault></soap:Body></soap:Envelope>"
[2014-08-21 09:22:38,772] [threadPoolTaskExecutor-2] DEBUG: com.openpeak.asg.connector.health.aspect.ASGConnectorMonitorAspect:81 - finished monitoring asg connector:exchange_10 with health:ACCESS_DENIED
[2014-08-21 09:22:38,779] [threadPoolTaskExecutor-2] DEBUG: org.apache.http.wire:86 - >> "<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Subscription><email>user.name@x xxxxxxx.xxx</email><emailRetentionPeriod>2</emailRetentionPeriod><subscriptionId>FAILEDuser.na firstname.lastname@example.org</subscriptionId><asgKey>112043624630000000</asgKey></Subscription>"
So from this, we can determine that our issue is impersonation rights.
To debug and troubleshoot why impersonation rights aren't working, here's a handy link:
KB32861 - How to use the EWS Editor to test Microsoft Exchange Impersonation and Autodiscover
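An added example (not code from the thread or from BlackBerry) that does the triage the post does by hand: it scans an asg.log extract at DEBUG level, pulls out each connector's reported health and any EWS ResponseCode in the SOAP faults, and maps the ErrorImpersonationDenied code to the impersonation-rights check above. The log lines are constructed to mirror the quoted excerpt and the hint text is my own.

```python
import re
from collections import Counter

# Constructed sample modelled on the asg.log excerpt in the post (values are made up).
SAMPLE_ASG_LOG = """\
[2014-08-21 09:22:38,766] [threadPoolTaskExecutor-2] DEBUG: org.apache.http.wire:86 - http-outgoing-2 << "<soap:Body><soap:Fault><faultcode>soap:Client</faultcode><detail><e:ResponseCode xmlns:e="http://schemas.microsoft.com/exchange/services/2006/errors">ErrorImpersonationDenied</e:ResponseCode></detail></soap:Fault></soap:Body>"
[2014-08-21 09:22:38,772] [threadPoolTaskExecutor-2] DEBUG: com.openpeak.asg.connector.health.aspect.ASGConnectorMonitorAspect:81 - finished monitoring asg connector:exchange_10 with health:ACCESS_DENIED
[2014-08-21 09:22:38,779] [threadPoolTaskExecutor-2] DEBUG: org.apache.http.wire:86 - >> "<Subscription><subscriptionId>FAILEDuser</subscriptionId></Subscription>"
[2014-08-21 09:23:10,101] [threadPoolTaskExecutor-3] DEBUG: com.openpeak.asg.connector.health.aspect.ASGConnectorMonitorAspect:81 - finished monitoring asg connector:exchange_11 with health:OK
"""

# EWS error code inside the SOAP fault detail, e.g. <e:ResponseCode ...>ErrorImpersonationDenied</e:ResponseCode>
RESPONSE_CODE_RE = re.compile(r"<e:ResponseCode[^>]*>([A-Za-z]+)</e:ResponseCode>")
# Connector health line written by the ASG connector monitor
HEALTH_RE = re.compile(r"asg connector:(\S+) with health:(\S+)")

# My own mapping of fault codes to the next troubleshooting step from the thread.
HINTS = {
    "ErrorImpersonationDenied": "service account lacks EWS impersonation rights on Exchange; "
                                "test with the EWS Editor (KB32861)",
}


def triage_asg_log(text):
    """Summarise connector health and EWS fault codes from asg.log text."""
    health = {}                 # connector name -> last reported health state
    response_codes = Counter()  # EWS ResponseCode -> number of occurrences
    for line in text.splitlines():
        m = HEALTH_RE.search(line)
        if m:
            health[m.group(1)] = m.group(2)
        for code in RESPONSE_CODE_RE.findall(line):
            response_codes[code] += 1
    hints = [HINTS[c] for c in response_codes if c in HINTS]
    for connector, state in health.items():
        if state != "OK":
            hints.append(f"connector {connector} health is {state}; see the EWS fault codes above")
    return {"health": health, "response_codes": response_codes, "hints": hints}


if __name__ == "__main__":
    for key, value in triage_asg_log(SAMPLE_ASG_LOG).items():
        print(key, value)
```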
CrackBerry Master, 08-22-2014, 02:36 AM, #4
100% agree. Great writing and a nice way to summarize "How Apple does push for 3rd party apps".
The whole problem is caused by iOS not allowing apps to run in the background. The solution is to send a push message via APNS to the device for a specific app. The device shows the notification and when the user opens the app it may either use the push message if it contains enough data (lit suitable for email) or initiate a pull cycle and retrieve the data from the server.
This is why Apple's own mail app works so much better: it is allowed to run in the background.
Strange environment warning ahead:
If you have a NETBIOS domain name containing a dot like abc.dom, push notifications do not work.
I know this is very uncommon as most companies have abc as NETBIOS domain name and abc.local as DNS domain name. It's most likely a leftover from old NT4 upgrades and is not recommended by MS ("should not contain a dot").
The problem is a limitation of an Apache component that tries to be "helpful" by assuming that the user entered the DNS domain name by mistake. The component then makes an educated guess and just passes on the first part of the NETBIOS domain name (abc), which of course fails validation as no such domain exists.
Posted via CB10
Further to the above.
In our environment, enabling Anonymous Authentication (which is recommended by BlackBerry) actually caused a flood of 403 Forbidden errors in the asg.log, and a subsequent failure of the push notification service.
For our environment (Exchange 2007 CAS boxes), we had to disable Anonymous Auth for push notifications to work. (Restart IIS after changing anonymous auth)
Hopefully this helps someone.
If all seems to be good in the asg.log, but no push notifications, try this:
For the iOS notifications to also function, ensure that port 8088 is open between the Exchange and BES10 for ASG (BWCN service). This can be tested by logging onto Exchange (your CAS server) and trying the following example URL from the browser:
Note: Replace FQDNofBES10 with the FQDN of the BES10 server.
If working correctly, there will be no certificate warning prompt and XML data should display within the browser about the ASG version.
If a certificate warning is displayed accessing the URL, ensure the UDS certificate has been imported correctly on the Exchange CAS. If "page cannot be displayed" is seen, then ensure port 8088 is open between the Exchange CAS and BES10.
In our environment, we had incorrectly imported the UDS CA to the wrong CAS server - and this troubleshooting step identified that, as the URL prompted an untrusted certificate. Re-importing the UDS certificate as trusted root on the CORRECT CAS server helped!
Remember - after every significant change, restart the scheduler service as well as the Work Connect Notification service.
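An added check (not from the thread or from BlackBerry) that scripts the browser test above from the CAS: it opens TCP 8088 to the BES10 FQDN, completes a TLS handshake against the machine's trust store, and sorts a failure into the two branches the post distinguishes (certificate warning versus "page cannot be displayed"). FQDNofBES10 is the post's placeholder; the classification labels are my own.

```python
import socket
import ssl

ASG_PORT = 8088  # port the post says must be open from the Exchange CAS to BES10


def classify_asg_failure(exc):
    """Map a connect/TLS exception onto the post's two troubleshooting branches."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # The browser would show a certificate warning: import the UDS cert on this CAS.
        return "untrusted-cert"
    if isinstance(exc, ssl.SSLError):
        return "tls-error"
    if isinstance(exc, (ConnectionRefusedError, socket.timeout, TimeoutError, OSError)):
        # The browser would show "page cannot be displayed": check port 8088 is open.
        return "unreachable"
    return "unknown"


def check_asg_endpoint(bes_fqdn, port=ASG_PORT, timeout=5.0):
    """Return ("ok", subject) when TLS to the ASG port completes with a trusted
    certificate, otherwise (category, message) from classify_asg_failure()."""
    ctx = ssl.create_default_context()  # verifies the chain against the local trust store
    try:
        with socket.create_connection((bes_fqdn, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=bes_fqdn) as tls:
                cert = tls.getpeercert()
        subject = dict(rdn[0] for rdn in cert["subject"])
        return "ok", subject
    except Exception as exc:  # noqa: BLE001 - every failure is classified, not hidden
        return classify_asg_failure(exc), str(exc)


if __name__ == "__main__":
    # Replace FQDNofBES10 with the real BES10 server name before running on the CAS.
    print(check_asg_endpoint("FQDNofBES10"))
```

A result of "untrusted-cert" points at the UDS certificate import on this particular CAS, as in the wrong-server case described above; "unreachable" points at the firewall between CAS and BES10.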
CrackBerry Abuser, 08-25-2014, 08:16 AM, #7
Any way round that?
Posted via CB10
CrackBerry Master, 08-26-2014, 11:26 AM, #8
At this point I REALLY, REALLY wonder why BlackBerry always has to make "incomplete" setups. BES 10 is, as we all know, built on Mobile Fusion, which was a patchwork of BES 5.0 (- sync) and Ubitex (iOS/Android) + a management console. Apart from a little tweaking and fixing it was always a mess. This was from the old days when BlackBerry suddenly found out they would no longer survive as a single vendor company and needed to support iOS/Android.
With BES 5.0 you might remember the procedure for setting up SSO for BAS. Why on earth not write a small tool creating the necessary changes to AD and Kerberos delegation?
For UDS / push notifications a test tool would have saved a LOT of trouble. It could easily test open firewall ports, certificates, delegation stuff etc. It would save BES admins and T-Support a LOT of troubleshooting.
Also a tool for exporting the *current/active* UDS certificate would be nice. You might have seen 2-4 different UDS certificates after performing some BES SP installs. Why does the SP installer not inform you about a new UDS certificate being installed and remind you to export it and import it on the CAS? Why not offer to remove old certificates?
Looking forward to BES 12. Not much about the architecture is out, but I know some components are the same.