[horde] Activesync auth problems with GIT since X.509 certificate commit ?

Michael J Rubinsky mrubinsk at horde.org
Mon Sep 9 17:56:55 UTC 2013 

Moving back to the list after receiving config.

Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:

> On 09/09/2013 08:00 PM, Michael J Rubinsky wrote:
>>
>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>
>>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>>
>>>> Quoting Tomi Orava <Tomi.Orava at ncircle.nullnet.fi>:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'd rather not post my conf.php for public view, so I'll send
>>>>> to you personally.
>>>>>
>>>>>>>
>>>>>>> Has anyone else seen authentication problems with mobile
>>>>>>> devices (android & wp8) after the commit:
>>>>>>>
>>>>>>> commit fe9ec485c31bef4566f6451c9aafd8c780c41cd9 Author:
>>>>>>> Michael J Rubinsky <mrubinsk at horde.org> Date:   Sat Aug 31
>>>>>>> 15:07:17 2013 -0400
>>>>>>>
>>>>>>> Fully support X509 certificates for ActiveSync.
>>>>>>>
>>>>>>> Allow separate configuration for ActiveSync Authentication
>>>>>>> methods. Emulates Exchange server's ability to accept
>>>>>>> either: HTTP Basic only, client certificate only, or to
>>>>>>> require both HTTP Basic AND client certificates. If
>>>>>>> configured to require both, horde-wide Auth driver is used
>>>>>>> to authenticate using the HTTP Basic credentials, and the
>>>>>>> X509 driver is used to to authenticate with the client
>>>>>>> certificate. Obviously requires webserver config/support
>>>>>>> for the certificates.
>>>>>>>
>>>>>>>
>>>>>>> The Web interface works just fine with the imap login auth,
>>>>>>> but it seems that I'm missing something from the
>>>>>>> configuration as none of the mobile devices are able to
>>>>>>> login anymore (I'm using private certificate with my own ca
>>>>>>> certificate).
>>>>>>>
>>>>>>> Everything is back to normal if I revert back to the
>>>>>>> previous commit.
>>>>>>>
>>>>>>> Regards, Tomi Orava
>>>>>>
>>>>>> So, you are trying to use X509 certificates with your device?
>>>>>> Can you post your configuration?
>>>>>
>>>>> Well, this is just a normal ssl setup, although I'd like to use
>>>>> also the client certificates if the Samsung Galaxy S3 wouldn't
>>>>> disable those from the account.
>>>>>
>>>>> I did not see any new configuration blocks for the auth setup
>>>>> or something.
>>>>>
>>>>> Regards, Tomi Orava
>>>>
>>>>
>>>> Are you running the most up to date git code?
>>>
>>> Yes, just updated before trying again after yesterday:
>>>
>>> I'm on commit: 0fa5b22537e55728862b83d1f3d4f70cc0c7731d
>>
>> Not sure. There was a problem in
>> Horde_Core_ActiveSync_Driver::authenticate() for a short time after
>> the initial commit was made, but that was fixed. Anything in the
>> logs? This works fine for me here. Just to be clear, we are talking
>> about normal authentication from the activesync client and the
>> webserver itself does not require certificates to be authenticated,
>> right?
>
> The only logs are:
>
> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Load config file  
> (conf.php; app: horde) [pid 18319 on line 409 of  
> "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
> 2013-09-09T20:14:31+03:00 NOTICE: HORDE [horde] Login failed from  
> ActiveSync client for user kaisa. [pid 18319 on line 567 of  
> "/usr/local/share/git/horde/framework/ActiveSync/lib/Horde/ActiveSync.php"]
> 2013-09-09T20:14:31+03:00 DEBUG: HORDE [horde] Max memory usage:  
> 22282240 bytes [pid 18319 on line 566 of  
> "/usr/local/share/git/horde/framework/Core/lib/Horde/Registry.php"]
> 2013-09-09T20:14:32+03:00 DEBUG: HORDE Load config file (conf.php;  
> app: horde) [pid 19382 on line 409 of  
> "/usr/local/share/git/horde/framework/Core/lib/Horde.php"]
>
>
> Ok, now when you mention about it ...
> Yes, you can't access my horde installation without
> username & password (basic authentication), except these files:
>
>         <Files rpc.php>
>             Order Allow,Deny
>             Allow from all
>             Satisfy Any
>         </Files>
>
>         <Files fb.php>
>             Order Allow,Deny
>             Allow from all
>             Satisfy Any
>         </Files>
>
> This has never caused any problems in here, though.

This shouldn't matter, as far as activesync goes. rpc.php is the only  
page it interfaces with.


> I'm using the EAS 14.1 and using Nexus 7, Galaxy S3 and Lumia 820
> all with the latest firmwares.
>
> If I take the X509 commit into use, none of those is able to login
> via activesync, normal web pages work just fine though (as they should).
>
> The horde authentication system is using imap server for password checking
> (cyrus imapd), in case this matters.

Do you see the authentication attempt in the imap server log?


>
> BTW.
>
> I updated to this latest GIT version as my wife's lumia is currently
> missing all possible contacts/calendar entries even after account removal
> on both ends & phone reboot. I used the version just before the X.509
> commit to try re-creating the account without success. Imap over ssl
> works just fine, but none of the contacts or calendar entries got synced
> to the phone. I do have complete debug logs in case this is something new.


-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5849 bytes
Desc: S/MIME Signature
URL: <http://lists.horde.org/archives/horde/attachments/20130909/238dfa3f/attachment-0001.bin>

More information about the horde mailing list