[horde] ActiveSync login & client-side certificates
Jens-U. Mozdzen
jmozdzen at nde.ag
Mon May 26 13:03:53 UTC 2014
Hi *,
I tried to add a rule to our web server so that ActiveSync access
requires not only a client-side certificate, but is limited to a
pre-defined list of certificates:
--- cut here ---
<Location /Microsoft-Server-ActiveSync>
SSLOptions +StrictRequire +ExportCertData +FakeBasicAuth
AuthName "nonsense message here"
AuthType Basic
AuthUserFile /etc/apache2/vhosts.d/passwd
AuthGroupFile /etc/apache2/vhosts.d/groups
Require group activesync
</Location>
--- cut here ---
Before adding that rule, any ActiveSync request was logged in Apache's
access log via the user name. After the change, I can see that both
the client presents the proper certificate and that the cert name is
used during httpd's logging.
Unfortunately, somehow the Horde ActiveSync code does use the
certificate name as the user name to authenticate, which will not work,
of course. I see in Horde's log:
==> /var/log/horde/horde5.log <==
2014-05-26T14:49:02+02:00 ERR: HORDE [horde] [pid 30911 on line 62 of
"/usr/share/php5/PEAR/Horde/Core/ActiveSync/Auth.php"]
2014-05-26T14:49:02+02:00 NOTICE: HORDE [horde] Login failed from
ActiveSync client for user ***certificate DN redacted for security***.
[pid 30911 on line 542 of "/usr/share/php5/PEAR/Horde/ActiveSync.php"]
The corresponding entry in httpd's access_log shows the expected 401 error:
==> /var/log/apache2/access_log.ssl <==
192.168.102.4 - ***certificate DN redacted for security***
[26/May/2014:14:49:02 +0200] "OPTIONS
/Microsoft-Server-ActiveSync?Cmd=OPTIONS&User=***userid***&DeviceId=**devid***&DeviceType=***devicetype*** HTTP/1.1" 401
-
Activating (or deactivating) the following settings according to the
Wiki doesn't change anything:
--- cut here ---
RewriteRule .* -
[E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
--- cut here ---
The login name is part of the ActiveSync request (User=***username***),
so can't Horde use that user name for validation? Is it some hook on
my side that interferes with this? Looking at the hooks below
/horde/config or /horde/imp/config didn't reveal anything that seems
relevant...
Thank you for any pointers.
With regards,
Jens
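As an added illustration (not Horde's code and not part of the original post): the quirk described above is that with +FakeBasicAuth Apache hands the certificate's subject DN to the application as the basic-auth user name, while the ActiveSync account name travels separately in the User= query parameter. The Python function below works on a constructed request environment and resolves the account from the query string, accepting the request only when the presented DN is on an explicit DN-to-account allow-list and is bound to that same account; the DN, account and device values are constructed placeholders, and the function name is hypothetical.

```python
from urllib.parse import parse_qs

# Constructed allow-list: which client-certificate subject DN may act as which
# ActiveSync account. Placeholder values, not taken from the original post.
ALLOWED_CERTS = {
    "/C=XX/O=Example/CN=phone-of-jens": "jens",
}


def resolve_activesync_user(environ, allowed=ALLOWED_CERTS):
    """Return the account name to authenticate as, or None to reject.

    environ mimics the CGI variables Apache exposes to PHP/Horde:
      REMOTE_USER   - with +FakeBasicAuth this is the certificate's subject
                      DN, not the mailbox user (the behaviour seen in the log)
      QUERY_STRING  - the ActiveSync request, e.g. Cmd=OPTIONS&User=...
    """
    dn = environ.get("REMOTE_USER", "")
    account = allowed.get(dn)
    if account is None:
        # Certificate not on the list (or no certificate at all): reject.
        return None
    params = parse_qs(environ.get("QUERY_STRING", ""))
    requested = params.get("User", [""])[0]
    # ActiveSync clients may send DOMAIN\user or user@domain; reduce both to
    # the bare account name before comparing.
    requested = requested.split("\\")[-1].split("@")[0].lower()
    if requested != account:
        # Valid certificate, but it is bound to a different account.
        return None
    return account
```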