[horde] ActiveSync login & client-side certificates

Michael J Rubinsky mrubinsk at horde.org
Mon May 26 14:06:00 UTC 2014


Quoting "Jens-U. Mozdzen" <jmozdzen at nde.ag>:

> Hi *,
>
> I tried to add a rule to our web server so that ActiveSync access  
> requires not only a client-side certificate, but is limited to a  
> pre-defined list of certificates:
>
> --- cut here ---
> <Location /Microsoft-Server-ActiveSync>
>         SSLOptions +StrictRequire +ExportCertData +FakeBasicAuth
>         AuthName        "nonsense message here"
>         AuthType        Basic
>         AuthUserFile    /etc/apache2/vhosts.d/passwd
>         AuthGroupFile   /etc/apache2/vhosts.d/groups
>         Require         group activesync
> </Location>
> --- cut here ---
>
> Before adding that rule, any ActiveSync request was logged in  
> Apache's access log via the user name. After the change, I can see  
> that both the client presents the proper certificate and that the  
> cert name is used during httpd's logging.
>
> Unfortunately, somehow the Horde ActiveSync code does use the  
> certificate name as the user name to authenticate, which will not  
> work, of course. I see in Horde's log:
>
> ==> /var/log/horde/horde5.log <==
> 2014-05-26T14:49:02+02:00 ERR: HORDE [horde]  [pid 30911 on line 62  
> of "/usr/share/php5/PEAR/Horde/Core/ActiveSync/Auth.php"]
> 2014-05-26T14:49:02+02:00 NOTICE: HORDE [horde] Login failed from  
> ActiveSync client for user ***certificate DN redacted for  
> security***. [pid 30911 on line 542 of  
> "/usr/share/php5/PEAR/Horde/ActiveSync.php"]
>
> The corresponding entry in httpd's access_log shows the expected 401 error:
>
> ==> /var/log/apache2/access_log.ssl <==
> 192.168.102.4 - ***certificate DN redacted for security***  
> [26/May/2014:14:49:02 +0200] "OPTIONS  
> /Microsoft-Server-ActiveSync?Cmd=OPTIONS&User=***userid***&DeviceId=**devid***&DeviceType=***devicetype*** HTTP/1.1" 401  
> -
>
> Activating (or deactivating) the following settings according to the  
> Wiki doesn't change anything:
>
> --- cut here ---
>         RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
>         RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
>         RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
> --- cut here ---
>
> The login name is part of the ActiveSync request (User=***username***),  
> so can't Horde use that user name for validation? Is it some hook on  
> my side that interferes with this? Looking at the hooks below  
> /horde/config or /horde/imp/config didn't reveal anything that seems  
> relevant...
>
> Thank you for any pointers.


What versions of Horde and pertinent libraries are you using?  Horde  
5.2 (which is currently in beta) has native support for using X509  
client certs for ActiveSync either in lieu of, or in addition to  
normal username/password auth. There are also a number of hooks that  
can be used to customize the behavior.

That being said, I'm not 100% sure I follow your example. What  
username/password is being passed to Horde, where does it come from?

-- 
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
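As an added example, not part of this thread or of the Horde project: why the certificate DN ends up as the login name, and a variant of the quoted block that keeps the certificate allow-list without rewriting the Authorization header. It assumes Apache 2.4 (mod_authz_core `Require expr`); the DNs are placeholders.

```apache
# What the original <Location> block does: with +FakeBasicAuth, mod_ssl
# replaces the request's Authorization header with
#   Basic base64("<client cert Subject DN>:password")
# before the application runs, so the credentials the ActiveSync client
# sent are gone and Horde sees the DN as the user name. That is also why
# access_log shows the DN in the user field.

# Corrected block: certificate check in Apache, Basic auth left to Horde.
<Location /Microsoft-Server-ActiveSync>
    # Require a client certificate that chains to the configured CA.
    SSLVerifyClient require
    SSLVerifyDepth  2
    # Export SSL_CLIENT_* variables for logging/auditing, but do NOT set
    # +FakeBasicAuth, so the client's own Authorization header reaches
    # Horde unchanged.
    SSLOptions +StrictRequire +ExportCertData

    # Pin access to a fixed list of certificate subjects. Placeholder DNs:
    # copy the exact SSL_CLIENT_S_DN strings that Apache itself logs,
    # since the DN format depends on the mod_ssl version.
    Require expr %{SSL_CLIENT_S_DN} in { \
        "CN=phone-1,OU=ActiveSync,O=Example Org,C=DE", \
        "CN=phone-2,OU=ActiveSync,O=Example Org,C=DE" }
</Location>

# Header hand-off from the Horde wiki, unchanged: PHP still receives the
# ActiveSync headers and the (now unmodified) Authorization header.
RewriteEngine On
RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
```

After the change, a request with an unlisted certificate should be rejected by Apache (403) before Horde runs, while listed devices authenticate with their normal username/password.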