[sync] ActiveSync login & client-side certificates
Jens-Uwe Mozdzen
jmozdzen at nde.ag
Mon May 26 13:06:18 UTC 2014
Hi *,
(sorry for the duplicate, sent this to the wrong list)
I tried to add a rule to our web server so that ActiveSync access
requires not only a client-side certificate, but is limited to a
pre-defined list of certificates:
--- cut here ---
<Location /Microsoft-Server-ActiveSync>
SSLOptions +StrictRequire +ExportCertData +FakeBasicAuth
AuthName "nonsense message here"
AuthType Basic
AuthUserFile /etc/apache2/vhosts.d/passwd
AuthGroupFile /etc/apache2/vhosts.d/groups
Require group activesync
</Location>
--- cut here ---
Before adding that rule, any ActiveSync request was logged in Apache's
access log via the user name. After the change, I can see that both
the client presents the proper certificate and that the cert name is
used during httpd's logging.
Unfortunately, somehow the Horde ActiveSync code does use the
certificate name as the user name to authenticate, which will not work,
of course. I see in Horde's log:
==> /var/log/horde/horde5.log <==
2014-05-26T14:49:02+02:00 ERR: HORDE [horde] [pid 30911 on line 62 of
"/usr/share/php5/PEAR/Horde/Core/ActiveSync/Auth.php"]
2014-05-26T14:49:02+02:00 NOTICE: HORDE [horde] Login failed from
ActiveSync client for user ***certificate DN redacted for security***.
[pid 30911 on line 542 of "/usr/share/php5/PEAR/Horde/ActiveSync.php"]
The corresponding entry in httpd's access_log shows the expected 401 error:
==> /var/log/apache2/access_log.ssl <==
192.168.102.4 - ***certificate DN redacted for security*** [26/May/2014:14:49:02 +0200] "OPTIONS /Microsoft-Server-ActiveSync?Cmd=OPTIONS&User=***userid***&DeviceId=**devid***&DeviceType=***devicetype*** HTTP/1.1" 401 -
Activating (or deactivating) the following settings according to the
Wiki doesn't change anything:
--- cut here ---
RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
--- cut here ---
The login name is part of the ActiveSync request (User=***username***),
so can't Horde use that user name for validation? Is it some hook on
my side that interferes with this? Looking at the hooks below
/horde/config or /horde/imp/config didn't reveal anything that seems
relevant...
Thank you for any pointers.
With regards,
Jens
--
Jens-U. Mozdzen voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15 mobile : +49-179-4 98 21 98
D-22423 Hamburg e-mail : jmozdzen at nde.ag
Vorsitzende des Aufsichtsrates: Angelika Mozdzen
Sitz und Registergericht: Hamburg, HRB 90934
Vorstand: Jens-U. Mozdzen
USt-IdNr. DE 814 013 983
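The configuration below is an added example, not part of the original post and not Horde's or the poster's own configuration. It shows what the posted SSLOptions +FakeBasicAuth setup relies on (Apache synthesises Basic credentials from the certificate's Subject DN with a fixed password, which is why the DN, not the device's login name, arrives at the application), and beside it an alternative that restricts access to a fixed list of client certificates without touching the Authorization header. It assumes Apache 2.4 (mod_ssl and mod_authz_core with "Require expr"); the DNs, the CA file path and the user file entries are placeholders.

```apache
# Added example: two ways of limiting /Microsoft-Server-ActiveSync to a
# pre-defined list of client certificates. All DNs and paths are placeholders.

# Variant A: what "SSLOptions +FakeBasicAuth" does. The certificate's Subject
# DN becomes the Basic-auth user name, and mod_ssl supplies a fixed password,
# so every allowed DN must appear in the AuthUserFile with the crypt() hash of
# the word "password" (xxj31ZMTZzkVA, as documented for mod_ssl):
#
#   /etc/apache2/vhosts.d/passwd:
#   /C=DE/ST=Hamburg/O=Example AG/CN=device01:xxj31ZMTZzkVA
#
#   /etc/apache2/vhosts.d/groups:
#   activesync: /C=DE/ST=Hamburg/O=Example AG/CN=device01
#
# Because Apache replaces the client's Basic credentials with the DN, the
# application behind it sees the DN as REMOTE_USER, not the device's login.

# Variant B: match the DN directly and leave the device's own Authorization
# header untouched, so the application still authenticates the real user.
<Location /Microsoft-Server-ActiveSync>
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/apache2/ssl.crt/activesync-clients-ca.crt
    SSLOptions +StrictRequire +ExportCertData

    # Apache 2.4 renders the DN in RFC 2253 form ("CN=...,O=...,C=DE");
    # add "SSLOptions +LegacyDNStringFormat" to get the "/C=DE/O=..." form.
    Require expr %{SSL_CLIENT_S_DN} in { \
        "CN=device01,O=Example AG,ST=Hamburg,C=DE", \
        "CN=device02,O=Example AG,ST=Hamburg,C=DE" }
</Location>
```

With Variant B a certificate that is valid for the CA but whose DN is not in the list is rejected by Apache with a 403, while a request from a listed certificate reaches the application with the device's own Basic credentials intact; the exact DN string to put in the list can be read from SSL_CLIENT_S_DN in the access log once ExportCertData is active.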