[sync] ActiveSync login & client-side certificates

Jens-Uwe Mozdzen jmozdzen at nde.ag
Mon May 26 13:06:18 UTC 2014 

Hi *,

(sorry for the duplicate, sent this to the wrong list)

I tried to add a rule to our web server so that ActiveSync access  
requires not only a client-side certificate, but is limited to a  
pre-defined list of certificates:

--- cut here ---
<Location /Microsoft-Server-ActiveSync>
          SSLOptions +StrictRequire +ExportCertData +FakeBasicAuth
          AuthName        "nonsense message here"
          AuthType        Basic
          AuthUserFile    /etc/apache2/vhosts.d/passwd
          AuthGroupFile   /etc/apache2/vhosts.d/groups
          Require         group activesync
</Location>
--- cut here ---

Before adding that rule, any ActiveSync request was logged in Apache's  
access log via the user name. After the change, I can see that both  
the client presents the proper certificate and that the cert name is  
used during httpd's logging.

Unfortunately, somehow the Horde ActiveSync code does use the  
certifate name as the user name to authenticate, which will not work,  
of course. I see in Horde's log:

==> /var/log/horde/horde5.log <==
2014-05-26T14:49:02+02:00 ERR: HORDE [horde]  [pid 30911 on line 62 of  
"/usr/share/php5/PEAR/Horde/Core/ActiveSync/Auth.php"]
2014-05-26T14:49:02+02:00 NOTICE: HORDE [horde] Login failed from  
ActiveSync client for user ***certificate DN redacted for security***.  
[pid 30911 on line 542 of "/usr/share/php5/PEAR/Horde/ActiveSync.php"]

The corresponding entry in httpd' access_log shows the expected 401 error:

==> /var/log/apache2/access_log.ssl <==
192.168.102.4 - ***certificate DN redacted for security***  
[26/May/2014:14:49:02 +0200] "OPTIONS  
/Microsoft-Server-ActiveSync?Cmd=OPTIONS&User=***userid***&DeviceId=**devid***&DeviceType=***devicetype*** HTTP/1.1" 401  
-

Activating (or deactivating) the following settings according to the  
Wiki doesn't change anything:

--- cut here ---
          RewriteRule .* -  
[E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
          RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
          RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
--- cut here ---

The login name part of the ActiveSync request (User=***username***),  
so can't Horde use that user name for validation? Is it some hook on  
my side that interferes with this? Looking at the hooks below  
/horde/config or /horde/imp/config didn't reveal anything that seems  
relevant...

Thank you for any pointers.

With regards,
Jens

-- 
Jens-U. Mozdzen                         voice   : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
Postfach 61 03 15                       mobile  : +49-179-4 98 21 98
D-22423 Hamburg                         e-mail  : jmozdzen at nde.ag

         Vorsitzende des Aufsichtsrates: Angelika Mozdzen
           Sitz und Registergericht: Hamburg, HRB 90934
                   Vorstand: Jens-U. Mozdzen
                    USt-IdNr. DE 814 013 983

More information about the sync mailing list