That requires LDAP access to AD from each client, which is not possible when the mobile client is not on the local network.
I did some more research and found this -
The client: Apple Mail on iPhone 5S
IOS Version: tested with both 8 and 9
Exchange: 2010, latest service pack
ActiveSync Protocol: 14.1
I traced activesync calls between iPhone and Exchange CAS and I see the phone does a “ResolveRecipients” cmd call when the phone does a cert lookup -
2015-09-17 21:28:15 172.11.22.33 POST /Microsoft-Server-ActiveSync/default.eas User=vaibhav&DeviceId=ApplXXXXXXXXXXXX&DeviceType=iPhone&Cmd=ResolveRecipients………..
ResolveRecipients is the call used to look up GAL entries and optionally certificates for a recipient. ResolveRecipients uses this XML element structure -
So I traced the ActiveSync interaction inside the HTTPS packets. First tried using IIS logs but that was useless. Found an option in OWA to log device interaction. So I see this when the client does a cert lookup -
Request (from Apple Mail)
——————————
RequestBody :
<?xml version="1.0" encoding="utf-8" ?>
<ResolveRecipients xmlns="ResolveRecipients:">
  <To bytes="21"/>
  <Options>
    <MaxAmbiguousRecipients>0</MaxAmbiguousRecipients>
    <CertificateRetrieval>2</CertificateRetrieval>
  </Options>
</ResolveRecipients>
——————————
Response (from Exchange CAS)
——————————
<?xml version="1.0" encoding="utf-8" ?>
<ResolveRecipients xmlns="ResolveRecipients:">
  <Status>1</Status>
  <Response>
    <To bytes="21"/>
    <Status>1</Status>
    <RecipientCount>1</RecipientCount>
    <Recipient>
      <Type>1</Type>
      <DisplayName>Test User</DisplayName>
      <EmailAddress>email@hidden</EmailAddress>
      <Certificates>
        <Status>7</Status>
      </Certificates>
    </Recipient>
  </Response>
</ResolveRecipients>
——————————
The interesting things to see in the above -
1. MaxAmbiguousRecipients is being set to “0” by Apple Mail. I hope that means “send me all available responses” and not really “limit to 0”. Microsoft documentation is not really clear on what “0” means -
https://msdn.microsoft.com/en-us/library/gg675493(v=exchg.80).aspx
2. The response from Exchange CAS includes the Certificates section with “Status: 7”, which means “the recipient does not have a valid S/MIME cert” -
https://msdn.microsoft.com/en-us/library/gg675644(v=exchg.80).aspx
This is not true because we have a cert uploaded for the user in AD and Outlook for Windows clients are able to look up that cert successfully.
So, now I am confused as to how to proceed further. Not sure why this interaction has a failure result only for Apple Mail lookups. Trying to find another ActiveSync client that can do the same cert lookups.
—
VaibhaV
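As an added example (not code from the thread or from Apple or Microsoft), here is Python that builds a ResolveRecipients request body with the element structure Apple Mail sent above and parses the captured response to report the per-recipient Certificates status, so the "Status 7 but a cert exists in AD" case is caught programmatically. The sample response is the capture from this message, re-typed as XML; the real wire format is WBXML, which the Exchange device log has already decoded. The `Certificate` child element name used for returned blobs comes from the MS-ASCMD ResolveRecipients schema and does not appear in the capture because the lookup failed.

```python
"""Build and parse Exchange ActiveSync ResolveRecipients bodies (added example)."""
import xml.etree.ElementTree as ET

NS = "{ResolveRecipients:}"  # default namespace used in the captured XML

# Status values as they appear in the captured exchange.
STATUS_SUCCESS = 1             # top-level, per-Response and per-Certificates success
CERT_STATUS_NO_VALID_CERT = 7  # Certificates/Status: recipient has no valid S/MIME cert
CERT_RETRIEVAL_FULL = 2        # CertificateRetrieval value Apple Mail sent in the capture

# Constructed sample: the response captured in the thread, re-typed as XML.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8" ?>
<ResolveRecipients xmlns="ResolveRecipients:">
<Status>1</Status>
<Response>
<To bytes="21"/>
<Status>1</Status>
<RecipientCount>1</RecipientCount>
<Recipient>
<Type>1</Type>
<DisplayName>Test User</DisplayName>
<EmailAddress>email@hidden</EmailAddress>
<Certificates>
<Status>7</Status>
</Certificates>
</Recipient>
</Response>
</ResolveRecipients>"""


def _int_child(elem, name):
    """Integer value of a child element, or None when it is absent."""
    text = elem.findtext(NS + name) if elem is not None else None
    return int(text) if text is not None else None


def build_resolve_recipients_request(to, max_ambiguous=0, cert_retrieval=CERT_RETRIEVAL_FULL):
    """Serialise a request with the same elements Apple Mail sent:
    To, Options/MaxAmbiguousRecipients, Options/CertificateRetrieval."""
    root = ET.Element(NS + "ResolveRecipients")
    ET.SubElement(root, NS + "To").text = to
    opts = ET.SubElement(root, NS + "Options")
    ET.SubElement(opts, NS + "MaxAmbiguousRecipients").text = str(max_ambiguous)
    ET.SubElement(opts, NS + "CertificateRetrieval").text = str(cert_retrieval)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True,
                       default_namespace="ResolveRecipients:")


def parse_resolve_recipients_request(xml_bytes):
    """Read back the three values a request carries (Options is optional)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != NS + "ResolveRecipients":
        raise ValueError("not a ResolveRecipients body: %s" % root.tag)
    opts = root.find(NS + "Options")
    return {
        "to": root.findtext(NS + "To"),
        "max_ambiguous": _int_child(opts, "MaxAmbiguousRecipients"),
        "cert_retrieval": _int_child(opts, "CertificateRetrieval"),
    }


def parse_resolve_recipients_response(xml_bytes):
    """Return the top-level status and, per Response, each recipient with its
    Certificates status and any returned base64 certificate blobs."""
    root = ET.fromstring(xml_bytes)
    if root.tag != NS + "ResolveRecipients":
        raise ValueError("not a ResolveRecipients body: %s" % root.tag)
    out = {"status": _int_child(root, "Status"), "responses": []}
    for resp in root.findall(NS + "Response"):
        entry = {"status": _int_child(resp, "Status"),
                 "recipient_count": _int_child(resp, "RecipientCount") or 0,
                 "recipients": []}
        for rcpt in resp.findall(NS + "Recipient"):
            certs = rcpt.find(NS + "Certificates")
            cert_status = _int_child(certs, "Status")
            blobs = ([c.text for c in certs.findall(NS + "Certificate") if c.text]
                     if certs is not None else [])
            entry["recipients"].append({
                "display_name": rcpt.findtext(NS + "DisplayName"),
                "email": rcpt.findtext(NS + "EmailAddress"),
                "cert_status": cert_status,
                "certificates": blobs,
                # Usable only when the server reported success AND sent data.
                "has_cert": cert_status == STATUS_SUCCESS and bool(blobs),
            })
        out["responses"].append(entry)
    return out


def describe_cert_status(code):
    """Human-readable meaning of a Certificates/Status value seen in the capture."""
    if code == STATUS_SUCCESS:
        return "certificate(s) returned"
    if code == CERT_STATUS_NO_VALID_CERT:
        return "recipient has no valid S/MIME certificate"
    if code is None:
        return "no Certificates element in the response"
    return "status %d (see the MS-ASCMD Certificates/Status table)" % code


if __name__ == "__main__":
    parsed = parse_resolve_recipients_response(SAMPLE_RESPONSE)
    for resp in parsed["responses"]:
        for r in resp["recipients"]:
            print(r["display_name"], r["email"], describe_cert_status(r["cert_status"]))
```

Run against the decoded XML from the Exchange device log: a recipient with `has_cert` False while the same user resolves with a certificate from Outlook is exactly the discrepancy described in this message, and comparing the request's `cert_retrieval` and `max_ambiguous` values across clients shows whether the clients are even asking for the same thing.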
From: "Rowe, Walter"
Date: Thursday, September 10, 2015 at 9:59 AM
To: VaibhaV Sharma
Subject: Re: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
I was able to use Apple Mail in 10.11 to find certs in the userCertificate attribute in AD provided (a) the certificate was identified as an encryption certificate, and (b) Keychain prefs were set to search the directory for certificates.
--
Walter Rowe, Application Hosting
Infrastructure Services / OISM / NIST
US Department of Commerce
Email: email@hidden
Office: 301.975.2885
On Sep 10, 2015, at 12:25 PM, VaibhaV Sharma <email@hidden> wrote:
I did some additional testing based on your description below and see some issues.
Test Process
* Used Outlook for Mac to “submit S/MIME cert to GAL” from the trust center
* Verified that userSMIMECertificate is populated
* Used ldapsearch from a mac / linux machine to fetch userSMIMECertificate from AD user object
The downloaded cert from userSMIMECertificate seems to be in PEM format and not DER.
Also testing the new Outlook/Mac 2015 and it has random cert fetch issues for certain users. Not sure if it is related. Running some other tests. Will report if I find anything interesting.
—
VaibhaV
On 7/24/15, 10:42 AM, "fed-talk-bounces+vaibhav=email@hidden on behalf of Miller, Timothy J." <fed-talk-bounces+vaibhav=email@hidden on behalf of email@hidden> wrote:
userCertificate is part of the standard RFC 4523 LDAP core schema; it's included in the pkiUser and strongAuthenticationUser classes. It should be a DER encoded RFC 5280 Certificate object.
userSMIMECertificate is defined in a different standard, RFC 2798, which defines the inetOrgPerson class. This should be a defined DER encoded signed PKCS#7 object following RFC 5751.
userSMIMECertificate is supposed to be preferred over userCertificate for S/MIME applications. RFC 2798 has a slight ambiguity on that point since it doesn't use RFC 2119 nomenclature. It's possible that Apple Keychain Access and/or Address Book is looking for userSMIMECertificate, is strict about the implied SHOULD clause, and doesn't fall back on userCertificate when userSMIMECertificate is not available. The last time I did specific testing on this was c.2006, and I no longer have those notes.
Publishing userCertificate to a directory can be done by anything. Subject to directory permissions. Microsoft Certificate Services will automatically publish to AD when the CA is run as an Enterprise CA.
Publishing userSMIMECertificate requires the private key and therefore is not automatic. Outlook/Windows has this function in Trust Center in the S/MIME profile settings pane as the "Publish to GAL" button. Outlook/Mac has no equivalent.
-- T
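The two attributes Tim describes carry differently shaped DER objects, and VaibhaV's later test found a value that looked like PEM rather than DER. As an added example (not code from the thread), the Python below classifies the raw bytes of a fetched userCertificate or userSMIMECertificate value by its outer ASN.1 structure: an RFC 5280 Certificate is a SEQUENCE whose first child is the tbsCertificate SEQUENCE, while a PKCS#7 ContentInfo is a SEQUENCE whose first child is the id-signedData OID. The DER samples are hand-built ASN.1 skeletons, not real certificates.

```python
"""Classify AD userCertificate / userSMIMECertificate values (added example)."""
import base64

# id-signedData, 1.2.840.113549.1.7.2, as the contents octets of a DER OID
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")


def _tlv(tag, body):
    """Encode one DER tag-length-value (used here only to build the samples)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _read_tlv(buf, off):
    """Return (tag, body_start, body_end) for the TLV at buf[off]; raise on truncation."""
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or off + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("truncated body")
    return tag, off, off + length


def classify(blob):
    """Return 'pem', 'der-x509-certificate', 'der-pkcs7-signeddata' or 'unknown'."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return "pem"
    try:
        tag, start, end = _read_tlv(blob, 0)
        if tag != 0x30 or end != len(blob):  # exactly one outer SEQUENCE, no trailing bytes
            return "unknown"
        inner_tag, istart, iend = _read_tlv(blob, start)
    except ValueError:
        return "unknown"
    if inner_tag == 0x06 and blob[istart:iend] == PKCS7_SIGNED_DATA_OID:
        return "der-pkcs7-signeddata"      # ContentInfo { contentType = signedData, ... }
    if inner_tag == 0x30:
        return "der-x509-certificate"      # Certificate { tbsCertificate SEQUENCE, ... }
    return "unknown"


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    lines = [line.strip() for line in pem.splitlines()]
    body = b"".join(line for line in lines if line and not line.startswith(b"-----"))
    return base64.b64decode(body, validate=True)


# Constructed samples: minimal skeletons, not real certificates.
DER_CERT_SKELETON = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")))    # SEQUENCE { SEQUENCE { INTEGER 1 } }
DER_PKCS7_SKELETON = _tlv(0x30, _tlv(0x06, PKCS7_SIGNED_DATA_OID)  # SEQUENCE { OID signedData,
                           + _tlv(0xA0, _tlv(0x30, b"")))          #            [0] { SEQUENCE {} } }
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(DER_CERT_SKELETON)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, value in [("userCertificate", DER_CERT_SKELETON),
                        ("userSMIMECertificate", DER_PKCS7_SKELETON),
                        ("PEM from a tool", PEM_SAMPLE)]:
        kind = classify(value)
        if kind == "pem":
            kind += " -> " + classify(pem_to_der(value))
        print("%-22s %s" % (name, kind))
```

Feed it the raw attribute value exactly as the directory returns it (for example the bytes an LDAP client writes to a file); if the value classifies as `pem`, the tool that fetched it re-encoded the attribute, and `pem_to_der` recovers the underlying object so the DER check can run on that.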
-----Original Message-----
From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-talk-bounces+tmiller=email@hidden] On Behalf Of Neely, Lee
Sent: Friday, July 24, 2015 12:24 PM
To: Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] <email@hidden>
Cc: Apple Fed-Talk List <email@hidden>
Subject: Re: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
Yes, it is in UserCertificate. Value is a binary (Of course)
From: Campbell, Paul Madison (ARC-TH)[ASRC RESEARCH & TECHNOLOGY SOLUTIONS] [mailto:email@hidden]
Sent: Friday, July 24, 2015 9:56 AM
To: Neely, Lee
Cc: Apple Fed-Talk List
Subject: Re: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
Huh, I’m in Walter’s boat. Natively joined Macs, Contacts configured with connection to GAL, Exchange 2010 (not sure on SP level). I’ve never seen Contacts or Mail able to grab certs along with contacts or addressing. Maybe there’s something unique about Lee’s exchange?
Lee, on your AD schema, is the user’s certificate stored in the value “UserCertificate”?
You can test by going to Directory Utility > Directory Editor > Search Users for yourself, scroll through the attributes on the right for your cert.
--
Paul Campbell | Senior Macintosh Systems Administrator
ASRC Federal Research and Technology Solutions
NASA Ames Research Center, Moffett Field, CA 94035
email@hidden
W: 650.604.4014 | F: 650.604.3323
ASRC Federal | Customer-Focused. Operationally Excellent.
On Jul 24, 2015, at 9:36 AM, Neely, Lee <email@hidden> wrote:
Natively joined to AD.
From: fed-talk-bounces+neely1=email@hidden [mailto:fed-talk-bounces+neely1=email@hidden] On Behalf Of Rowe, Walter
Sent: Friday, July 24, 2015 9:10 AM
To: Apple Fed-Talk List
Subject: Re: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
Lee,
Is your Mac joined to AD natively through OS X or are you using a third-party product like Thursby or Centrify?
My experience is that OS X 10.10 and below natively joined to AD does not find certs in the GAL.
Not disputing your experience. Just conveying my own.
Walter
On Jul 24, 2015, at 11:51 AM, Neely, Lee <email@hidden> wrote:
1) We’re using 10.10, 10.9
2) Exchange 2010 SP3
3) AD – Mac is Joined
From: fed-talk-bounces+neely1=email@hidden [mailto:fed-talk-bounces+neely1=email@hidden] On Behalf Of VaibhaV Sharma
Sent: Thursday, July 23, 2015 6:00 PM
To: Apple Fed-Talk List
Subject: Re: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
What is your setup like that works? What version of the OS / Exchange, etc.? Is the Mac joined to the Windows domain, or is only Mail configured with Exchange?
On Jul 23, 2015, at 2:10 PM, Neely, Lee <email@hidden> wrote:
Apple Mail will retrieve certificates from the GAL. I’ve tested and it works.
What it won’t do is retrieve them from other directory services, even if other products, say Outlook 2011, can/do.
Lee
From: <fed-talk-bounces+neely1=email@hidden> on behalf of Paul Nelson <email@hidden>
Date: Thursday, July 23, 2015 at 2:07 PM
To: VaibhaV Sharma <email@hidden>
Cc: "fed-talk@lists. Talk" <email@hidden>
Subject: Re: [Fed-Talk] Apple Mail / iOS S/MIME cert lookup on GAL
On Jul 23, 2015, at 3:59 PM, VaibhaV Sharma <email@hidden> wrote:
The other aspect is how this would work from outside a secure network if only the activesync (https) port is reachable from the client. On OS X, it does a ldap lookup but I don’t remember if keychain on iOS was able to follow activesync or required ldap access.
Activesync provides protocol exchanges for getting certificates from the GAL. Sounds like Apple just doesn’t use them.
Paul Nelson
Thursby Software Systems, Inc.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden