How to configure email notifications for Secure Work Space for iOS devices on BES10

Article ID: KB34664

Type: Support Content

Last Modified: 07-03-2015


Product(s) Affected:

  • BES10

Environment

  • BlackBerry Enterprise Service 10 version 10.1 to 10.2
  • BlackBerry Work Connect Notification Service
  • Secure Work Space by BlackBerry for iOS

The Work Connect Notification Service component of BlackBerry Enterprise Service 10 is responsible for communicating with Microsoft Exchange to provide new email notifications for Secure Work Space on iOS devices. The service talks to Microsoft Exchange over Exchange Web Services (EWS), using a combination of Basic Authentication and Windows Authentication, to register for notifications of new email and send them along to the iOS device.

Required firewall configuration

All firewalls between the BES10 server where the Work Connect Notification Service is installed and the Microsoft Exchange CAS must allow an SSL connection from the Microsoft Exchange CAS to the Work Connect Notification Service on port 8088.

Additionally, BES10 must be able to communicate with the BlackBerry Infrastructure over port 443, outbound. For more information about firewall requirements for BlackBerry Enterprise Service 10, see KB34193.

Complete the following:

Configuration of Microsoft Exchange Client Access Server

Note: Connection to a CAS pool is only supported on BES10 version 10.2 and later. If the ability to point to a CAS pool or load balancer is required, disable the need for SSL for versions earlier than BES10 version 10.2. In addition, NTLMv2 Session Security is currently only supported if you are running BES10 version 10.2 MR2 or later.

On the Microsoft Exchange Server, disable minimum session security for NTLMv2 if you are not running BES10 version 10.2 MR2 or later.

  1. Navigate to Administrative Tools.
  2. Open Local Security Policy.
  3. Click on Security Options.
  4. Double-click on Network security: Minimum session security for NTLM SSP based (including secure RPC) servers.
  5. Uncheck Require NTLMv2 session security.
  6. Open command prompt.
  7. Type gpupdate /force.

For the Work Connect Notification Service to function correctly, the Microsoft Exchange client access server's Microsoft IIS must have both Basic Authentication and Windows Authentication enabled for EWS.

  1. On the Microsoft Exchange Server, open Internet Information Services (IIS) Manager.
  2. Navigate to Sites > Default Web Site > EWS and select Authentication.
  3. Enable Basic Authentication and ensure Windows Authentication is enabled.
    Basic authentication is only required to test the connection to the /EWS/Exchange.asmx service from within the UDS Console. After confirming the service is working, it is okay to disable Basic Authentication.
    Note: If unable to access the /EWS/Exchange.asmx service, then check that Windows Authentication under Advanced Settings, Extended Protection is set to OFF and then restart Microsoft IIS by issuing iisreset command.
  4. Enable Anonymous Authentication (applicable to Exchange 2010 and 2013).
  5. Restart Microsoft IIS.
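
The following check is an added example, not part of the original article or of BlackBerry's tooling. Run on the CAS, it reports whether the two relaxations described above are still in effect: the NtlmMinServerSec registry value behind the NTLM session security policy, and the authentication schemes enabled on Default Web Site/EWS. It assumes an elevated PowerShell session with the IIS WebAdministration module available.

```powershell
# Added example (not BlackBerry's code): audit the settings this article relaxes on a CAS.
Import-Module WebAdministration

# Bit flags stored in NtlmMinServerSec, the registry value behind the policy
# "Network security: Minimum session security for NTLM SSP based ... servers".
$RequireNtlmV2Session = 0x00080000
$Require128Bit        = 0x20000000

function Test-Flag {
    param([int]$Value, [int]$Flag)
    ($Value -band $Flag) -ne 0
}

function Get-EwsAuthEnabled {
    # $Scheme is an IIS authentication section name such as basicAuthentication.
    param([string]$Scheme)
    $p = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location 'Default Web Site/EWS' `
        -Filter "system.webServer/security/authentication/$Scheme" -Name enabled
    [bool]$p.Value
}

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$prop = Get-ItemProperty -Path $lsa -Name NtlmMinServerSec -ErrorAction SilentlyContinue
$sec  = if ($prop) { [int]$prop.NtlmMinServerSec } else { 0 }   # value absent: no flags set

$report = New-Object PSObject -Property @{
    NtlmV2SessionRequired = Test-Flag $sec $RequireNtlmV2Session
    Ntlm128BitRequired    = Test-Flag $sec $Require128Bit
    EwsBasicAuth          = Get-EwsAuthEnabled 'basicAuthentication'
    EwsWindowsAuth        = Get-EwsAuthEnabled 'windowsAuthentication'
    EwsAnonymousAuth      = Get-EwsAuthEnabled 'anonymousAuthentication'
}
$report | Format-List

if (-not $report.NtlmV2SessionRequired) {
    Write-Warning 'NTLMv2 session security is not required; re-enable it once BES10 is at 10.2 MR2 or later.'
}
if ($report.EwsBasicAuth) {
    Write-Warning 'Basic Authentication is enabled on EWS; the article needs it only for Test Connection.'
}
if (-not $report.EwsWindowsAuth) {
    Write-Warning 'Windows Authentication is disabled on EWS; the notification service requires it.'
}
```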

Create and configure an impersonation account

For the Work Connect Notification Service, an authentication account is required to impersonate users so the service is able to register for mail notifications over EWS.

Task 1 - Create a basic user account with a mailbox in Microsoft Active Directory

For the sake of the next steps, assume the name is mydomain\impersonation.

Note: If using BES10 version 10.1.2 and earlier, do not use uppercase characters in the password, as it will be passed to EWS as lowercase and authentication will fail. This is a known issue which has been fixed in BES10 version 10.1.3.

Task 2 - Assign impersonation permissions to the newly created account using one of the following PowerShell commands:

For Microsoft Exchange 2013:

Note: Exchange environment must be upgraded to CU2+ to function correctly.

  1. Open Exchange Admin Center as an administrator.
  2. After creating the impersonation account, navigate to Permissions > Admin Roles.
  3. Add a new admin role policy using the + button with the following details:
    • Name - UDS Application Impersonation
    • Write Scope - Default
    • Roles - Add the ApplicationImpersonation role
    • Members - Add the impersonation account you created
  4. Save the settings.
  5. Run the following command using the Exchange Management Shell:
    New-ManagementRoleAssignment -Name "UDS Application Impersonation" -Role:ApplicationImpersonation -User:impersonation

For Microsoft Exchange 2010:

For Microsoft Exchange 2007:

  • The ms-Exch-EPI-Impersonation permission gives the caller the ability to submit an impersonation call through the Client Access server. This does not mean that the caller has permission to access any particular account. Permission to impersonate on a server is set on the security descriptor of the Server object in Microsoft Active Directory. The calling account cannot be a member of any administrator group. This permission is explicitly denied to those groups. After impersonation permissions are established on a server, the caller can be granted permission to a specific account or to any account in a mailbox database. The ms-Exch-EPI-May-Impersonate permission is used to grant the caller access to specific accounts.
    Get-ExchangeServer | where {$_.IsClientAccessServer -eq $TRUE} | ForEach-Object {Add-ADPermission -Identity $_.distinguishedname -User (Get-User -Identity impersonation | select-object).identity -extendedRight ms-Exch-EPI-Impersonation}
    Note: The above command grants the mydomain\impersonation user account the permission to submit impersonation calls on all Client Access Servers.

    Get-MailboxDatabase | ForEach-Object {Add-ADPermission -Identity $_.DistinguishedName -User impersonation -ExtendedRights ms-Exch-EPI-May-Impersonate}

    Note: The above command grants the mydomain\impersonation user account the permission to impersonate any user in all mailbox databases.


Import Universal Device Service CA Cert to Microsoft Exchange

Import the Universal Device Service root certificate onto the Microsoft Exchange Server. This is required because the Work Connect Notification Service connects to Microsoft Exchange over SSL.

Task 1 - Export the UDS Root certificate from BlackBerry Enterprise Service 10 core server

  1. On the BES10 where the core components are installed, open the MMC console.
  2. Add the certificates snap-in: Click File > Add Remove Snap-ins > Certificates > Computer Account.
  3. Go to Certificates > Personal > Certificates.
    Note: If there are multiple RIM UDS Server ROOT certs, then ensure that the one being exported matches the RIM BUDS Core SSL Certificate.
  5. Right-click on the CA certificate > All Tasks > Export (keeping all the defaults).
  6. Transfer the exported certificate to each CAS that will be connected to for impersonating users.

Task 2 - Import UDS root certificate to Exchange

Note: For Microsoft Exchange 2013, the UDS root certificate must be installed on the mailbox servers and not the CAS servers.

  1. Open the MMC console on Exchange then select File > Add Remove Snap-ins > Certificates > Computer Account.
  2. Expand Certificates > Trusted Root Certification Authorities > Certificates.
  3. Right-click the Certificates folder > All Tasks > Import.
  4. Browse to where the UDS root certificate was moved and select it.
  5. Repeat steps 1 to 4 for each CAS server (or mailbox server if using Microsoft Exchange 2013).
  6. After importing the certificate, double-click the certificate to bring up its properties. The working certificate will show the following:
    This certificate is intended for the following purpose(s): All issuance policies, All application policies.

If the CAS is running Windows 2003, once the certificate is imported, one of the following errors may be displayed:

  • The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered.
  • This Certificate Has an Invalid Digital Signature.

A hotfix is available from Microsoft to correct this. See Microsoft Support article 938397.

Task 3 - Verify that the Exchange throttling policy is not limiting or blocking any EWS connections for the impersonation account being used for iOS notifications

Note: This task is for Microsoft Exchange 2010 and 2013 only.

To check the throttling policy, run the following command in PowerShell:

Get-ThrottlingPolicy | Format-List

Verify that the following settings are set to null:

  • EWSMaxConcurrency (Exchange 2010 and 2013)
  • EWSPercentTimeInAD (Exchange 2010)
  • EWSPercentTimeInCAS (Exchange 2010)
  • EWSPercentTimeInMailboxRPC (Exchange 2010)
  • EWSMaxSubscriptions (Exchange 2010 and 2013)
  • EWSFastSearchTimeoutInSeconds (Exchange 2010)

Another option for Task 3 is to create a new throttling policy with NULL values and assign that to the impersonation account.

For this option follow these steps:

  1. On the Microsoft Exchange Server, click Start > Microsoft Exchange Server 2010 > Exchange Management Shell.
  2. Type New-ThrottlingPolicy BES10Policy -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null
  3. Type Set-Mailbox "impersonation" -ThrottlingPolicy BES10Policy where "impersonation" is the username from mydomain\impersonation

Task 4 - Set up BlackBerry Work Connect Notification Service

  1. Open the Administration Console for Universal Device Service.
  2. Select the Settings tab.
  3. Select the plus symbol (+) next to the ActiveSync Configuration section (under Gatekeeping).
  4. In the username field, enter in the impersonation account created earlier (For example mydomain\impersonation).
  5. Enter the password for the account.
  6. Select the Use Exchange Web Services to monitor notifications (for iOS devices with work space enabled) option.
  7. Enter in the https address of Exchange Web Services. For example,
  8. If the use of an HTTP proxy is required, enter in the required information.
  9. Select the appropriate version of the Microsoft Exchange environment from the drop-down list.
  10. Click the Test Connection button to ensure everything is set up correctly.
  11. Save the settings.

Task 5 - For BlackBerry Enterprise Service 10.2 MR2 and later import the Microsoft Exchange certificate into the BlackBerry Work Connect Notification Service Java Trusted store

To obtain the Microsoft Exchange certificate:

  1. Log on to Microsoft Exchange.
  2. Open Internet Information Services (IIS) Manager.
  3. Under Connections, click the server.
  4. Scroll down the right body pane to the Server Certificates icon and double-click it.
  5. Select the Microsoft Exchange certificate.
  6. Click the Details tab.
  7. Choose Copy to File...
  8. Select Next, then No, do not export the private key. Select Next.
  9. Leave it on DER encoded binary X.509 (.CER), click Next.
  10. Select a file path location and name, click Next.
  11. Complete the Certificate Export Wizard by clicking Finish.
  12. Copy the exported certificate to BlackBerry Enterprise Server 10 and do the following steps to import it using Java keytool.

Note: By default, the BlackBerry Work Connect Notification Service keystore is located here: C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.BWCN\ssl\cacerts.

To import the Microsoft Exchange Certificate obtained above, perform the following steps:

  1. Log in to the computer that hosts BlackBerry Enterprise Service 10.
  2. Open a command prompt window (May have to right click and select Run as Administrator).
  3. To change the directory, type cd C:\Program Files\Java\jre1.7.0_51\bin and press ENTER.
    Note: The Java version will be different depending on the version of BES10 in use. For example, if using BES10 version 10.2.3, the Java folder will be jre1.7.0_55.
  4. Type "C:\Program Files\Java\jre1.7.0_51\bin\keytool.exe" -import -alias <alias> -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.BWCN\ssl\cacerts" -trustcacerts -file <certificate_filename> -noprompt -storepass changeit, where <alias> is a short name to identify the internally signed Microsoft Exchange certificate and <certificate_filename> is the filename of the certificate. The <alias> can be any unique string used to identify the Certificate.

    For example, at the command line, type:
    "C:\Program Files\Java\jre1.7.0_51\bin\keytool.exe" -import -alias CA -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.BWCN\ssl\cacerts" -trustcacerts -file c:\CA.cer -noprompt -storepass changeit

  5. Press ENTER.
  6. If prompted, the default keystore password is changeit.
  7. Restart the BES10 - BlackBerry Work Connect Notification Service.
  8. Restart the BES10 - Scheduler service.
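
Because -noprompt skips keytool's trust confirmation, nothing in the procedure above shows the fingerprint of what was actually imported. The script below is an added example (not from the original article or BlackBerry) that compares the SHA1 fingerprint stored under the alias with that of the exported .cer file; the paths, alias and password are the ones from the article's example command and are assumptions for any other installation.

```powershell
# Added example (not BlackBerry's code): confirm the trust-store entry matches the exported file.
$keytool   = 'C:\Program Files\Java\jre1.7.0_51\bin\keytool.exe'
$keystore  = 'C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.BWCN\ssl\cacerts'
$alias     = 'CA'
$cerFile   = 'C:\CA.cer'
$storePass = 'changeit'   # default from the article; use your own if it was changed

function Get-KeytoolSha1 {
    # Pull the SHA1 fingerprint out of "keytool -list -v" output; $null if absent.
    param([string[]]$Lines)
    $m = $Lines | Select-String -Pattern 'SHA1:\s*([0-9A-Fa-f:]+)' | Select-Object -First 1
    if ($m) { ($m.Matches[0].Groups[1].Value -replace ':', '').ToUpper() } else { $null }
}

# Constructed sample of keytool output, used to self-check the parser offline.
$sample = @(
    'Alias name: ca',
    'Certificate fingerprints:',
    "`t MD5:  00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF",
    "`t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"
)
if ((Get-KeytoolSha1 $sample) -ne '00112233445566778899AABBCCDDEEFF00112233') {
    throw 'Parser self-check failed'
}

# Fingerprint of the file exported from Exchange (DER-encoded .cer).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerFile

# Fingerprint of the entry held in the notification service trust store.
$listing = & $keytool -list -v -alias $alias -keystore $keystore -storepass $storePass 2>&1 |
           ForEach-Object { "$_" }
$stored  = Get-KeytoolSha1 $listing

"Exported file : $($cert.Subject)  SHA1 $($cert.Thumbprint)  expires $($cert.NotAfter)"
if (-not $stored) {
    Write-Warning "Alias '$alias' not found in $keystore"
} elseif ($stored -eq $cert.Thumbprint) {
    "Trust store   : alias '$alias' matches the exported certificate"
} else {
    Write-Warning "Alias '$alias' holds a different certificate (SHA1 $stored)"
}
```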

Note: If there are no errors in the ASG log and the URLs are accessible from Exchange (access to the UDS console, access to port 8088), it may be necessary to remove all Microsoft ActiveSync settings and recreate them. It may also be necessary to re-create the user, re-create the IT policies, and re-create new work IT policies and profiles.

