Afaria – Test NDES certificate template

The easiest way to test SCEP with Afaria is to use the delivered ServerSCEPtest application. It ships with Afaria's PackageServer component and can be found in the bin directory of the package server.

The test application is a Windows executable that executes the SCEP process through Afaria. You have two options available for the test:

  1. Provisioning Server
  2. Package Server

I am going to execute the SCEP/NDES test using the package server. This is the Afaria component used by all clients to receive a client certificate for apps.

To run the test, at least the common name value must be filled in. This is the CN= part of the certificate; normally it is your user id. Unfortunately, the test tool is limited to a 2048 bit key (Afaria SP8) and does not let you select higher or custom values. To run the test, just click the "perform test" button. The additional CSR information such as city, organization, etc. is taken from the package server configuration; these values are given by the Afaria admin.

The status of the SCEP process is shown in the log area. You can see that the CSR is created and sent to the package server CA. After the test has run without errors, the returned certificate is saved to C:\ProgramData\SAP\Afaria.

To see and validate the values of the new certificate, you can use the Crypto Shell Extensions of Windows Server.

The certificate was issued by the CA named CA. The lifetime is one year, and the template is AfariaUser. This matches exactly how the NDES template was configured.

To be 100% sure, the CA can be consulted. Normally, all issued certificates are stored there and can be consulted. Taking a look into the issued certificate list, I can see that a new certificate by the NDES user was issued using as a template AfariaUser. Therefore, the new NDES configuration is validated and working.
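The same validation can be scripted instead of reading the fields off the Crypto Shell Extensions dialog. The following PowerShell script is an added example and not part of the original post or of Afaria: it loads the newest certificate file that ServerSCEPtest wrote to C:\ProgramData\SAP\Afaria and checks issuer, lifetime, template name and key size against the values the post expects. The file extensions it looks for, the expected issuer DN (`CN=CA`) and the lifetime tolerance are assumptions; adjust them to your environment.

```powershell
# Added example, not part of the original post: inspect the certificate that
# ServerSCEPtest saved under C:\ProgramData\SAP\Afaria and compare it with what
# the NDES template should have produced (issuer, one-year lifetime, template
# AfariaUser, 2048-bit key). Assumptions: the file extensions searched for, the
# expected issuer DN and the lifetime tolerance are placeholders.
param(
    [string]$CertDir              = 'C:\ProgramData\SAP\Afaria',
    [string]$ExpectedIssuer       = 'CN=CA',        # placeholder: subject DN of your issuing CA
    [string]$ExpectedTemplate     = 'AfariaUser',
    [int]   $ExpectedLifetimeDays = 365,
    [int]   $ExpectedKeySize      = 2048
)

# Newest certificate file in the output directory (extension list is an assumption).
$file = Get-ChildItem -Path $CertDir -File |
    Where-Object { $_.Extension -in '.cer', '.crt', '.der', '.pem' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $file) { throw "No certificate file found in $CertDir" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName

# The template is recorded in an extension: 1.3.6.1.4.1.311.20.2 (V1 template, plain
# name) or 1.3.6.1.4.1.311.21.7 (V2 template, name and OID). Format() renders it as
# text such as "Template=AfariaUser(...)" on Windows.
$templateExt = $cert.Extensions |
    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
    Select-Object -First 1
$templateText = if ($templateExt) { $templateExt.Format($false) } else { '<no template extension>' }

$lifetimeDays = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
$keySize      = $cert.PublicKey.Key.KeySize   # Windows PowerShell 5.1, RSA keys

$checks = [ordered]@{
    "Issuer is '$ExpectedIssuer'"          = ($cert.Issuer -eq $ExpectedIssuer)
    "Lifetime is ~$ExpectedLifetimeDays d" = ([math]::Abs($lifetimeDays - $ExpectedLifetimeDays) -le 2)
    "Template is '$ExpectedTemplate'"      = ($templateText -like "*$ExpectedTemplate*")
    "Key size is $ExpectedKeySize bit"     = ($keySize -eq $ExpectedKeySize)
    'Currently valid'                      = ($cert.NotBefore -le (Get-Date) -and $cert.NotAfter -gt (Get-Date))
}

"File     : $($file.FullName)"
"Subject  : $($cert.Subject)"
"Issuer   : $($cert.Issuer)"
"Valid    : $($cert.NotBefore) -> $($cert.NotAfter) ($lifetimeDays days)"
"Template : $templateText"
''
$failed = 0
foreach ($name in $checks.Keys) {
    $tag = if ($checks[$name]) { '[PASS]' } else { '[FAIL]' }
    "$tag $name"
    if (-not $checks[$name]) { $failed++ }
}
exit $failed   # non-zero when any expectation is not met
```

The exit code makes the script usable as a post-change gate after editing the NDES template. For the cross-check on the CA that the post does by hand, the issued-certificate list can be queried with certutil from the CA itself, filtering on the NDES service account as requester, for example `certutil -view -restrict "RequesterName=DOMAIN\ndes-account" -out "RequestID,CertificateTemplate,NotAfter"` (account name is a placeholder); note that for a V2 template the CertificateTemplate column holds the template OID rather than the name AfariaUser.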

Afaria – Define certificate template for SCEP on Windows CA

When you work with Afaria, you'll sooner (iOS) or later (Android, WP) come in contact with certificates. To be more specific, with device (iOS) and user (all platforms) certificates. To make it as easy as possible to get those certificates to the devices and users, an MDM solution makes use of SCEP. SCEP in the Microsoft world is called NDES and is available with their CA. If you install everything following the official documentation, you'll end up having

  1. A working environment (yeah)
  2. Most probably a certificate issue, as your users and devices get a certificate named IPSec (Offline request).

This default certificate is what Microsoft thinks fulfills most use cases of SCEP (sorry, NDES) and basically they are right. A device or user can use this certificate without problems for most of the scenarios. Most importantly, users can use it to authenticate themselves against services. It may be that

  • your security area does not like the name
  • the lifetime does not meet the requirement: it is 2 years as given by Microsoft
  • it is missing some functionality
  • wrong algorithm or key length
  • or something else

All of the above points are valid and can invalidate the use of the default configuration, which leaves you with the question: how to solve this?

To make Afaria get back from the CA a valid certificate based on a custom template, it only takes two steps:

  1. Create a template
  2. Assign template to NDES (SCEP)

With SCEP, Afaria is only consuming a service offered by the CA. How the CA treats the request depends 100% on the CA. Therefore, no additional configuration is needed on the consuming side, Afaria. Adding a test to the two steps above, three steps are necessary to make Afaria get back a custom certificate:

  1. Create a certificate template
  2. Assign template to NDES (SCEP)
  3. Test

Afaria 7 Self Service Portal – Error 403 Forbidden

I came recently across a strange error while trying to access my SAP Afaria 7 self-service portal. Suddenly I got a 403 error message.

The server was down for a few days as I did not have to use it. Maybe the shutdown of my VM didn't work or Microsoft installed some patches, or something else. In the end, I could not log in anymore at my self-service portal at https://afaria.tobias.de/EUSSP/

I took a look at the site configuration at IIS Admin and the connection string to the AD looked good.

I reinstalled the self-service component, but no luck, still 403. Then I decided to take a closer look at the web site configuration. In IIS, there are ASP.NET app pools, so maybe something was wrong there. Google pointed me to take a look at the ISAPI and CGI Restrictions located at the root of the web server.

The ASP.NET for 64 bit was not allowed to be used (restriction).

I activated that one. Afterwards, all are allowed (32-bit and 64-bit, for all versions).

To be on the safe side, I also ran aspnet_regiis.exe -I from the installation directory of .NET v4 64-bit.

Command: aspnet_regiis.exe -I

Now I was able to log on to SAP Afaria Self-Service Portal again!
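The two places this troubleshooting touched, the server-level ISAPI and CGI Restrictions and the application pools, can be inspected from PowerShell rather than clicked through in IIS Manager. The script below is an added example and not part of the original post or of Afaria; it uses the WebAdministration module that comes with IIS. By default it only reports; with `-Fix` it sets `allowed="true"` on any ASP.NET entry that is currently blocked, which is the change the post made by hand. The app pool name filter is an assumption, since the post does not name the EUSSP pool.

```powershell
# Added example, not part of the original post: report the server-wide ISAPI and
# CGI Restrictions and the application pools on an IIS server, and optionally
# enable blocked ASP.NET handlers (the cause of the 403 in this post).
# Run in an elevated Windows PowerShell on the IIS host.
param(
    [switch]$Fix,
    [string]$AppPoolPattern = '*'   # assumption: narrow to e.g. '*EUSSP*' once you know the pool name
)
Import-Module WebAdministration -ErrorAction Stop

$apphost = 'MACHINE/WEBROOT/APPHOST'                   # applicationHost.config
$filter  = '/system.webServer/security/isapiCgiRestriction'

# Section-level defaults: whether unlisted ISAPI/CGI modules are allowed at all.
$section = Get-WebConfiguration -PSPath $apphost -Filter $filter
"notListedIsapisAllowed = $($section.notListedIsapisAllowed)"
"notListedCgisAllowed   = $($section.notListedCgisAllowed)"
''

# One <add> entry per handler: path to the DLL/EXE, allowed flag, description.
$entries = Get-WebConfiguration -PSPath $apphost -Filter "$filter/add"
$blockedAspNet = @()
foreach ($e in $entries) {
    $state = if ($e.allowed) { 'Allowed    ' } else { 'NOT ALLOWED' }
    '{0}  {1}  {2}' -f $state, $e.description, $e.path
    if (-not $e.allowed -and $e.description -like 'ASP.NET*') { $blockedAspNet += $e }
}

if ($blockedAspNet.Count -gt 0) {
    ''
    "Blocked ASP.NET handlers: $($blockedAspNet.Count)"
    if ($Fix) {
        foreach ($e in $blockedAspNet) {
            # Same change as ticking "Allow" in IIS Manager > ISAPI and CGI Restrictions.
            Set-WebConfigurationProperty -PSPath $apphost `
                -Filter "$filter/add[@path='$($e.path)']" -Name allowed -Value $true
            "  enabled: $($e.description)"
        }
    } else {
        '  re-run with -Fix to set allowed="true" on these entries'
    }
}

''
'Application pools (runtime version and 32/64-bit mode):'
Get-ChildItem IIS:\AppPools |
    Where-Object { $_.name -like $AppPoolPattern } |
    Select-Object name, state, managedRuntimeVersion, managedPipelineMode, enable32BitAppOnWin64 |
    Format-Table -AutoSize
```

A pool running with `enable32BitAppOnWin64` set to True uses the 32-bit ASP.NET handler, one with it set to False uses the 64-bit handler; the pair of rows for `ASP.NET v4.0.30319` in the restriction list is therefore what has to be allowed for the pools you actually run. Only the ASP.NET handlers are touched by `-Fix`; leaving other restrictions (and the "not listed" defaults) as they are keeps the server-wide allow-list as tight as it was.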


Afaria 7 – Update to SP6

Blog posts referenced by this post:

  1. Install Afaria Server
  2. Install Afaria API Service and Administrator
  3. Install Self Service Portal
  4. Install Enrollment Server
  5. Install Package Server
  6. Validation of Afaria 7 SP6

Afaria 7 SP6 update

Afaria 7 SP6 is available as of 11 September 2015 and can be downloaded from the SAP Support Portal. The prerequisite for installing SP6 is having SP5 installed. It's a 326 MB download; the size already implies that you cannot install SP6 without having Afaria 7 already installed.

Download the file (AFARIA70006_0-21010386.zip) and copy it over to your Afaria 7 server. The ZIP contains all the files for all the components going to be updated.

Before starting installation check that your current Afaria 7 SP5 installation is working:

Start update

Run setup.exe

Choose language

Check your license key

Readiness check

If your license is OK, start the readiness check

Select what you want to test and start the test by clicking on “Test Now”.

The tests are executed. This can take some while to finish.

If the test finishes, you should see as a result that all requirements are satisfied.

Install/Upgrade to Afaria 7 SP6

From the setup, select the Install option.

This will show you a screen with all the components that can be upgraded with the installer.

From this screen on you'll have to start the update process for each component you have installed on your server.

  1. Install Afaria Server
  2. Install Afaria API Service and Administrator
  3. Install Self Service Portal
  4. Install Enrollment Server
  5. Install Package Server

Additional Installations and Resources

Select what you need to install.

VALIDATE UPDATE

  1. Validation of Afaria 7 SP6

SAP Afaria 7 SP6 – Validation of Afaria 7 SP6 update

After updating from SP5 to SP6 it is a good idea to check that Afaria is able to start and runs without errors. For a very basic check of the server, here are some examples of how to do this.

Check that all Afaria services are up and running

Check that the Admin console is running and connects to AD

Access the Afaria admin console & log in.

Check device data

Verify that the Afaria data about devices, groups, policies is still available.

Verify server status

The server status must be green.
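The checks above (and the "check that your current SP5 installation is working" step before the update) can be run as one script before and after the upgrade so the two results can be compared. The following PowerShell script is an added example and not part of the original post or of Afaria. It checks the Afaria Windows services, the SQL Server instance (whose being stopped caused the DB connection error during the Afaria Server update), TCP reachability of the LDAP server the admin console authenticates against, and the HTTP status of the admin console and self-service URLs. The service display-name pattern, SQL instance name, LDAP host and both URLs are assumptions; replace them with your own values.

```powershell
# Added example, not part of the original post: pre/post-update health check for
# an Afaria 7 server. Service name pattern, SQL instance, LDAP host and URLs are
# placeholders and must be adjusted to the environment.
param(
    [string]$ServicePattern = '*Afaria*',            # assumption: match Afaria services by display name
    [string]$SqlService     = 'MSSQLSERVER',          # default instance; named instance: MSSQL$NAME
    [string]$LdapHost       = 'dc01.example.local',   # placeholder
    [int]   $LdapPort       = 389,
    [string[]]$Urls         = @('https://afaria.example.local/Afaria',   # placeholder: admin console
                                'https://afaria.example.local/EUSSP/')   # placeholder: self-service portal
)
$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{
        Check  = $Check
        Result = $(if ($Ok) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# 1. Afaria Windows services: every matching service should be Running.
$svcs = @(Get-Service | Where-Object { $_.DisplayName -like $ServicePattern })
if ($svcs.Count -eq 0) { Add-Result 'Afaria services' $false "no service matches '$ServicePattern'" }
foreach ($s in $svcs) {
    Add-Result "Service: $($s.DisplayName)" ($s.Status -eq 'Running') "status $($s.Status), start type $($s.StartType)"
}

# 2. SQL Server: a stopped instance shows up in setup as "cannot connect to the Afaria DB".
$sql = Get-Service -Name $SqlService -ErrorAction SilentlyContinue
if ($sql) { Add-Result "SQL Server ($SqlService)" ($sql.Status -eq 'Running') "status $($sql.Status)" }
else      { Add-Result "SQL Server ($SqlService)" $false 'service not found locally (database on another host?)' }

# 3. LDAP reachability for admin console authentication (TCP connect only, no bind).
$ldap = Test-NetConnection -ComputerName $LdapHost -Port $LdapPort -WarningAction SilentlyContinue
Add-Result "LDAP ${LdapHost}:$LdapPort" $ldap.TcpTestSucceeded "TcpTestSucceeded=$($ldap.TcpTestSucceeded)"

# 4. Web front ends: record the HTTP status. A 403 here is the symptom from the
#    self-service post; a connection failure means IIS or the site is down.
foreach ($u in $Urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
        Add-Result "HTTP $u" ($r.StatusCode -lt 400) "HTTP $($r.StatusCode)"
    } catch {
        $resp = $_.Exception.Response
        $code = if ($resp) { [int]$resp.StatusCode } else { 'no response' }
        Add-Result "HTTP $u" $false "HTTP $code : $($_.Exception.Message)"
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object Result -eq 'FAIL').Count
"$failed check(s) failed"
exit $failed
```

Run it once before `setup.exe` and once after starting the services at the end of the update; a service that was Running before and is Stopped after, or a URL that changed from 200 to 403 or to a connection error, points directly at the component to look at. The URL check expects a certificate the server trusts; with a self-signed certificate on the site, the request fails at the TLS layer and shows up as FAIL with a trust error in the Detail column rather than an HTTP status.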

SAP Afaria 7 SP6 – Install Enrollment Server

The next component to be updated is the enrollment server.

Select the DB type.

Select where the DB server is running.

In case the setup program can connect to the DB server, it will show a list of databases available to the user. Select the Afaria DB. In case an error occurs, check with one of the previous blogs on how to solve this issue.

SAP Afaria 7 SP6 – Install Self Service Portal

Next component to be updated is the Self Service Portal. This will update the web site hosted by IIS.

Confirm the user credentials used to connect to the API server.

Possible error: API server cannot be reached

Solution: check if API server is up and running

If not, start the service

Confirm the HTTP path to EUSSP. It should be the same as with SP5.

SAP Afaria 7 SP6 – Install Afaria API Service and Administrator

The upgrade of the API service and administrator console is listed as one step, but will be executed as two steps:

  • 1st the API service, and directly afterwards
  • the Administrator console

As both are bound together, you cannot install the admin console separately. Because the API service is installed first, it is possible to upgrade the API service and skip the admin console. This should not be done! Run the installation and update both at once.

SAP Afaria API Service

Start the installation

Select DB

Keep account information

Installation finishes

Select if you want to start the services. If you want to continue with the installation, do not start them now. The installation will now continue with the Afaria Admin setup.

SAP Afaria Administration

Keep account information

Select how the admin user will authenticate. Here I am using my Active Directory.

Either way, you'll have to configure the LDAP URL Afaria will use to authenticate the user.

Installation finishes

SAP Afaria 7 SP6 – Install Afaria Server

Start the Afaria Server update. First agree to the license agreement, of course, only when you have read the license and agree to it.

Afaria server update starts. First the currently running server service is stopped.

The setup program will stop the Afaria services. In case this is not possible, you are asked to do it manually or to restart the computer. In case the services are stopped successfully, the setup will start the Afaria Server installation.

Select DB server type

Select host where the DB server is running on and how to log on to the DB.

At this step, while testing the DB connection, I got an error message: the installer cannot connect to the Afaria DB. In my case, this was solved by starting the MSSQLServer process (for some reason, SQL Server wasn't running anymore).

Error: No connection to DB

Solution: Start SQL Server

Select the Afaria DB.

Confirm installation path

Confirm service account credentials

Start installation

This can take a while …

Installation finishes

Select if you want to start the services. If you want to continue with the installation, do not start them now.