Accessing a Network Share Authentication Issue using Files
I am running into an authentication issue using Files (new BB OS 5.0 application to allow you to connect to network shares if you are using BES/BESx) to connect to a network share on a server outside of the domain. I am able to successfully connect to a network share on a server, which is in the same domain as the BES/BESx server. However, I am unable to connect to a network share on a server that is not in the same domain (or not in a domain at all). I enter a login and password local to the server, and I have tried entering the domain as blank, or the name of the server (for those not in the domain) and both come back with Authentication Failed. I know the l/p is correct, and I have confirmed that the BES/BESx server can access the network share using the supplied l/p successfully. Has anyone had any luck connecting to a network share on a server that is not in the same domain as the BES/BESx?
Thank You |
Add me to the list - does not work here too with BES 5.0 full.
I tried adding a hosts entry and entered some name and matching IP, but it will not work. Tried to add a forward lookup zone to AD with the name of the remote domain and added the host - will not work. However, if I log on to the machine where the BES is running, I can access the remote server. Maybe the BES authenticates by trying to acquire a Kerberos ticket? This is unlikely to work if the server is remote. In the logs of the BES I do not find anything about the failed connection. |
Followup:
I even created a secondary DNS zone holding a copy of the remote server's DNS zones. Still can't log in to the remote server. |
I am kinda shocked no one has had this issue before and not figured out how to fix it.
|
Add me to this list.
Identical issue - I can see and access the share as long as it is under the same domain. But I get authentication errors when I try another domain.
The error we get in the event viewer is EVENT ID 4625: the user has not been granted the requested logon type at this machine. |
Quote:
Are you sure this event you logged was connected to the BlackBerry server's attempt to log in? My remote server is connected via a VPN and is in a different subnet, so for me it looks like the BES will simply not try to connect to something outside of its own subnet. I can log on to a Windows XP machine which is not in my domain, but in a workgroup, which is located in my own subnet. |
Yep.
The process is made by bmds.exe, by account besadmin, and it logged the account and domain names I tried to use. I am on 5.0.1 MR2, Server 2008 x64. |
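The 4625 event described in the two posts above can be read field by field to separate a missing logon right from a bad password and to see which authentication package was used. This is an added example, not code from any poster in this thread; it assumes the event was exported from Event Viewer as XML, and the sample event (server name, target account, logon type, process path) is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS STATUS_LOGON_TYPE_NOT_GRANTED: the failure text quoted in the thread
LOGON_TYPE_NOT_GRANTED = 0xC000015B
# Logon type -> user right the account must hold on the machine that logged the event
LOGON_RIGHT = {
    "2": "Allow log on locally",
    "3": "Access this computer from the network",
    "4": "Log on as a batch job",
    "5": "Log on as a service",
    "10": "Allow log on through Remote Desktop Services",
}
# Constructed sample (not from the thread): names, logon type and path are placeholders
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">besadmin</Data>
    <Data Name="TargetUserName">localuser</Data>
    <Data Name="TargetDomainName">FILESRV01</Data>
    <Data Name="Status">0xc000015b</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="ProcessName">C:\\PLACEHOLDER\\bmds.exe</Data>
  </EventData>
</Event>"""

def triage_4625(event_xml):
    """Return the fields of one exported 4625 event that explain the failure."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a 4625 event")
    d = {n.get("Name"): (n.text or "") for n in root.iterfind("e:EventData/e:Data", NS)}
    codes = {int(d.get(k) or "0", 16) for k in ("Status", "SubStatus")}
    logon_type = d.get("LogonType", "")
    return {
        "caller": d.get("SubjectUserName"),
        "process": d.get("ProcessName"),
        "account": d.get("TargetDomainName", "") + "\\" + d.get("TargetUserName", ""),
        "logon_type": logon_type,
        "auth_package": d.get("AuthenticationPackageName"),
        "rights_problem": LOGON_TYPE_NOT_GRANTED in codes,
        "right_to_check": LOGON_RIGHT.get(logon_type, "unknown"),
    }

if __name__ == "__main__":
    for key, value in triage_4625(SAMPLE).items():
        print(f"{key}: {value}")
```

When `rights_problem` is true, the credentials were not what the machine rejected; the user right named in `right_to_check` is the setting to review on the machine that logged the event.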
I also found the log now.
And, as I suspected before, the BES uses Kerberos, which will not work in this case. I logged the Kerberos events on the BES. Translation in English:
Code:
A Kerberos error occurred while authenticating
Original message in German:
Code:
Eine Kerberos-Fehlermeldung wurde auf
How can I change the configuration of the BES to use NTLM/NTLMv2 for authentication instead of Kerberos? |
In: MDS\Servers\instance\config
In the mdslogin.conf there is written:
Code:
MDS_Default {
I tried to log in to a remote XP PC, which is not a member of an AD domain, using credentials of the local PC (where no Kerberos authentication is possible, AFAIK?), and it also fails. This looks like a bug to me. |
I have been playing with this using virtual systems so I can see a clean set of logs, and I am noticing that sometimes I don't even see any login failures from any user (besadmin or user account) on the client PC.
Ugh, why would they give you the option for login/password/DOMAIN if you can't login to any other domains/workstations.. |
Because there is a bug in the implementation, or someone did not think of this problem.
The login procedure could try Kerberos at the first attempt, but then must fall back to NTLM - which it doesn't. The only way to use Kerberos for login to a remote domain is to establish a trusted relationship between the two domains - this is an unlikely setup to expect. Maybe this is even a kind of security feature, which simply does not allow you to log in to your PC at home, because you then could copy secret information from your office to an unknown/untrusted PC.
I tried to find information about the Files feature on RIM's site, but found only this: JAAS Login Configuration File, referencing the mdslogin.conf. And the file looks OK. But even if this looks OK, nobody seems to know if the Files feature uses the mdslogin.conf at all. Anyone else with a good idea? |