BlackBerry Forums Support Community

BlackBerry Forums Support Community (http://www.blackberryforums.com/index.php)
-   BES Admin Corner (http://www.blackberryforums.com/forumdisplay.php?f=21)
-   -   Accessing a Network Share Authentication Issue using Files (http://www.blackberryforums.com/showthread.php?t=222885)

Triforce66 03-26-2010 01:33 PM

Accessing a Network Share Authentication Issue using Files
 
I am running into an authentication issue using Files (new BB OS 5.0 application to allow you to connect to network shares if you are using BES/BESx) to connect to a network share on a server outside of the domain. I am able to successfully connect to a network share on a server, which is in the same domain as the BES/BESx server. However, I am unable to connect to a network share on a server that is not in the same domain (or not in a domain at all). I enter a login and password local to the server, and I have tried entering the domain as blank, or the name of the server (for those not in the domain) and both come back with Authentication Failed. I know the l/p is correct, and I have confirmed that the BES/BESx server can access the network share using the supplied l/p successfully. Has anyone had any luck connecting to a network share on a server that is not in the same domain as the BES/BESx?

Thank You

nobody7290 03-27-2010 08:19 AM

Add me to the list - does not work here either with BES 5.0 full.
I tried adding a hosts entry with some name and matching IP, but it will not work.
Tried to add a forward lookup zone to AD with the name of the remote domain and added the host - will not work.

However, if I log on to the machine where the BES is running, I can access the remote server.

Maybe the BES authenticates by trying to acquire a Kerberos ticket? This is unlikely to work if the server is remote.

In the logs of the BES I do not find anything about the failed connection.

nobody7290 03-29-2010 05:44 AM

Followup:
I even created a secondary DNS zone holding a copy of the remote server's DNS zones.
Still can't log in to the remote server.

Triforce66 03-29-2010 07:05 PM

I am kinda shocked no one has had this issue before and not figured out how to fix it.

kennyc01 04-27-2010 10:16 AM

Add me to this list.
 
Identical issue - I can access the share as long as it is under the same domain. But I get authentication errors when I try another domain.

The error we get in the event viewer is EVENT ID 4625: the user has not been granted the requested logon type at this machine.

nobody7290 04-27-2010 02:38 PM

Quote:

Originally Posted by kennyc01 (Post 1599828)
Identical issue - I can access the share as long as it is under the same domain. But I get authentication errors when I try another domain.

The error we get in the event viewer is EVENT ID 4625: the user has not been granted the requested logon type at this machine.

I now also looked into the logs of the server I tried to connect to, but there is nothing logged about a failed attempt.

Are you sure this event you logged was connected to the BlackBerry server's attempt to log in?

My remote server is connected via a VPN; it is in a different subnet, so for me it looks like the BES will simply not try to connect to something outside of its own subnet.

I can log on to a Windows XP machine which is not in my domain, but in a workgroup, which is located in my own subnet.

kennyc01 04-28-2010 08:30 AM

yep.

The process is bmds.exe, running as the account besadmin, and it logged the account and domain names I tried to use.

I am on 5.0.1 MR2, Server 2008 x64.

nobody7290 05-01-2010 10:45 AM

I also found the log now.
And, as I suspected before, the BES uses Kerberos, which will not work in this case.
I logged the Kerberos events on the BES.
Translation in English:

Code:

A Kerberos error occured while authenticating
 ClientTime:
 ServerTime: 15:20:3.0000 5/1/2010 Z
 ErrorCode: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Erweiterter Fehler:
 Clientbereich:
 Clientname:
 Servercontext: someremotedomain.LOCAL
 Servername: krbtgt/localdomain.COM
 Targetname: krbtgt/localdomain.com@remotedomain.LOCAL
 Errortext:
 File: 9
 Line: ae0


Original message in German:
Code:

Eine Kerberos-Fehlermeldung wurde auf
        Anmeldesitzung  empfangen:
 Clientzeit:
 Serverzeit: 15:20:3.0000 5/1/2010 Z
 Fehlercode: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Erweiterter Fehler:
 Clientbereich:
 Clientname:
 Serverbereich: someremotedomain.LOCAL
 Servername: krbtgt/localdomain.COM
 Zielname: krbtgt/localdomain.com@remotedomain.LOCAL
 Fehlertext:
 Datei: 9
 Zeile: ae0
 Die Fehlerdaten stehen in den Berichtdaten.

I am no expert in Kerberos. From what I know, it looks like the BES queries the DC of the local domain to get a ticket for the remote domain, but the local DC does not know how this can be done.

How can I change the configuration of the BES to use NTLM/NTLMv2 for authentication instead of Kerberos?
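The event quoted above can be read mechanically. The following is an added example (not code from the thread, RIM or Microsoft) that parses the labelled fields of such a Windows Kerberos error event and classifies a KDC_ERR_S_PRINCIPAL_UNKNOWN (0x7): when the Targetname is a krbtgt principal whose instance names a different realm than the one after the @, the request was for a cross-realm ticket-granting ticket, which can only be issued if a trust path to that realm exists. The sample event is constructed from the poster's English translation; the category names and the helper functions are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample event: field names and values follow the English
# translation of the Windows Kerberos error event quoted in the thread.
SAMPLE_EVENT = """A Kerberos error occured while authenticating
 ClientTime:
 ServerTime: 15:20:3.0000 5/1/2010 Z
 ErrorCode: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Servercontext: someremotedomain.LOCAL
 Servername: krbtgt/localdomain.COM
 Targetname: krbtgt/localdomain.com@remotedomain.LOCAL
 File: 9
 Line: ae0
"""

# One "Label: value" line of the event text; the value may be empty.
FIELD_RE = re.compile(r"^\s*(\w+):\s*(.*)$")


@dataclass
class KerberosError:
    code: int          # numeric KRB-ERROR code, e.g. 7
    name: str          # symbolic name as logged, e.g. KDC_ERR_S_PRINCIPAL_UNKNOWN
    server_name: str   # "Servername" field
    target_name: str   # "Targetname" field, service[/instance]@REALM


def parse_kerberos_event(text):
    """Extract the labelled fields of a Windows Kerberos error event."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    parts = fields.get("ErrorCode", "").split()
    if not parts:
        raise ValueError("event has no ErrorCode field")
    code = int(parts[0], 16)
    name = parts[1] if len(parts) > 1 else ""
    return KerberosError(code, name, fields.get("Servername", ""),
                         fields.get("Targetname", ""))


def split_principal(principal):
    """'krbtgt/localdomain.com@REMOTE.LOCAL' -> ('krbtgt', 'localdomain.com', 'REMOTE.LOCAL')."""
    service, _, realm = principal.partition("@")
    svc_type, _, instance = service.partition("/")
    return svc_type, instance, realm


def classify(err):
    """Explain a KDC_ERR_S_PRINCIPAL_UNKNOWN (0x7) from the defender's side.

    Returns one of (names chosen for this example):
      'cross-realm-no-trust' - a krbtgt ticket for another realm was requested
                               from a KDC that knows no trust path to it;
      'tgt-for-own-realm'    - krbtgt of the realm itself is unknown, which
                               points at a realm name / KDC mismatch;
      'spn-not-registered'   - an ordinary service principal the KDC cannot find;
      'other'                - a different error code.
    """
    if err.code != 7:
        return "other"
    svc_type, instance, realm = split_principal(err.target_name)
    if svc_type.lower() == "krbtgt":
        if instance.lower() != realm.lower():
            return "cross-realm-no-trust"
        return "tgt-for-own-realm"
    return "spn-not-registered"


if __name__ == "__main__":
    e = parse_kerberos_event(SAMPLE_EVENT)
    print(e.code, e.name, "->", classify(e))
```

For the quoted event this yields `cross-realm-no-trust`: without a trust between the two domains a Kerberos logon to that share cannot succeed, and the only thing to look for next is whether the client falls back to NTLM.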

nobody7290 05-01-2010 01:52 PM

In MDS\Servers\instance\config, in the mdslogin.conf,

there is written:
Code:

MDS_Default {
    com.sun.security.auth.module.Krb5LoginModule      optional  defaultUserRealm=COMPANY.COM;
    net.rim.security.auth.module.ntlm.NtlmLoginModule Sufficient defaultUserDomain=COMPANY.COM;
    net.rim.security.auth.module.pwd.PwdLoginModule  optional;
};

So, if the BES uses this config file for the "files" service, login with NTLM should be possible.
I tried to log in to a remote XP PC, which is not a member of an AD domain, using credentials of the local PC (where, AFAIK, no Kerberos authentication is possible?), and it also fails.

This looks like a bug to me.

Triforce66 05-06-2010 07:56 AM

I have been playing with this using virtual systems so I can see a clean set of logs, and I am noticing that sometimes I don't even see any login failures from any user (besadmin or user account) on the client PC.

Ugh, why would they give you the option for login/password/DOMAIN if you can't log in to any other domains/workstations?

nobody7290 05-08-2010 11:18 AM

Because there is a bug in the implementation, or someone did not think of this problem.

The login procedure could try Kerberos at the first attempt, but then must fall back to NTLM - which it doesn't.
The only way to use Kerberos for login to a remote domain is to establish a trusted relationship between the two domains - this is an unlikely setup to expect.

Maybe this is even a kind of security feature, which simply does not allow you to login to your PC at home, because you then could copy secret information from your office to an unknown/untrusted PC.

I tried to find information about the Files feature on RIM's site, but found only this:
JAAS Login Configuration File

referencing the mdslogin.conf

And the file looks ok.
But even if this looks OK, nobody seems to know if the Files feature uses the mdslogin.conf at all.

Anyone else with a good idea?
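Whether the Files service consults mdslogin.conf at all is, as the thread says, unknown; what can be checked is what that file would mean if it is read with standard JAAS semantics. The following is an added example (not RIM's code and not a description of what bmds.exe actually does) that parses the quoted MDS_Default entry and applies the JAAS control-flag rules (Required/Requisite/Sufficient/Optional) to it, to show which modules are consulted when the Kerberos module fails. It serves both the config posted earlier and the fallback point made above. The module outcomes passed in are constructed; the parser and `evaluate_stack` are this example's own.

```python
import re
from enum import Enum


class Flag(Enum):
    """JAAS login-module control flags (compared case-insensitively by JAAS)."""
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


# Copied from the mdslogin.conf entry quoted in the thread; COMPANY.COM is the
# poster's placeholder, not a real realm.
MDSLOGIN_CONF = """
MDS_Default {
    com.sun.security.auth.module.Krb5LoginModule      optional  defaultUserRealm=COMPANY.COM;
    net.rim.security.auth.module.ntlm.NtlmLoginModule Sufficient defaultUserDomain=COMPANY.COM;
    net.rim.security.auth.module.pwd.PwdLoginModule  optional;
};
"""

# One application entry: Name { <module> <flag> [opt=val ...]; ... };
ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.DOTALL)


def parse_jaas_config(text):
    """Parse login.conf syntax into {entry: [(module class, Flag, {opt: val}), ...]}."""
    config = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for stanza in body.split(";"):
            tokens = stanza.split()
            if not tokens:
                continue
            module, flag, *opts = tokens
            options = dict(o.split("=", 1) for o in opts)
            modules.append((module, Flag(flag.lower()), options))
        config[name] = modules
    return config


def evaluate_stack(modules, outcomes):
    """Apply the JAAS control-flag rules to a stack of (module, Flag, options).

    outcomes maps a module's short class name to the True/False result of its
    login(); modules missing from the map are treated as failing.
    Returns (overall_success, list of module short names that were consulted).
    """
    has_required = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f, _ in modules)
    required_ok = True   # no REQUIRED/REQUISITE module has failed so far
    any_ok = False       # some module succeeded (decides when nothing is required)
    tried = []
    for module, flag, _ in modules:
        short = module.rsplit(".", 1)[-1]
        tried.append(short)
        ok = outcomes.get(short, False)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not ok:
                required_ok = False
                if flag is Flag.REQUISITE:
                    return False, tried      # requisite failure stops the stack
        elif flag is Flag.SUFFICIENT and ok and required_ok:
            return True, tried               # later modules are not consulted
        if ok:
            any_ok = True
    return (required_ok if has_required else any_ok), tried


if __name__ == "__main__":
    stack = parse_jaas_config(MDSLOGIN_CONF)["MDS_Default"]
    # Constructed scenario from the thread: Kerberos fails (no trust), NTLM works.
    print(evaluate_stack(stack, {"Krb5LoginModule": False, "NtlmLoginModule": True}))
```

Read with these rules, the quoted entry does fall back: an `optional` Kerberos failure does not end the login, and a `Sufficient` NTLM success completes it. So if the observed behaviour is "Kerberos fails and nothing else is tried", either this file is not the one the Files service reads or the modules are not being stacked as JAAS would stack them.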

