07-29-2011, 11:39 AM   #12
mahoward
CrackBerry Addict
Join Date: May 2005
Model: 8900
Carrier: T-Mobile
Posts: 560
Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets

As a follow-up, I was able to get this configuration working by adding the following line to the rimpublic.property file:

application.handler.exchange.domain=[MYDOMAIN].COM


The full steps required to implement this for my environment are below in case this helps anyone else:

1. Ensure MDSLogin.conf domain name and realm name changed from COMPANY.COM to [MYDOMAIN].COM

2. Ensure KRB5.conf modified to support only RC4-HMAC and Kerberos realm name changed from COMPANY.COM to [MYDOMAIN].COM

3. Ensure rimpublic.property file contains the following line: application.handler.exchange.domain=[MYDOMAIN].COM

4. Enable Integrated MDS Authentication with [MYNEWSERVICEACCOUNTFORIA] account for [MYDOMAIN].COM domain

5. Verify SPNs registered in AD for services requiring IA

6. Verify Kerberos Constrained Delegation service account [MYNEWSERVICEACCOUNTFORIA] is trusted for delegation to SPNs

7. Create 2 Pull URL patterns:
a) .*[MYDOMAIN]\.com.* Intranet Sites
b) .* Internet Sites

8. Create Access Control Rule "Allow Browser Access" with 2 entries:
a) HTTP .* Internet Sites Allow Access control rules only
b) HTTP .*[MYDOMAIN]\.com.* Intranet Sites Allow Integrated

9. Apply Access Control Rule "Allow Browser Access" to ALL BlackBerry users

10. Enable Pull authorization on each MDS-CS server

11. Test browser access to Intranet Sites, Internet Sites
__________________
BESX 4.1.7 on Exchange 2003: 65 Devices
BESX 5.0.3 on Exchange 2003: 2007 Devices
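Steps 7 and 8 above hinge on two regular expressions deciding which requests get "Allow Integrated" (Kerberos credentials forwarded through constrained delegation) and which get plain access. The script below is an added example, not part of the post and not BlackBerry's own rule engine: it evaluates a request URL against the post's two rules in order, first match wins, and beside them a host-anchored variant so an administrator can see which hosts a pattern actually reaches. Assumptions: `example.com` stands in for `[MYDOMAIN].COM`, and MDS-CS is assumed to apply a full regex match to the whole URL (the `.*` on both ends of the post's patterns suggests this; check the BES documentation for your version).

```python
import re

# Constructed placeholder standing in for [MYDOMAIN].COM in the post.
INTRANET_DOMAIN = "example.com"

# The two access-control entries from the post, in evaluation order:
# (regex, pull URL pattern name, authentication mode).
# Assumption: the engine does a full match of the regex against the request URL.
POST_RULES = [
    (r".*example\.com.*", "Intranet Sites", "Allow Integrated"),
    (r".*", "Internet Sites", "Allow Access control rules only"),
]

# Host-anchored alternative (added here, not from the post): the domain must end
# the host component, so "example.com" appearing in a path or query string does
# not pull a request into the Integrated rule.
HOST_ANCHORED_RULES = [
    (r"https?://([a-z0-9-]+\.)*example\.com(:\d+)?(/.*)?",
     "Intranet Sites", "Allow Integrated"),
    (r".*", "Internet Sites", "Allow Access control rules only"),
]


def classify(url, rules):
    """Return (pattern name, auth mode) of the first rule whose regex fully
    matches the URL, or (None, None) if nothing matches."""
    for pattern, name, mode in rules:
        if re.fullmatch(pattern, url, re.IGNORECASE):
            return name, mode
    return None, None


def audit(urls):
    """Compare the post's rules with the host-anchored rules for each URL.
    Returns a list of (url, post_result, anchored_result) so differences can be
    reviewed before the rule set is pushed to all users."""
    return [(u, classify(u, POST_RULES), classify(u, HOST_ANCHORED_RULES))
            for u in urls]


if __name__ == "__main__":
    # Constructed sample requests; the domains here are placeholders.
    sample_urls = [
        "http://portal.example.com/home",
        "http://www.bing.com/search",
        "http://www.bing.com/search?q=example.com",
        "http://example.com.other.test/",
    ]
    for url, post_result, anchored_result in audit(sample_urls):
        flag = "" if post_result == anchored_result else "  <-- differs"
        print(f"{url}\n    post rules:     {post_result}\n"
              f"    host-anchored:  {anchored_result}{flag}")
```

Run it after editing the patterns for your own domain; any row flagged "differs" is a URL that the broad pattern would send to the Integrated rule even though its host is not in the intranet domain. Keeping the intranet entry first in the rule order, as the post does, is still required, because the catch-all `.*` would otherwise swallow every request.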