Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
As a follow up, I was able to get this configuration working by adding the following line to the rimpublic.property file:
application.handler.exchange.domain=[MYDOMAIN].COM
The full steps required to implement this for my environment are below in case this helps anyone else:
1. Ensure MDSLogin.conf domain name and realm name changed from COMPANY.COM to [MYDOMAIN].COM
2. Ensure KRB5.conf modified to support only RC4-HMAC and Kerberos realm name changed from COMPANY.COM to [MYDOMAIN].COM
3. Ensure rimpublic.property file contains the following line: application.handler.exchange.domain=[MYDOMAIN].COM
4. Enable Integrated MDS Authentication with [MYNEWSERVICEACCOUNTFORIA] account for [MYDOMAIN].COM domain
5. Verify SPNs registered in AD for services requiring IA
6. Verify Kerberos Constrained Delegation service account [MYNEWSERVICEACCOUNTFORIA] is trusted for delegation to SPNs
7. Create 2 Pull URL patterns:
a) .*[MYDOMAIN]\.com.* Intranet Sites
b) .* Internet Sites
8. Create Access Control Rule "Allow Browser Access" with 2 entries:
a) HTTP .* Internet Sites Allow Access control rules only
b) HTTP .*[MYDOMAIN]\.com.* Intranet Sites Allow Integrated
9. Apply Access Control Rule "Allow Browser Access" to ALL BlackBerry users
10. Enable Pull authorization on each MDS-CS server
11. Test browser access to Intranet Sites, Internet Sites
__________________
BESX 4.1.7 on Exchange 2003: 65 Devices
BESX 5.0.3 on Exchange 2003: 2007 Devices
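The two pull URL patterns in step 7 decide which sites get Integrated (Kerberos) authentication in step 8. The following added example (not from the post or from BlackBerry) evaluates those patterns the way a regex engine would, using a constructed domain "mydomain" in place of the [MYDOMAIN] placeholder, and shows a host-anchored alternative (an assumption, not the poster's configuration) that only matches when the domain is the URL's host rather than appearing anywhere in the URL.

```python
import re

# Constructed stand-in for the [MYDOMAIN] placeholder (hypothetical domain).
DOMAIN = "mydomain"

# Rule name -> (pull URL pattern as written in the post, authentication mode).
# Case-insensitive matching is an assumption made here for illustration.
POST_RULES = {
    "Intranet Sites": (rf".*{DOMAIN}\.com.*", "Allow Integrated"),
    "Internet Sites": (r".*", "Allow Access control rules only"),
}


def matching_rules(url: str, rules=POST_RULES) -> list:
    """Return the names of every rule whose pattern matches the whole URL.

    Both patterns start with '.*', so an intranet URL matches both rules and
    the MDS rule precedence decides which mode is applied; this function only
    reports the overlap, it does not model that precedence.
    """
    return [name for name, (pattern, _mode) in rules.items()
            if re.fullmatch(pattern, url, re.IGNORECASE)]


def host_anchored_pattern(domain: str) -> str:
    """Tighter pattern (assumption): the domain must be the host of the URL.

    Accepts http(s)://[sub.]domain.com[:port][/path?query#fragment].
    A URL that merely contains 'domain.com' in its path or query does not
    match, so Integrated authentication is not offered to such sites.
    """
    d = re.escape(domain)
    return rf"https?://(?:[^/?#]*\.)?{d}\.com(?::\d+)?(?:[/?#].*)?"


def is_intranet_host(url: str, domain: str = DOMAIN) -> bool:
    """True if the URL's host is the intranet domain under the anchored pattern."""
    return re.fullmatch(host_anchored_pattern(domain), url, re.IGNORECASE) is not None


if __name__ == "__main__":
    for u in ("https://portal.mydomain.com/reports",
              "https://www.example.org/",
              "https://www.example.org/?next=mydomain.com"):
        print(u, matching_rules(u), is_intranet_host(u))
```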