[hdawg]

I use the BESUserAminService on pretty much every server I touch; its great for reporting, tinkering, and for our homegrown web application that does device provisioning, management, and reporting ...

I have no problems with any installation on any Exchange implementation but have a problem with all Domino installations ...

Using BES 4.1 SP3 & SP4 (and matching UserAdminService) I login to the server as my account, install the service, start it up, and everything works correctly. I connect to it using:

BESUserAdminClient -p password -servers -stats

and it works great. The problem is ... I can't run the service as my account; it needs to run as Local System; like the Lotus Domino service runs as. (corporate policy)

When I change the service to run as Local System, and then export / import the reg keys from: HKCU\Software\Research in Motion\BlackBerry Enterprise Server\Admin
to: HKU\.DEFAULT\Software\Research in Motion\BlackBerry Enterprise Server\Admin

and then start the service it starts without an issue.

I then execute the same command and I receive the: "Error -55: could not determine client role" error ... I checked KB11097 ... and no dice.

I've added the computer object granting it permission to the SQL databasse and still no dice.

if I modify my command to:

BESUserAdminClient -p password -servers -stats -SQLUSER sa -SQLPASS password

it works perfectly fine. Unfortunately this isn't really acceptable to me ... and I wouldn't think I would need this since I enter in the SQL credentials during the BESUserAdminService install ... tried it both using windows auth and sql auth; same result.

I'm going to open up a case with T-Support as this is really bugging me now ... anyone got suggestions; I'm sick of searching here and at RIMs site on this. Any help / insight would be appreciated.

[niall.gray]

Hey there,

Did you ever get a fix for this???

[noname]

hdawg, try granting access this on the SQL Server to:-

NTDomain\BESDominoNetBiosName$

then, enable server admin + public & db_owner roles.

[hdawg]

Quote:

Originally Posted by noname

hdawg, try granting access this on the SQL Server to:-

NTDomain\BESDominoNetBiosName$

then, enable server admin + public & db_owner roles.

We actually came to a solution last Thursday; not what I wanted though.

If you add the SQL Server sysadmin role to the computer object and then grant it the db_owner role for the database, and then execute the BESUserAdminClient command with a user that also has the same permissions it works. ... Instead of using the sysadmin role you could use serveradmin and securityadmin.

After a few hours with T-Support we both came to the conclusion that the documentation on this is poor at best and really needs to be updated.

The thing that really kills me, is that I would think the BESUserAdminService is all that needs access; the user / object executing the BESUserAdminClient shouldn't need any direct access to the database; the service should be proxying for it as even it is authenticated as it is using a password to send its command to the service. The design on this is really poor and kills me.

So I've given the server object all the permission it needs, have configured my web service to run as LocalSystem, and everything works. Executing commands locally on the server doesn't work as when I logon to the server my account doesn't have the requisite permissions in SQL; but that is fine I guess for now.

[niall.gray]

Thanks for the reply.

Mind if i ask another question..

Are you saying the the user context that the client gets executed under needs access to the database??

[hdawg]

Quote:

Originally Posted by niall.gray

Are you saying the the user context that the client gets executed under needs access to the database??

Yes, exactly ... which baffles me to no end.

[niall.gray]

thats possibly the worst thing

So i wonder why they put the sql parameters in.

[hdawg]

Quote:

Originally Posted by niall.gray

thats possibly the worst thing

So i wonder why they put the sql parameters in.

That was my complaint. I was told it was the credentials that the service used to connect to the sql server ... which makes sense ... but then why the heck doesn't it proxy the command from the client?!?!?!?!

IS THAT NOT THE POINT OF IT?!?!?!?!

ok, I'm off my soapbox ... for now.

[niall.gray]

Did they say when you spoke to them whether this was going to be fixed??

[hdawg]

Highly doubtful ... especially with the focus on BES 5. I'm almost sure this service will go away with 5.

[noname]

hey hdawg, BESUserAminService -> BRK -> FOC => less solid design I guess? Yeah BES 5.0 will have better feature (hopefully).

[K_NAPP]

Did anyone ever find out if SP5 has made BESUserAdminService better or replaced it with something?

[hdawg]

nope no "fix / change" still the only thing.

[aqeel]

hmmm, is there any thing using which we can send user Enterprise Activation passwords only from BESUserAdmin ?

[hdawg]

Quote:

Originally Posted by aqeel

hmmm, is there any thing using which we can send user Enterprise Activation passwords only from BESUserAdmin ?

huh?