05-18-2009, 12:44 PM
|
#1
|
Knows Where the Search Button Is
Join Date: Jul 2008
Model: 9500
PIN: N/A
Carrier: TANGO
Posts: 32
|
BES 5.0 and LDAP and WEBDESKTOP
Hello
I have a problem accessing the Webdesktop in BES 5.0.
All user names are refused.
What is the login name for the LDAP user I must use?
Administrator?
Or must I create an extra user? If so, what are the privileges this user must have?
Thanks a lot for your help.
05-19-2009, 03:55 AM
|
#2
|
Thumbs Must Hurt
Join Date: Jan 2005
Model: 9500
Carrier: Vodafone NL
Posts: 87
|
Note that there is a bug when you change the LDAP settings in the "Blackberry Server Configuration" tool...
View Document
05-19-2009, 02:23 PM
|
#3
|
Knows Where the Search Button Is
Join Date: Jul 2008
Model: 9500
PIN: N/A
Carrier: TANGO
Posts: 32
|
That is not the issue, I already checked this.
06-09-2009, 04:49 AM
|
#4
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
|
Any luck with this? I have the same issue.
Error : "The username, password, or domain is not correct. Please correct the entry"
06-11-2009, 04:46 PM
|
#5
|
Thumbs Must Hurt
Join Date: Sep 2005
Model: 8300
Carrier: AT&T, tMobile, Verizon
Posts: 55
|
Quote:
Originally Posted by jhanff
That is not the issue, I already checked this.
|
If you've checked this, you're now running into the bug.
Just to be clear:
If you open up the Configuration Tool from the Windows Start menu and go to the LDAP settings tab and click on "Verify" or "Check" or whatever is listed there, you're now locked out of BES using LDAP verification. This is a known issue with BES 5.0.
Step 1: When you set up BES and BAS, you were asked to supply an Active Directory user that has permissions to search Active Directory. There is no standard user. You need to make sure the user info you put into the installer has the correct permissions.
Step 2: When you try to log into BAS or Webdesktop using an Active Directory account, BAS uses the credentials that you specified in Step 1.
- mike
06-15-2009, 05:58 AM
|
#6
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
|
Thanks Sweater.
I have also checked this and all LDAP settings are fine. I supplied the BESADMIN credentials during setup for standardization. Is this correct? Could this be the problem?
I didn't know how many of my users use this service until now, WHEN IT IS NOT WORKING.
What else could it be?
Thanks a bunch
06-15-2009, 09:40 AM
|
#7
|
Knows Where the Search Button Is
Join Date: Jun 2009
Model: 8830
PIN: N/A
Carrier: Bell
Posts: 16
|
Hey Raiden,
Did you ever get the Active Directory login to work?
I'm having the same issue on a new install (re-installed 3 times to rule out everything).
Walked through all KB articles, everything seems fine, permissions are in place and the account used has read permissions to the LDAP.
Help needed.
I am probably going to be forced to bring this to tech support; once I get an answer I will relay it here.
I also notice the BES-AS module is created by a third party and not RIM.
Maybe that's why they refuse to address the problem.
Way to justify a 3k expense that only half works....
06-15-2009, 09:48 AM
|
#8
|
Thumbs Must Hurt
Join Date: Sep 2005
Model: 8300
Carrier: AT&T, tMobile, Verizon
Posts: 55
|
Quote:
Originally Posted by Raiden
Thanks Sweater.
I have also checked this and all LDAP settings are fine. I supplied the BESADMIN credentials during setup for standardization. Is this correct? Could this be the problem?
|
OK - so here's a standard way to set up BES/BAS with Active Directory authentication:
You have a besadmin user account in Active Directory that has the appropriate Exchange permissions (assuming Exchange) and Active Directory permissions to be able to do LDAP lookups.
That besadmin user is what the BES and BAS services are running as underneath. Further, the besadmin username and password are what BAS passes along to Active Directory when you log into BAS or Webdesktop. Meaning: When a user puts their username into the Webdesktop interface and clicks "OK" or whatever, Webdesktop takes their username and password, logs into Active Directory as "besadmin" and looks up that person's username and password in order to authenticate them through to Webdesktop. Enter the current problem with BAS 5.0:
When you set up BAS during install, the besadmin Active Directory credentials that you confirmed during install are stored in the BESMgmt database. During setup, the password for besadmin gets encrypted properly so that when a user tries to log in to Webdesktop, the correct username (besadmin) and password are sent on to Active Directory and everything works.
However - the 5.0 BlackBerry Administration tool run from the Start menu has a bug in it. If you use that tool to confirm your LDAP settings, that tool will fail to encrypt the besadmin password correctly. This breaks the ability of that besadmin user account to do proper Active Directory authentication whenever you try to log into BAS or Webdesktop.
There are workarounds for this problem, including uninstalling and reinstalling BAS and never, ever touching that tool from the Start menu. However, you might find a call to tech support will be your best bet.
- mike
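The two-step login that the post above describes (the application binds to the directory as its own service account, looks up the user, then checks the user's password) can be modelled end to end. The following is an added example, not BES/BAS code: FakeDirectory is an in-memory stand-in for Active Directory, and every DN, account name and password in it is constructed. The point it makes is the one in the post: if the service-account password the application has stored is corrupt, step 1 fails before the user's own credentials are ever examined, so every login is refused.

```python
"""Two-step LDAP authentication of the kind the post above describes.

Added example, not BES/BAS code. FakeDirectory is an in-memory stand-in for
Active Directory; every DN, account name and password below is constructed.
"""


class InvalidCredentials(Exception):
    """Raised when a simple bind is rejected (LDAP resultCode 49)."""


class FakeDirectory:
    """Tiny directory: DN -> {"password": ..., "sAMAccountName": ...}."""

    def __init__(self, entries):
        self._entries = entries

    def bind(self, dn, password):
        """Simple bind: succeeds only if the DN exists and the password matches."""
        entry = self._entries.get(dn)
        if entry is None or entry["password"] != password:
            raise InvalidCredentials(dn)
        return BoundSession(self._entries, dn)


class BoundSession:
    """Searches are only possible through a session that bound successfully."""

    def __init__(self, entries, bound_as):
        self._entries = entries
        self.bound_as = bound_as

    def find_dn(self, sam_account_name):
        """Map a login name to a DN, as the service account's search would."""
        for dn, entry in self._entries.items():
            if entry["sAMAccountName"].lower() == sam_account_name.lower():
                return dn
        return None


def authenticate(directory, stored_service_credentials, username, user_password, trace=None):
    """Authenticate a Webdesktop/BAS-style user via a service-account lookup.

    stored_service_credentials is the (dn, password) pair the application keeps
    in its own database; if that stored password is corrupt, step 1 fails for
    everyone, however valid the user's own password is. Returns one of:
    "ok", "service-account bind failed", "unknown user", "invalid user credentials".
    """
    log = trace if trace is not None else []
    service_dn, service_password = stored_service_credentials

    # Step 1: the application binds as its own service account.
    log.append(f"app -> dir: bind {service_dn}")
    try:
        session = directory.bind(service_dn, service_password)
    except InvalidCredentials:
        log.append("dir -> app: invalidCredentials (service account)")
        return "service-account bind failed"
    log.append("dir -> app: bind ok")

    # Step 2: using that session, look up the DN behind the login name.
    log.append(f"app -> dir: search sAMAccountName={username}")
    user_dn = session.find_dn(username)
    if user_dn is None:
        log.append("dir -> app: no entries")
        return "unknown user"
    log.append(f"dir -> app: {user_dn}")

    # Step 3: verify the user's own password with a second bind, as the user.
    log.append(f"app -> dir: bind {user_dn}")
    try:
        directory.bind(user_dn, user_password)
    except InvalidCredentials:
        log.append("dir -> app: invalidCredentials (user)")
        return "invalid user credentials"
    log.append("dir -> app: bind ok")
    return "ok"


# Constructed sample directory and the credentials the application has stored.
DIRECTORY = FakeDirectory({
    "CN=besadmin,OU=Service,DC=example,DC=test": {
        "password": "S3rvice-Pass!", "sAMAccountName": "besadmin"},
    "CN=Jane Smith,OU=Users,DC=example,DC=test": {
        "password": "UserPass1", "sAMAccountName": "jsmith"},
})
GOOD_SERVICE = ("CN=besadmin,OU=Service,DC=example,DC=test", "S3rvice-Pass!")
# What a mis-encrypted stored password looks like to the directory: garbage.
CORRUPT_SERVICE = ("CN=besadmin,OU=Service,DC=example,DC=test", "\x00\x9f\x13garbled")


if __name__ == "__main__":
    for creds in (GOOD_SERVICE, CORRUPT_SERVICE):
        steps = []
        print(authenticate(DIRECTORY, creds, "jsmith", "UserPass1", trace=steps))
        for line in steps:
            print("   ", line)
```

Running it prints "ok" with the full three-step exchange for the good stored credentials, and "service-account bind failed" after a single rejected bind for the corrupt ones, which is why a working user account and a working directory still produce "The username, password, or domain is not correct" at the login page.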
06-15-2009, 09:55 AM
|
#9
|
Thumbs Must Hurt
Join Date: Sep 2005
Model: 8300
Carrier: AT&T, tMobile, Verizon
Posts: 55
|
Quote:
Originally Posted by x0rerror
I also notice the BES-AS module is created by a third party and not RIM.
|
BAS uses standard Java modules to do things like (in this case) LDAP lookups. It's a limitation of the programming language, but also a standard programming language. I highly doubt it's the actual module that's the issue.
How comfortable are you with SQL queries?
The username and password for the Active Directory account you used to set up AD authentication are stored in a Users table in the BESMgmt database.
If you run a select * on that table and see your besadmin password in clear text, it hasn't been encrypted correctly.
Sorry - I'm not in front of a working system at the moment so I can't give you the exact SQL query and which table, but I remember it being very easy to find.
- mike
06-15-2009, 10:19 AM
|
#10
|
Knows Where the Search Button Is
Join Date: Jun 2009
Model: 8830
PIN: N/A
Carrier: Bell
Posts: 16
|
Quote:
Originally Posted by sweater
BAS uses standard Java modules to do things like (in this case) LDAP lookups. It's a limitation of the programming language, but also a standard programming language. I highly doubt it's the actual module that's the issue.
How comfortable are you with SQL queries?
The username and password for the Active Directory account you used to set up AD authentication are stored in a Users table in the BESMgmt database.
If you run a select * on that table and see your besadmin password in clear text, it hasn't been encrypted correctly.
Sorry - I'm not in front of a working system at the moment so I can't give you the exact SQL query and which table, but I remember it being very easy to find.
- mike
|
Hi Mike,
Thanks for recapping. My Besadmin account is actually an Active Directory account. This account has read permission to LDAP; this has been confirmed by logging into a workstation and running an LDAP tool, and I can query LDAP with no problems. I have even gone as far as giving the account DOMAIN ADMIN credentials.
When I try to log in to WEBDESKTOP MANAGER I get the following error appended to the BAS-AS log:
(06/15 11:07:47:479):{http-BES.MYBES.INC%2F10.0.0.104-443-1} [com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] {u=SystemUser, t=68908} LOGIN ERROR: getActiveDirectoryRootDseInformation could not get rootDSE attributes for URL ldap://myldapserver.inc:3268 error=javax.naming.CommunicationException: myldapserver.inc:3268 [Root exception is java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine]
I have also tried port 389 / 3268.
The password is encrypted properly; I have followed the KB article referring to password corruption when managing LDAP through the config GUI.
Any ideas?
P.S. Raiden, can you check your BES-AS log to see if we are getting the same login errors as above?
Thanks a lot.
Last edited by x0rerror; 06-15-2009 at 10:20 AM.
06-15-2009, 11:42 AM
|
#11
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
|
Thank you Mike. That's brilliant on RIM's behalf...
Anyway, when reinstalling, do you do anything different?
After installing, should you not confirm the credentials via the Start menu? The reason I ask this is because I have also reinstalled Webdesktop 3X.
Thank you a bunch for your assistance. What other workarounds are there?
Thanks again
06-15-2009, 11:49 AM
|
#12
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
|
Ok xor let me check my log to confirm, will revert...
06-15-2009, 04:48 PM
|
#13
|
Thumbs Must Hurt
Join Date: Sep 2005
Model: 8300
Carrier: AT&T, tMobile, Verizon
Posts: 55
|
Quote:
Originally Posted by x0rerror
(06/15 11:07:47:479):{http-BES.MYBES.INC%2F10.0.0.104-443-1} [com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] {u=SystemUser, t=68908} LOGIN ERROR: getActiveDirectoryRootDseInformation could not get rootDSE attributes for URL ldap://myldapserver.inc:3268 error=javax.naming.CommunicationException: myldapserver.inc:3268 [Root exception is java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine]
|
I'm not aware of what that error might be unless it's a network issue - install Windows server support tools on the BAS server (or BES/BAS if it's the same machine) and try to do LDAP lookups against your active directory using the LDP tool from MS. And be prepared to give RIM a call for support, I think.
- mike
06-15-2009, 04:55 PM
|
#14
|
Thumbs Must Hurt
Join Date: Sep 2005
Model: 8300
Carrier: AT&T, tMobile, Verizon
Posts: 55
|
Quote:
Originally Posted by Raiden
Thank you Mike. That's brilliant on RIM's behalf...
Anyway, when reinstalling, do you do anything different?
After installing, should you not confirm the credentials via the Start menu? The reason I ask this is because I have also reinstalled Webdesktop 3X.
Thank you a bunch for your assistance. What other workarounds are there?
Thanks again
|
If you run the installer on the BAS server (could be the same as your BES server - you do have the option of them being separate servers) simply un-check the BAS and Webdesktop components, not the BES components. This will leave BES there, just take away BAS/WD.
Reboot, etc.
Re-run the installer, selecting once again the BAS and WD components to reinstall them. The key here is that during the install you're asked to provide valid besadmin credentials (if besadmin is your AD user that you're using) and it will properly encrypt them in the database.
If you can successfully reinstall and can re-login using AD credentials: the 1st thing you should do is to create an additional administrative user in BAS (named basadmin, maybe?) and set it to only use BAS authentication, not AD authentication. This should be a standard part of the install process at this point but is not listed in the documentation. If you set up that BAS-only user and your LDAP settings get screwed up using the Start menu tool, you can still log in using the non-AD basadmin account, reset the LDAP settings in BAS, and be on your way. BAS will correctly encrypt your LDAP settings/password.
Whatever you do, do not touch the LDAP settings dialog available from the Start menu.
- mike
06-18-2009, 04:13 AM
|
#15
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
|
running MR's and SP's tonight will provide feedback...
06-19-2009, 01:36 AM
|
#16
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
|
Mike, I have tried the above step by step but still cannot access. I'm looking to reinstall on another server with Win2008; will try again and let you know.
Thanks again
06-19-2009, 01:36 PM
|
#17
|
Knows Where the Search Button Is
Join Date: Jun 2009
Model: 8830
PIN: N/A
Carrier: Bell
Posts: 16
|
Quote:
Originally Posted by Raiden
Mike, I have tried the above step by step but still cannot access. I'm looking to reinstall on another server with Win2008; will try again and let you know.
Thanks again
|
Hey Raiden,
Did you have a chance to check your bas-as logs for the error?
Let me know if the re-install works for you.
I will be getting tech support as soon as the purchase is made; I'll shoot the resolution back here.... please do the same if you get it functioning.
(Cannot log in to Web Desktop using Active Directory authentication.)
thanks.
06-19-2009, 02:53 PM
|
#18
|
Knows Where the Search Button Is
Join Date: Jun 2009
Model: 8830
PIN: N/A
Carrier: Bell
Posts: 16
|
RESOLVED
I managed to resolve my Active Directory authentication failures by adding my 'ldap' servers to my etc/hosts file.
un$%^&*in real.
RIM should hire me.
Still doesn't explain what is wrong with their code and the inability to properly query my LDAP. But the workaround ... works around....
06-19-2009, 03:20 PM
|
#19
|
BlackBerry Extraordinaire
Join Date: Mar 2006
Model: 9700
Carrier: t-mobile Germany
Posts: 1,381
|
Have you read this?
BlackBerry Support Community Forums - Cannot login using Active Directory. Wrong LDAP servername in LOG. - BlackBerry® Enterprise Server 5.0 - BlackBerry Support Community Forums
That guy says that even though he has entered the FQDN of the server in the setup of BES, the BES system queries domain.com:389 instead of host.domain.com:389.
I had no problems with LDAP (besides the known bug with the LDAP password).
Maybe this is related to your wrong AD DNS entries, or maybe to a missing search domain in your TCP/IP setup?
Check this:
If the IP for your server is given manually, in the DNS options of the TCP settings, make sure the correct search domain is present:
if your FQDN for the LDAP server is server.domain.com and you specify it as "server", the resolver will only be able to resolve the correct address if "domain.com" is in the search list.
If the address is supplied using DHCP, check if a correct search domain is present in the DHCP server's options.
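The BAS-AS log line x0rerror posted, the hosts-file workaround that fixed it for him, and the search-domain check in the post above all point at the same thing: the BAS host could not turn the configured LDAP name into a reachable address. The following is an added triage script, not RIM/BES tooling. It parses a log line of that shape into host, port and Java root cause, lists the names a resolver would try for a given search list, and checks whether a hosts file overrides the lookup. The log line and hosts file it works on are constructed copies in the thread's format, and the search-list ordering is a simplified model of the Windows resolver rather than its exact algorithm.

```python
"""Triage of the BAS-AS 'could not get rootDSE attributes' error.

Added example, not RIM/BES tooling. The log line and hosts file below are
constructed; resolution_candidates() is a simplified model of the resolver.
"""
import re
import socket
from urllib.parse import urlsplit

# Constructed sample in the format of the BAS-AS log line quoted in the thread.
SAMPLE_LINE = (
    "(06/15 11:07:47:479):{http-BES.MYBES.INC%2F10.0.0.104-443-1} "
    "[com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] "
    "{u=SystemUser, t=68908} LOGIN ERROR: getActiveDirectoryRootDseInformation "
    "could not get rootDSE attributes for URL ldap://myldapserver.inc:3268 "
    "error=javax.naming.CommunicationException: myldapserver.inc:3268 "
    "[Root exception is java.net.ConnectException: connect: Address is invalid "
    "on local machine, or port is not valid on remote machine]"
)

# Constructed hosts file content (the workaround a later post arrived at).
SAMPLE_HOSTS = """
# static entries added for the directory servers
10.0.0.5    myldapserver.inc   myldapserver
10.0.0.6    dc2.mybes.inc
"""

URL_RE = re.compile(r"rootDSE attributes for URL (?P<url>ldaps?://\S+)\s+error=(?P<exc>[\w.]+)")
ROOT_RE = re.compile(r"Root exception is (?P<root>[\w.]+)")


def parse_rootdse_failure(line):
    """Return host, port, JNDI exception and Java root cause, or None."""
    m = URL_RE.search(line)
    if m is None:
        return None
    parts = urlsplit(m.group("url"))
    default_port = 636 if parts.scheme == "ldaps" else 389
    root = ROOT_RE.search(line)
    return {
        "host": parts.hostname,
        "port": parts.port or default_port,
        "exception": m.group("exc"),
        "root_cause": root.group("root") if root else None,
    }


def resolution_candidates(host, search_domains):
    """Names a resolver would try, in order, for a given search list.

    Simplified model: a single-label name is tried with each search suffix
    first, then bare; a multi-label name is tried as given, then suffixed.
    """
    if host.endswith("."):
        return [host]           # fully qualified: no search list applied
    suffixed = [f"{host}.{d.strip('.')}" for d in search_domains]
    if "." not in host:
        return suffixed + [host]
    return [host] + suffixed


def hosts_file_lookup(hosts_text, name):
    """Return the address a hosts file maps `name` to, or None."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if name.lower() in (n.lower() for n in names):
            return addr
    return None


def triage(line, search_domains, hosts_text):
    """Combine the three offline checks into one report for the failing URL."""
    failure = parse_rootdse_failure(line)
    if failure is None:
        return None
    host = failure["host"]
    failure["candidates"] = resolution_candidates(host, search_domains)
    failure["hosts_override"] = hosts_file_lookup(hosts_text, host)
    return failure


def tcp_reachable(host, port, timeout=3.0):
    """Live check (uses the network): can this host open the LDAP/GC port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    report = triage(SAMPLE_LINE, ["mybes.inc"], SAMPLE_HOSTS)
    for key, value in report.items():
        print(f"{key:15} {value}")
    if report["hosts_override"] is None:
        print("reachable:", tcp_reachable(report["host"], report["port"]))
```

A java.net.ConnectException root cause, as opposed to an UnknownHostException, means the name did resolve to something but the socket could not be opened; the hosts-file entry settles which address the BAS host is actually using, and tcp_reachable() then confirms that port 3268 (global catalog) or 389 is open from that machine, which is the same test the LDP tool suggested earlier in the thread performs by hand.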
07-06-2009, 02:55 AM
|
#20
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
|
x0rerror, please post your hosts file?
Thanks