[jhanff]

Hello
I have problem accessing the Webdesktop in BES 5.0.
All user names are refused.
What is the login name for the LDAP user i must use?
Administrator?
Or must i create an extra user? if so, what are the privileges this user must have?
Thanks a lot for your help.

[sddroog]

Note that there is a bug when you change the LDAP settings in the "Blackberry Server Configuration" tool...

View Document

[jhanff]

that is not the issue, i already checked this

[Raiden]

Any luck with this? i have the same issue?

Error : "The username, password, or domain is not correct. Please correct the entry"

[sweater]

Quote:

Originally Posted by jhanff

that is not the issue, i already checked this

I've you've checked this, you're now running into the bug.

Just to be clear:

If you open up the Configuration Tool from the Windows Start menu and go to the LDAP settings tab and click on "Verify" or "Check" or whatever is listed there, you're now locked out of BES using LDAP verification. This is a known issue with BES 5.0.

Step 1: When you set up BES and BAS, you were asked to supply an Active Directory user that has permissions to search Active Directory. There is no standard user. You need to make sure the user info you put into the installer has the correct permissions.

Step 2: When you try to log into BAS or Webdesktop using an Active Directory account, BAS uses the credentials of that you specified in Step 1.

- mike

[Raiden]

Thanks Sweater.

I have also checked this and all LDAP settings are fine, i supplied to BESADMIN credentials during setup for standardization. Is this correct? Could this be the problem?

"I didnt know how many of my users use this service until now, WHEN IT IS NOT WORKING

What else could it be?

Thanks a bunch

[x0rerror]

Hey Raiden,

Did you ever get the Active Directory login to work?

I'm having the same issue on a new install ( re-installed 3 times to rule out everything)

walked thorugh all KB articles, everything seems fine, permmissions are in place and the account used has read permissions to the LDAP.

help needed.

I am probably going to be forced to bring this to tech support once i get an answer i will relay it here.

I also notice the BES-AS module is created by a third party and not RIM.

Maybe thats why they refuse to address the problem.

way to justify a 3k expense that only half works....

[sweater]

Quote:

Originally Posted by Raiden

Thanks Sweater.

I have also checked this and all LDAP settings are fine, i supplied to BESADMIN credentials during setup for standardization. Is this correct? Could this be the problem?

OK - so here's a standard way to set up BES/BAS with Active Directory authentication:

You have a besadmin user account in Active Directory that has the appropriate Exchange permissions (assuming Exchange) and Active Directory permissions to be able to do LDAP lookups.

That besadmin user is what the BES and BAS services are running as underneath. Further, the besadmin username and password is what BAS passes along to Active Directory when you log into BAS or Webdesktop. Meaning:

When a user puts their username into the Webdesktop interface and clicks "OK" or whatever, Webdesktop takes their username and password, logs into Active Directory as "besadmin" and looks up that person's username and password in order to authenticate them through to Webdesktop.

Enter the current problem with BAS 5.0:

When you set up BAS during install, the besadmin Active Directory credentials that you confirmed during install are stored in the BESMgmt database. During setup, the password for besadmin gets encrypted properly so that when a user tries to log in to Webdesktop, the correct username (besdamin) and password are sent on to Active Directory and everything works.

However - the 5.0 BlackBerry Administration tool run from the Start menu has a bug in it. If you use that tool to confirm your LDAP settings, that tool will fail to encrypt the besadmin password correctly. This breaks the ability of that besadmin user account to do proper Active Directory authentication whenever you try to log into BAS or Webdesktop.

There are workarounds for this problem, including uninstalling and reinstalling BAS and never, ever touching that tool from the Start menu. However, you might find a call to tech support will be your best bet.

- mike

[sweater]

Quote:

Originally Posted by x0rerror

I also notice the BES-AS module is created by a third party and not RIM.

BAS uses standard Java modules to do things like (in this case) LDAP lookups. It's a limitation of the programming language, but also a standard programming language. I highly doubt it's the actual module that's the issue.

How comfortable are you with SQL queries?

The username and password for the Active Directory account you used to set up AD authentication are stored in a Users table in the BESMgmt database.

If you run a select * on that table and see your besadmin password in clear text it hasn't been encrypted correctly.

Sorry - I'm not in front of a working system at the moment so I can't give you the exact SQL query and which table, but I remember it being very easy to find.

- mike

[x0rerror]

Quote:

Originally Posted by sweater

BAS uses standard Java modules to do things like (in this case) LDAP lookups. It's a limitation of the programming language, but also a standard programming language. I highly doubt it's the actual module that's the issue.

How comfortable are you with SQL queries?

The username and password for the Active Directory account you used to set up AD authentication are stored in a Users table in the BESMgmt database.

If you run a select * on that table and see your besadmin password in clear text it hasn't been encrypted correctly.

Sorry - I'm not in front of a working system at the moment so I can't give you the exact SQL query and which table, but I remember it being very easy to find.

- mike

Hi Mike,

Thanks for recapping. My Besadmin account is actually an active directory account. This account has read permission to LDAP; this has been confirmed by logging into a workstation and running a LDAP tool, i can query LDAP with no problems. I have even went as far as giving the account DOMAIN ADMIN credentials.

When i try to login to WEBDESKTOP MANAGER i get the follwing error appended to the BAS-AS log:

(06/15 11:07:47:479):{http-BES.MYBES.INC%2F10.0.0.104-443-1} [com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] {u=SystemUser, t=68908} LOGIN ERROR: getActiveDirectoryRootDseInformation could not get rootDSE attributes for URL ldap://myldapserver.inc:3268 error=javax.naming.CommunicationException: myldapserver.inc:3268 [Root exception is java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine]

I have also tried port 389 / 3268.

password is encrypted properly.. i have followed the KB article referring to password corruption when managing LDAP through config Gui.

any ideas?

P.S Raiden, can you check your BES-AS log to see if we are getitng the same login errors as above?

thanks alot.

[Raiden]

Thank you Mike. That's brilliant from RIM's behalf...
Anyways when reinstalling do you do anything different?

After installing should you not xonfirm the credentials via the start menu? The reason
I ask this is because I have also reinstalled webdesktop 3X

Thank you a bunch for your assistance..what other workarounds are there?

Thanks again

[Raiden]

Ok xor let me check my log to confirm, will revert...

[sweater]

Quote:

Originally Posted by x0rerror

(06/15 11:07:47:479):{http-BES.MYBES.INC%2F10.0.0.104-443-1} [com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] {u=SystemUser, t=68908} LOGIN ERROR: getActiveDirectoryRootDseInformation could not get rootDSE attributes for URL ldap://myldapserver.inc:3268 error=javax.naming.CommunicationException: myldapserver.inc:3268 [Root exception is java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine]

I'm not aware of what that error might be unless it's a network issue - install Windows server support tools on the BAS server (or BES/BAS if it's the same machine) and try to do LDAP lookups against your active directory using the LDP tool from MS. And be prepared to give RIM a call for support, I think.

- mike

[sweater]

Quote:

Originally Posted by Raiden

Thank you Mike. That's brilliant from RIM's behalf...
Anyways when reinstalling do you do anything different?

After installing should you not xonfirm the credentials via the start menu? The reason
I ask this is because I have also reinstalled webdesktop 3X

Thank you a bunch for your assistance..what other workarounds are there?

Thanks again

If you run the installer on the BAS server (could be the same as your BES server - you do have the option of them being separate servers) simply un-check the BAS and Webdesktop components, not the BES components. This will leave BES there, just take away BAS/WD.

Reboot, etc.

Re-run the installer, selecting once again the BAS and WD components to reinstall them. The key here is the during the install you're asked to provide valid besadmin credentials (if besadmin is your AD user that you're using) and will properly encrypt them in the database.

If you can successfully reinstall and can re-login using AD credentials:

the 1st thing you should do is to create an additional administrative user in BAS (named basadmin, maybe?) and set it to only use BAS authentication, not AD authentication.

This should be a standard part of the install process at this point but is not listed in the documentation. If you set up that BAS-only user and your LDAP settings get screwed up using the Start menu tool, you can still log in using the non-AD basadmin account, reset the LDAP settings in BAS, and be on your way. BAS will correctly encrypt your LDAP settings/password.

Whatever you do, do not touch the LDAP settings dialog available from the Start menu.

- mike

[Raiden]

running MR's and SP's tonight will provide feedback...

[Raiden]

Mike I have tried above step by step but still cannot access..im looking to reinstall on another server With Win2008 will try again and let you know

Thanks again

[x0rerror]

Quote:

Originally Posted by Raiden

Mike I have tried above step by step but still cannot access..im looking to reinstall on another server With Win2008 will try again and let you know

Thanks again

Hey Raiden,

Did you have a chance to check your bas-as logs for the error?

Let me know if the re-install works for you.

I will be getting tech support as soon as the purchase is made; i'll shoot the resolution back here.... please do the same if you get it functioning.

(cannot login to web desktop using active directory authetication. )

thanks.

[x0rerror]

RESOLVED

I managed to resolve my Active Directory authentication failures by adding my 'ldap' servers to my etc/hosts file.

un$%^&*in real.

RIM should hire me.

Still doesn't explain what is wrong with thier code and the inability to properly query my ldap. But the workaround ... works around....

[nobody7290]

Have you read this ?
BlackBerry Support Community Forums - Cannot login using Active Directory. Wrong LDAP servername in LOG. - BlackBerry® Enterprise Server 5.0 - BlackBerry Support Community Forums

That guy tells, that even he has entered the FQDN of the server in the setup of BES, the BES system queries domain.com:389 instead of host.domain.com:389.

I had no problems with ldap (besides the known bug with the ldap password).

Maybe, this is related to your wrong AD dns entries, or, maybe because of a missing search domain in your TCP/IP setup ?

Check this:
if the IP for your server is given manually, in the DNS options of the TCP settings, make sure, the correct search domain is present:
if your FQDN name for the LDAP server is server.domain.com and you specify it as "server", the resolver will only be able to resolve the correct adress if "domain.com" is in the searchlist.

If the Address is supplied using DHCP, check if a correct search domain is present in the DCHP servers options.

[Raiden]

x0error Please post your HostsFile?

Thanks