[A_Zimbo]

Quote:

Originally Posted by sleeper55

open for any suggestions at this point!

Sleeper it strikes me that you are coming in on a domain that somebody else already laid out the Active Directory structures to and made it a little difficult to find simple things like Users due to them being assigned to all sorts of Organisational Units. The one sure fire way to find the BESAdmin account in the Domain is use the Find feature in the MMC for Active Directory Users and Computers.

In AD Users and Computers first select the root of the domain in the tree on the lefft of the screen. Then choose Action on the bar menu, then select Find. Type in the name of the account (In this case I assume it is BESAdmin that you created?) and click the find button. If the account exists then it will appear in the list and you can then right click it and select properties. You can then proceed as per my suggested fix of a few days ago quoted above.

Hope that solves the problem though it also sounds like somebody needs to document the OU structure of the Active Directory so that people like yourself have some way of referencing where users and computers are situated. Best of luck!

[Portland_Girl]

Quote:

Originally Posted by A_Zimbo

Using Active Directory Users and Computers I went to the users container and right clicked on the user BESADMIN and selected properties. Under the Account Tab I set the following items in the "Account Options" list at the bottom of that tab.

Use Kerberos DES etc - Checked.
This account Supports Kerberos AES 128bit encryption - checked.
This account supports Kerberos AES 256bit encryption - checked.
Do not require Kerberos preauthentication - UNCHECKED.

I reset my system time which was about 7 minutes off. Then I followed the advice of A_Zimbo in configuring account properties for besadmin. I did not have to reboot. I tried logging in after setting change and it worked like a charm. Thanks!!

[A_Zimbo]

Quote:

Originally Posted by Portland_Girl

I reset my system time which was about 7 minutes off. Then I followed the advice of A_Zimbo in configuring account properties for besadmin. I did not have to reboot. I tried logging in after setting change and it worked like a charm. Thanks!!

That's true about the system time Portalnd girl. I read about that in the knowledge base somewhere. Silly me forgot to put that in my original post.

[chrislehr]

Quote:

Originally Posted by A_Zimbo

I had about eight or nine hours trying to resolve this yesterday and this is what I finally did to get this working. I am posting this here for others who may have the same issue and hopefully it may help the OP of this thread.

I made a discovery in the Security log of the Event viewer on my Server that was hosting both BES Express 5.0.1 as well as Exchange 2007. They are both on the same box. The Security log entry made reference to a Kerberos right being denied to the BESADMIN active directory account around the time I tried to login to the BES Admin service website. This was irrespective of whether I wanted to login to the BES Express Admin website as BESADMIN or as another login (Say my domain admin account).

I deduced from this that when the BES Express Admin Web service needs to verify your login it is being denied some sort of Kereberos Ticket and or elevated privilege. Since the Message indicated the problem to be with the BESADMIN Active Directory user that I created for installing BESX and of course used by the BESX background services to execute under, I checked out the properties of this account I had created and made the following changes / settings.

Using Active Directory Users and Computers I went to the users container and right clicked on the user BESADMIN and selected properties. Under the Account Tab I set the following items in the "Account Options" list at the bottom of that tab.

Use Kerberos DES etc - Checked.
This account Supports Kerberos AES 128bit encryption - checked.
This account supports Kerberos AES 256bit encryption - checked.
Do not require Kerberos preauthentication - UNCHECKED.

I rebooted the server (Not just restarting the background services!) and finally I was able to login to the BESX Administration Service web site under BESADMIN or under my Domain Admin login ID.

Hope that helps anyone else in this predicament. It was an unnecessarily long day yesterday getting this going thanks to that one stupid little problem.

Best Wishes all

These changes helped me get logged in. Thank YOU.

[A_Zimbo]

Quote:

Originally Posted by chrislehr

These changes helped me get logged in. Thank YOU.

That's great to hear Chris.

I wish though that a more Kerberus type person would tell us why we have to do this to a "Standard user" to get it to work. I can't think of any other product I have ever installed that required this sort of amendment to "out of the box" user settings. Very strange.

Glad the fix worked for you though.

[knottyrope]

M$ does not want it to be easy for BES installs, so they can sell active sync compatable devices.

[tonyadfs]

"The username, password, or domain is not correct. Please correct the entry." error appears when trying to log in to BlackBerry Administration Service using Windows Authentication
Document ID: KB20406 - Blackberry website-support and services- type in KB article kb20406

This is a known issue.

[liamt]

Quote:

Originally Posted by knottyrope

M$ does not want it to be easy for BES installs, so they can sell active sync compatable devices.

to be fair to M$ - this install is littered with problems and poor documentation and bugs, its not all M$' fault (wow, never had to say that before lol)

[itimoteo]

Kerberos, ohhhh kerberos and time issues...
My BESx box was 6 minutes off.
Just sync'd it and it worked! No reboots needed!

Thanks!

[kevincap]

Quote:

Originally Posted by A_Zimbo

I had about eight or nine hours trying to resolve this yesterday and this is what I finally did to get this working. I am posting this here for others who may have the same issue and hopefully it may help the OP of this thread.

I made a discovery in the Security log of the Event viewer on my Server that was hosting both BES Express 5.0.1 as well as Exchange 2007. They are both on the same box. The Security log entry made reference to a Kerberos right being denied to the BESADMIN active directory account around the time I tried to login to the BES Admin service website. This was irrespective of whether I wanted to login to the BES Express Admin website as BESADMIN or as another login (Say my domain admin account).

I deduced from this that when the BES Express Admin Web service needs to verify your login it is being denied some sort of Kereberos Ticket and or elevated privilege. Since the Message indicated the problem to be with the BESADMIN Active Directory user that I created for installing BESX and of course used by the BESX background services to execute under, I checked out the properties of this account I had created and made the following changes / settings.

Using Active Directory Users and Computers I went to the users container and right clicked on the user BESADMIN and selected properties. Under the Account Tab I set the following items in the "Account Options" list at the bottom of that tab.

Use Kerberos DES etc - Checked.
This account Supports Kerberos AES 128bit encryption - checked.
This account supports Kerberos AES 256bit encryption - checked.
Do not require Kerberos preauthentication - UNCHECKED.

I rebooted the server (Not just restarting the background services!) and finally I was able to login to the BESX Administration Service web site under BESADMIN or under my Domain Admin login ID.

Hope that helps anyone else in this predicament. It was an unnecessarily long day yesterday getting this going thanks to that one stupid little problem.

Best Wishes all

Just FYI doing this change also BREAKS the ability for the BES installer to communicate with a remote sql server. I found this out because the sysadmin prior to me applied this fix- I had to reinstall BES because of a data failure and it wouldn't work. Make sure you revert the changes if you have to reinstall BES!!

You'll get an error in your logs like this:

ConnectionItem::ConnectToDB: COM Error 0x80004005 - Unspecified error - Source: "Microsoft OLE DB Provider for SQL Server" - Description "Cannot generate SSPI context" - Command "ConnectionItem::ConnectToDB"

[dlautman]

FYI. I had this problem and just solved. The problem was I changed the admin password that was used to authenticate in blackberry server configuration - > administration service -> ad settings.

Re the Kerberos thing: if you're not using Kerberos and you have this checked, it will make you unable to log in.