
MDS Authentication scheme


clady
08-11-2009, 04:41 AM
Hello to everyone.

We use BES 4.1 and I'm currently trying to integrate the MDS-CS into our Internet proxy architecture, based on Squid, to allow secure Internet access.

I wrote a patch ;-) for Squid to log both the "Rim-device-id" and "Rim-device-email" headers, so we can trace BlackBerry users' access without authenticating them :idea:.

What I would like to do now is the authentication of the MDS Server to the Squid proxies, to reach a higher security level.

Here I have some problems: it seems that MDS is not able to use Kerberos for proxy authentication. Although the Squid helper and BES agreed to use the "Negotiate" scheme, BES starts to use NTLMSSP instead of SPNEGO for Kerberos.

Since the "squid_kerb_auth" helper is not able to process the NTLMSSP method (that's a Microsoft "Standard" :x), the authentication fails WITHOUT falling back to the NTLM scheme (as Firefox instead does).

What I understood, doing several tests and sniffing with Wireshark, is that the "com.sun.security.auth.module.Krb5LoginModule" is never used, because I see the same behavior when commenting out the respective line:

MDS_Proxy_Authentication_Identity {
//com.sun.security.auth.module.Krb5LoginModule optional defaultUserRealm=***********;
net.rim.security.auth.module.ntlm.NtlmLoginModule optional defaultUserDomain=************;
net.rim.security.auth.module.pwd.PwdLoginModule optional;
};

To make it work I removed the Negotiate scheme from the proxies and then the MDS authenticated itself using the NTLM scheme, provided apparently by the same "net.rim.security.auth.module.ntlm.NtlmLoginModule" that provides the Negotiate scheme. Maybe this is why the fall-back to NTLM doesn't work (because it is the same module)?

Has anyone had the same problem? Where can I find detailed documentation about the MDS authentication environment (especially the RIM modules)?

Thanks in advance for your help!!

Neo3000
08-11-2009, 05:52 AM
Hi,

Afaik the section MDS_Proxy_Authentication_Identity is only used when you provide the MDS with a machine account to authenticate all requests towards the proxy.
It is _not_ used if the user should be authenticated - then just MDS_Default is used. The attributes defaultUserRealm and defaultUserDomain are also only evaluated in MDS_Default.

It is also worth noting that only the first Proxy-Authenticate HTTP header is being evaluated. If the proxy announces multiple authentication possibilities, the MDS will just use the scheme announced in the first Proxy-Authenticate header. All subsequent headers are ignored :cry:
There is barely any documentation and the mechanism itself is difficult to use and not very flexible. It is also very difficult to get any answers from RIM for this stuff ... I used Fiddler and found it out myself though 8-)

Greetings,
Neo3000
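
A small diagnostic for the two observations in this thread (only the first Proxy-Authenticate header counts for MDS, and a "Negotiate" header that actually carries raw NTLMSSP rather than SPNEGO). This is an added example, not code from the thread or from RIM/Squid; the 407 responses and tokens are constructed and truncated, and it assumes the proxy emits one Proxy-Authenticate header per scheme.

```python
"""Check what an MDS-style client sees in a proxy 407 and what kind of Negotiate token it sends back."""
import base64

def parse_headers(raw: bytes):
    """Split a raw HTTP response into (status_line, [(name, value), ...]), keeping header order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def advertised_schemes(raw: bytes):
    """Every scheme offered in the 407, in the order the proxy emitted the headers."""
    _, headers = parse_headers(raw)
    return [v.split(None, 1)[0] for n, v in headers if n == "proxy-authenticate"]

def scheme_seen_by_mds(raw: bytes):
    """Behaviour described by Neo3000: MDS only evaluates the first Proxy-Authenticate header."""
    schemes = advertised_schemes(raw)
    return schemes[0] if schemes else None

def classify_negotiate_token(proxy_authorization: str):
    """Tell SPNEGO from raw NTLMSSP inside a 'Negotiate' Proxy-Authorization header.
    A GSS-API initial context token is DER [APPLICATION 0], so it starts with 0x60;
    NTLM type messages start with the signature b'NTLMSSP\\0'."""
    scheme, _, b64 = proxy_authorization.partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlmssp"   # what clady saw: NTLM sent under the Negotiate scheme, which squid_kerb_auth cannot process
    if token[:1] == b"\x60":
        return "spnego"    # wrapped Kerberos/SPNEGO token, the form squid_kerb_auth expects
    return "unknown"

# Constructed samples (not real captures).
RESP_NEGOTIATE_FIRST = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                        b"Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: NTLM\r\n"
                        b"Proxy-Authenticate: Basic realm=\"proxy\"\r\n\r\n")
RESP_NTLM_FIRST = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                   b"Proxy-Authenticate: NTLM\r\nProxy-Authenticate: Negotiate\r\n\r\n")
# Truncated NTLM Type 1 message (signature + message type 1) and truncated SPNEGO NegTokenInit (0x60 + SPNEGO OID).
NTLM_AS_NEGOTIATE = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SPNEGO_TOKEN = "Negotiate " + base64.b64encode(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()

if __name__ == "__main__":
    print(advertised_schemes(RESP_NEGOTIATE_FIRST), scheme_seen_by_mds(RESP_NEGOTIATE_FIRST))
    print(classify_negotiate_token(NTLM_AS_NEGOTIATE), classify_negotiate_token(SPNEGO_TOKEN))
```

If the proxy must keep offering Negotiate for browsers, the practical consequence of the first-header rule is that the scheme MDS can actually complete has to be the one the proxy lists first.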

clady
08-11-2009, 08:43 AM
Many thanks Neo3000!

This is the first time I hear about Fiddler and, reading something about it, it seems to be a nice tool. I don't understand if you used Fiddler only for debugging or if you used it in a production environment, after you scripted an adaptation layer interface to make the authentication work (if so, you have all my respect :smile: !!!!!).

Only a clarification: my intent is to authenticate the server through a machine account, so, if I'm not wrong, the section MDS_Proxy_Authentication_Identity should be used for the authentication. Is that right? The results of my tests go in that direction but nothing is too clear...

Anyway, we also have some proxies that use only the NTLM scheme. So I think that we are going to use them to avoid the problems met with the Negotiate one.

Thanks again for your help.