clady
08-11-2009, 04:41 AM
Hello to everyone.
We use BES 4.1 and I'm currently trying to integrate the MDS-CS into our Internet proxy architecture, based on Squid, to allow secure Internet access.
I wrote a patch ;-) for Squid to log both the "Rim-device-id" and "Rim-device-email" headers, so we can trace BlackBerry users' access without authenticating them :idea:.
What I would like to do now is authenticate the MDS server to the Squid proxies, to reach a higher security level.
Here I have some problems: it seems that MDS is not able to use Kerberos for proxy authentication. Although the Squid helper and BES agreed to use the "Negotiate" scheme, BES starts to use NTLMSSP instead of SPNEGO for Kerberos.
Since the "squid_kerb_auth" helper is not able to process the NTLMSSP method (that's a Microsoft "standard" :x), the authentication fails WITHOUT falling back to the NTLM scheme (as Firefox instead does).
What I understood, doing several tests and sniffing with Wireshark, is that the "com.sun.security.auth.module.Krb5LoginModule" is never used, because I see the same behavior when commenting out the respective line:
MDS_Proxy_Authentication_Identity {
//com.sun.security.auth.module.Krb5LoginModule optional defaultUserRealm=***********;
net.rim.security.auth.module.ntlm.NtlmLoginModule optional defaultUserDomain=************;
net.rim.security.auth.module.pwd.PwdLoginModule optional;
};
To make it work I removed the Negotiate scheme from the proxies, and then the MDS authenticated itself using the NTLM scheme, provided apparently by the same "net.rim.security.auth.module.ntlm.NtlmLoginModule" that provides the Negotiate scheme. Maybe this is why the fall-back to NTLM doesn't work (because it is the same module)?
Has anyone had the same problem? Where can I find detailed documentation about the MDS authentication environment (especially the RIM modules)?
Thanks in advance for your help!!