BlackBerry Forums Support Community               

Closed Thread
 
Old 05-18-2009, 01:44 PM   #1 (permalink)
Knows Where the Search Button Is
 
Join Date: Jul 2008
Model: 9500
PIN: N/A
Carrier: TANGO
Posts: 32
Post Thanks: 0
Thanked 0 Times in 0 Posts
BES 5.0 and LDAP and WEBDESKTOP

Hello
I have a problem accessing the Webdesktop in BES 5.0.
All user names are refused.
What is the login name for the LDAP user I must use?
Administrator?
Or must I create an extra user? If so, what are the privileges this user must have?
Thanks a lot for your help.
Offline  
Old 05-19-2009, 04:55 AM   #2 (permalink)
Thumbs Must Hurt
 
Join Date: Jan 2005
Model: 9500
Carrier: Vodafone NL
Posts: 87
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Note that there is a bug when you change the LDAP settings in the "Blackberry Server Configuration" tool...

View Document
Offline  
Old 05-19-2009, 03:23 PM   #3 (permalink)
Knows Where the Search Button Is
 
Join Date: Jul 2008
Model: 9500
PIN: N/A
Carrier: TANGO
Posts: 32
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

That is not the issue, I already checked this.
Offline  
Old 06-09-2009, 05:49 AM   #4 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Any luck with this? I have the same issue.

Error : "The username, password, or domain is not correct. Please correct the entry"
Offline  
Old 06-11-2009, 05:46 PM   #5 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2005
Model: 8300
Carrier: AT&T, tMobile, Verizon
Posts: 55
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by jhanff View Post
That is not the issue, I already checked this.
If you've checked this, you're now running into the bug.

Just to be clear:

If you open up the Configuration Tool from the Windows Start menu and go to the LDAP settings tab and click on "Verify" or "Check" or whatever is listed there, you're now locked out of BES using LDAP verification. This is a known issue with BES 5.0.

Step 1: When you set up BES and BAS, you were asked to supply an Active Directory user that has permissions to search Active Directory. There is no standard user. You need to make sure the user info you put into the installer has the correct permissions.

Step 2: When you try to log into BAS or Webdesktop using an Active Directory account, BAS uses the credentials that you specified in Step 1.

- mike
Offline  
Old 06-15-2009, 06:58 AM   #6 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thanks Sweater.

I have also checked this and all LDAP settings are fine. I supplied the BESADMIN credentials during setup for standardization. Is this correct? Could this be the problem?

I didn't know how many of my users use this service until now, WHEN IT IS NOT WORKING.

What else could it be?

Thanks a bunch
Offline  
Old 06-15-2009, 10:40 AM   #7 (permalink)
Knows Where the Search Button Is
 
Join Date: Jun 2009
Model: 8830
PIN: N/A
Carrier: Bell
Posts: 16
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Hey Raiden,

Did you ever get the Active Directory login to work?

I'm having the same issue on a new install (re-installed 3 times to rule out everything).

Walked through all KB articles, everything seems fine, permissions are in place and the account used has read permissions to the LDAP.

Help needed.

I am probably going to be forced to bring this to tech support. Once I get an answer I will relay it here.

I also notice the BES-AS module is created by a third party and not RIM.

Maybe that's why they refuse to address the problem.

Way to justify a 3k expense that only half works....
Offline  
Old 06-15-2009, 10:48 AM   #8 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2005
Model: 8300
Carrier: AT&T, tMobile, Verizon
Posts: 55
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by Raiden View Post
Thanks Sweater.

I have also checked this and all LDAP settings are fine. I supplied the BESADMIN credentials during setup for standardization. Is this correct? Could this be the problem?
OK - so here's a standard way to set up BES/BAS with Active Directory authentication:

You have a besadmin user account in Active Directory that has the appropriate Exchange permissions (assuming Exchange) and Active Directory permissions to be able to do LDAP lookups.

That besadmin user is what the BES and BAS services are running as underneath. Further, the besadmin username and password is what BAS passes along to Active Directory when you log into BAS or Webdesktop. Meaning:
When a user puts their username into the Webdesktop interface and clicks "OK" or whatever, Webdesktop takes their username and password, logs into Active Directory as "besadmin" and looks up that person's username and password in order to authenticate them through to Webdesktop.
Enter the current problem with BAS 5.0:

When you set up BAS during install, the besadmin Active Directory credentials that you confirmed during install are stored in the BESMgmt database. During setup, the password for besadmin gets encrypted properly so that when a user tries to log in to Webdesktop, the correct username (besadmin) and password are sent on to Active Directory and everything works.

However - the 5.0 BlackBerry Administration tool run from the Start menu has a bug in it. If you use that tool to confirm your LDAP settings, that tool will fail to encrypt the besadmin password correctly. This breaks the ability of that besadmin user account to do proper Active Directory authentication whenever you try to log into BAS or Webdesktop.

There are workarounds for this problem, including uninstalling and reinstalling BAS and never, ever touching that tool from the Start menu. However, you might find a call to tech support will be your best bet.

- mike
Offline  
Old 06-15-2009, 10:55 AM   #9 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2005
Model: 8300
Carrier: AT&T, tMobile, Verizon
Posts: 55
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by x0rerror View Post
I also notice the BES-AS module is created by a third party and not RIM.
BAS uses standard Java modules to do things like (in this case) LDAP lookups. It's a limitation of the programming language, but also a standard programming language. I highly doubt it's the actual module that's the issue.

How comfortable are you with SQL queries?

The username and password for the Active Directory account you used to set up AD authentication are stored in a Users table in the BESMgmt database.

If you run a select * on that table and see your besadmin password in clear text it hasn't been encrypted correctly.

Sorry - I'm not in front of a working system at the moment so I can't give you the exact SQL query and which table, but I remember it being very easy to find.

- mike
Offline  
Old 06-15-2009, 11:19 AM   #10 (permalink)
Knows Where the Search Button Is
 
Join Date: Jun 2009
Model: 8830
PIN: N/A
Carrier: Bell
Posts: 16
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by sweater View Post
BAS uses standard Java modules to do things like (in this case) LDAP lookups. It's a limitation of the programming language, but also a standard programming language. I highly doubt it's the actual module that's the issue.

How comfortable are you with SQL queries?

The username and password for the Active Directory account you used to set up AD authentication are stored in a Users table in the BESMgmt database.

If you run a select * on that table and see your besadmin password in clear text it hasn't been encrypted correctly.

Sorry - I'm not in front of a working system at the moment so I can't give you the exact SQL query and which table, but I remember it being very easy to find.

- mike
Hi Mike,

Thanks for recapping. My Besadmin account is actually an Active Directory account. This account has read permission to LDAP; this has been confirmed by logging into a workstation and running an LDAP tool, I can query LDAP with no problems. I have even gone as far as giving the account DOMAIN ADMIN credentials.

When I try to log in to WEBDESKTOP MANAGER I get the following error appended to the BAS-AS log:

(06/15 11:07:47:479):{http-BES.MYBES.INC%2F10.0.0.104-443-1} [com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] {u=SystemUser, t=68908} LOGIN ERROR: getActiveDirectoryRootDseInformation could not get rootDSE attributes for URL ldap://myldapserver.inc:3268 error=javax.naming.CommunicationException: myldapserver.inc:3268 [Root exception is java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine]

I have also tried port 389 / 3268.

The password is encrypted properly. I have followed the KB article referring to password corruption when managing LDAP through the config GUI.

Any ideas?

P.S. Raiden, can you check your BES-AS log to see if we are getting the same login errors as above?

Thanks a lot.

Last edited by x0rerror : 06-15-2009 at 11:20 AM.
Offline  
Old 06-15-2009, 12:42 PM   #11 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Thank you Mike. That's brilliant from RIM's behalf...
Anyways when reinstalling do you do anything different?

After installing should you not confirm the credentials via the Start menu? The reason I ask this is because I have also reinstalled Webdesktop 3X.

Thank you a bunch for your assistance..what other workarounds are there?

Thanks again
Offline  
Old 06-15-2009, 12:49 PM   #12 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Ok xor let me check my log to confirm, will revert...
Offline  
Old 06-15-2009, 05:48 PM   #13 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2005
Model: 8300
Carrier: AT&T, tMobile, Verizon
Posts: 55
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by x0rerror View Post
(06/15 11:07:47:479):{http-BES.MYBES.INC%2F10.0.0.104-443-1} [com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] {u=SystemUser, t=68908} LOGIN ERROR: getActiveDirectoryRootDseInformation could not get rootDSE attributes for URL ldap://myldapserver.inc:3268 error=javax.naming.CommunicationException: myldapserver.inc:3268 [Root exception is java.net.ConnectException: connect: Address is invalid on local machine, or port is not valid on remote machine]
I'm not aware of what that error might be unless it's a network issue - install Windows server support tools on the BAS server (or BES/BAS if it's the same machine) and try to do LDAP lookups against your active directory using the LDP tool from MS. And be prepared to give RIM a call for support, I think.

- mike
Offline  
Old 06-15-2009, 05:55 PM   #14 (permalink)
Thumbs Must Hurt
 
Join Date: Sep 2005
Model: 8300
Carrier: AT&T, tMobile, Verizon
Posts: 55
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by Raiden View Post
Thank you Mike. That's brilliant from RIM's behalf...
Anyways when reinstalling do you do anything different?

After installing should you not confirm the credentials via the Start menu? The reason I ask this is because I have also reinstalled Webdesktop 3X.

Thank you a bunch for your assistance..what other workarounds are there?

Thanks again
If you run the installer on the BAS server (could be the same as your BES server - you do have the option of them being separate servers) simply un-check the BAS and Webdesktop components, not the BES components. This will leave BES there, just take away BAS/WD.

Reboot, etc.

Re-run the installer, selecting once again the BAS and WD components to reinstall them. The key here is that during the install you're asked to provide valid besadmin credentials (if besadmin is your AD user that you're using) and it will properly encrypt them in the database.

If you can successfully reinstall and can re-login using AD credentials:
The 1st thing you should do is to create an additional administrative user in BAS (named basadmin, maybe?) and set it to only use BAS authentication, not AD authentication.
This should be a standard part of the install process at this point but is not listed in the documentation. If you set up that BAS-only user and your LDAP settings get screwed up using the Start menu tool, you can still log in using the non-AD basadmin account, reset the LDAP settings in BAS, and be on your way. BAS will correctly encrypt your LDAP settings/password.

Whatever you do, do not touch the LDAP settings dialog available from the Start menu.

- mike
Offline  
Old 06-18-2009, 05:13 AM   #15 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

running MR's and SP's tonight will provide feedback...
Offline  
Old 06-19-2009, 02:36 AM   #16 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Mike, I have tried the above step by step but still cannot access. I'm looking to reinstall on another server with Win2008, will try again and let you know.

Thanks again
Offline  
Old 06-19-2009, 02:36 PM   #17 (permalink)
Knows Where the Search Button Is
 
Join Date: Jun 2009
Model: 8830
PIN: N/A
Carrier: Bell
Posts: 16
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by Raiden View Post
Mike, I have tried the above step by step but still cannot access. I'm looking to reinstall on another server with Win2008, will try again and let you know.

Thanks again

Hey Raiden,

Did you have a chance to check your bas-as logs for the error?

Let me know if the re-install works for you.

I will be getting tech support as soon as the purchase is made; I'll shoot the resolution back here. Please do the same if you get it functioning.

(Cannot log in to web desktop using Active Directory authentication.)

Thanks.
Offline  
Old 06-19-2009, 03:53 PM   #18 (permalink)
Knows Where the Search Button Is
 
Join Date: Jun 2009
Model: 8830
PIN: N/A
Carrier: Bell
Posts: 16
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

RESOLVED

I managed to resolve my Active Directory authentication failures by adding my 'ldap' servers to my etc/hosts file.

un$%^&*in real.

RIM should hire me.

Still doesn't explain what is wrong with their code and the inability to properly query my LDAP. But the workaround ... works around....
Offline  
Old 06-19-2009, 04:20 PM   #19 (permalink)
BlackBerry Extraordinaire
 
Join Date: Mar 2006
Model: 9700
Carrier: t-mobile Germany
Posts: 1,366
Post Thanks: 11
Thanked 69 Times in 66 Posts
Default

Have you read this?
BlackBerry Support Community Forums - Cannot login using Active Directory. Wrong LDAP servername in LOG. - BlackBerry® Enterprise Server 5.0 - BlackBerry Support Community Forums

That guy says that even though he has entered the FQDN of the server in the setup of BES, the BES system queries domain.com:389 instead of host.domain.com:389.

I had no problems with LDAP (besides the known bug with the LDAP password).

Maybe this is related to your wrong AD DNS entries, or maybe because of a missing search domain in your TCP/IP setup?

Check this:
If the IP for your server is given manually, make sure the correct search domain is present in the DNS options of the TCP settings:
If your FQDN for the LDAP server is server.domain.com and you specify it as "server", the resolver will only be able to resolve the correct address if "domain.com" is in the search list.

If the address is supplied using DHCP, check if a correct search domain is present in the DHCP server's options.
Offline  
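
Added example, not part of any post in this thread: a triage helper for the two failure modes discussed above. It parses the LOGIN ERROR line quoted in post #10, tells a transport failure (DNS or TCP) from a rejected bind, and probes name resolution separately from the port when run on the BAS host. The function names are illustrative, and the assumption that a rejected bind is logged as javax.naming.AuthenticationException comes from standard JNDI behaviour, not from this thread.

```python
import re
import socket

# Log line quoted from post #10 of this thread (hostnames as the poster wrote them).
SAMPLE = (
    "(06/15 11:07:47:479):{http-BES.MYBES.INC%2F10.0.0.104-443-1} "
    "[com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] "
    "{u=SystemUser, t=68908} LOGIN ERROR: getActiveDirectoryRootDseInformation "
    "could not get rootDSE attributes for URL ldap://myldapserver.inc:3268 "
    "error=javax.naming.CommunicationException: myldapserver.inc:3268 "
    "[Root exception is java.net.ConnectException: connect: Address is invalid "
    "on local machine, or port is not valid on remote machine]"
)
_ERR = re.compile(r"URL ldaps?://([^\s:/]+):(\d+) error=([\w.]+)"
                  r"(?:.*?\[Root exception is ([\w.]+))?")

def parse_login_error(line):
    """Return host, port and exception classes from a LOGIN ERROR line, or None."""
    m = _ERR.search(line)
    if not m:
        return None
    host, port, exc, root = m.groups()
    return {"host": host, "port": int(port), "exception": exc, "root": root}

def classify(parsed):
    """A transport failure happens before any bind, so no password was sent."""
    names = (parsed["exception"], parsed["root"] or "")
    if any(n.startswith("java.net.") or n.endswith("CommunicationException") for n in names):
        return "network"
    if any(n.endswith("AuthenticationException") for n in names):
        return "credentials"   # assumed JNDI class name for a rejected bind
    return "unknown"

def probe(host, port, resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Run on the BAS host: separate name resolution from TCP reachability."""
    try:
        resolve(host, port)
    except socket.gaierror:
        return "dns-failure"   # check DNS records, the search domain, the hosts file
    try:
        connect((host, port), timeout=5).close()
    except OSError:
        return "tcp-failure"   # name resolves; check firewall and listening port
    return "reachable"

if __name__ == "__main__":
    info = parse_login_error(SAMPLE)
    print(info, classify(info), probe(info["host"], info["port"]))
```

A "network" result with "dns-failure" points at the name-resolution causes raised in posts #18 and #19; a "credentials" result points back at the stored besadmin password.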
Old 07-06-2009, 03:55 AM   #20 (permalink)
Talking BlackBerry Encyclopedia
 
Join Date: Aug 2006
Location: South Africa
Model: 8310i
Carrier: Vodafone
Posts: 202
Post Thanks: 0
Thanked 0 Times in 0 Posts
Default

x0error Please post your HostsFile?

Thanks
Offline  
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.