BlackBerry Forums Support Community               

#1 - 03-26-2010, 01:33 PM - Thumbs Must Hurt (Model: 8830, Carrier: Verizon Wireless)
Accessing a Network Share Authentication Issue using Files


I am running into an authentication issue using Files (the new BB OS 5.0 application that allows you to connect to network shares if you are using BES/BESx) to connect to a network share on a server outside of the domain. I am able to successfully connect to a network share on a server which is in the same domain as the BES/BESx server. However, I am unable to connect to a network share on a server that is not in the same domain (or not in a domain at all). I enter a login and password local to the server, and I have tried entering the domain as blank, or as the name of the server (for those not in the domain), and both come back with Authentication Failed. I know the l/p is correct, and I have confirmed that the BES/BESx server can access the network share using the supplied l/p successfully. Has anyone had any luck connecting to a network share on a server that is not in the same domain as the BES/BESx?

Thank You
#2 - 03-27-2010, 08:19 AM - BlackBerry Extraordinaire (Model: 9700, Carrier: t-mobile Germany)

Add me to the list - it does not work here either, with BES 5.0 full.
I tried adding a hosts entry with a name and matching IP, but it will not work.
I tried adding a forward lookup zone to AD with the name of the remote domain and added the host - it will not work.

However, if I log on to the machine where the BES is running, I can access the remote server.

Maybe the BES authenticates by trying to acquire a Kerberos ticket? This is unlikely to work if the server is remote.

In the logs of the BES I do not find anything about the failed connection.
#3 - 03-29-2010, 05:44 AM - BlackBerry Extraordinaire (Model: 9700, Carrier: t-mobile Germany)

Follow-up:
I even created a secondary DNS zone holding a copy of the remote server's DNS zones.
Still can't log in to the remote server.
#4 - 03-29-2010, 07:05 PM - Thumbs Must Hurt (Model: 8830, Carrier: Verizon Wireless)

I am kind of shocked that no one has had this issue before and figured out how to fix it.
#5 - 04-27-2010, 10:16 AM - New Member (Model: 8900, Carrier: T-Mo)
Add me to this list.

Identical issue - I can access the share as long as it is under the same domain, but I get authentication errors when I try another domain.

The error we get in the event viewer is Event ID 4625: the user has not been granted the requested logon type at this machine.

Last edited by kennyc01 : 04-27-2010 at 10:20 AM.
#6 - 04-27-2010, 02:38 PM - BlackBerry Extraordinaire (Model: 9700, Carrier: t-mobile Germany)

Quote (originally posted by kennyc01):
    Identical issue - I can access the share as long as it is under the same domain, but I get authentication errors when I try another domain.

    The error we get in the event viewer is Event ID 4625: the user has not been granted the requested logon type at this machine.

I have now also looked into the logs of the server I tried to connect to, but there is nothing logged about a failed attempt.

Are you sure this event you logged was connected to the BlackBerry server's attempt to log in?

My remote server is connected via a VPN; it is in a different subnet, so to me it looks like the BES will simply not try to connect to something outside of its own subnet.

I can log on to a Windows XP machine which is not in my domain but in a workgroup, and which is located in my own subnet.
#7 - 04-28-2010, 08:30 AM - New Member (Model: 8900, Carrier: T-Mo)

Yep.

The process is made by bmds.exe, under the account besadmin, and it logged the account and domain names I tried to use.

I am on 5.0.1 MR2, Server 2008 x64.
#8 - 05-01-2010, 10:45 AM - BlackBerry Extraordinaire (Model: 9700, Carrier: t-mobile Germany)

I also found the log now.
And, as I suspected before, the BES uses Kerberos, which will not work in this case.
I logged the Kerberos events on the BES.
Translation in English:

Code:
A Kerberos error occurred while authenticating
 ClientTime: 
 ServerTime: 15:20:3.0000 5/1/2010 Z
 ErrorCode: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended error: 
 Client realm: 
 Client name: 
 Servercontext: someremotedomain.LOCAL
 Servername: krbtgt/localdomain.COM
 Targetname: krbtgt/localdomain.com@remotedomain.LOCAL
 Errortext: 
 File: 9
 Line: ae0

Original message in German:
Code:
Eine Kerberos-Fehlermeldung wurde auf
         Anmeldesitzung  empfangen:
 Clientzeit: 
 Serverzeit: 15:20:3.0000 5/1/2010 Z
 Fehlercode: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Erweiterter Fehler: 
 Clientbereich: 
 Clientname: 
 Serverbereich: someremotedomain.LOCAL
 Servername: krbtgt/localdomain.COM
 Zielname: krbtgt/localdomain.com@remotedomain.LOCAL
 Fehlertext: 
 Datei: 9
 Zeile: ae0
 Die Fehlerdaten stehen in den Berichtdaten.
I am no expert in Kerberos. From what I know, it looks like the BES queries the DC of the local domain to get a ticket for the remote domain, but the local DC does not know how this can be done.

How can I change the configuration of the BES to use NTLM/NTLMv2 for authentication instead of Kerberos?
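As an added example (not code from this thread or from RIM), here is a small parser for an event in the translated form quoted above; it explains why error 0x7 on a krbtgt/ principal points to a missing cross-realm trust rather than a bad password. The sample event is constructed from the placeholder realm names in that post.

```python
import re

# Constructed sample, modelled on the translated BES Kerberos event quoted in
# the post above (realm names are the post's placeholders, not real domains).
SAMPLE_EVENT = """A Kerberos error occurred while authenticating
 ClientTime:
 ServerTime: 15:20:3.0000 5/1/2010 Z
 ErrorCode: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Servercontext: someremotedomain.LOCAL
 Servername: krbtgt/localdomain.COM
 Targetname: krbtgt/localdomain.com@remotedomain.LOCAL
"""

FIELD_RE = re.compile(r"^\s*(\w+):\s*(.*)$")
KDC_ERR_S_PRINCIPAL_UNKNOWN = 0x7  # RFC 4120 error code


def parse_event(text):
    """Return the 'Name: value' lines of a Kerberos error event as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def classify(fields):
    """Map the error code and target principal to a plain explanation.

    krbtgt/B@A is the cross-realm ticket-granting principal; it exists in
    realm A only once a trust between A and B has been set up. So
    KDC_ERR_S_PRINCIPAL_UNKNOWN for such a name means there is no trust
    path: Kerberos cannot succeed and the client has to fall back to
    another mechanism (NTLM, as this thread discusses).
    """
    code_field = fields.get("ErrorCode", "")
    code = int(code_field.split()[0], 16) if code_field else None
    name, _, realm = fields.get("Targetname", "").partition("@")
    if code == KDC_ERR_S_PRINCIPAL_UNKNOWN and name.lower().startswith("krbtgt/"):
        return {
            "kind": "no-cross-realm-trust",
            "asked_realm": realm,
            "for_realm": name.split("/", 1)[1],
            "kerberos_usable": False,
        }
    if code == KDC_ERR_S_PRINCIPAL_UNKNOWN:
        return {"kind": "service-principal-missing", "service": name, "kerberos_usable": False}
    return {"kind": "other", "code": code}
```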
#9 - 05-01-2010, 01:52 PM - BlackBerry Extraordinaire (Model: 9700, Carrier: t-mobile Germany)

In MDS\Servers\instance\config, in the file mdslogin.conf, there is written:
Code:
MDS_Default {
    com.sun.security.auth.module.Krb5LoginModule      optional   defaultUserRealm=COMPANY.COM;
    net.rim.security.auth.module.ntlm.NtlmLoginModule Sufficient defaultUserDomain=COMPANY.COM;
    net.rim.security.auth.module.pwd.PwdLoginModule   optional;
};
So, if the BES uses this config file for the "Files" service, login with NTLM should be possible.
I tried to log in to a remote XP PC which is not a member of an AD domain, using credentials of the local PC (where, AFAIK, no Kerberos authentication is possible?), and it also fails.

This looks like a bug to me.
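As an added example (not RIM's code), the following applies the standard JAAS control-flag rules to the MDS_Default stack quoted above. The per-module outcomes are constructed; they show that, if the Files service really consulted this file, a Kerberos failure with a working NTLM login would still produce a successful login, which is what makes the poster suspect the file is not used.

```python
# Control-flag rules from the javax.security.auth.login.Configuration docs:
#  required   - must succeed; the list is always evaluated to the end
#  requisite  - must succeed; on failure, return to the caller immediately
#  sufficient - not required; on success, return immediately (only the
#               required/requisite modules *before* it must have succeeded)
#  optional   - not required; if no required/requisite module is configured,
#               at least one sufficient or optional module must succeed

# The MDS_Default stack from mdslogin.conf as quoted in the post above
# (flag names are compared case-insensitively here, an assumption).
MDS_DEFAULT = [
    ("com.sun.security.auth.module.Krb5LoginModule", "optional"),
    ("net.rim.security.auth.module.ntlm.NtlmLoginModule", "Sufficient"),
    ("net.rim.security.auth.module.pwd.PwdLoginModule", "optional"),
]


def evaluate_stack(stack, outcomes):
    """Return (overall_success, modules_tried) for a JAAS module stack.

    outcomes maps a module class name to True/False (its login() result);
    a module missing from the dict is treated as failed.
    """
    tried = []
    required_ok = True          # no required/requisite failure seen so far
    any_optional_ok = False
    has_required = any(f.lower() in ("required", "requisite") for _, f in stack)
    for module, flag in stack:
        flag = flag.lower()
        ok = outcomes.get(module, False)
        tried.append(module)
        if flag in ("required", "requisite"):
            if not ok:
                required_ok = False
                if flag == "requisite":
                    return False, tried
        elif flag == "sufficient" and ok:
            return required_ok, tried   # stop here; later modules are skipped
        elif flag == "optional" and ok:
            any_optional_ok = True
    return (required_ok if has_required else any_optional_ok), tried


# Constructed scenario from the thread: the local KDC cannot issue a
# cross-realm ticket (Kerberos fails), but the NTLM module succeeds.
KRB_FAILS_NTLM_WORKS = {
    "com.sun.security.auth.module.Krb5LoginModule": False,
    "net.rim.security.auth.module.ntlm.NtlmLoginModule": True,
}
```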
#10 - 05-06-2010, 07:56 AM - Thumbs Must Hurt (Model: 8830, Carrier: Verizon Wireless)

I have been playing with this using virtual systems so I can see a clean set of logs, and I am noticing that sometimes I don't even see a login failure from any user (besadmin or user account) on the client PC.

Ugh, why would they give you the option for login/password/DOMAIN if you can't log in to any other domains/workstations?
#11 - 05-08-2010, 11:18 AM - BlackBerry Extraordinaire (Model: 9700, Carrier: t-mobile Germany)

Because there is a bug in the implementation, or someone did not think of this problem.

The login procedure could try Kerberos at the first attempt, but then must fall back to NTLM - which it doesn't.
The only way to use Kerberos for login to a remote domain is to establish a trust relationship between the two domains - this is an unlikely setup to expect.

Maybe this is even a kind of security feature, which simply does not allow you to log in to your PC at home, because you could then copy secret information from your office to an unknown/untrusted PC.

I tried to find information about the Files feature on RIM's site, but found only this:
JAAS Login Configuration File

referencing the mdslogin.conf.

And the file looks OK.
But even if it looks OK, nobody seems to know if the Files feature uses the mdslogin.conf at all.

Anyone else with a good idea?
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.