BlackBerry Forums Support Community               

01-18-2011, 09:11 AM   #1
Knows Where the Search Button Is
Join Date: Jun 2006
Model: 8900
Carrier: O2
Posts: 39

SSO (single Sign On) BES 5 SP2 - Authentication to Intranets

Hello
We have installed BES version 5 with SP2 primarily to test Single Sign-On (SSO), an identity authentication system that keeps users on enterprise intranets from having to keep signing in when they want to access SharePoint.
We currently have a call logged with RIM as this doesn't work for us; we still get the prompt for login and password. The whole environment is set up for Kerberos.
Can anyone help with the following?
• Has anyone been able to get this working in their environment?
• If so was it out of the box or did you need to make configuration changes on your environment?
• Any general tips to troubleshoot further would be gratefully received.
We are running Exchange 2003, BES5 SP2 and SharePoint 2007.
Many Thanks
__________________
BES 4.1.6, EX2003, SQL2000, 600+ users, 8 BES Servers
01-21-2011, 11:54 PM   #2
noname
BlackBerry Extraordinaire
Join Date: Sep 2005
Location: Congested Islet of "Foreign Talents" (> 45% of workforce) - Singapore.
Model: Z10
OS: 10.0.0
Carrier: Singtel
Posts: 1,504

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
I think you have a misunderstanding here. BES 5.0 SP2 Single Sign-On is primarily for the BlackBerry Administration Service only and not accessing Intranet sites via MDS-CS.

For the 2nd, not supported currently.

KB15140-Unable to sign into an internal Single Sign-On website
__________________
Native but 4th class citizen of a nation governed by idiots who import congestions & contention.
01-24-2011, 04:36 AM   #3
BlackBerry Extraordinaire
Join Date: Aug 2008
Location: Basel
Model: 9780
Carrier: Swisscom
Posts: 1,579

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
There are two things you can do on BES 5.0 SP2:

- SSO for the Admin and Desktop Web site

- SSO to your Intranet and Shared Files

I guess you want to do the second point. It is a bit complicated to configure, but it is doable, see:

BlackBerry MDS Connection Service Integrated Authentication
http://docs.blackberry.com/en/admin/...1-5.0.2-US.pdf
01-27-2011, 07:25 AM   #4
Knows Where the Search Button Is
Join Date: Jun 2006
Model: 8900
Carrier: O2
Posts: 39

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
Hi, yes, this is what we have implemented (BlackBerry MDS Connection Service Integrated Authentication) and it currently doesn't work. The RIM dev team are looking into it at the moment.
Can anyone answer my initial question? Thanks.
• Has anyone been able to get this working in their environment?
• If so was it out of the box or did you need to make configuration changes on your environment?
• Any general tips to troubleshoot further would be gratefully received.
__________________
BES 4.1.6, EX2003, SQL2000, 600+ users, 8 BES Servers
01-27-2011, 08:33 AM   #5
BlackBerry Extraordinaire
Join Date: Aug 2008
Location: Basel
Model: 9780
Carrier: Swisscom
Posts: 1,579

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
Well, I got SSO for the Admin / Desktop Web Site to work, but I haven't tried it for Intranet sites like SharePoint.

Have you checked out these KB articles:

KB22726-Configure the delegation user account to delegate access to network resources

KB15642-Configure BlackBerry Mobile Data System for Kerberos Authentication to a web site hosted on a Microsoft IIS web server

Last edited by freakinvibe : 01-27-2011 at 08:36 AM. Reason: Wrong Link
01-28-2011, 08:35 PM   #6
noname
BlackBerry Extraordinaire
Join Date: Sep 2005
Location: Congested Islet of "Foreign Talents" (> 45% of workforce) - Singapore.
Model: Z10
OS: 10.0.0
Carrier: Singtel
Posts: 1,504

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
Nice, I was a mountain turtle. Thanks for sharing all.
__________________
Native but 4th class citizen of a nation governed by idiots who import congestions & contention.
01-30-2011, 01:03 AM   #7
Thumbs Must Hurt
Join Date: Jan 2008
Model: 8830
Carrier: verizon
Posts: 82

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
Hi Pikey.

Yes - we've got it working to a certain extent in our environment.

It's definitely not an out-of-the-box configuration and the instructions provided by RIM aren't very helpful. As far as tips for getting it to work: I'd suggest reading up on Kerberos delegation and/or Kerberos constrained delegation and how to configure this within AD.

Things to check:
- Ensure the MDS service is running as the BESAdmin account.
- Ensure you've got an SPN tied to the service account running the application pool in SharePoint.
- Ensure you've got SPNs tied to the BES service account, otherwise you won't be able to configure it for delegation. More specifically, tie these SPNs to your besadmin account:
  Basplugin111/<basName>.domain.com
  http/<basName>.domain.com
- Ensure you've got the BESadmin account set up for delegation within AD.
- Ensure you've got SharePoint integrated auth enabled.
- Enable 'Authentication support enabled' within the BAS.
- Configure the Krb5.conf and restart MDS if you make changes.
- Configure Mdslogin.conf and restart MDS if you make changes.


It's a lot to go through and I'm still on the fence whether it's worth the complexity.

For starters, we've configured the BESadmin account with kerberos constrained delegation. So, any changes to the webservers that users access may require additional configuration on my part. And, I may not know about it until we get a call into the help desk that a user can't access a specific website.

Some websites still don't work and authentication does not work at all; they're completely inaccessible. I'm not certain if this is because it's behind a hardware load balancer or if it's because we have an in-house developer that programmed a plugin to IIS that supports Kerberos authentication with a MIT Kerberos realm.

The end user experience is only marginally better. It's nice to be able to visit a SharePoint site, close the browser, reopen it, and visit the site again without having to authenticate again. And, it's nice to be able to visit other sites once we've logged into the SharePoint site (or at least one other in which Kerberos delegation has been configured). However, this does not persist if the device is rebooted, device browser cache/cookies are deleted (may not be the case 100% of the time), MDS is restarted, or beyond 24 hours (at least once every 24 hours I'll need to authenticate again...).

If we had only Microsoft servers in our environment and didn't have more than one authentication realm (AD and MIT), then it might be worth the battle.

If anything, we're calling it 'reduced sign on'.

Please let me know if any of this helps you; if you get it working, I'd be curious to see if your experiences from the end user perspective are any different.
03-07-2011, 10:41 AM   #8
Knows Where the Search Button Is
Join Date: Feb 2011
Model: 9800
Carrier: TELUS
Posts: 29

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
I am also struggling to get Integrated Authentication enabled for a few URLs hosted on the intranet. But by tomorrow I am sure it will be resolved.

I am not getting a prompt now for accessing URLs, but when I see the MDAT logs on BES it shows "NO DELAGATION FOUND FOR DOMIANNAME".

As per RIM, if we are enabling IA in our environment then we don't have to delegate BASPLUGIN for the ID in AD. That is only required when we are enabling SSO and not IA.

Also we will have to use 2 separate IDs for SSO and IA.
03-11-2011, 12:04 AM   #9
Knows Where the Search Button Is
Join Date: Feb 2011
Model: 9800
Carrier: TELUS
Posts: 29

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
Hi,

My delegation error has gone after a few changes in the RIM properties files, and now again a Kerberos error has come up.

Have made a few changes in SPN and MS delegate on the Domain Controller.

Will check in the morning and update you all.

If it works fine then one thing is sure: I will be master of SSO... Kidding
04-06-2011, 10:25 PM   #10
Knows Where the Search Button Is
Join Date: Feb 2011
Model: 9800
Carrier: TELUS
Posts: 29

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
Finally Integrated Authentication has started working in my BES environment after a lot of effort.

Now I am a happy man.

Now next task > Whitelisting of apps.
07-28-2011, 09:04 AM   #11
mahoward
CrackBerry Addict
Join Date: May 2005
Model: 8900
Carrier: T-Mobile
Posts: 560

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
I am in the same position, trying to get IA to work to intranet sites. Already slogged through all the docs, from setting up Pull rules to setting proper SPNs, and still having issues.

Have a ticket open which has been escalated to development. Errors I am seeing in MDAT logs are below:

During MDS Initialization:

<LAYER = SCM, Initializing delegation user; Other Exception=java.lang.reflect.InvocationTargetException>
<LAYER = SCM, Could not perform a Kerberos login; Exception=javax.security.auth.login.LoginException : Message stream modified (41)>


When trying to browse an intranet site from device (I get the credential popup instead of seamless logon):

<LAYER = IPPP, uri xweb01:80/ matches pattern xweb01.*\/.*. The rule is ALLOW . The rule is ALLOW and is allowed for Int Auth>
<LAYER = SCM, Attempting integrated authentication for HTTP on device ID=uf, URL=http://xweb01/>
<LAYER = SCM, Error when creating LDAP context, will re-establish login; Exception=javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]]>
<LAYER = SCM, User not authorized to perform the LDAP Search, trying again>
<LAYER = SCM, Could not perform a Kerberos login; Exception=javax.security.auth.login.LoginException : Message stream modified (41)>
<LAYER = SCM, Error when creating LDAP context, will re-establish login; Exception=javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))]]>
<LAYER = SCM, User not authorized to perform the LDAP Search, trying again>
<LAYER = SCM, client account is null>
<LAYER = SCM, Unable to determine user AD login name for impersonation>


hit.singh, can you share what you were able to tweak to get your environment to work correctly?
__________________
BESX 4.1.7 on Exchange 2003: 65 Devices
BESX 5.0.3 on Exchange 2003: 2007 Devices
07-29-2011, 11:39 AM   #12
mahoward
CrackBerry Addict
Join Date: May 2005
Model: 8900
Carrier: T-Mobile
Posts: 560

Re: SSO (single Sign On) BES 5 SP2 - Authentication to Intranets
As a follow up, I was able to get this configuration working by adding the following line to the rimpublic.property file:

application.handler.exchange.domain=[MYDOMAIN].COM


The full steps required to implement this for my environment are below in case this helps anyone else:

1. Ensure MDSLogin.conf domain name and realm name changed from COMPANY.COM to [MYDOMAIN].COM

2. Ensure KRB5.conf modified to support only RC4-HMAC and Kerberos realm name changed from COMPANY.COM to [MYDOMAIN].COM

3. Ensure rimpublic.property file contains the following line: application.handler.exchange.domain=[MYDOMAIN].COM

4. Enable Integrated MDS Authentication with [MYNEWSERVICEACCOUNTFORIA] account for [MYDOMAIN].COM domain

5. Verify SPNs registered in AD for services requiring IA

6. Verify Kerberos Constrained Delegation service account [MYNEWSERVICEACCOUNTFORIA] is trusted for delegation to SPNs

7. Create 2 Pull URL patterns:
a) .*[MYDOMAIN]\.com.* Intranet Sites
b) .* Internet Sites

8. Create Access Control Rule "Allow Browser Access" with 2 entries:
a) HTTP .* Internet Sites Allow Access control rules only
b) HTTP .*[MYDOMAIN]\.com.* Intranet Sites Allow Integrated

9. Apply Access Control Rule "Allow Browser Access" to ALL BlackBerry users

10. Enable Pull authorization on each MDS-CS server

11. Test browser access to Intranet Sites, Internet Sites
__________________
BESX 4.1.7 on Exchange 2003: 65 Devices
BESX 5.0.3 on Exchange 2003: 2007 Devices
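As an added example (not code from any poster in this thread), here is a small Python triage helper that parses MDAT log lines of the shape quoted in posts #8 and #11 and maps each recognised error to the checklist item in post #7 or the step in post #12 a reader should look at first. The sample lines, the finding codes and the root-cause precedence are constructed assumptions for the example, not RIM's own diagnostics.

```python
import re

# Constructed sample MDAT lines modelled on those quoted in posts #8 and #11 (not a real capture).
SAMPLE_LOG = """\
<LAYER = SCM, Initializing delegation user; Other Exception=java.lang.reflect.InvocationTargetException>
<LAYER = SCM, Could not perform a Kerberos login; Exception=javax.security.auth.login.LoginException: Message stream modified (41)>
<LAYER = IPPP, uri xweb01:80/ matches pattern xweb01.*\\/.*. The rule is ALLOW and is allowed for Int Auth>
<LAYER = SCM, Error when creating LDAP context, will re-establish login; Exception=javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed]>
<LAYER = SCM, NO DELEGATION FOUND FOR EXAMPLE.COM>
<LAYER = SCM, Unable to determine user AD login name for impersonation>
"""

# (regex over the message text, finding code, which item in this thread to check). Codes are assumed names.
TRIAGE_RULES = [
    (r"Message stream modified \(41\)", "kerberos-login",
     "IA account's Kerberos login failed (KRB_AP_ERR_MODIFIED): check realm/domain names in krb5.conf "
     "and MDSLogin.conf and the enctype list (post #12 steps 1-2)"),
    (r"Initializing delegation user; Other Exception", "delegation-user-init",
     "delegation user could not be initialised: check the IA service account configured in BAS (step 4)"),
    (r"NO DELEGATION FOUND FOR (?P<domain>\S+)", "delegation",
     "no delegation entry for the domain: check the account is trusted for delegation to the SPNs (step 6)"),
    (r"GSS initiate failed", "gssapi",
     "GSSAPI bind to LDAP failed for lack of a ticket; usually a consequence of the failed login"),
    (r"Unable to determine user AD login name", "impersonation",
     "device user not mapped to an AD account: check application.handler.exchange.domain (step 3)"),
]
# Assumed precedence: a failed service login explains the GSSAPI and impersonation errors that follow it.
ROOT_CAUSE_ORDER = ["kerberos-login", "delegation-user-init", "delegation", "gssapi", "impersonation"]
LINE_RE = re.compile(r"^<LAYER = (?P<layer>\w+), (?P<msg>.*)>$")

def triage(log_text):
    """Return one finding dict per recognised line, in log order; unrecognised lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        for pattern, code, advice in TRIAGE_RULES:
            hit = re.search(pattern, m.group("msg"))
            if hit:
                findings.append({"layer": m.group("layer"), "code": code,
                                 "advice": advice, **hit.groupdict()})
                break
    return findings

def root_cause(findings):
    """Pick the finding earliest in ROOT_CAUSE_ORDER so follow-on errors are not chased first."""
    present = {f["code"] for f in findings}
    return next((c for c in ROOT_CAUSE_ORDER if c in present), None)

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['layer']}] {f['code']}: {f['advice']}")
    print("start with:", root_cause(found))
```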
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.