BlackBerry Forums Support Community
              

09-20-2010, 09:34 AM   #1
svaldes
New Member

Join Date: Sep 2007
Model: 8700g
PIN: N/A
Carrier: Movistar Argentina
Posts: 9
Enabled Single Sign-On on BES 5.0.2

I have followed the BB articles about enabling SSO on our recently updated BES 5.0.2 and it is not working. Is there any particular log to check for errors on SSO?

Thanks.
Offline  
12-08-2010, 03:51 PM   #2
SoUnCool
Talking BlackBerry Encyclopedia

Join Date: Feb 2007
Location: Toronto
Model: 9800
Carrier: Rogers
Posts: 319
Re: Enabled Single Sign-On on BES 5.0.2

Try this: Configure BES 5.0.2 SSO / Auto Logon (Active Directory) « digital Jive
Offline  
12-09-2010, 03:40 PM   #3
RadHaz75
Talking BlackBerry Encyclopedia

Join Date: Feb 2006
Location: Philadelphia
Model: 9650
OS: 6.0.0.524
PIN: BALL
Carrier: Verizon Wireless
Posts: 456
Re: Enabled Single Sign-On on BES 5.0.2

That article finally got me set straight. I had been trying off and on for months to get it working. The part that RIM's documentation is not clear about is that the account needs to REPLACE the one listed in the "Microsoft Active Directory login information" section. I kept trying to add the new account to the last section where it asks for the account forest name info.
__________________
Two months ago, I saw a provocative movie on cable TV. It was called The Net, with that girl from the bus.
Offline  
12-09-2010, 03:57 PM   #4
hutchingsp
Thumbs Must Hurt

Join Date: Nov 2010
Model: 9300
PIN: N/A
Carrier: Vodafone
Posts: 52
Re: Enabled Single Sign-On on BES 5.0.2

Hmm.. can I just confirm what the SSO extends to?

Right now if I go to File Shares via the BES/MDS I'm prompted for user credentials. That's what we want as our shares are locked down using NTFS permissions so using the besadmin account wouldn't be acceptable, but it would be useful if users weren't prompted for their credentials.
Offline  
12-10-2010, 08:44 AM   #5
SoUnCool
Talking BlackBerry Encyclopedia

Join Date: Feb 2007
Location: Toronto
Model: 9800
Carrier: Rogers
Posts: 319
Re: Enabled Single Sign-On on BES 5.0.2

Quote:
Originally Posted by hutchingsp
Hmm.. can I just confirm what the SSO extends to?

Right now if I go to File Shares via the BES/MDS I'm prompted for user credentials. That's what we want as our shares are locked down using NTFS permissions so using the besadmin account wouldn't be acceptable, but it would be useful if users weren't prompted for their credentials.

Access to internal resources, shares or intranet sites is set up using a delegated account. DO NOT use BESADMIN for delegation. If you want BB users not to type a password, then use the delegated account in permissions first and then set up MDS to use this delegated account to access the resources.



"SINGLE SIGN-ON allows end users and administrators to directly and securely access BlackBerry Web Desktop Manager and BlackBerry Administration Service once they have signed in to the network without the need to re-enter their user ID and password. (This is when they are accessing from their Windows machine NOT from smart phone). Smartphone users can be allowed access to the intranet, files and business systems "behind the firewall" directly from their BlackBerry smartphone without the need to enter their network password with the device already authenticated via Active Directory and BlackBerry Enterprise Server. For smart phone users, it is not a direct single sign-on like from your Windows machine. It is achieved by configuring the Microsoft Active Directory account to delegate access to an intranet site.

After you configure the BlackBerry MDS Connection Service (which is used to access intranet resources) to support Integrated Windows authentication, the BlackBerry MDS Connection Service uses the Microsoft Active Directory account to verify login information for a user and access the network resources on behalf of the user. The BlackBerry Enterprise Server then sends information from the network resources to the user's device.

Here are the most important prerequisites to achieve this:

Prerequisites: Configuring the Microsoft Active Directory account to delegate access to an intranet site

Verify that you configured Integrated Windows® authentication for the application server that hosts the intranet site.
Verify that the application server that hosts the intranet site and the web application that runs on the application server support Kerberos™ authentication.

References

BES 5.0.2 MDS Connection Service with Integrated A... - BlackBerry Support Community Forums

Configuring Integrated Windows authentication so that users can access resources on your organization's network - Administration Guide - BlackBerry Enterprise Server for IBM Lotus Domino - 5.0.2

KB22726-Configure the delegation user account to delegate access to network resources
Offline  
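
The delegation account described in post #5, checked from the Active Directory side. This is an added example, not part of the thread or of RIM's documentation; it assumes the RSAT ActiveDirectory module is available, and the account name `svc-bes-deleg` is a hypothetical placeholder.

```powershell
# Added example: audit the AD account that the BlackBerry MDS Connection Service
# uses for delegation. 'svc-bes-deleg' is a hypothetical account name.
Import-Module ActiveDirectory

function Test-DelegationAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Accounts that should not be reused for delegation (the thread names BESADMIN).
        [string[]] $ForbiddenNames = @('BESAdmin')
    )

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'ServicePrincipalNames', 'AdminCount'
    $acct = Get-ADUser -Identity $SamAccountName -Properties $props
    $findings = @()

    # -contains is case-insensitive, so BESADMIN / BESAdmin both match.
    if ($ForbiddenNames -contains $acct.SamAccountName) {
        $findings += 'Account is the BES service account; use a dedicated delegation account.'
    }
    if ($acct.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled; restrict it to specific services.'
    }
    # Filter out nulls so an unset attribute counts as zero targets.
    $targets = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    if ($targets.Count -eq 0 -and -not $acct.TrustedForDelegation) {
        $findings += 'No delegation targets configured (msDS-AllowedToDelegateTo is empty).'
    }
    if ($acct.AdminCount -eq 1) {
        $findings += 'Account is or was in a protected admin group; keep delegation accounts unprivileged.'
    }
    if (@($acct.ServicePrincipalNames | Where-Object { $_ }).Count -eq 0) {
        $findings += 'No SPN on the account; the Delegation tab in AD Users and Computers only appears once one is registered.'
    }

    [pscustomobject]@{
        Account             = $acct.SamAccountName
        ProtocolTransition  = [bool]$acct.TrustedToAuthForDelegation
        AllowedToDelegateTo = $targets
        Findings            = $findings
    }
}

Test-DelegationAccount -SamAccountName 'svc-bes-deleg' | Format-List
```

An empty `Findings` list with `AllowedToDelegateTo` naming only the intranet site's service is the state to aim for; every user who reaches a resource through this account gets that account's permissions on it.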
12-10-2010, 01:21 PM   #6
hutchingsp
Thumbs Must Hurt

Join Date: Nov 2010
Model: 9300
PIN: N/A
Carrier: Vodafone
Posts: 52
Re: Enabled Single Sign-On on BES 5.0.2

Thanks, but I'm still unclear.

My network account is DOMAIN\Joe

On my Blackberry right now, if I go to files and try access \\server\share it prompts me for my credentials (with the "remember" option).

That's fine because Joe should only be able to access a shared folder to which his account has access.

What I'm not clear on is whether the SSO stuff means Joe doesn't need to enter his credentials but "somehow" BES knows it's Joe and connects to \\server\share as Joe?
Offline  
12-10-2010, 01:37 PM   #7
SoUnCool
Talking BlackBerry Encyclopedia

Join Date: Feb 2007
Location: Toronto
Model: 9800
Carrier: Rogers
Posts: 319
Re: Enabled Single Sign-On on BES 5.0.2

Quote:
Originally Posted by hutchingsp
Thanks, but I'm still unclear.

My network account is DOMAIN\Joe

On my Blackberry right now, if I go to files and try access \\server\share it prompts me for my credentials (with the "remember" option).

That's fine because Joe should only be able to access a shared folder to which his account has access.

What I'm not clear on is whether the SSO stuff means Joe doesn't need to enter his credentials but "somehow" BES knows it's Joe and connects to \\server\share as Joe?

For SSO you will create an Active Directory account and grant that account access to your file share, then BB user Joe will access the share via the AD account.

So not a good idea for shares and resources with multiple access levels, since there is no way that BES MDS will recognize a BB user as your domain\joe.
Offline  
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.