[SEP]

initially i didn't because many thought this was the cause of the problem so reinstalled everything and didnt touch it. I have since installed MR1 and it was then suggested the password be verified. nothing has changed in that respect of fixing AD authentication but only to break the monitoring service.

[SEP]

Unable to administer the BlackBerry Administration Service after using the BlackBerry Server Configuration tabs - KB18161

After editing the LDAP Password field on the Administration Service - LDAP tab in the BlackBerry Server Configuration tool, Administrators can no longer log into the BlackBerry Administration Service console using Windows (Microsoft® Active Directory®) Authentication


This implies you could actually log in BAS using Windows AD credentials from fresh install if you didn't mess with the config panel afterwards.....I know I haven't been able to...

[nobody7290]

But exactly this problem is fixed in MR1 - see the release notes.
Quote:
BlackBerry Configuration Panel
SDR 299265
In BlackBerry Enterprise Server version 5.0, if you specified the LDAP password using the BlackBerry Configuration Panel, the password was entered into the BlackBerry Configuration Database in plain text. As a result, the BlackBerry Administration Server could not read the password, and you could not log into the BlackBerry Administration Service using Windows authentication.

In BlackBerry Enterprise Server version 5.0 MR1, this issue is resolved.

[SEP]

well I don't know what more to do...I've done a fresh install and immediately MR1, haven't touched the config panel and imported the password into sql db

one thing. Who did the copying hashed password into sql part? Could someone explain in english what that means, ######### or numbers - I got the numbers. is this correct?

[nobody7290]

When your generated text file is like:
-51e7812816142316207a6df17212de41

The command to update the sql server would be:

Code:

update BASAuthenticationCredentials set password = '--51e7812816142316207a6df17212de41' where AuthenticationType LIKE '1'

does that explain your question ?

[SEP]

well i've now installed MR2 - fixed a whole bunch of user pages i didnt know existed

but web desktop still no go

[Raiden]

This is my error

(09/07 10:49:57:329):{http-Servername.domain.CORP%2FI{ADDRESS119-443-6} [com.rim.bes.basplugin.activedirectory.ActiveDirect oryManagerBean] [INFO] [ADAU-1000] {u=SystemUser, t=47938} loginAsLdapUser failed to authenticate LDAP user=bbhdesk, realm=vodacom.corp, kdc=ServerNameDOMAINCONTROLLER.Domain.corp javax.security.auth.login.LoginException: KDC has no support for encryption type (14)

[nobody7290]

Dont know, but google "knows" many things.
Did you read this ?

Quote google search for "KDC has no support for encryption type (14)":

Code:

javax.security.auth.login.LoginException: KrbException: KDC has no support for encryption type (14) - KDC has no support for encryption type
Cause 1: Your KDC does not support the encryption type requested.

Solution 1: Sun's implementation of Kerberos supports the following encryption types: des-cbc-md5, des-cbc-crc and des3-cbc-sha1.

Applications can select the desired encryption type by specifying following tags in the Kerberos Configuration file krb5.conf:

[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
  
If not specified, the default value is:
des-cbc-md5 des-cbc-crc des3-cbc-sha1
  
Cause 2: This exception is thrown when using native ticket cache on some Windows platforms. Microsoft has added a new feature in which they no longer export the session keys for Ticket-Granting Tickets (TGTs). As a result, the native TGT obtained on Windows has an "empty" session key and null EType. The effected platforms include: Windows Server 2003, Windows 2000 Server Service Pack 4 (SP4) and Windows XP SP2.

Solution 2: You need to update the Windows registry to disable this new feature. The registry key allowtgtsessionkey should be added--and set correctly--to allow session keys to be sent in the Kerberos Ticket-Granting Ticket.

On the Windows Server 2003 and Windows 2000 SP4, here is the required registry setting:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01  ( default is 0 )
By default, the value is 0; setting it to "0x01" allows a session key to be included in the TGT.
Here is the location of the registry setting on Windows XP SP2:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

Did you try that change in the registry ?

[Raiden]

I have moved this role to a Windows 2008 server..
DC and Webdesktop Server are 2008 servers..."Googling to find out more"

[Raiden]

Some notes....Trying this as well
KDC has no support for encryption type (14)