08-26-2010 12:16 PM
Hello,
I have always created MDS Proxy Exclusion rules that tell the MDS CS to point to a proxy and, in order to authenticate through the proxy, used a service account. This has always worked well, but we now have a requirement for each user to auth through the proxy. On desktops different users have different levels of access which permit them to get to certain sites. User A may not be allowed access to MySpace & Facebook, but User B can! We now need to implement this on BlackBerry devices too. Is this possible?
Looking through the documentation it is possible to use AD authentication for internal websites hosted on IIS e.g.
http://docs.blackberry.com/en/admin/deliverables/1
Has anyone configured what I am trying to do before on BES 5.0.2 and got it working?
Cheers, R.
08-26-2010 03:56 PM
What I was able to do for Intranet websites is to just have the domain pre-entered during login; the user then has to enter the password if he has checked to remember the username, but I haven't achieved single sign-on. From what I've read this is not possible except if you follow the other KB article that prompts you to delegate access to a site, which in my case is not really applicable since we are talking about many sites.
Regarding Internet through a proxy, I am also using a service account for all users, since the other way is, as with Intranet sites, to just have the domain pre-entered in the authentication popup, but the users then have to enter their password every time.
If anyone had better luck with AD authentication I would also be glad to hear it.
08-29-2010 04:41 PM
I am trying to enable Integrated Windows Authentication (Kerberos) but have had no success.
Prior to upgrading to 5.0.2 we were successfully using MDS with NTLM (domain name pre-populated). Our users could select remember username, enter their password and their credentials would be valid for up to 2 hours. Then our users could access any internal URL without having to re-authenticate at each new URL.
We're trying to enable single sign-on with Kerberos constrained delegation but have not had much luck.
I've followed all of RIM's config docs and re-read them a few times as well.
BAS and MDS Connection Service are both using BESAdmin. BAS SSO is working. BESAdmin is configured with the two required SPNs. Delegation was enabled for BESAdmin (Kerberos only) to HTTP/internalwebappURL.
On the handheld the user is still prompted for credentials (yes we applied the pull access control rule to the user with a handheld).
Any ideas? Has anyone else been successful?
09-20-2010 09:28 AM
I am not sure if "integrated authentication" works at all...
Maybe somebody knowledgeable from RIM will take a little time and explain to us how we get it to work...
Thank you very much!
Peter
09-20-2010 10:18 AM
Totally agree with you, Peter!
It is something that gets talked about and people say 'yeah, you can do it...', but I don't know anyone that has it working yet!
09-23-2010 11:48 AM
11-03-2010 04:08 PM
Seems like a pain to do that for every potential site that is in your environment. For a mom-and-pop store it may be good. For an enterprise this is way too much work. We have thousands of servers and new ones coming on board every day!
In my opinion this isn't ready for prime time yet.
11-11-2010 08:22 AM - edited 11-11-2010 08:27 AM
Don't use the BESADMIN, as that's set to Kerberos only for SSI.
On the delegation account use the www AS WELL AS the http service.
That's 3 days of my life I'll not be getting back.
J/.
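The 08-29 post describes a service account with SPNs and Kerberos-only constrained delegation to an internal web app, and the 11-11 post says the delegation list needs both the www and http service entries. The following is an added audit script, not code from the thread or from RIM; it assumes the RSAT ActiveDirectory module, and the account name and target host are placeholders. It reports the account's SPNs, its delegation flags, and which service classes are delegated per target host, flagging missing http/ or www/ entries and unconstrained delegation.

```powershell
# Added example (not from the thread): audit a BES MDS service account's SPNs and
# constrained-delegation configuration in Active Directory.
# Assumes the RSAT ActiveDirectory module; account and host names are placeholders.
Import-Module ActiveDirectory

function Get-DelegationReport {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [string[]] $ExpectedTargetHosts = @()   # internal web app hosts, as written in the SPNs
    )
    $acct = Get-ADUser -Identity $SamAccountName `
        -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl

    $uac = [int]$acct.userAccountControl
    $report = [ordered]@{
        Account = $acct.SamAccountName
        SPNs    = @($acct.servicePrincipalName)
        # TRUSTED_FOR_DELEGATION (0x80000) = unconstrained delegation: the account may
        # impersonate users to ANY service. Constrained delegation should not need it.
        UnconstrainedDelegation = [bool]($uac -band 0x80000)
        # TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) = "use any authentication protocol".
        # The thread describes the account as "Kerberos only", i.e. this flag clear.
        ProtocolTransition = [bool]($uac -band 0x1000000)
        DelegateTo = @($acct.'msDS-AllowedToDelegateTo')
    }

    # Group the delegation targets by host, collecting the service classes (http, www, ...).
    $byTarget = @{}
    foreach ($spn in $report.DelegateTo) {
        $class, $target = $spn -split '/', 2
        if (-not $byTarget.ContainsKey($target)) { $byTarget[$target] = @() }
        $byTarget[$target] += $class.ToLower()
    }

    $findings = @()
    foreach ($t in $ExpectedTargetHosts) {
        $classes = if ($byTarget.ContainsKey($t)) { $byTarget[$t] } else { @() }
        if ($classes -notcontains 'http') { $findings += "$t : no http/ delegation entry" }
        # Per the 11-11 post, the www service must be delegated as well as http.
        if ($classes -notcontains 'www')  { $findings += "$t : no www/ delegation entry" }
    }
    if ($report.UnconstrainedDelegation) { $findings += 'account is trusted for unconstrained delegation' }
    $report.Findings = $findings
    [pscustomobject]$report
}

# Usage with placeholder names:
Get-DelegationReport -SamAccountName 'BESMDSSvc' -ExpectedTargetHosts 'intranetapp.corp.example' | Format-List
```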