Developer
Posts: 333
Registered: ‎04-16-2008
My Device: 8900

BES 5.0.2 MDS Connection Service with Integrated Authentication to AD

Hello,

 

I have always created MDS Proxy Exclusion rules that tell the MDS CS to point to a proxy, and in order to authenticate through the proxy used a service account. This has always worked well, but we now have a requirement for each user to auth through the proxy. On desktops different users have different levels of access which permit them to get to certain sites. User A may not be allowed access to MySpace & Facebook but User B can! We now need to implement this on BlackBerry devices too. Is this possible?

 

Looking through the documentation it is possible to use AD authentication for internal websites hosted on IIS e.g.

 

http://docs.blackberry.com/en/admin/deliverables/16661/Configuring_devices_authenticate_content_serv...

 

http://docs.blackberry.com/en/admin/deliverables/16661/SSO_for_MDS-CS_1086111_11.jsp

 

Has anyone configured what I am trying to do before on BES 5.0.2 and got it working?

 

Cheers, R.

New Contributor
Posts: 8
Registered: ‎08-02-2010
My Device: Not Specified

Re: BES 5.0.2 MDS Connection Service with Integrated Authentication to AD

What I was able to do for Intranet websites is to just have the domain pre-entered during login; the user then has to enter the password if he has checked to remember the username, but I haven't achieved single sign-on. From what I've read this is not possible except if you follow the other KB article that prompts you to delegate access to a site, which in my case is not really applicable since we are talking about many sites.

 

Regarding Internet through a proxy, I am also using a service account for all users, since the other way is, as with Intranet sites, to just have the domain pre-entered in the authentication popup, but the users then have to enter their password every time.

 

If anyone had better luck with AD authentication I would also be glad to hear it.

New Contributor
Posts: 2
Registered: ‎08-29-2010
My Device: Bold 9650
My Carrier: Sprint

Re: BES 5.0.2 MDS Connection Service with Integrated Authentication to AD

I am trying to enable Integrated Windows Authentication (Kerberos) but have had no success.

 

Prior to upgrading to 5.0.2 we were successfully using MDS with NTLM (domain name pre-populated).  Our users could select remember username, enter their password and their credentials would be valid for up to 2 hours.  Then our users could access any internal URL without having to re-authenticate at each new URL.

 

We're trying to enable single sign on with Kerberos constrained delegation but have not had much luck.

 

I've followed all of RIM's config docs and re-read them a few times as well.

 

BAS and MDS Connection Service are both using BESAdmin.  BAS SSO is working.  BESAdmin is configured with the two required SPNs.  Delegation was enabled for BESAdmin (Kerberos only) to HTTP/internalwebappURL.

 

On the handheld the user is still prompted for credentials (yes we applied the pull access control rule to the user with a handheld).

 

Any ideas?  Has anyone else been successful?

Contributor
Posts: 24
Registered: ‎11-06-2009
My Device: Not Specified

Does this feature really exist?

I am not sure if "integrated authentication" works at all...

 

http://supportforums.blackberry.com/t5/BlackBerry-Enterprise-Server/Understanding-MDS-Connection-Ser...

 

Maybe somebody knowledgeable from RIM could take a little time and explain to us how we get it to work ...

 

Thank you very much!

 

Peter

 

Developer
Posts: 333
Registered: ‎04-16-2008
My Device: 8900

Re: Does this feature really exist?

Totally agree with you Peter!!

 

It is something that gets talked about and people say 'yeah you can do it....' But I don't know anyone that has it working yet!!

Developer
Posts: 333
Registered: ‎04-16-2008
My Device: 8900

Re: Does this feature really exist?

Contributor
Posts: 49
Registered: ‎05-30-2008
My Device: Not Specified

Re: Does this feature really exist?

Seems like a pain to do that for every potential site that is in your environment.  For a mom and pop store it may be good.  For an enterprise this is way too much work.  We have thousands of servers and new ones coming on board every day!

 

In my opinion this isn't ready for prime time yet. 

New Contributor
Posts: 4
Registered: ‎05-25-2010
My Device: Bold 9700
My Carrier: Vodafone UK

Re: BES 5.0.2 MDS Connection Service with Integrated Authentication to AD

Don't use the BESADMIN as that's set to Kerberos only for SSI.

 

On the delegation account use the www AS WELL AS the http service.

 

That's 3 days of my life I'll not be getting back.

 

 

J/.
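
The delegation settings discussed in the posts above (SPNs on the service account, Kerberos-only constrained delegation to HTTP/internalwebappURL, and the later suggestion to add the www service as well) can be read back from Active Directory to confirm what is actually configured. This is an added example, not code from any poster or from RIM; it assumes the RSAT ActiveDirectory PowerShell module, and the host name is a placeholder.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
param(
    [string]$ServiceAccount = 'BESAdmin',                   # account name mentioned in the thread
    [string]$TargetHost     = 'internalwebapp.example.com'  # placeholder host, replace with your own
)

Import-Module ActiveDirectory

$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'
$acct  = Get-ADUser -Identity $ServiceAccount -Properties $props

# Drop empty values so an unset attribute yields an empty array.
$spns    = @($acct.servicePrincipalName       | Where-Object { $_ })
$targets = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

# Classify the delegation setting shown on the account's Delegation tab.
if ($acct.TrustedForDelegation) {
    $mode = 'Unconstrained delegation (broader than the setup described in the thread)'
} elseif ($targets.Count -eq 0) {
    $mode = 'No delegation targets configured'
} elseif ($acct.TrustedToAuthForDelegation) {
    $mode = 'Constrained, any authentication protocol'
} else {
    $mode = 'Constrained, Kerberos only'
}

# Look for both service classes named in the thread. This is an exact match on
# the host string given above; short names or entries with a port are separate
# values and need their own check.
$checks = foreach ($class in 'HTTP', 'www') {
    $spn = "$class/$TargetHost"
    [pscustomobject]@{
        DelegationTarget = $spn
        Present          = $targets -contains $spn   # -contains ignores case for strings
    }
}

"Account         : $($acct.SamAccountName)"
"Delegation mode : $mode"
"Registered SPNs : $($spns -join ', ')"
$checks | Format-Table -AutoSize
```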