04-07-2011 10:12 AM
I am really at a crossroads here. I have a Windows Server 2003 Standard, and I need to ensure that the user accessing the installation package for the phone is a member of our Active Directory. Now, the folder is secured in IIS with anonymous access disabled; authenticated access is set to "Digest Authentication for Windows domain servers" with the correct realm. The user can go to a web test page with Internet Explorer on any computer and get prompted for a login; they put in their network user name and network password and authenticate OK, and I know who they are. BUT on the BlackBerry phones, no matter what phone it is, when prompted, they put in the EXACT SAME INFORMATION and get user not authorized; it is like the phone can't send or receive something. The IIS server has an SSL certificate that is valid until 2016 and is a valid VeriSign certificate. Content expiration is disabled. MIME types are correct for the deployed program because if I enable anonymous, anyone can install the program just fine (which is not what I want; I do not want anonymous enabled). I am not using any ASP.NET stuff, but that tab is set to version 2.0.50272, which should have no effect on this problem. The directory is set up with Read / Log Visits and Index this resource; it has its own application pool set to Scripts Only, which is also fine.
Why is it impossible with any browser configuration on the blackberries to authenticate?
04-07-2011 10:16 AM
not really my field of expertise, as far as i know the BES handles this kind of authentication (if it is possible).
maybe you can ask a BES admin or over at the BES forums.
04-07-2011 10:27 AM
This is not a BES issue, this is not a BES deployed program. Imagine, if you will, you have a web host, which you can use to deploy your programs through; you can use anonymous on that web host and host your COD / JAD / JAR files. Part of deploying to the BlackBerry phones is the ability to use the web. Now, we have our own web server; where the problem lies is in IIS -> Active Directory working with the BlackBerries. This, again, has nothing to do with BES, so this doesn't belong in the BES section and I do not want this to deter to that type of conversation or direction. This is not a BES deployed program, does not exist in the BES operations, nor used our BES system; this is simply a web deployed program except it is in our domain with simple Windows digest security which, again, has nothing to do with BES.
To be exact, no BES is being used for this; all I want is a SECURE folder that uses Windows digest for domain controllers. The user gets prompted on their phone and they have to put in their network login information. Again, no BES, so this has nothing to do with BES. Let me stress this again, NOT BES; I will mention that part again because I do not want this moved to some BES thing and get lost in utter lost confusion in oblivion. This is a simple thing where you can create any web site, secure it to IIS -> Active Directory required authentication, and the phone can't even browse to DEFAULT.HTM in that folder because no matter what the user types in for security, full domain information or whatever, the phone will not authenticate.
Simple, let me keep this straightforward: NOT BES, not on any sleight of hand, not on any level, NOT BES, so please do not confuse this process by pointing at BES and no mod move this to some BES forums; this has nothing to do with BES. This is Windows Server 2003 Standard with IIS, the folder is secure in its own app pool, anonymous disabled. Open ANY browser on the phone, create a default.htm file and put a simple "HI" in it, nothing more, then use the phone to browse to that default.htm so it prompts for network security credentials, then simply try to log in; the BlackBerries will not log in.
So again, NO BES, keeping on track, keeping on subject, keeping in the limits of the confines of the original post (and note in the original post I never mentioned this is a BES deployed program): this is an IIS security issue with Active Directory, not a single BlackBerry can authenticate the user through the browser, this is not a BES issue.
BES is totally off topic; BES doesn't handle this security, IIS -> Active Directory does. You have to look up "Deploying to the BlackBerry Phone" in the manual to see all the available deployment options, and using simple IIS is an option. As I said, it works with Anonymous, which is not what I want; I simply want the phone to authenticate like any web browser on any phone. I can get this to work with Android, I can get this to work with the iPhone, I can't get this to work with BlackBerry, and using IIS is an option for "Deploying to the BlackBerry". I do realize that BES push is another option but I do not want to go that route, too much black tape.
04-07-2011 10:41 AM
Reading between the lines here, I think you are telling us this is not a BES issue.... .
Can I summarize the problem that I see back to you.
1) On a normal Browser, you get an authentication page, you enter your credentials, you get authorized.
2) On a BlackBerry Browser, you do the same, enter the same information, and you are not authorized.
So the problem here is something to do with the processing between the Browser and the Authentication page. There is no Java code involved.
If this is a correct summary of the problem, then I think you are in the wrong forum. You should be talking to the Web folks here or the IIS folks. I'm not sure which end is most likely causing the problem. Personally I would suggest it is the IIS end that is expecting something that the BB Browser does not deliver. But this is not an area of expertise.
04-07-2011 10:46 AM - edited 04-07-2011 10:47 AM
Correct on #1 and #2. The entire program is written in Java, but deploying it to the phone through a secured IIS folder is the issue. The program works just fine, even the SOAP component that I have written works just fine through SSL; it is the initial deployment folder with no anonymous access allowed that is the problem. I have tried every setting in IIS for security and nothing works except for enabling anonymous, which is bad.
Edit: as far as login options, I have used short name and network password, I have used domain\short name and network password, I have used domain\long name and network password, and I have used long name and network password, none of which worked on the phone.
04-07-2011 10:47 AM
well, let's say you described your issue well, now.
i thought you would mean kerberos/ntlm authentication (which is similar, as i read on technet).
as far as i know windows digest authentication is not supported on the blackberry browser, but feel free to get this confirmed by your RIM support.
maybe you could switch to basic authentication with https?
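The scheme mismatch discussed in the reply above can be checked from the server's 401 response. This is an added example, not part of the original post: the sample responses, the `deploy.example.test` host and the realm are constructed, and the assumption that the handheld browser only answers Basic challenges comes from the replies in this thread.

```python
import re

# Constructed 401 responses (not captured from the poster's server).
DIGEST_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest qop="auth", realm="EXAMPLE", nonce="abc123"\r\n'
    "Content-Length: 0\r\n\r\n"
)
BASIC_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="EXAMPLE"\r\n'
    "Content-Length: 0\r\n\r\n"
)
INTEGRATED_PLUS_BASIC = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    'WWW-Authenticate: Basic realm="EXAMPLE"\r\n\r\n'
)

def offered_schemes(raw_response):
    """Return the auth schemes a 401 response offers, lower-cased, in order.
    Assumes one challenge per WWW-Authenticate header line."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            match = re.match(r"\s*([A-Za-z][\w-]*)", value)
            if match:
                schemes.append(match.group(1).lower())
    return schemes

def assess(raw_response, url, client_schemes=frozenset({"basic"})):
    """Report whether a client limited to client_schemes (assumption: Basic
    only) can authenticate, and whether doing so exposes the password."""
    offered = offered_schemes(raw_response)
    usable = [s for s in offered if s in client_schemes]
    findings = []
    if not usable:
        # The client re-prompts or fails even with correct credentials.
        findings.append("no-common-scheme")
    if "basic" in offered and not url.lower().startswith("https://"):
        # Basic sends base64(user:password), which is trivially reversible.
        findings.append("basic-over-cleartext")
    return {"offered": offered, "usable": usable, "findings": findings}

if __name__ == "__main__":
    for resp in (DIGEST_ONLY, BASIC_ONLY, INTEGRATED_PLUS_BASIC):
        print(assess(resp, "https://deploy.example.test/app/"))
```
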
04-07-2011 10:52 AM
So NTLM is not valid with BlackBerry?
I will switch to Basic Authentication, remove all other types, set the default domain and realm, and force SSL and see where this lands; will let you know shortly. I thought digest authentication would work with BlackBerry, at least I thought I read somewhere in the documentation where NTLM is supported.
Thanks, trying now.
04-07-2011 10:59 AM
NTLM is supported by the BES (+MDS), not by the BB itself.
a BIS device is not able to use NTLM.
04-07-2011 11:03 AM
BES isn't totally off topic. But it is a feature that isn't supported on the Blackberry Browser from what I can gather. For authentication you will need to set it to either basic or anonymous unless you are using BES which will then supply your windows credentials if an option is turned on.
These are two interesting links that talk about the security risk and configuration method of working with forms based authentication. As you can see, it's BES that would enable the use of digest authentication, which is a subset of integrated Windows authentication designed to communicate with clients outside of the Windows world.