03-05-2013 10:26 AM
Our enterprise uses Domino/Notes. We just deployed a full Traveler solution including IMC servers for authentication / connection management. Everything is at the latest version. (IMC = IBM Mobile Connect: authentication/reverse proxy optional box. Adds security and allows the creation of LTPA tokens based on Windows credentials accepted by Domino. So our users can log in with their Windows password to their Traveler application on their Androids...)
Traveler <--> IMC <--> Reverse Proxy <--> Internet <--> Android phones
It works well.
Now, we're getting a lot of pressure to install the new BDS (BES10) from Blackberry.
We did manage to install BDS and got it to "talk" directly to the Traveler server. That worked well. (We are aware that our current version of Traveler (184.108.40.206) doesn't... "support" BES10... but it works. We'll just update it to 9.0 when it is released. We're ready to live with the "missing features" until they are fixed.)
The issue:
We hate the Domino "HTTP Password". Because of... well, many reasons/issues encountered in our enterprise, we want to avoid using the HTTP Password at all cost.
With IMC in front of Traveler, we generate an LTPA Token allowing Traveler users to work with their Windows password. (When Traveler prompts for a usr/pwd, they enter their full email address + Windows password). We love that.
We want to keep that feature with the BES10 users. When they do an Enterprise Activation and the BB10 asks for their "active sync password", we want our users to enter their Windows password. Not their "HTTP Password" as expected. But Domino has to accept that Windows password.
The easiest way to do that seemed to be to "tell" the BES10 server that the "Active Sync-compatible mail server" is the IMC (in the mail profile). Of course, since BES10 is a new product and IMC seems to have never been included in that config... the best answer we could get from both IBM and Blackberry was "yeah, that seems logical, that could work!"
So we created a mail profile in the BES that points at the IMC server, and tried to do an activation. We get traces in the logs of all systems so... at least the servers all communicate together (sounds like a good start). But it would seem the IMC server does something with the Authentication string that confuses the Traveler server. From the Blackberry device, when asked for the Active Sync password, we enter our Windows password... then everything seems right for a few seconds, then it says something about the account info having changed and you need to enter the password again. In the Traveler server logs, we see this:
172.26.193.91 Travelerserver.acme.com "CN=John Wayne/OU=Here/O=acme" [27/Feb/2013:14:09:52 -0500] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 200 - "" "RIM-PlayBook/220.127.116.116" 0 "LtpaToken=g+DBX969OcEBcVvEMyMmkMUeWfkE7dOCCZyN0Dl
*** This seems to prove that there was a successful authentication at least once... but then I see this (6 seconds later...):
172.26.193.91 Travelerserver.acme.com "John.Wayne@OurCompany.com" [27/Feb/2013:14:09:58 -0500] "POST /Microsoft-Server-ActiveSync?Cmd=Provision&DeviceT
*** I'm not sure if the "%40" in the email address is a side-effect or a cause... or... well I'm not sure of anything so any thoughts would be welcome.
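As an added example, not part of the original post and not IBM or BlackBerry code: a small Python parser for access-log lines in the format quoted above, run over two constructed sample lines modelled on the post's (the LtpaToken value, the query string, the `User=` parameter and the status codes are placeholders and assumptions). It records, per request, whether an LtpaToken cookie was presented and whether the logged principal is a Notes distinguished name or an e-mail address, percent-decodes the `%40` in the query string, and flags consecutive requests from the same device whose principal form changed within a short window, which is the DN-then-e-mail pattern the two quoted lines show six seconds apart.

```python
"""Added example (not from the original post): parse Traveler-style access-log
lines and flag requests from one device whose authenticated principal changes
form (Notes DN vs e-mail) within a short window.

The two SAMPLE_LOG lines are constructed, modelled on the format quoted in the
post; the LtpaToken value, the query string and the status codes are placeholders.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Field layout seen in the post:
# ip host "user" [timestamp] "request" status bytes "referer" "user-agent" elapsed "cookie"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) "(?P<user>[^"]*)" \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<elapsed>\d+) "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines (placeholder token, query string and statuses).
SAMPLE_LOG = """\
172.26.193.91 Travelerserver.acme.com "CN=John Wayne/OU=Here/O=acme" [27/Feb/2013:14:09:52 -0500] "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1" 200 - "" "RIM-PlayBook/220.127.116.116" 0 "LtpaToken=PLACEHOLDER_TOKEN_VALUE"
172.26.193.91 Travelerserver.acme.com "John.Wayne@OurCompany.com" [27/Feb/2013:14:09:58 -0500] "POST /Microsoft-Server-ActiveSync?Cmd=Provision&User=John.Wayne%40OurCompany.com HTTP/1.1" 200 - "" "RIM-PlayBook/220.127.116.116" 0 ""
"""


def principal_kind(user: str) -> str:
    """Classify the logged user field: a Notes distinguished name, an e-mail
    address (the form an ActiveSync client sends in Basic auth), or other."""
    if user.startswith("CN="):
        return "notes-dn"
    if "@" in unquote(user):  # tolerate a percent-encoded "@" (%40)
        return "email"
    return "other"


def auth_kind(cookie: str) -> str:
    """An LtpaToken cookie means the request rode on the token IMC issued; its
    absence means some other mechanism was used (the Authorization header
    itself is not written to this access log, so it cannot be inspected here)."""
    return "ltpa" if "LtpaToken=" in cookie else "none"


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    f = m.groupdict()
    parts = urlsplit(f["target"])
    return {
        "ip": f["ip"],
        "agent": f["agent"],
        "ts": datetime.strptime(f["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": f["method"],
        "path": parts.path,
        # parse_qs percent-decodes, so User=...%40... comes back with a literal "@"
        "query": parse_qs(parts.query),
        "user": unquote(f["user"]),
        "principal_kind": principal_kind(f["user"]),
        "auth": auth_kind(f["cookie"]),
        "status": int(f["status"]),
    }


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_identity_flips(records: list, window_seconds: int = 60) -> list:
    """Flag consecutive requests from the same client (ip + user agent) whose
    principal form changed within the window: a DN under LTPA followed a few
    seconds later by an e-mail address with no token is the pattern in the post."""
    flips = []
    last_by_client = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["ip"], rec["agent"])
        prev = last_by_client.get(key)
        if prev is not None and prev["principal_kind"] != rec["principal_kind"]:
            delta = (rec["ts"] - prev["ts"]).total_seconds()
            if delta <= window_seconds:
                flips.append({
                    "client": key,
                    "seconds": delta,
                    "from": (prev["user"], prev["auth"]),
                    "to": (rec["user"], rec["auth"]),
                })
        last_by_client[key] = rec
    return flips


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f'{r["ts"].time()} {r["method"]:7} {r["principal_kind"]:9} '
              f'auth={r["auth"]:5} user={r["user"]}')
    for flip in find_identity_flips(recs):
        print(f'principal changed within {flip["seconds"]:.0f}s: '
              f'{flip["from"]} -> {flip["to"]}')
```

Run against a real Traveler log export, the flip list shows each device whose session went from the token-backed DN to a raw e-mail principal, and the `query["User"]` value shows what the client actually sent once the `%40` is decoded, which separates an encoding artefact from a genuine change of identity.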