BlackBerry® Enterprise Service 10

New Member
Posts: 1
Registered: ‎02-06-2013
My Device: Z10
My Carrier: Rogers

BES 10 Kerberos Support

Has anyone had any luck in getting this to work? I've tried to set this up (configure the krb5.conf and mdslogin.conf for my environment). I've done packet traces and absolutely no authentication information is being sent to the webserver but it is definitely requesting a page. I get a prompt for a username and password on the BlackBerry. I enter it and again there is no authentication information being passed by the BES to the server. I checked on IIS and it was reporting 401.2 which I always see if a device that does not support Kerberos tries to get to pages on this server. Any help would be greatly appreciated. Thanks!

New Contributor
Posts: 5
Registered: ‎10-22-2010
My Device: Not Specified

Re: BES 10 Kerberos Support

The new BlackBerry 10 server uses Heimdal Kerberos configuration, which is different from the old BES 5 configuration that could use MIT Kerberos.

Below is the Heimdal documentation and an example:

http://www.h5l.org/manual/HEAD/info/heimdal/Configuration-file.html#Configuration-file

Here is probably the document that you are already using from BTSC:

http://www.blackberry.com/btsc/KB33983

Please let me know if you could get the configuration to work and which options/variants you declared.

Trusted Contributor
Posts: 100
Registered: ‎05-14-2009
My Device: Z30, PRIV
My Carrier: Bell

Re: BES 10 Kerberos Support

Were you able to get it working?

I'm just at the point of updating the Device settings in BDS 6.2 with an edited KRB5.conf file, but other than creating it, I don't see any info on potential impact, or back-out process.

Is it correct that even if it fails, it will not affect e-mail or the personal side browser?

To back out (if it failed to work), would it simply be uploading the default KRB5.conf file and waiting for it to push out to the devices? Or are there other remnants left on the device that could cause issues until a device was wiped?

BES 5.0.4
BES 10.2
BES 12.3
Exchange 2010
SQL2008R2
Trusted Contributor
Posts: 100
Registered: ‎05-14-2009
My Device: Z30, PRIV
My Carrier: Bell

Re: BES 10 Kerberos Support

So far in testing, it hasn't had any impact (good or bad).
The BB's still require a username\password to access the intranet for each new attempt.
New Contributor
Posts: 5
Registered: ‎10-22-2010
My Device: Not Specified

Re: BES 10 Kerberos Support

Could you paste here the krb5.conf file that you are using?

This document has more specifics on Heimdal Kerberos syntax:

http://manpages.ubuntu.com/manpages/oneiric/man5/krb5.conf.5heimdal.html

Please let me know if you find a solution.

Cheers!

Trusted Contributor
Posts: 100
Registered: ‎05-14-2009
My Device: Z30, PRIV
My Carrier: Bell

Re: BES 10 Kerberos Support

Hi,

I just took the default from http://btsc.webapps.blackberry.com/btsc/viewdocument.do;jsessionid=325CD430044CAB36C0156F8F125B7615?...

and edited it with our domain info as below.

Saved it as a krb5.conf file and imported it through the BDS console.

[libdefaults]
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_realm = OURDOMAIN.COM

[realms]
OURDOMAIN.COM = {
    kdc = tcp/ourdc.ourdomain.com:88
}

[domain_realm]
.ourdomain.com = OURDOMAIN.COM

New Contributor
Posts: 7
Registered: ‎03-15-2013
My Device: Bold 9900
My Carrier: .

Re: BES 10 Kerberos Support

Were you successful in your attempts at getting this working? I have been working on the same issue at my location. I noticed at the bottom of the KB you linked to it does show that the user will be prompted for credentials on first visit to the site. Were you able to figure a way around this?

Trusted Contributor
Posts: 100
Registered: ‎05-14-2009
My Device: Z30, PRIV
My Carrier: Bell

Re: BES 10 Kerberos Support

Unfortunately I haven't had a chance to investigate the credential prompt (each time) issue we have.
BlackBerry Employee
Posts: 750
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: BES 10 Kerberos Support

How are you typing in the domain and user when authenticating to the site? I believe it currently needs to be in the format (case sensitive) of username@DOMAIN.COM. Try it with this, and if you are taking a packet capture on MDS you should see Kerberos traffic requesting a ticket.
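
Added example, not part of any post in this thread and not BlackBerry or Heimdal code: a small pre-flight check that parses a krb5.conf like the one posted above and tests whether a typed login matches a realm it defines, assuming the case-sensitive username@DOMAIN.COM format suggested in the last reply. The function names, the user jsmith and the host intranet.ourdomain.com are hypothetical, and the [domain_realm] lookup is a simplified model.

```python
SAMPLE_CONF = """
[libdefaults]
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_realm = OURDOMAIN.COM
[realms]
OURDOMAIN.COM = {
    kdc = tcp/ourdc.ourdomain.com:88
}
[domain_realm]
.ourdomain.com = OURDOMAIN.COM
"""  # Constructed sample: the krb5.conf posted in this thread, placeholder names kept

def parse_krb5_conf(text):
    """Parse [sections], 'key = value' lines and one level of { } nesting."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:  # a repeated key keeps only its last value here
                (section if block is None else block)[key] = value
    return conf

def check_login(conf, login, host):
    """Return reasons why `login` cannot be matched to a realm serving `host`."""
    realms, host_map = conf.get("realms", {}), conf.get("domain_realm", {})
    user, _, realm = login.partition("@")
    if not user or not realm:
        return ["login must be typed as username@REALM"]
    problems = []
    if realm not in realms:  # realm names are case sensitive
        near = [r for r in realms if r.lower() == realm.lower()]
        problems.append(f"realm {realm} is not in [realms]" + (f", use {near[0]}" if near else ""))
    elif "kdc" not in realms[realm]:
        problems.append(f"realm {realm} has no kdc entry")
    # Simplified [domain_realm] lookup (an assumption): exact host, then each parent ".domain".
    host = host.lower()
    names = [host] + ["." + host.split(".", i)[-1] for i in range(1, host.count(".") + 1)]
    mapped = next((host_map[n] for n in names if n in host_map), None)
    if mapped != realm:
        problems.append(f"{host} maps to realm {mapped}, not {realm}")
    return problems
```

An empty list means the login, realm, KDC entry and host mapping are consistent with each other; it does not prove that the KDC is reachable or that the web server has a matching service principal.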