08-26-2010 12:16 PM
I have always created MDS Proxy Exclusion rules that tell the MDS CS to point to a proxy, and in order to authenticate through the proxy used a service account. This has always worked well, but we now have a requirement for each user to auth through the proxy. On desktops different users have different levels of access which permit them to get to certain sites. User A may not be allowed access to MySpace & Facebook but User B can! We now need to implement this on BlackBerry devices too. Is this possible?
Looking through the documentation it is possible to use AD authentication for internal websites hosted on IIS e.g.
Has anyone configured what I am trying to do before on BES 5.0.2 and got it working ??
08-26-2010 03:56 PM
What I was able to do for Intranet websites is to just have the domain pre-entered during login, the user has then to enter the password if he has checked to remember the username, but haven't achieved single sign-on. From what I've read this is not possible expect if you follow the other KB article that prompts you to delegate access to a site which in my case is not really applicable since we are talking about many sites.
Regarding Internet through a proxy, I am also using a service account for all users since the other way is as with Intranet sites, to just have the domain pre-entered in the authentication popup but the users then have to enter their password everytime.
If anyone had better luck with AD authentication I would also be glad to hear it.
08-29-2010 04:41 PM
I am trying to enable Intregrated Windows Authentication (Kerberos) but have had no success.
Prior to upgrading to 5.0.2 we were successfully using MDS with NTLM (domain name pre-populated). Our users could select remember username, enter their password and their credentials would be valid for up to 2 hours. Then our users could access any internal URL without having to re-authenticate at each new URL.
We're trying to enable single sign on with Kerberos constrained delegation but have not had much luck.
I've followed all of RIM's config docs and re-read them a few times as well.
BAS and MDS Connection Service are both using BESAdmin. BAS SSO is working. BESAdmin is configured with the two required SPNs. Delegation was enabled for BESAdmin (Kerberos only) to HTTP/internalwebappURL.
On the handheld the user is still prompted for credentials (yes we applied the pull access control rule to the user with a handheld).
Any ideas? Has anyone else been successful?
09-20-2010 09:28 AM
I am not sure, if "integrated authentication" works at all...
Maybe just somebody knowledged from RIM takes a litte time and explains us, how we get it to work ...
Thank you very much!
11-03-2010 04:08 PM
Seems like a pain to do that for every potential site that is in your environment. For a mom and pop store is may be good. For an enterprise this is way too much work. We have thousands of servers and new ones coming on board every day!
In my opinion this isn't ready for prime time yet.
11-11-2010 08:22 AM - edited 11-11-2010 08:27 AM
Don't use the BESADMIN as that's set to kerberos only for SSI
On the delegation account use the www AS WELL AS the http service.
That's 3 days of my life I'll not be getting back.