04-07-2011 11:09 AM
Not an area of expertise and you seem to want to authenticate in the Browser, but someone else managed to get digest authentication working in their program:
You are going to a lot of trouble to stop people who should not get your program downloading it. However once it has been downloaded to a phone, there is nothing to stop the user copying it from the phone to the PC, and then making it available for download. Are you in fact securing it in the correct place? It might be better for the application program to authenticate the user, then you can ship it to anyone.
04-07-2011 11:11 AM
In this instance BES is totally off topic since it is not the path of distribution. The answer to the problem, if anyone else runs across it, is rather bizarre. First, the BlackBerries have to be set to use Internet Explorer for their browser type; the BlackBerry Browser doesn't seem to support basic authentication either. So step 1 is to switch the phones to use IE. Next, in IIS, set Directory Security to use Basic Authentication ONLY, set your default domain and your realm, and disable anonymous. Install an SSL certificate if you haven't already, then in the "Secure Communications" in IIS, switch to "Require secure channel" and enable the "require 128 bit". At the very least your connection now is SSL between the phone and the folder that houses your COD / JAD and JAR files.
04-07-2011 11:18 AM
The front door is the only thing that needs locked in this instance. I realize that someone can take any program and distribute it; there are other security measures in place once the program is installed. What the front door is allowing me to do is to track who is accessing the installation on the network. We already have pieces in place that basically kick out anyone who is using the program that should not be; that is built into both the program and the server that it communicates with.
The steps are rather simple. First, they have to be domain members to be able to install the program on the phone, and active users are the only ones who can do the initial download. Once installed, when the program loads, it uses a SOAP component to another application server to validate the user's phone number and phone PIN through a different N-Tier system which has its own checks and balances in place. When an employee is terminated, their phones are wiped anyway.
I know it sounds like a rather strange method of locking it down, but it is as secure as I can get it for this type of distribution.
Would be nice if I could use the BES for distribution but I simply can't.
04-07-2011 11:39 AM
Well, to add pain to punishment, although this setup works for the phones, it does not work for the simulator, you have to switch to digest for it to work in any of the simulators and basic to work in the phone, so keep that in mind while testing.
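Added example, not part of the thread: a check that a download folder answers the way the 11:11 AM post describes (no plain-HTTP access, anonymous disabled, Basic as the only challenge, realm set). The function names and the sample responses are constructed for illustration, and the parser assumes one challenge per `WWW-Authenticate` header.

```python
import re

# Hypothetical helper names; assumes one challenge per WWW-Authenticate header.
def offered_schemes(headers):
    """Return {scheme: realm} from all WWW-Authenticate headers of a response."""
    schemes = {}
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        # A challenge is a scheme token, optionally followed by parameters.
        m = re.match(r'\s*([A-Za-z]+)(?:\s+(.*))?$', value)
        if not m:
            continue
        realm = re.search(r'realm="([^"]*)"', m.group(2) or "")
        schemes[m.group(1).lower()] = realm.group(1) if realm else None
    return schemes

def audit(plain_http, https_anon):
    """Each argument is (status, [(header, value), ...]) for an unauthenticated GET."""
    findings = []
    status, headers = plain_http
    if status == 200:
        findings.append("files served over plain HTTP")
    elif "basic" in offered_schemes(headers):
        findings.append("Basic challenge offered over plain HTTP")
    status, headers = https_anon
    schemes = offered_schemes(headers)
    if status != 401:
        findings.append("anonymous access not disabled on HTTPS (status %d)" % status)
    elif set(schemes) != {"basic"}:
        findings.append("expected Basic only, server offers: %s" % sorted(schemes))
    elif not schemes["basic"]:
        findings.append("Basic challenge has no realm")
    return findings

# Constructed sample responses (not captured from a real server).
GOOD_HTTP = (403, [])
GOOD_HTTPS = (401, [("WWW-Authenticate", 'Basic realm="example.local"')])
SIM_HTTPS = (401, [("WWW-Authenticate", 'Digest qop="auth", realm="example.local", nonce="abc"')])
OPEN_HTTP = (401, [("WWW-Authenticate", 'Basic realm="example.local"')])

if __name__ == "__main__":
    print(audit(GOOD_HTTP, GOOD_HTTPS))   # phone configuration from the thread
    print(audit(GOOD_HTTP, SIM_HTTPS))    # folder switched to Digest for the simulator
```

A folder left on Digest after simulator testing shows up as a finding, which is the state the last post warns about when moving back to real phones.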