So when I heard they released BES 5.0.2 (v5 SP2) I was super excited because they were finally enabling single sign-on for the admin and web desktop.
However, like many things RIM does, they made it EXTREMELY hard to configure. When I called T-Support they didn't know how to configure it, but forwarded me to page 260 of the 5.0.2 admin guide.
For those that just want the steps scroll down, the next few paragraphs will be me ranting. Look for the larger underlined text for the steps.
Ok let’s see, Step 1 from the Admin Guide:
Use the Windows Server® ADSI Edit tool to add the following SPNs for the BlackBerry® Administration Service pool to the Microsoft® Active Directory® account:
• HTTP/<BAS_pool_FQDN> (for example, HTTP/BASconsole104.example.com)
• BASPLUGIN111/<BAS_pool_FQDN> (for example, BASPLUGIN111/BASconsole104.example.com)
Ok, that doesn't really make any sense. It doesn't tell you which AD account, nor how to do those steps, but I am sure step 2 will explain better.
If you create separate pools of BlackBerry Administration Service instances and BlackBerry Web Desktop Manager instances in the BlackBerry Administration Service pool, add the HTTP/<BAS_pool_FQDN> SPN for each pool to the Microsoft Active Directory account.
Nope, no help there. THANKS RIM! Super awesome instructions! I called back and got their overseas call center. He was not helpful at all, when I told him “listen it’s a new feature that came out yesterday, let’s just save us both some time and pass me along to someone who has actually enabled this before” I was told he could not. When I asked for his manager he told me that management wasn’t technical and couldn’t help me either. I insisted and magically I got elevated to level 2 (an “analyst”) without speaking to the manager.
Side Note: If they put as much thought into their tech documents as they do their technical support tier names I think I wouldn’t have to call them.
Level 2 wasn’t much more help, they definitely didn’t get any training on what I would think would be a highly requested feature. He put me on hold for 10 minutes and came back with a “private section of the admin guide”. I am going to spare you the 8 pages of nonsense from that and instead give you clear steps on how to enable this feature.
Configuring AD to accept BlackBerry Enterprise Server 5.0.2 Single Sign-on
Background info: I am going to be using a Windows 7 / 2008 R2 Active Directory Users and Computers MMC, if you don’t have this version you can use ADSI edit to do the same thing. For deployment I decided to make a new AD Account for the purpose of Single Sign-On instead of making AD changes to the existing BES Service Account we had been using. The documentation isn’t clear if this is the way you should do it or not.
Disclaimer: This is all at your own risk. This did work for me, but I do not claim to know your exact environment. If you are in doubt about any of these steps contact T-Support and have them help you. Also, if you find better ways or if I have items that are not accurate, please leave me a comment so I can clean it up. For all my ranting at RIM, the real reason I do this is so others don't have to go through the hassle that I did.
1) Open ADUC (Active Directory Users and Computers MMC)
2) Make sure Advanced Features are enabled by clicking View -> Advanced Features (checked means it's enabled)
3) Find a nice OU to put your new service account in and create the account. (For my example I called mine svc-blackberry-ldap)
4) Right click your new user account and go to properties
5) Go to the Attribute Editor tab (if it is not there, you don't have Advanced Features enabled or you are not using a later version of ADUC; if that is the case, use ADSI Edit)
6) Double click on “servicePrincipalName”
7) Add the following two values:
BASPLUGIN111/<poolname with FQDN>
HTTP/<poolname with FQDN>
If your BlackBerry pool is called blackberry and your domain name is company.local, then it would be:
BASPLUGIN111/blackberry.company.local
HTTP/blackberry.company.local
That is: the service name, then a forward slash, then the FQDN of the pool. No spaces.
8) Then click OK.
9) Next open the properties of the new account again by right click -> properties
10) You should see a delegation tab next to telephone
11) Select the “Trust this user for delegation to specified service only” and the sub option of “Use Kerberos only”
12) Next click Add on the bottom of the delegation screen
13) Click the “Users or Computers…” button
14) Type in the name of that service account you just created (that you also have the properties open for) my example is “svc-blackberry-ldap” and click OK
15) Next click Select All on the bottom then click OK
16) Then click OK to finish configuring AD.
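The same AD configuration (steps 3 through 16) scripted with the ActiveDirectory PowerShell module from the 2008 R2 / Win7 RSAT tools, as an added example that is not part of the original post. The account name, pool FQDN and OU path are assumptions taken from the post's example; it also adds the duplicate-SPN check you would want before step 7, since an SPN registered on two accounts breaks Kerberos for both of them.

```powershell
# Added example, not from the original post. Assumed names below.
Import-Module ActiveDirectory

$Account  = 'svc-blackberry-ldap'                      # assumed; the post's example account
$PoolFqdn = 'blackberry.company.local'                 # assumed BAS pool FQDN
$OuPath   = 'OU=Service Accounts,DC=company,DC=local'  # assumed OU for the account
$Spns     = @("HTTP/$PoolFqdn", "BASPLUGIN111/$PoolFqdn")

# Step 3: create the dedicated SSO account (no mailbox or Exchange rights needed, per the post)
if (-not (Get-ADUser -Filter "SamAccountName -eq '$Account'")) {
    New-ADUser -Name $Account -SamAccountName $Account -Path $OuPath `
        -AccountPassword (Read-Host -AsSecureString 'Service account password') `
        -PasswordNeverExpires $true -Enabled $true
}

# Before step 7: refuse to register an SPN that some other object already holds.
foreach ($spn in $Spns) {
    $others = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
        Where-Object { $_.Name -ne $Account }
    if ($others) {
        throw "SPN $spn is already registered on $($others.DistinguishedName -join ', ')"
    }
}

# Step 7: register both SPNs, exactly service/FQDN with no spaces
Set-ADUser -Identity $Account -ServicePrincipalNames @{Add = $Spns}

# Steps 10-15: "Trust this user for delegation to specified services only" with
# "Use Kerberos only" means: list the account's own services in msDS-AllowedToDelegateTo,
# and keep unconstrained delegation and protocol transition switched off.
Set-ADUser -Identity $Account -TrustedForDelegation $false
Set-ADAccountControl -Identity $Account -TrustedToAuthForDelegation $false
Set-ADUser -Identity $Account -Replace @{'msDS-AllowedToDelegateTo' = $Spns}

# Verify what AD now holds, and let setspn look for duplicate SPNs forest-wide
Get-ADUser -Identity $Account -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, servicePrincipalName, 'msDS-AllowedToDelegateTo'
setspn -X
```

After the BAS side is configured, browse to the console from a client that is not the BAS server itself and run klist there: a service ticket for HTTP/blackberry.company.local in the list confirms Kerberos was used, while a browser credential prompt with no such ticket points back at the SPN or the browser's zone settings.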
Now your AD is set up correctly, and we have to move on to configuring the BES/BAS server to use this account. If you have a larger environment you may want to wait until AD replication is finished. In my setup both DCs that my BES/BAS server used were in the local site; I waited 5 minutes anyway just to be safe.
Configuring BAS / BlackBerry Enterprise Server 5.0.2 Single Sign-on
1) Log on to your BES/BAS admin site (I recommend using the account you used to install, but this is not required if you have full admin rights)
https://<apppool>/webconsole/login
2) Click on Administrator User -> Create an Administrator User
3) Next put in the account details of the service account you just created and click "Create an administrator user" (note: the password asked for here is the BES admin's, not the new account's.)
4) Next navigate to Server and Components -> BlackBerry Solutions Topology -> BlackBerry Domain -> Component View -> BlackBerry Administration Service
Side note: these names and structure could have only been thought up by a java programmer who has total disregard for end user mental stability.
5) Click on the Microsoft Active Directory Authentication Tab
6) Click on Edit Components on the bottom
Side Note: Ah the final configuration screen, this was by far the hardest part. This page is riddled with bugs so you have to be very careful here.
8) Change the Username to the new account on the top box, make sure domain is in there, put the password of your new account, set the default domain, then set the Single sign-on to YES and click SAVE ALL.
If it works it will take a second then tell you it was ok and to restart the BAS service. If it failed there can be a number of reasons. One, if you only have one domain you do not need to put anything on the bottom box (which BTW doesn’t have a name!!! It’s not called the “account forest name” box is it??) If you have more than one domain my directions might not be exactly right for you but should give a good start.
9) Restart BAS. The easiest way is to use the services.msc console to restart the BAS-NC service; this will stop and start the app service as well.
So with any luck you should be good to go now. Enjoy, and shame on you RIM for not documenting this properly! This only took me 6 hours on the phone with your support and 1 hour to write up. If you are going to take the time to release a feature, you could take 1 hour to make sure that bullet-listed features are easy to configure.
UPDATE / SIDE NOTE: Sandra in the comments added that you cannot test this on the server console locally; you must do it from another machine.
Glad that I'm not the only person in the world that suffers terrible headaches (mostly from banging my head against the table) while trying to decipher the BES admin manuals….
Been trying to accomplish SSO for an internal website for a few days now… hopefully following your instructions will sort this out…
Many thanks for posting this translation of the manual
No problem, I am glad you found it. Please post back and let us know if it worked for you.
-Eric
Hello, excuse me, I don't speak English very well.
I am trying to activate SSO for BlackBerry device users to access the intranet (http://s1-univ-url.compagy.lan/bes) using BlackBerry devices without requiring the users to type a user name and password each time they access the intranet sites. I configured the BlackBerry MDS Connection Service to support Integrated Windows authentication.
But all I was able to do for intranet websites is to just have the domain pre-entered during login; the user then has to enter the password if he has checked to remember the username, but I haven't achieved single sign-on. From what I've read this is not possible except if you follow the other KB article that prompts you to delegate access to a site, which in my case is not really applicable since we are talking about many sites (http://docs.blackberry.com/en/admin/deliverables/16661/SSO_for_MDS-CS_1086111_11.jsp).
I can just have the domain pre-entered in the authentication popup, but the users then have to enter their password every time.
I tested from a computer (Windows 7) in the Active Directory domain accessing the intranet site (http://s1-univ-url.compagy.lan/bes) and SSO succeeded (auto logon). Why does SSO not work from the BlackBerry terminal?
If anyone had better luck with AD authentication I would also be glad to hear it please.
Architecture:
Active directory (Windows 2003 R2 SP2) forest: Windows 2003 R2.
IP address: 10.0.2.245
Domain: labotest.lan
FQDN: dc-labotest.lan
Service Account: s1-srv
SPN for service account: HTTP/ s1-univ-url.compagy.lan
HTTP/s1-univ-url
DNS record TYPE A: s1-univ-url : 10.0.2.244
Web server (Windows 2008 R2, IIS 7)
@ IP: 10.0.2.244
Account Pool application: s1-srv
Integrated Windows® authentication
URL : http://s1-univ-url.compagy.lan/bes
Anonymous Authentication : OFF
BlackBerry MDS Connection Service
Service Account : sso-bes-srv
Proceeding in Active Directory
1. In Microsoft Active Directory, in the Microsoft Active Directory account properties, if the Delegation tab does not display, update the default HOST SPN registrations for the Microsoft Active Directory account sso-bes-srv.
2. In the Microsoft Active Directory account properties, on the Delegation tab, configure the following settings:
o trust this user for delegation to specified services only
o use any authentication protocol
3. Click Add.
4. Perform one of the following tasks:
o If a pool of application servers hosts the intranet site and the pool is running on Microsoft IIS and is located behind a load-balancer, select the user account that
S1-srv
5. Select two HTTP services type for the user account or application server that you specified. (HTTP/ s1-univ-url.compagy.lan and HTTP/ s1-univ-url)
Then I followed the procedure. http://docs.blackberry.com/en/admin/deliverables/16661/SSO_for_MDS-CS_1086111_11.jsp for BlackBerry MDS (URL PATTERNS, rules access…..)
Can you help me please, because I am desperate.
thank you in advance
Where can I download the software?
Not sure which software you are referring to. You can get BES 5.0 SP2 here: http://www.blackberry.com/go/serverdownloads
Hi,
Thanks for the great instructions.
I have a few questions, hopefully you can shed some light on this.
– Is it necessary to create an administrator account for the AD account set up with the SPN? It works without creating an administrator account.
– By changing the AD authentication login information, will this affect BES logon to the messaging server/configuration database?
– Can we assign the SPN to more than one AD account for admins? (I thought the idea behind single sign-on is so that a BlackBerry admin can auto login to BAS using their own AD account credentials and eliminate the need to enter credentials.)
Thanks
Got it all sorted out.
The SPN is to be assigned to the BESadmin account; an administrator account is to be created for each BlackBerry admin to bypass the need to enter credentials.
Thanks
I need to create a new account with the SPNs on AD and on BES and then use it in the "Microsoft Active Directory login information" at BAS? Did I get it right?
Because it is not working for me…
Yes, that is what I had done. Create a new AD account, add the two SPNs to that account. Add that account as an administrator in BAS, then finally enter all that info into the MS AD Login Info section. Given replication of AD, maybe simply trying again now that some time has passed will make it work. If not, I would double check everything! Make sure the SPNs are correctly in there without spaces or typos.
Hi,
If we create a new AD account to assign the two SPNs to that account.
Does this new AD account require the same rights as the BESadmin account has to Exchange or SQL server that BES connected to?
Thanks
Blue, no that second account does NOT need to have the same Exchange Rights as your standard BES account.
Does the AD account dedicated for single sign-on need to have a mailbox?
No it does not. It is used just to do the AD lookups.
Thank you for these very helpful instructions. I came to the same conclusions as you but glad to confirm them with your experience.
And I thought it was just me….. Are these the same instructions required to enable AD authentication for the BlackBerry Administration Service web logon? Trawling through BlackBerry's documentation it seems rather difficult to fathom how to enable such a simple feature. I wouldn't have thought I needed to dig around in ADSI just to enable LDAP authentication? Can you shed any light on this? By the way, great blog. I'll be subscribing to your feed.
Shawn, ADSI Edit is not needed as long as you are using the 2K8/Win7 RSAT tools (AD Users and Computers). You could use ADSI Edit to do the same thing, but I find it harder to use with fewer hand rails. Also, these directions will enable SSO for both the end user portal as well as the admin site. Thanks for the great feedback!
Thanks so much for the clear, easy to follow instructions! This saved me a ton of time.
Thank you very much Eric, great post!
One question, I have done everything as you post and apparently everything was correctly configured because I get no errors and the services restart ok. But, I think SSO is still not working because when I open BAS in IE I still get asked for login credentials…
At last, I'm in the same boat as you. RIM support is somewhat not super great. They never figured out why my SSO wasn't working. I simply followed your steps and tada! it worked. Thanks a lot and shame on RIM….
Thanks a lot for this. I did everything according to the instructions, but SSO didn’t work. After one hour research, I found that RIM has noted in one of their docs that it doesn’t work if the browser is on the same machine as BAS. So I started the browser on a different machine… and it worked!
Thanks for the added info Sandra, I will add that to the post. Glad I was able to help!
SSO will work in the BES server or a remote workstation as long as you login to the server / workstation using the AD account that has Administration rights to the BAS console.
Hi Eric,
Great article. Your description of RIM is great and now I am sure there are many other users with the same experience. One question – running SSO for the BAS works pretty great, but I never had the MDS working with SSO, e.g. for connecting to an internal website. Did you realize that? RIM has been searching for two months with no results.
You are god to us. Thank you very very much.
Eric,
THANK YOU for this. Working beautifully now.
Ed
The AD portion works great now but I am still asked to enter the credentials in the BAS
Given it's so complex it could be many things. I would make sure you are using the FQDN to access the server and using the correct URLs. You want to go to https://servername.domain.domanext//webdesktop/login
Also are you being asked for creds by the browser in a pop up auth box OR are you seeing the standard logon page for BAS?
Has anyone been able to get SSO to work with intranet sites? We are getting prompted for credentials every time. I have tried multiple things and none seem to work.
Thanks
It should work just fine. I would make sure the site is being classified in the intranet zone and the zone settings allow for automatic authentication. (I know setting it to low will do that.) You can also adjust the setting for authentication directly, although it escapes me ATM what it is called.
I have this narrowed down to our PDC not allowing Kerberos logins. The delegate account I have setup for MDS is trying to login. The MDS log on our server shows the login failed because of the PDC. I am not sure what changed to make the log give me that error (That is a good thing). All previous errors were really cryptic.
Hi, good article. I am having an issue with timeouts: after logging in I notice I need to reauthenticate after 30 mins, and in recent weeks after 10 mins. It has become frustrating and it has got to the stage now where I need to log a call with T-Support. Any clues before I go down this channel would be most appreciated?? Thanks in advance
Sorry, not really sure. I would think it has to do with something in the product, although maybe related to bad Kerberos tickets. I would call T-Support and see if they can be any help.
Hi, I installed BESX with Exchange 2010 on the same server running Windows 2008 R2.
I followed your guide step by step, but it still gives an error:
The Microsoft® Active Directory® account that you specified is not configured to support single sign-on authentication. You must associate a service principal name to the Microsoft Active Directory account before you can add the account to the BlackBerry® Administration Service.
Please help