Configure BES 5.0.2 SSO / Auto Logon (Active Directory)

So when I heard they released BES 5.0.2 (v5 SP2) I was super excited because they were finally enabling single sign-on for the admin and web desktop.

However, like many things RIM does, they made it EXTREMELY hard to configure. When I called T-Support they didn’t know how to configure it but forwarded me to page 260 of the 5.0.2 admin guide.

For those that just want the steps scroll down, the next few paragraphs will be me ranting. Look for the larger underlined text for the steps.

Ok, let’s see, Step 1 from the Admin Guide:

Use the Windows Server® ADSI Edit tool to add the following SPNs for the BlackBerry® Administration Service pool to the Microsoft® Active Directory® account:

• HTTP/<BAS_pool_FQDN> (for example, HTTP/BASconsole104.example.com)
• BASPLUGIN111/<BAS_pool_FQDN> (for example, BASPLUGIN111/BASconsole104.example.com)

Ok, that doesn’t really make any sense; it doesn’t tell you which AD account to use or how to do those steps, but I am sure step 2 will explain better.

If you create separate pools of BlackBerry Administration Service instances and BlackBerry Web Desktop Manager instances in the BlackBerry Administration Service pool, add the HTTP/<BAS_pool_FQDN> SPN for each pool to the Microsoft Active Directory account.

Nope, no help there. THANKS RIM! Super awesome instructions! I called back and got their overseas call center. He was not helpful at all; when I told him “listen, it’s a new feature that came out yesterday, let’s just save us both some time and pass me along to someone who has actually enabled this before” I was told he could not. When I asked for his manager he told me that management wasn’t technical and couldn’t help me either. I insisted and magically I got elevated to level 2 (an “analyst”) without speaking to the manager.

Side Note: If they put as much thought into their tech documents as they do their technical support tier names I think I wouldn’t have to call them.

Level 2 wasn’t much more help, they definitely didn’t get any training on what I would think would be a highly requested feature. He put me on hold for 10 minutes and came back with a “private section of the admin guide”. I am going to spare you the 8 pages of nonsense from that and instead give you clear steps on how to enable this feature.

Configuring AD to accept BlackBerry Enterprise Server 5.0.2 Single Sign-on

Background info: I am going to be using the Windows 7 / 2008 R2 Active Directory Users and Computers MMC; if you don’t have this version you can use ADSI Edit to do the same thing. For deployment I decided to make a new AD account dedicated to Single Sign-On instead of making AD changes to the existing BES service account we had been using. The documentation isn’t clear whether this is the way you should do it or not.

Disclaimer: This is all at your own risk. This did work for me but I do not claim to know your exact environment. If you are in doubt about any of these steps contact T-Support and have them help you. Also if you find better ways or if I have items that are not accurate please leave me a comment so I can clean it up. For all my ranting at RIM, the real reason I do this is so others don’t have to go through the hassle that I did.

1) Open ADUC (Active Directory Users and Computers MMC)

2) Make sure Advanced Features are enabled by clicking View -> Advanced Features (checked means it’s enabled)


3) Find a nice OU to put your new service account in and create the account. (For my example I called mine svc-blackberry-ldap)

4) Right click your new user account and go to properties

5) Go to the Attribute Editor tab (if it is not there you don’t have Advanced Features enabled or you are not using a later version of ADUC; if that is the case use ADSI Edit)


6) Double click on “servicePrincipalName”

7) Add the following:

BASPLUGIN111/<poolname w/ FQDN>
HTTP/<poolname w/ FQDN>

If your blackberry pool is called blackberry and your domain name is company.local then it would be:

BASPLUGIN111/blackberry.company.local
HTTP/blackberry.company.local

That is the SPN, then a forward slash, then the FQDN of the pool. No spaces.


8) Then click OK.

9) Next open the properties of the new account again by right click -> properties

10) You should see a Delegation tab next to Telephones (the tab only appears once the account has at least one SPN, which is why the properties have to be reopened after step 8)

11) Select “Trust this user for delegation to specified services only” and the sub option “Use Kerberos only”


12) Next click Add on the bottom of the delegation screen

13) Click the “Users or Computers…” button

14) Type in the name of the service account you just created (the one you have the properties open for); my example is “svc-blackberry-ldap”. Click OK


15) Next click Select All on the bottom then click OK


16) Then click OK to finish configuring AD.

Now your AD is set up correctly; we have to move on to configuring the BES/BAS server to use this account. If you have a larger environment you may want to wait until AD replication is finished. In my setup both DCs that my BES/BAS server used were in the local site, but I waited 5 minutes anyway just to be safe.
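The same AD changes as a script, so they can be repeated or audited rather than clicked through. This is an added example, not from the original post or from RIM’s documentation; it assumes the ActiveDirectory PowerShell module (RSAT on Windows 7 / 2008 R2), the pool and account names from the example above, and an OU path that you will have to change. It also adds the check the GUI does not do for you: refusing to register an SPN that already belongs to another account, since duplicate SPNs break Kerberos with no useful error.

```powershell
# Added example (not from the original post). Creates the SSO service account, registers
# the two SPNs from the post, and sets Kerberos-only constrained delegation to those same
# SPNs, then verifies. Requires the ActiveDirectory module and an account allowed to
# create users and edit delegation in the target OU.
Import-Module ActiveDirectory

$PoolFqdn   = 'blackberry.company.local'                   # BAS pool FQDN (post's example)
$AccountSam = 'svc-blackberry-ldap'                        # service account name (post's example)
$OuPath     = 'OU=Service Accounts,DC=company,DC=local'    # ASSUMED OU; change for your forest
$Spns       = @("HTTP/$PoolFqdn", "BASPLUGIN111/$PoolFqdn")

# Refuse to continue if either SPN is already registered to some other object.
foreach ($spn in $Spns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
    if ($owner -and $owner.sAMAccountName -ne $AccountSam) {
        throw "SPN $spn is already registered to $($owner.DistinguishedName); fix that first"
    }
}

# Steps 1-3: create the account if it does not exist yet (prompted password, never expires).
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$AccountSam'")) {
    $password = Read-Host -AsSecureString "Password for $AccountSam"
    New-ADUser -Name $AccountSam -SamAccountName $AccountSam -Path $OuPath `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $true
}

# Steps 6-8: register the SPNs. Replace keeps the script idempotent; use @{Add=$Spns}
# instead if the account already carries other SPNs you need to keep.
Set-ADUser -Identity $AccountSam -ServicePrincipalNames @{Replace = $Spns}

# Steps 10-15: "Trust this user for delegation to specified services only" + "Use Kerberos
# only" means msDS-AllowedToDelegateTo holds the target SPNs and BOTH delegation flags
# (unconstrained, and protocol transition) stay off.
Set-ADUser -Identity $AccountSam -Replace @{'msDS-AllowedToDelegateTo' = $Spns}
Set-ADAccountControl -Identity $AccountSam -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Verify what was written, then run the forest-wide duplicate SPN report.
Get-ADUser -Identity $AccountSam -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, servicePrincipalName, 'msDS-AllowedToDelegateTo' | Format-List
setspn -X
```

Run it once per pool; if you have separate BAS and Web Desktop Manager pools, add the extra HTTP/<pool FQDN> SPN to $Spns as the admin guide excerpt above requires. The final `setspn -X` should report no duplicates before you move on to the BAS side.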

Configuring BAS / BlackBerry Enterprise Server 5.0.2 Single Sign-on

1) Log on to your BES/BAS admin site (I recommend using the account you used to install, but that is not required if you have full admin rights)
https://<apppool>/webconsole/login

2) Click on Administrator User -> Create an Administrator User


3) Next put in the account details of the service account you just created and click “Create an administrator user” (note: the password asked for here is the BES admin’s, not the new account’s.)


4) Next navigate to Server and Components -> BlackBerry Solutions Topology -> BlackBerry Domain -> Component View -> BlackBerry Administration Service

Side note: these names and structure could have only been thought up by a java programmer who has total disregard for end user mental stability.


5) Click on the Microsoft Active Directory Authentication Tab


6) Click on Edit Components on the bottom

Side Note: Ah the final configuration screen, this was by far the hardest part. This page is riddled with bugs so you have to be very careful here.

7) Change the Username in the top box to the new account (make sure the domain is included), put in the password of your new account, set the default domain, then set Single sign-on to YES and click SAVE ALL.


If it works it will take a second, then tell you it was OK and to restart the BAS service. If it failed there can be a number of reasons. One: if you only have one domain you do not need to put anything in the bottom box (which, BTW, doesn’t have a name!!! It’s not called the “account forest name” box, is it??). If you have more than one domain my directions might not be exactly right for you but should give you a good start.

8) Restart BAS. The easiest way is to use the services.msc console to restart the BAS-NC service; this will stop and start the app service as well.

So with any luck you should be good to go now. Enjoy, and shame on you RIM for not documenting this properly! This took me 6 hours on the phone with your support and 1 hour to write up. If you are going to take the time to release a feature you could take 1 hour to make sure that bullet-listed features are easy to configure.

UPDATE / SIDE NOTE: Sandra, in the comments, added that you cannot test this on the server console locally; you must do it from another machine.

Cannot connect to Outlook Anywhere (Outlook 2007 RPC over HTTP)

While I am sure there are a ton of reasons Outlook Anywhere will not work, here are the two huge issues we ran into when getting this working.

1) Wild Card Certificates (special handling)

If you are using a wildcard certificate, you will need to run the following command on whatever CAS server you are using:

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.contoso.com

Note: *.contoso.com is replaced with your wildcard certificate name.

You can also check what the current settings are by using:

Get-OutlookProvider

By changing that setting, Autodiscover will push the value into the Outlook client configuration (it shows up on the Outlook Anywhere connection settings in the client):

For more details about wildcards and Outlook Anywhere go here: http://technet.microsoft.com/en-us/library/cc535023.aspx
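A check-then-fix version of the above, as an added example that is not from the original post: it compares what the EXPR provider currently advertises to Outlook with the wildcard certificate actually enabled for IIS, and only runs Set-OutlookProvider when they disagree. It assumes the Exchange Management Shell and uses the post’s *.contoso.com placeholder.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell on a CAS.
$WildcardName = '*.contoso.com'          # replace with your wildcard certificate name
$Expected     = "msstd:$WildcardName"    # the form Outlook expects for a wildcard cert

# 1) Is a certificate with that subject actually bound for IIS (Outlook Anywhere uses it)?
$cert = Get-ExchangeCertificate |
    Where-Object { ($_.Services -match 'IIS') -and ($_.Subject -match [regex]::Escape("CN=$WildcardName")) }
if (-not $cert) {
    Write-Warning "No certificate with subject CN=$WildcardName is enabled for IIS on this server."
    Write-Warning "Setting EXPR to $Expected would make Outlook validate against a name the server does not present."
}

# 2) Compare what Autodiscover currently tells Outlook (EXPR provider) with the expected value.
$expr    = Get-OutlookProvider -Identity EXPR
$current = "$($expr.CertPrincipalName)"
if ($current -ne $Expected) {
    Write-Host "EXPR CertPrincipalName is '$current'; setting it to '$Expected'"
    Set-OutlookProvider -Identity EXPR -CertPrincipalName $Expected
} else {
    Write-Host "EXPR CertPrincipalName already set to '$Expected'; nothing to do"
}

# 3) Show the final state of all providers for the record.
Get-OutlookProvider | Format-Table Name, CertPrincipalName, Server -AutoSize
```

The warning in step 1 is the part worth keeping: a mismatch between the msstd: value and the certificate IIS really serves is exactly the kind of silent failure that shows up only as “Outlook cannot connect”.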

2) Issues with IIS and Certificate Settings

Everyone who is trying to get Outlook Anywhere working should triple check that the root of the IIS site is set to ignore client certificates.

To do that first go to the properties of the IIS website that has your RPC proxy (the root of the website)


Then click the Directory Security tab, and click Edit under Secure communications

Make sure “Ignore Client Certificates” is selected.

You can change all of the subfolders as well, but you must make sure it is set to ignore on the root site.

So there you have it; those were the two issues we had and were able to resolve.

I would like to thank Jason B (one of my Network Administrators) who did the research to discover the second issue.

Disable IE8 “Set up Windows Internet Explorer 8” Wizard

So nothing bothers me more than opening a new server or desktop on my network and seeing the “Welcome to Internet Explorer 8” setup screen every time.

It was a good idea but not executed well.

The main problem I have with it is users have zero idea what to do or click. Users are very much like sheep and don’t want to think or read anything unexpected for fear they might damage the computer.

However, using either a registry setting or a GPO you can disable this unwelcome screen and save yourself some helpdesk calls.

Registry:
DWORD “DisableFirstRunCustomize” set to 1 under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Use any tool you have to push this to your desktops. I personally use ScriptLogic Software’s Desktop Authority to do this.
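For anyone without a deployment product, the registry method as a script that can be run in the user’s context (logon script, etc.). This is an added example, not from the original post; it writes only the HKCU value given above, checks before writing so it is safe to run repeatedly, and verifies the result.

```powershell
# Added example (not from the original post). Sets the per-user IE8 first-run value
# from the post and confirms it. Runs as the user (HKCU), no elevation needed.
$KeyPath   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ValueName = 'DisableFirstRunCustomize'

# The key normally exists once IE has run, but a fresh profile may not have it yet.
if (-not (Test-Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -eq 1) {
    "$ValueName already set to 1 under $KeyPath"
} else {
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    $was = if ($null -eq $current) { 'not present' } else { $current }
    "Set $ValueName = 1 under $KeyPath (was: $was)"
}

# Verify the write actually landed; fail loudly so a logon-script log shows it.
$after = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($after -ne 1) {
    throw "Failed to set $ValueName under $KeyPath"
}
```

Note that this is the plain per-user preference; the GPO method below writes a policy value instead, which users cannot undo from the IE options, so prefer the GPO where you have it.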

GPO:
Go to a GPO then pick computer or user then Policies (in Vista / 2008 and Windows 7) -> Administrative Templates -> Windows Components -> Internet Explorer

Select “Prevent performance of First Run Customize settings”

Then select Enabled, and “Go Directly to home page”

Thanks to Axel S. for providing the GPO method that I and my team had overlooked!

Network Name slowing failover of clusters

So after building a recent cluster I was looking at the time it took to fail over and fail back. I noticed that it took a long time to bring the “SQL Network Name” resource online. After doing some searches on the internet I found this:

http://blog.rollback.hu/2009/03/slow-cluster-failover-waiting-for-network-name-in-online-pending-state/

If you uncheck “Register this connection’s addresses in DNS” in the network properties of the Client Access / Public network interface, bringing this resource online drops to a few seconds.
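The same checkbox flipped from a script, as an added example that is not from the original post or the linked article: it uses the Win32_NetworkAdapterConfiguration WMI class, whose SetDynamicDNSRegistration method is what the “Register this connection’s addresses in DNS” box toggles. It assumes the public NIC’s connection name is “Public”; run it on each cluster node after confirming the node’s own host record exists in DNS some other way, since the adapter will stop refreshing it.

```powershell
# Added example (not from the original post). Disables dynamic DNS registration on one
# adapter and shows the before/after state. Must run elevated on the cluster node.
$AdapterName = 'Public'   # ASSUMED connection name; use the one shown in Network Connections

$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$AdapterName'"
if (-not $adapter) {
    throw "No network connection named '$AdapterName' on $env:COMPUTERNAME"
}

# The configuration object (IP settings, DNS registration) is associated with the adapter.
$config = $adapter.GetRelated('Win32_NetworkAdapterConfiguration') | Select-Object -First 1
"Before: FullDNSRegistrationEnabled = $($config.FullDNSRegistrationEnabled)"

if ($config.FullDNSRegistrationEnabled) {
    # First argument: register this connection's addresses; second: also use the
    # connection-specific DNS suffix. Both off = the checkbox in the post unchecked.
    $result = $config.SetDynamicDNSRegistration($false, $false)
    if ($result.ReturnValue -ne 0) {
        throw "SetDynamicDNSRegistration failed with WMI return code $($result.ReturnValue)"
    }
}

# Re-read rather than trusting the cached object.
$config = $adapter.GetRelated('Win32_NetworkAdapterConfiguration') | Select-Object -First 1
"After:  FullDNSRegistrationEnabled = $($config.FullDNSRegistrationEnabled)"
```

Only the public/client-access interface should be changed; leave the heartbeat network alone, and check the failover time again afterwards so you know this was the cause in your cluster.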

Fix: “The current SKU is invalid” when adding second node to SQL 2008 Cluster

Quick post: I was building a SQL 2008 Active / Passive cluster today on Windows 2003 x64 and got stuck when adding the second node.

Turns out to be a bug in the install media. Microsoft has a hotfix posted but that doesn’t seem to work correctly.

Got the correct fix from here:

http://forums.techarena.in/server-cluster/1032365.htm

The Workaround:

In the install media folder, under \x64, find the DefaultSetup.ini file.

Just comment out the product key line (copy the key while you’re in the file) and enter the key manually during the installation.

Worked perfectly.

MSA 500 on Windows 2008

I had an HP MSA 500 G1 and G2 storage array lying around that I got with some DL380 G3s. I figured I would buy new DL380 G5s, add in an HBA, and I would have a nice shiny new cluster for SQL 2008 x64.

I was dead wrong. First, the MSA500 with an HBA is not even recognized by the OS. Then I used a Smart Array 6402 storage controller card and was able to see the MSA500 in the OS. Still no go: failover clustering in Windows 2008 requires SCSI-3 (persistent reservation) support, which the MSA500 cannot do.

Just figured I would save anyone else the pain of having to order and return all of those parts.

I ended up installing Server 2003 x64 and that’s working great.