Configure BES 5.0.2 SSO / Auto Logon (Active Directory)

So when I heard they released BES 5.0.2 (v5 SP2) I was super excited because they were finally enabling single sign-on for the admin and web desktop.

However like many things RIM they made it EXTREMELY hard to configure. When I called T-Support they didn’t know how to configure it but forwarded me to page 260 of the 5.0.2 admin guide.

For those that just want the steps scroll down, the next few paragraphs will be me ranting. Look for the larger underlined text for the steps.

Ok let’s see, Step 1 from the Admin Guide:

Use the Windows Server® ADSI Edit tool to add the following SPNs for the BlackBerry® Administration Service pool to the

Microsoft® Active Directory® account :

• HTTP/<BAS_pool_FQDN> (for example, HTTP/

• BASPLUGIN111/<BAS_pool_FQDN> (for example, BASPLUGIN111/

Ok doesn’t really make any sense, doesn’t tell you for which AD account nor how to do those steps but I am sure step 2 will explain better.

If you create separate pools of BlackBerry Administration Service instances and BlackBerry Web Desktop Manager instances

in the BlackBerry Administration Service pool, add the HTTP/<BAS_pool_FQDN> SPN for each pool to the Microsoft Active

Directory account.

Nope, no help there. THANKS RIM! Super awesome instructions! I called back and got their overseas call center. He was not helpful at all, when I told him “listen it’s a new feature that came out yesterday, let’s just save us both some time and pass me along to someone who has actually enabled this before” I was told he could not. When I asked for his manager he told me that management wasn’t technical and couldn’t help me either. I insisted and magically I got elevated to level 2 (an “analyst”) without speaking to the manager.

Side Note: If they put as much thought into their tech documents as they do their technical support tier names I think I wouldn’t have to call them.

Level 2 wasn’t much more help, they definitely didn’t get any training on what I would think would be a highly requested feature. He put me on hold for 10 minutes and came back with a “private section of the admin guide”. I am going to spare you the 8 pages of nonsense from that and instead give you clear steps on how to enable this feature.

Configuring AD at accept BlackBerry Enterprise Server 5.0.2 Single Sign-on

Background info: I am going to be using a Windows 7 / 2008 R2 Active Directory Users and Computers MMC, if you don’t have this version you can use ADSI edit to do the same thing. For deployment I decided to make a new AD Account for the purpose of Single Sign-On instead of making AD changes to the existing BES Service Account we had been using. The documentation isn’t clear if this is the way you should do it or not.

Disclaimer: This is all at your own risk. This did work for me but I do not clam to know your exact environment. If you are in doubt of any of these steps contact T-Support and have them help you. Also if you find better ways or if I have items that are not accurate please leave me a comment so I can clean it up. For all my ranting at RIM the real reason I do this is so others don’t have to go through the hassle that I did.

1) Open ADUC (Active Directory Users and Computers MMC)

2) Make sure Advanced Features are enabled by clicking View -> Advanced Features (checked means its enabled)

3) Find a nice OU to put your new service account in and create the account. (For my example I called mine svc-blackberry-ldap)

4) Right click your new user account and go to properties

5) Go to the Attribute Editor (if not there you don’t have advanced features enabled or you are not using a later version of ADUC, if that is the case use ADSI edit)

6) Double click on “servicePrincipalName”

7) Add the following:

BASPLUGIN111/<poolname /w FQDN>
HTTP/<poolname w/FQDN>

If your blackberry pool is called blackberry and your domain name is company.local then it would be:


That is SPN then forward slash then FQDN of Pool. No spaces.

8) Then click OK.

9) Next open the properties of the new account again by right click -> properties

10) You should see a delegation tab next to telephone

11) Select the “Trust this user for delegation to specified service only” and the sub option of “Use Kerberos only”

12) Next click Add on the bottom of the delegation screen

13) Click the “Users or Computers…” button

14) Type in the name of that service account you just created (that you also have the properties open for) my example is “svc-blackberry-ldap” and click OK

15) Next click Select All on the bottom then click OK

16) Then click OK the finish configuring AD.

Now your AD is setup correctly, we have to move onto configuring the BES/BAS Server to use this account. If you have a larger environment you may want to wait till AD replication is finished. In my setup both DC’s that my BES/BAS server used were local site, I waited 5 minutes anyways just to be safe.

Configuring BAS / BlackBerry Enterprise Server 5.0.2 Single Sign-on

1) Logon to your BES/BAS Admin Site (I recommend using the account you used to install but not required if you have full admin rights)

2) Click on Administrator User -> Create an Administrator User

3) Next put in the account details from the service account you just created and click “create an administer user” (note | the password is of the BES Admin not the new account.)

4) Next navigate to Server and Components -> BlackBerry Solutions Topology -> BlackBerry Domain -> Component View -> BlackBerry Administration Service

Side note: these names and structure could have only been thought up by a java programmer who has total disregard for end user mental stability.

5) Click on the Microsoft Active Directory Authentication Tab

6) Click on Edit Components on the bottom

Side Note: Ah the final configuration screen, this was by far the hardest part. This page is riddled with bugs so you have to be very careful here.

8) Change the Username to the new account on the top box, make sure domain is in there, put the password of your new account, set the default domain, then set the Single sign-on to YES and click SAVE ALL.

If it works it will take a second then tell you it was ok and to restart the BAS service. If it failed there can be a number of reasons. One, if you only have one domain you do not need to put anything on the bottom box (which BTW doesn’t have a name!!! It’s not called the “account forest name” box is it??) If you have more than one domain my directions might not be exactly right for you but should give a good start.

9) Restart BAS. Easiest way is to use the services.msc console to restart the BAS-NC service, this will stop and start the app service as well.

So with any luck you should be good to go now. Enjoy and shame on you RIM for not documenting this properly! This only took me 6 hours on the phone with your support and 1 hour to write up. If you are going to take the time to release a feature you could take 1 hour to make sure that bullet listed features are easy to configure.

UPDATE / SIDE NOTE: Sandra from in the comments added that you can not test this on the server console locally, you must do it from another machine.

Cannot connect to Outlook Anywhere (Outlook 2007 RPC over HTTP)

While am a sure there are a ton of reasons Outlook Anywhere will not work, here are the two huge issues we ran into when getting this working.

1) Wild Card Certificates (special handling)

If you are using a wild card certificate, you will need to run the following connect on whatever CAS server you are using:

Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*

You can also check what the current settings are by using:

Note: * is replaced with your wildcard certificate name.


by changing that setting it will update autodiscovery to set that into the outlook client configuration as shown here:

For more details about wildcards and Outlook Anywhere go here:

2) Issues with IIS and Certificate Settings

Everyone who is trying to get Outlook Anywhere working should triple check that on the root of the IIS site is set to ignore client certificates.

To do that first go to the properties of the IIS website that has your RPC proxy (the root of the website)

Then click the directory Security Tab, and click Edit on Secure communications

Make sure “Ignore Client Certificates” is selected.

You can change all of the sub folders but you must make sure it is set to ignore on the root site.

So there you have it, those were to two issues we had and were able to resolve.

I would like to thank Jason B (one of my Network Administrators) who did the research to discover the second issue.

Disable IE8 “Set up Windows Internet Explorer 8” Wizard

So nothing bothers me more than every time I open a new server or desktop on my network then seeing the “Welcome to Internet Explorer8” setup screen.

It was a good idea but not executed well.

The main problem I have with it is users have zero idea what to do or click. Users are very much like sheep and don’t want to think or read anything unexpected for fear they might damage the computer.

However using ether registry setting or GPO you can disable this unwelcomed screen and save yourself some helpdesk calls.

DWORD : “DisableFirstRunCustomize” set to 1 under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Use any tool you have to push this to your desktops. I personally use ScriptLogic Software’s Desktop Authority to do this.

Go to a GPO then pick computer or user then Policies (in Vista / 2008 and Windows 7) -> Administrative Templates -> Windows Components -> Internet Explorer

Select “Prevent performance of First Run Customize settings”

Then select Enabled, and “Go Directly to home page”

Thanks to Axel S. for providing the GPO method that I and my team had overlooked!

Network Name slowing failover of clusters

So after building a recent cluster I was looking at time it took to failover and failback. I noticed that it took a long time to bring the “SQL Network Name” resource online. After doing some searches on the internet I found this:

If you uncheckRegister this connection’s address in DNS” for the Network Properties of the Client Access / Public Network interface it would go to a few seconds to fire this up this resource.

Fix: “The current SKU is invalid” when adding second node to SQL 2008 Cluster

Quick post, was building a SQL 2008 Active / Passive cluster today on Windows 2003 x64 and got stuck when adding the second node.

Turns out to be a bug in the install media. Microsoft has a hotfix posted but that doesn’t seem to work correctly.

Got the correct fix from here:

The Workaround:

In the install media folder under \x64 find the DefaultSetup.ini file.

Just comment out the key (while you’re in the file copy the key) and put the key in during the installation.

Worked perfectly.

MSA 500 on Windows 2008

I had a HP MSA 500 G1 and G2 Storage array lying around that I got with some DL380 G3’s. I figured I would buy new DL380 G5’s add in a HBA and I would have a nice shiny new cluster for SQL 2008 x64.

I was dead wrong. First the MSA500 with HBA is not even recognized by the OS. Then I used a Smart Array 6402 Storage Controller card and was able to see the MSA500 in the OS. Still no go, Clustering services in Windows 2008 requires some sort of SCSI protocol v3 which the MSA500 cannot do.

Just figured I would save anyone else the pain of having to order and return all of those parts.

I ended up installing Server 2003 x64 and that’s working great.