As I write this entry, I am on the phone with RIM technical support. Let me tell you the story of upgrading my BES server to version 5.0.
*NOTE: The second time this issue occurred, it was DNS related, insofar as the entry had been changed to the wrong server name through replication.
I have been working with BES for a long time (since version 2) and my current environment is 4.6. I downloaded the 5.0 upgrade media and kicked off the install. I was pleased with the progress and the install seemed to be moving right along with no major issues. Every other time I have upgraded my BES servers, something always went crazy mid install, be it my fault or not.
The first option, which I am still regretting, is the option to select Windows authentication for the BlackBerry Administration Service. I had thought, why would I need another hardset password, my organization would just use the besadmin account anyways! As you will see, this is a huge mistake.
The install finishes without any noticeable problems and the first thing I realized was that the BlackBerry Manager snap-in no longer works. I read up on the features that version 5.0 brings, but for some reason, I never knew that it would take it to a webdav. Regardless, I launch the shortcut and it brings me to a pretty login page where I enter the besadmin creds. It then provides the error message:
“The username, password, or domain is not correct. Please correct the entry”
The first thing I do is enter it again, and again, and again. Next, I check to make sure that the time is correct on the BES server and the LDAP domain controller. It is. This rules out the TIME KB. I then verify that my reverse DNS and proper LDAP settings are correct. They are. This rules out the LDAP KB.
After further reading, I see that the test LDAP settings button may be corrupted. I did hit the test LDAP button (who wouldn’t????) and thought, HA that MUST be my problem. I followed the following steps in option 1, and rebooted the BES, but the error still occurred.
Option 1
- On the server where the BlackBerry Administration Service is installed, navigate to this directory: <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin
- Run the following command: basUtility "C:\Program Files\Java\jre1.5.0_15" "C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS" encode "<LDAP Password>" > C:\Output.txt
- Open the text file created in Step 2.
- Copy the hashed version of the password to your Microsoft SQL Server.
- Run the following SQL Query against the BlackBerry Configuration Database: update BASAuthenticationCredentials set password = '<contents of output.txt>' where AuthenticationType LIKE '1'
- Restart the BlackBerry Administration Service services.
- Log in to the BlackBerry Administration Service using Microsoft Active Directory.
Option 2
Install the BlackBerry Administration Service again.
I then went down the path of option 2, but this also did not fix my issue. At this point, I was at my wits' end, and decided to give RIM tech support a call. Applying the latest SPs actually allowed me to log in, and I was happy. This worked until my VM got rebooted, and now today, the problem is still occurring. Once the BES tech gets back on the phone (I have been on hold for 40 minutes now, while he “reviews” my case), I will paste the resolve.



August 20th, 2009 at 3:20 pm
So what was the fix? Are you still on the phone with RIM… I am having the same issue and have been back and forth with RIM for several days now. Thanks
August 21st, 2009 at 5:53 am
What's the update to this? Were you able to get this resolved?
August 24th, 2009 at 5:26 pm
Were you able to get this resolved? I have the same issues. I have LDAP working, but cannot log into web desktop manager, nor administration console with LDAP credentials.
September 4th, 2009 at 3:03 pm
Nice wall of text, too bad it is USELESS without a fix. I am glad I skipped to the comments and noticed you did not provide or come across a fix instead of wasting my time reading what I already know.
October 19th, 2009 at 8:06 pm
All it was for me was that if you looked carefully during your LDAP query verification it will succeed – but it’s kind of a faux pas. Because in reality if you used the default besadmin user to query it – sure it will find it – but it doesn’t have AD permissions to perform an actual query and password authentication. Just use a domain administrator account to do the LDAP query – and it works just fine after that. I think you can change your LDAP query username in the configuration without having to re-run the entire setup like I did.
Cheers! I won’t find my way back to this blog – but I hope I helped someone.
December 30th, 2009 at 5:14 pm
Had this problem last night. Adjusting the LDAP settings causes a plain text password (not a hashed password) to be stored in the ldap preventing login. Please see http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB18161
May 23rd, 2010 at 7:00 pm
Found this; Hope it helps the people here who find this on google and get annoyed that it does not provide answers!
I had about eight or nine hours trying to resolve this yesterday and this is what I finally did to get this working. I am posting this here for others who may have the same issue and hopefully it may help the OP of this thread.
I made a discovery in the Security log of the Event Viewer on my server that was hosting both BES Express 5.0.1 as well as Exchange 2007. They are both on the same box. The Security log entry made reference to a Kerberos right being denied to the BESADMIN Active Directory account around the time I tried to log in to the BES Admin service website. This was irrespective of whether I wanted to log in to the BES Express Admin website as BESADMIN or as another login (say my domain admin account).
I deduced from this that when the BES Express Admin Web service needs to verify your login it is being denied some sort of Kerberos ticket and/or elevated privilege. Since the message indicated the problem to be with the BESADMIN Active Directory user that I created for installing BESX and of course used by the BESX background services to execute under, I checked out the properties of this account I had created and made the following changes / settings.
Using Active Directory Users and Computers
I went to the users container and right clicked on the user BESADMIN and selected properties. Under the Account Tab I set the following items in the “Account Options” list at the bottom of that tab.
Use Kerberos DES etc – Checked.
This account Supports Kerberos AES 128bit encryption – checked.
This account supports Kerberos AES 256bit encryption – checked.
Do not require Kerberos preauthentication – UNCHECKED.
I rebooted the server (Not just restarting the background services!) and finally I was able to login to the BESX Administration Service web site under BESADMIN or under my Domain Admin login ID.
Hope that helps anyone else in this predicament. It was an unnecessarily long day yesterday getting this going thanks to that one stupid little problem.
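The account options listed in the comment above are stored as bits in the account's userAccountControl and msDS-SupportedEncryptionTypes attributes. The following is an added example (not from the commenter or from RIM) that decodes those two values and reports the settings a reviewer would question on a service account, since DES is an obsolete cipher and an account that skips preauthentication exposes its password to offline guessing. The function name and the sample numbers are constructed for illustration.

```powershell
# Added example: decode the Kerberos-related settings of a service account.
# Bit values are the documented userAccountControl and
# msDS-SupportedEncryptionTypes flags; the sample numbers are constructed.
function Get-KerberosAccountFindings {
    param(
        [Parameter(Mandatory)] [int] $UserAccountControl,
        [int] $SupportedEncryptionTypes = 0      # 0 = attribute not set
    )

    $encBits = [ordered]@{
        'DES-CBC-CRC' = 0x01
        'DES-CBC-MD5' = 0x02
        'RC4-HMAC'    = 0x04
        'AES128'      = 0x08
        'AES256'      = 0x10
    }
    # Names of the encryption types whose bit is set on the account
    $enabled = @($encBits.Keys | Where-Object { $SupportedEncryptionTypes -band $encBits[$_] })

    $findings = @()
    if ($UserAccountControl -band 0x200000) {    # USE_DES_KEY_ONLY
        $findings += 'Use Kerberos DES encryption types is checked'
    }
    if ($UserAccountControl -band 0x400000) {    # DONT_REQ_PREAUTH
        $findings += 'Kerberos preauthentication is not required'
    }
    if ($enabled -match '^DES') {
        $findings += 'DES is listed in msDS-SupportedEncryptionTypes'
    }
    if (-not ($enabled -match '^AES')) {
        $findings += 'No AES type is listed in msDS-SupportedEncryptionTypes'
    }

    [pscustomobject]@{
        EncryptionTypes = $enabled -join ', '
        Findings        = $findings
    }
}

# Constructed sample matching the comment: DES checked, AES128 and AES256 checked,
# preauthentication still required.
# 0x200200 = NORMAL_ACCOUNT (0x200) + USE_DES_KEY_ONLY (0x200000); 0x18 = AES128 + AES256
Get-KerberosAccountFindings -UserAccountControl 0x200200 -SupportedEncryptionTypes 0x18

# Against a live directory (needs the ActiveDirectory module; besadmin is the page's account):
# $u = Get-ADUser besadmin -Properties userAccountControl, 'msDS-SupportedEncryptionTypes'
# Get-KerberosAccountFindings -UserAccountControl $u.userAccountControl `
#     -SupportedEncryptionTypes $u.'msDS-SupportedEncryptionTypes'
```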
May 11th, 2011 at 8:21 pm
I have the same problem, but I can't call BlackBerry service because they don't have help in Spanish. I'm going to try the user account checks; it is my last hope.
Thanks.
If it works I'll post it.
May 11th, 2011 at 8:46 pm
Doesn't work.
May 12th, 2011 at 2:03 am
BTW: The fix for me was to use blackberry authentication instead of windows authentication…..
May 12th, 2011 at 7:32 pm
Nothing works. I'm using the BES Express version 5.0.2 with MR1 (bundle 25)
and still can't log in, using AD DS or BES.
I'm lost, any help please ….
May 13th, 2011 at 8:12 pm
Esteban,
Reinstall and select BES instead of AD. DO NOT INSTALL WITH AD.
On top of that, do not use characters for the password. I have another post on the site that says what characters you can use.
Good luck!
Koopa
August 5th, 2011 at 12:12 am
fuck you
September 19th, 2011 at 6:06 pm
I found out that there were entries in DNS from an old server that once hosted DNS and was retired. That server was in the SOA all over the DNS tree. I went into each section that has the -TCP and removed the old server from DNS. After I confirmed nothing in DNS was pointing to that retired server, I reset the cache and the DNS server.
I ran on the BES ipconfig /flushdns
I restarted BlackBerry Administration Service – Native Code Container
I then watched the task manager to show BAS-AS at over 500,00K Memory usage and )-1% on CPU
I then tried again and voilà, it worked!!
October 22nd, 2011 at 3:42 am
I really have a big hate on for BES right now…
No one could log on to the BES admin site.
Here is how I fixed the problem.
I found a link that said that BES does not like special characters. I was able to change the pw in the BES configuration console Active Directory (or LDAP) tab
to a pw that only included letters and numbers.
I restarted the server.
But I still could not log in to the BES administration site.
I found that I got a security bar “that Internet Explorer is blocking access to the website” when I tried to load the BlackBerry Web Desktop Manager.
I added https:// servername to the list of trusted sites. I then reloaded “BlackBerry Web Desktop Manager” without an error.
Then I tried BlackBerry Administration Service and what do ya know … it now works.
I have seen no reference to any such Internet Explorer problem in any BES blog or posting.
hope this helps someone