KB15642 - Configure BlackBerry MDS for Kerberos Authentication to a site on IIS
hdawg, 05-26-2009, 05:18 PM
KB15642 - Configure BlackBerry Mobile Data System for Kerberos Authentication to a web site hosted on an IIS web server


Environment

  • BlackBerry® Enterprise Server versions 4.1 and 5.0
  • Microsoft® Internet Information Services (IIS)
Overview

To configure the BlackBerry® Mobile Data System (BlackBerry MDS) for Kerberos™ authentication to a web site hosted on a Microsoft IIS web server, complete the following steps:
  1. Configure the Microsoft IIS web server to support Kerberos authentication as follows:
    1. If the Microsoft IIS web server is a member of the domain but is not a domain controller, the computer account must be trusted for delegation for Kerberos authentication to work properly.
    2. Select the Integrated Windows Authentication option on the directory security of the web site.
    3. Determine whether you are connecting to the web site by using the actual NetBIOS name of the server or by an alias name, such as a DNS name. If you are accessing the web site by using a name other than the actual name of the server, a new service principal name (SPN) must have been registered by using the Setspn tool from the Windows Server® Resource Kit.
    4. Ensure that the correct authentication methods are listed in the metabase for the Microsoft IIS server or particular web site. For example, if your server was upgraded from Windows NT® 4.0 to Windows® 2000, the Negotiate authentication method is not available, and you must add it manually. For full details of how to configure these settings please go to http://support.microsoft.com and search for Troubleshooting Kerberos-related issues in IIS.
  2. Configure the BlackBerry MDS Connection Service to support Kerberos authentication as follows.
    1. Ensure the BlackBerry MDS Connection Service has the Support HTTP Authentication option set to True by completing the following steps:
      1. In BlackBerry Manager, select <BlackBerry_Enterprise_Server_name>_MDS-CS_1.
      2. Click Edit Properties.
      3. In the Properties window, click HTTP.
      4. Under Authentication set the Support HTTP Authentication to True.

        If you change this configuration, you will need to restart the BlackBerry MDS service in the Windows Services window.

        When this is set to True, the BlackBerry MDS Connection Service will prompt the BlackBerry smartphone user for credentials and pass this information to the relevant authentication service on behalf of the BlackBerry smartphone user.

        When this option is set to False, the BlackBerry smartphone user will be prompted for credentials to authenticate directly with the web server's internal security database and not through an external authentication service. For instance, if the web site is configured for Basic Authentication, instead of, or as well as, Integrated Authentication.
    2. Amend the MDSLogin.conf file. The MDSLogin.conf file is the Java® Authentication and Authorization Service (JAAS) pluggable authentication configuration file. A description of this file can be found in the Sun Microsystems® Java Development Kit (JDK) documentation. Go to http://www.sun.com and search for Where to Specify Which Login Configuration File Should Be Used to learn more about the JAAS Login Configuration File.
      BlackBerry MDS Connection Service uses 3 login modules.
      • com.sun.security.auth.module.Krb5LoginModule - Sun Microsystems Kerberos 5 login module for JAAS. This module is used for Kerberos authentication.
      • net.rim.security.auth.module.ntlm.NtlmLoginModule - Research In Motion® (RIM®) NTLM login module for JAAS. This module is used for NTLM authentication.
      • net.rim.security.auth.module.pwd.PwdLoginModule - RIM clear password login module for JAAS. This module is used for network authentication mechanisms using clear passwords, such as HTTP Basic authentication.
      The <flag> entered for each option can take one of the 4 values: optional, required, requisite and sufficient. For a complete explanation of the <flag> please go to http://www.sun.com and search for javax.security.auth.login class configuration.
      The LoginModule options are module specific; each module has its own set of options. For details of options in Sun Microsystems Kerberos module please go to http://www.sun.com and search for Class Krb5LoginModule.
      Configure the MDSLogin.conf file to include your domain name. This will populate the domain field for the BlackBerry smartphone user when they are prompted for credentials on their BlackBerry smartphone. Complete the following steps:
      1. On the BlackBerry Enterprise Server, go to C:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\servername\config.
      2. Open the MDSLogin.conf file in a text editor.
      3. Edit the MDS_Default section by replacing COMPANY.COM with your domain name.

        Note: If the domain name starts with a number, surround the domain name with quotes ("").
      4. If you wish to force a particular authentication type you can change the relevant optional entry to required.
      5. Save and close the file.
  3. Configure the krb5.conf file to include details relevant to your specific Microsoft® Active Directory® environment as follows:
    1. On the BlackBerry Enterprise Server navigate to C:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\servername\config.
    2. Open and edit the krb5.conf in a text editor. The default sections and entries contained within this file are as follows:
      [libdefaults]
      default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
      default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
      [realms]
      # change COMPANY.COM to your Kerberos realm
      # change KDC:88 to the hostname:port of KDC
      COMPANY.COM = {
      kdc = your_kdc.your_domain.com:88
      }
    3. Replace the COMPANY.COM entry under the [realms] section with your domain name. Ensure this entry is in UPPER case.
    4. Enter the Fully Qualified Domain Name (FQDN) of the KDC within your Microsoft Active Directory environment and port number (if changed from the default of 88). Ensure host names and domain names are in lower case.
    5. Restart the BlackBerry MDS Connection Server service in Windows Services.
Additional Information

Kerberos is an authentication system developed at the Massachusetts Institute of Technology (MIT). Depending on the complexity of your Microsoft Active Directory environment, further sections and entries may be required within the krb5.conf file. Full details of the possible further sections, and the entries each section can contain, can be found on the MIT website at the following location:
http://web.mit.edu/kerberos/www/krb5...html#krb5.conf
In large, complex Microsoft Active Directory environments, multiple realms sections may be required for your computer to be able to communicate with the KDC for each realm. The tag must be given a value in each realm subsection in the configuration file, or there must be valid Domain Name System service (DNS SRV) records specifying the KDCs. However, the [libdefaults] section may require a default realm entry which identifies the default Kerberos realm for the BlackBerry Enterprise Server.
Also, the session key encryption types that are set as default in the krb5.conf file installed during the BlackBerry Enterprise Server installation are contained under the [libdefaults] section:
[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
From the MIT website, the definitions of these encryption types are as follows:
des-cbc-md5 = DES cbc mode with RSA-MD5
des-cbc-crc = DES cbc mode with CRC-32
Please note that additional session key encryption types may be required within the krb5.conf file if your environment supports or requires additional key types. See the following website for details:
http://java.sun.com/javase/6/docs/te...-features.html
For instance, starting from Java SE 6, Java GSS/Kerberos supports the RC4-HMAC encryption type, so this encryption type can be added to the krb5.conf under the [libdefaults] section:
[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc ; or rc4-hmac
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc ; or rc4-hmac
Note: Incorrect or invalid encryption types within the krb5.conf file can result in HTTP 500 errors when attempting to browse to websites that require Kerberos authentication.

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.
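As an added example (not part of the original post or of the KB article), a small Python checker that applies the krb5.conf rules from the procedure above and from the encryption-type note: realm names in UPPER case, KDC host names in lower case, a kdc entry per realm, and only encryption types the KB names. The KNOWN_ENCTYPES set and the BAD_CONF sample are assumptions constructed for the example, not values from the page.

```python
import re

# Session-key enctypes the KB names (the DES pair plus rc4-hmac from Java SE 6);
# assumption: extend for your JRE. Anything else is the mistyped-enctype case.
KNOWN_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "rc4-hmac"}

def parse_krb5_conf(text):
    # Parses the one-level [section] / REALM = { ... } form shown in the KB.
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # '#' / ';' comments
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section, realm = line[1:-1].lower(), None
            conf.setdefault(section, {})
        elif line == "}":
            realm = None
        elif "=" in line and section:
            key, val = (p.strip() for p in line.split("=", 1))
            if val == "{":  # opens a realm subsection
                realm = key
                conf[section][realm] = {}
            else:
                (conf[section][realm] if realm else conf[section])[key.lower()] = val
    return conf

def check_krb5_conf(text):
    # Applies the KB's rules; returns a list of findings (empty means all passed).
    conf, findings = parse_krb5_conf(text), []
    lib = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in lib.get(key, "").replace(",", " ").split():
            if enc.lower() not in KNOWN_ENCTYPES:
                findings.append(f"{key}: enctype {enc!r} not in supported list")
    for realm, entries in conf.get("realms", {}).items():
        if realm != realm.upper():
            findings.append(f"[realms] {realm}: realm name must be UPPER case")
        kdc = entries.get("kdc", "") if isinstance(entries, dict) else ""
        host = kdc.partition(":")[0]
        if not host:
            findings.append(f"[realms] {realm}: missing kdc entry")
        elif host != host.lower():
            findings.append(f"[realms] {realm}: kdc host {host!r} must be lower case")
    return findings

# Constructed sample: lower-case realm, upper-case KDC host and a mistyped enctype.
BAD_CONF = ("[libdefaults]\ndefault_tgs_enctypes = desc-cbc-md5 ; typo\n"
            "[realms]\nexample.com = {\nkdc = DC01.example.com:88\n}\n")
```

Running check_krb5_conf(BAD_CONF) reports the three mistakes; a file that follows the KB's steps returns an empty list.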
hdawg, 08-30-2009, 11:01 AM
updated