KB17711 - Setting up Microsoft Office Communications Server 2007 with BlackBerry Enterprise Server 4.1 SP6
Environment
- BlackBerry® Enterprise Server version 4.1 SP6 for Microsoft® Exchange
- Microsoft® Office Communications Server 2007
Overview
This article provides a brief overview of the actions needed to connect Microsoft Office Communications Server 2007 and the BlackBerry Enterprise Server. It assumes that Microsoft Office Communications Server 2007 is currently installed and running within the environment and that the Microsoft® Internet Information Server has been set up to support Kerberos™ authentication.
This article covers the following:
- Installing a Microsoft® Communicator Web Access 2007 Virtual Server.
- Configuring the MDSlogin.conf and krb5.conf files.
Installing a Microsoft Communicator Web Access 2007 Virtual Server
- Expand Microsoft Office Communicator Web Access Manager.
- Right-click the server and then select Create Virtual Web Server.
- In the Wizard, select the following options:
  - Internal (The BES only supports internal server types)
  - Use Built-in Authentication
  - Forms-based and integrated (NTLM/Kerberos) authentication
  - HTTP or HTTPS (select based on your preferences)
  - Machine IP and Port to use
  - Provide the virtual server a name
Configuring the MDSlogin.conf and krb5.conf files
Task 1 - Configure the MDSLogin.conf file to include your domain name
- On the BlackBerry Enterprise Server navigate to C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BBIM\Servers\servername\config.
- Open the MDSLogin.conf file in a text editor.
- Edit the MDS_Default section by replacing COMPANY.COM with your domain name.
- Save and close the file.
Task 2 - Configure the krb5.conf file to include details relevant to your specific Microsoft® Active Directory® environment
- On the BlackBerry Enterprise Server navigate to C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BBIM\Servers\servername\config.
- Open the krb5.conf file in a text editor.
- The default sections and entries contained within this file are as follows:
[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
[realms]
# change COMPANY.COM to your Kerberos realm
# change KDC:88 to the hostname:port of KDC
COMPANY.COM = {kdc = KDC:88}
Note: At a minimum, COMPANY.COM should be replaced with your domain name.
The KDC:88 entry may need to be replaced with the fully qualified domain name (FQDN) of the KDC within your Microsoft Active Directory environment and port number (if changed from the default of 88). However, your Domain Name System (DNS) infrastructure should provide the required server details when queried.
Additional Information
Kerberos is an authentication system developed at the Massachusetts Institute of Technology (MIT). Depending on the complexity of your Microsoft Active Directory environment, further sections and entries may be required within the krb5.conf file. For full details of what the possible sections and entries should contain, see the MIT web site.
In large, complex Microsoft Active Directory environments, multiple realms sections may be required for your computer to be able to communicate with the KDC for each realm. The tag must be given a value in each realm subsection in the configuration file, or there must be valid DNS SRV records specifying the KDCs. However, the [libdefaults] section may require a default realm entry which identifies the default Kerberos realm for the BlackBerry Enterprise Server.
The krb5.conf file that is installed with the BlackBerry Enterprise Server also sets default session key encryption types. These are contained under the [libdefaults] section:
[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
The MIT web site defines these encryption types as follows:
des-cbc-md5 = DES cbc mode with RSA-MD5
des-cbc-crc = DES cbc mode with CRC-32
Note: Additional session key encryption types may be required within the krb5.conf file if your environment supports or requires them. See the following web site for more details:
JGSS Security Enhancement List
For instance, starting from Java® Platform, Standard Edition (Java SE) 6, support for the RC4-HMAC encryption type is available in Java GSS/Kerberos. This encryption type can therefore be added to the krb5.conf file under the [libdefaults] section:
[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc; or rc4-hmac
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc; or rc4-hmac
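Added example, not part of the original article or of BlackBerry's tooling: a Python check to run over the krb5.conf edited in Task 2, reporting any COMPANY.COM or KDC:88 placeholder left in place and any of the three encryption types named in this article, which are single-DES and RC4 types since deprecated for Kerberos (RFC 6649, RFC 8429). The function names, the sample realm EXAMPLE.TEST and the parsing of only the single-line layout shown above are assumptions of this example.

```python
import re

# Enctypes named in this article: single-DES (deprecated by RFC 6649)
# and RC4-HMAC (deprecated by RFC 8429).
WEAK = {"des-cbc-md5", "des-cbc-crc", "rc4-hmac"}
PLACEHOLDERS = ("COMPANY.COM", "KDC:88")  # shipped defaults named in the article

def parse_krb5(text):
    """Parse the single-line layout shown in this article into {section: {key: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        # Assumption: '#' lines and text after ';' are comments, as in the article's listing.
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = conf.setdefault(m.group(1), {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            section[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return findings: weak enctypes, leftover placeholders, realms without a kdc."""
    conf, findings = parse_krb5(text), []
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in re.split(r"[\s,]+", conf.get("libdefaults", {}).get(key, "")):
            if enc.lower() in WEAK:
                findings.append(f"weak enctype {enc} in {key}")
    for realm, body in conf.get("realms", {}).items():
        if realm in PLACEHOLDERS:
            findings.append(f"placeholder realm {realm} not replaced")
        kdc = re.search(r"kdc\s*=\s*([^\s}]+)", body)
        if kdc is None:
            findings.append(f"realm {realm} has no kdc entry (DNS SRV lookup required)")
        elif kdc.group(1) in PLACEHOLDERS:
            findings.append(f"placeholder KDC {kdc.group(1)} in realm {realm}")
    return findings

# Constructed sample: the shipped file after only the realm name was edited.
SAMPLE = """[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
[realms]
EXAMPLE.TEST = {kdc = KDC:88}
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```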