KB17949 - “The username, password, or domain is not correct. Please correct the entry” error when trying to authenticate to BlackBerry Administration Service
Environment
- BlackBerry® Enterprise Server version 5.0
- SDR312881
Overview
While trying to authenticate to BlackBerry Administration Service with a BlackBerry Administration Service administrative account that was added from Microsoft® Active Directory®, you receive the error "The username, password, or domain is not correct. Please correct the entry." even though the credentials you entered are correct.
When viewing the BlackBerry Administration Service Application Server log, located in C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Logs\, you see the following:
{http-SERVER.DOMAIN.COM%2F10.9.12.93-443-2} [com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] {u=SystemUser, t=3767} performPagedLDAPSearch problem performing LDAP operation: url=ldap://server.domain.com:389 base=CN=Partitions,CN=Configuration,DC=domain,DC=com filter=(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=3)(|(nETBIOSName=dsnet)(dnsRoot=dsnet))) scope=1error=javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
Cause
The BlackBerry Administration Service is unable to perform a reverse address lookup, or receives invalid results for the reverse lookup.
Cause 1
The Lightweight Directory Access Protocol (LDAP) server for which BlackBerry Administration Service is trying to obtain a Kerberos™ ticket does not have a reverse Domain Name System (DNS) entry (PTR record) that resolves to the principal name registered in Microsoft Active Directory. For example, a PTR record may resolve an Internet Protocol (IP) address to ldapserver.domain.com, but the servicePrincipalName attribute on the server object in Microsoft Active Directory has no entry for ldap/ldapserver.domain.com. This can happen when the reverse zone was created manually and configured to match a disjoint namespace.
Cause 2
On the computer that hosts the BlackBerry Administration Service, there is an entry in the C:\Windows\System32\drivers\etc\hosts file that points to the IP address of the LDAP server, but references an incorrect host name. For example, an organization's LDAP server is ldapserver.domain.com with an IP address of 192.168.2.1, but the hosts file on the BlackBerry Administration Service computer has an entry such as the following:
192.168.2.1 .domain.com
Workaround
Cause 1
The Lightweight Directory Access Protocol (LDAP) server for which BlackBerry Administration Service is trying to obtain a Kerberos ticket does not have a reverse Domain Name System (DNS) entry (PTR record) that resolves to the principal name registered in Active Directory.
Workaround 1
Edit the PTR record in DNS for the IP address of the LDAP server so that it matches the name registered in Active Directory. Kerberos must be able to map the name returned by the reverse lookup to a servicePrincipalName attribute in Active Directory so that the key distribution center can issue a ticket for the LDAP service.
Cause 2
On the computer that hosts the BlackBerry Administration Service, there is an entry in the C:\Windows\System32\drivers\etc\hosts file that points to the IP address of the LDAP server, but references an incorrect host name.
Workaround 2
- Open C:\Windows\System32\drivers\etc\hosts in a text editor such as Notepad
- Comment the invalid line from the hosts file by placing a # before the IP address as indicated below, and save the file:
#192.168.2.1 .domain.com
- Open a command prompt and type ipconfig /flushdns to flush the local DNS cache.
- Restart the BlackBerry Administration Service
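As an added check that is not part of this KB article, the following Python script applies both causes above to constructed data: it flags hosts-file entries for the LDAP server's IP address whose host name is malformed (such as .domain.com), and verifies that the name a reverse lookup returns has a matching ldap/ servicePrincipalName. The sample hosts content, the SPN list and the IP address are constructed; reverse_lookup() is the only part that touches the local resolver.

```python
import re
import socket

# Constructed sample of a hosts file on the BlackBerry Administration Service computer
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.168.2.1     .domain.com
192.168.2.5     fileserver.domain.com  fs
"""

# Constructed servicePrincipalName values of the LDAP server's computer object
SAMPLE_SPNS = ["ldap/ldapserver.domain.com", "ldap/LDAPSERVER",
               "HOST/ldapserver.domain.com"]

# One RFC 1123 host name label: alphanumerics and hyphens, no leading/trailing hyphen
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name):
    """True if every dot-separated label is non-empty and well formed."""
    name = name.rstrip(".")
    return bool(name) and all(LABEL.match(lbl) for lbl in name.split("."))


def hosts_entries_for(hosts_text, ip):
    """Return (line_number, [names]) for each active hosts line that maps `ip`."""
    found = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments, skip blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == ip:
            found.append((n, fields[1:]))
    return found


def bad_hosts_names(hosts_text, ip):
    """Hosts names for `ip` that cannot form a valid Kerberos principal (Cause 2)."""
    return [(n, name) for n, names in hosts_entries_for(hosts_text, ip)
            for name in names if not valid_hostname(name)]


def spn_for_reverse_name(reverse_name, spns):
    """Kerberos asks the KDC for ldap/<reverse name>; check the SPN list has it (Cause 1).
    Compared case-insensitively, as the Active Directory KDC does."""
    wanted = "ldap/" + reverse_name.rstrip(".").lower()
    return any(s.lower() == wanted for s in spns)


def reverse_lookup(ip):
    """Name the local resolver returns for `ip` (the hosts file is consulted first)."""
    return socket.gethostbyaddr(ip)[0]
```

Run bad_hosts_names() against the real hosts file and spn_for_reverse_name() against the output of reverse_lookup() and the SPNs read from the LDAP server's computer object to decide which workaround applies.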