KB15803 - Configure BlackBerry MDS for Kerberos Auth to a web site hosted on IIS
Posted by hdawg, 07-30-2009, 03:18 PM

KB15803 - Configure BlackBerry Mobile Data Service for Kerberos Authentication to a web site hosted on an IIS web server


Environment

  • BlackBerry® Enterprise Server versions 4.0 and 4.1
  • BlackBerry® Mobile Data Service (BlackBerry MDS in 4.0 or BlackBerry MDS-CS in 4.1)
  • Microsoft® Internet Information Services (IIS)



Overview

Task 1 - Configure the Microsoft IIS web server to support Kerberos™ authentication
  1. If the IIS web server is a member of the domain but is not a domain controller, the computer account must be trusted for delegation for Kerberos to work properly.
  2. Enable Integrated Windows Authentication check box on the directory security of the web site.
  3. Determine whether you are connecting to the web site by using the actual NetBIOS name of the server or by an alias name, such as a DNS name. If you are accessing the web server by using a name other than the actual name of the server, a new service principal name (SPN) must have been registered by using the Setspn tool from the Windows® Server Resource Kit.
  4. Ensure that the correct authentication methods are listed in the metabase for the IIS server or particular web site. For example, if your server was upgraded from Windows NT® 4.0 to Windows 2000, the Negotiate authentication method is not available, and you must add it manually. For full details of how to configure these settings, see Microsoft Knowledge Base Article 326985 (Microsoft Help and Support).
Task 2 - Configure the BlackBerry MDS or BlackBerry MDS-CS to support Kerberos authentication
  1. Ensure that the BlackBerry MDS or BlackBerry MDS-CS has the Support HTTP Authentication setting configured. This can be checked in the following way and, if not set, should be changed to allow HTTP Authentication:
    BlackBerry Enterprise Server version 4.0:
    1. In BlackBerry Manager, right click the relevant BlackBerry Enterprise Server.
    2. Select Mobile Data Service Properties.
    3. On the HTTP tab, select Allows the Mobile Data Service to support HTTP Authentication.
    4. Click Apply and OK.
    5. Restart the BlackBerry MDS.
    BlackBerry Enterprise Server version 4.1:
    1. In BlackBerry Manager, select _MDS-CS_1.
    2. Click Edit Properties.
    3. In the Properties window, click HTTP.
    4. Set Support HTTP Authentication to True.
    5. Click Apply and OK.
    6. Restart the BlackBerry MDS-CS service.
  2. Configure the MDSLogin.conf file to include your domain name:
    1. On the BlackBerry Enterprise Server, navigate to C:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\servername\config.
    2. Open the MDSLogin.conf file in Notepad.
    3. Edit the MDS_Default section by replacing COMPANY.COM with your domain name.
    4. Save and close the file.
  3. Configure the krb5.conf file to include details relevant to your specific Microsoft® Active Directory® environment:
    1. On the BlackBerry Enterprise Server, navigate to C:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\servername\config.
    2. Open the krb5.conf file in Notepad.
    3. The default sections and entries contained within this file are as follows:
      [libdefaults]
      default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
      default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
      [realms]
      # change COMPANY.COM to your Kerberos realm
      # change KDC:88 to the hostname:port of the KDC
      COMPANY.COM = {
      kdc = KDC:88
      }
  4. At a minimum the COMPANY.COM should be replaced with your domain name.
  5. The KDC:88 entry may be required to be replaced with the FQDN of the KDC within your Microsoft Active Directory environment and port number (if changed from the default of 88). However, your DNS infrastructure should provide the required server details when queried.
Additional Information (opt):

Kerberos is an authentication system developed at the Massachusetts Institute of Technology (MIT). Depending on the complexity of your Microsoft Active Directory environment, further sections and entries may be required within the krb5.conf file. Full details of the possible further sections, and of the entries each section can contain, are available on the MIT website at the following location:
Kerberos V5 System Administrator's Guide.
In large, complex Microsoft Active Directory environments, multiple realm sections may be required for your computer to be able to communicate with the KDC for each realm. The kdc tag must be given a value in each realm subsection in the configuration file, or there must be valid DNS SRV records specifying the KDCs. In addition, the [libdefaults] section may require a default_realm entry, which identifies the default Kerberos realm for the BlackBerry Enterprise Server.
Also, the session key encryption types that are set as defaults in the krb5.conf file installed during the BlackBerry Enterprise Server installation are contained under the [libdefaults] section:
[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
From the MIT website, the definitions of these encryption types are as follows:
des-cbc-md5 = DES cbc mode with RSA-MD5
des-cbc-crc = DES cbc mode with CRC-32
Please note that additional session key encryption types may be required within the krb5.conf file if your environment supports or requires additional key types. See the following website for details:
JGSS Security Enhancement List
For instance, starting from Java® SE 6, support for the RC4-HMAC encryption type in Java GSS/Kerberos is available, so this encryption type can be added to krb5.conf under the [libdefaults] section:
[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc ; or rc4-hmac
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc ; or rc4-hmac



Additional Information

Incorrect or invalid encryption types within the krb5.conf file can result in HTTP 500 errors when attempting to browse to websites that require Kerberos authentication.
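Because a leftover placeholder or a DES-only encryption type list surfaces at runtime as an HTTP 500 on the device rather than as a clear error, it is worth validating the edited krb5.conf before restarting the MDS-CS service. The following script is an added example, not part of the KB article or of the BlackBerry product: it parses the INI-style layout shown above (sections in brackets, key = value lines, realm blocks as REALM = { ... }) and reports the defaults the KB says must be replaced, a missing default_realm, and enctype lists that contain only single-DES types. It assumes that anything after '#' or ';' on a line is a comment (the shipped file uses "; or ..." as inline notes), and both sample configurations embedded in it are constructed for illustration.

```python
"""Sanity-check a BlackBerry MDS krb5.conf before deploying it (added example)."""
import re

# Values the shipped file contains and the KB instructs you to replace.
PLACEHOLDERS = {"COMPANY.COM", "KDC:88"}
# Single-DES session key types shipped as the default in the KB's krb5.conf.
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc"}

# Constructed sample 1: the defaults exactly as the KB lists them.
SHIPPED_DEFAULT = """\
[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
[realms]
# change COMPANY.COM to your Kerberos realm
# change KDC:88 to the hostname:port of the KDC
COMPANY.COM = {
kdc = KDC:88
}
"""

# Constructed sample 2: placeholders replaced (hypothetical realm and KDC names),
# default_realm added, and rc4-hmac added as the KB describes for Java SE 6.
EDITED = """\
[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = rc4-hmac des-cbc-md5
default_tgs_enctypes = rc4-hmac des-cbc-md5
[realms]
EXAMPLE.COM = {
kdc = dc01.example.com:88
}
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a realm block becomes a nested dict."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        # Assumption: '#' or ';' anywhere on the line starts a comment.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                   # [section] header
            section = m.group(1)
            conf.setdefault(section, {})
            realm = None
            continue
        if line == "}":                         # end of a realm block
            realm = None
            continue
        m = re.fullmatch(r"([^\s=]+)\s*=\s*\{", line)
        if m and section is not None:           # REALM = { ... } opener
            realm = m.group(1)
            conf[section][realm] = {}
            continue
        m = re.fullmatch(r"([^\s=]+)\s*=\s*(.*)", line)
        if m and section is not None:           # plain key = value
            target = conf[section][realm] if realm else conf[section]
            target[m.group(1)] = m.group(2).strip()
    return conf


def check_krb5_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_krb5_conf(text)
    findings = []
    lib = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        types = lib.get(key, "").split()
        if not types:
            findings.append(f"[libdefaults] {key} is missing")
        elif set(types) <= WEAK_ENCTYPES:
            findings.append(f"[libdefaults] {key} lists only single-DES types {types}")
    if "default_realm" not in lib:
        findings.append("[libdefaults] default_realm is not set")
    realms = conf.get("realms", {})
    if not realms:
        findings.append("[realms] contains no realm blocks")
    for realm, entries in realms.items():
        if realm in PLACEHOLDERS:
            findings.append(f"[realms] placeholder realm {realm} was not replaced")
        kdc = entries.get("kdc", "") if isinstance(entries, dict) else ""
        if kdc in PLACEHOLDERS:
            findings.append(f"[realms] {realm}: placeholder kdc '{kdc}' was not replaced")
    return findings


if __name__ == "__main__":
    for name, sample in (("shipped default", SHIPPED_DEFAULT), ("edited", EDITED)):
        print(f"== {name} ==")
        for finding in check_krb5_conf(sample) or ["no findings"]:
            print("  " + finding)
```

Run it against the actual file under MDS\Servers\servername\config by reading that file's contents in place of the constructed samples; the shipped default produces five findings, while the edited sample produces none.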