Hola everyone

I've done a fresh install of BES 5.0 and applied MR1. Everything works nicely except..you guessed it...AD authentication when logging in to the BAS. I just get this error:

"The username, password, or domain is not correct. Please correct the entry."

I've tried resolving this myself for the past couple of days by doing the following:

1) The workaround where the password is stored in the database in plain text (fixed in MR1, supposedly!)
2) Tried multiple accounts, each of which can successfully perform LDAP lookups according to the server when you press the Verify button.
3) Reinstalled BES 5.0 4 times, and recreated the database twice.

ALso, in the BAS AS logs, I have seen this (names and IPs obscured):

(07/09 14:42:59:463):{http-<BESServerName>%2F<BESServerIP>-443-3} [com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] {u=SystemUser, t=2140} LOGIN ERROR: getActiveDirectoryRootDseInformation could not get rootDSE attributes for URL ldap://RootDomain:389 error=javax.naming.CommunicationException: RootDomain:389 [Root exception is java.net.ConnectException: Connection refused: connect]

I am concerned that the name of the ldap server isn't showing up there, only the root domain i.e. ldap://mycompany.com:389. Is that normal?

BAS authentication is fine.

My BES is running on Windows Server 2003 SP2 and fully patched.

What do I do from here? Any suggestions appreciated!

Cheers

Richard

If a reboot doesn't fix it; try manually adding a hosts entry into the BES for company.com of a functioning / close domain controller to the BES.

After adding it do an ipconfig /flushdns and then relaunch the console and try to logon ... I don't think you need to reboot.

showing only mycompany.com:389 is normal ... in fact it is what you want; having it point to the domain will pick a DC on round-robin in the event that one is unresponsive the others will eventually pick up.

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.

Thanks hdawg. I think I'd already done that by adding the following:

ldapserver.domain.com x.x.x.x
ldapserver x.x.x.x

Which is right, or neither?

neither actually:

it should be the other way around; and be sure to include domain.com in the list.

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.

Thanks hdawg. I had the format of the hosts file right, just couldn't remember it when I posted last night I'll be sure to add domain.com as well.

Quick update, this is weird. It still wouldn't work after correcting the host file, so I had one of my AD guys come to take a look. We changed the LDAP path to a dfferent AD server and the port to 3268. Rebooted, and it worked! Wow, that felt good. After that I decided I wanted to install the collaboration components, so I went through setup again, verified the information and...ldad/domain auth to BAS stopped working.

Seriously buggy software imo.

You're pointed at the Global catalog port ... I'm pretty sure if you ever have to call RIM they're going to ask you to change this.

__________________
http://blog.port3101.org/hdawg/

The views expressed by me on Port3101 and its affiliated sites are my own and do not necessarily reflect the views of my employer.

For what it's worth, their implementation into LDAP is either quite unstable or it adds a tad more complexity above and beyond what many of them are used to seeing. This doesn't even get into the resource hog the BAS services are. I can't say I'm impressed, but we work with what we have, I suppose.

__________________
BCSA (4.1, 5.0) | BCSD (4.1)

The views expressed by me on Port3101.org are my own and do not necessarily reflect the views of my employer.

You didn't by any chance update JAVA did you? I had problems after I did that and had to reinstall my BAS and JAVA from scratch.