Unable to log in to the BlackBerry Administration Service web console when running a mixed Windows Server 2003 and 2008 domain controller environment

Article ID: KB18186

Type: Support Content

Last Modified: 11-23-2011

 

Product(s) Affected:

  • BlackBerry® Enterprise Server

Overview

The issue occurs because the Kerberos™ encryption requirements of a Windows Server® 2003 domain controller differ from those of a Windows Server 2008 domain controller. The BlackBerry® Administration Service might encounter Microsoft® Active Directory® authentication errors when one or more Windows Server 2008 domain controllers are present in a Microsoft Active Directory forest operating in Windows Server 2003 forest functional level. The following generic error message appears:

The username, password, or domain is not correct. Please correct the entry.

Environment

  • BlackBerry® Enterprise Server 5.0 to 5.0 SP1
  • BlackBerry® Enterprise Server Express 5.0 SP1 (Bundle 5)
  • Windows® Server 2003 and 2008
  • DT 450284

Cause

This issue occurs when the BlackBerry Enterprise Server runs with Windows Server 2008 domain controllers in a Microsoft Active Directory domain operating in Windows Server 2003 Domain Functional Level. When the BlackBerry Administration Service attempts to authenticate using Microsoft Active Directory credentials, the Windows Server 2008 domain controller advertises to the BlackBerry Enterprise Server that it supports Advanced Encryption Standard (AES) for Kerberos pre-authentication. However, the domain controller will not accept AES encryption unless the forest is operating in Windows Server 2008 Forest Functional Level. When a domain controller in this environment receives such an authentication request, the authentication attempt fails.

If this issue occurs, the following log entry is present in the BlackBerry Administration Service Application Server (BAS-AS) log file:

[com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean] [INFO] [ADAU-1000] {u=SystemUser, t=4690} loginAsLdapUser failed to authenticate LDAP user=besadmin, realm=<Domain>, kdc=<Domain Controller providing KDC services> javax.security.auth.login.LoginException: KDC has no support for encryption type (14)

Note: The realm=<Domain> and kdc=<Domain Controller providing KDC services> values are unique to each environment.
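The console error is generic, so the BAS-AS log entry is what identifies this cause. The following added example (not part of the original article or of any BlackBerry tooling) scans log text for the entry quoted above and groups the encryption-type rejections by KDC, which shows which domain controllers are refusing the request. The sample lines, host names and the `triage` helper are constructed for illustration; error 14 is the Kerberos code KDC_ERR_ETYPE_NOSUPP.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the BAS-AS entry quoted above;
# the user, realm and kdc values are made up for illustration.
SAMPLE_LOG = """\
[com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean] [INFO] [ADAU-1000] {u=SystemUser, t=4690} loginAsLdapUser failed to authenticate LDAP user=besadmin, realm=EXAMPLE.TEST, kdc=dc08a.example.test javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
[com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean] [INFO] [ADAU-1000] {u=SystemUser, t=4702} loginAsLdapUser failed to authenticate LDAP user=helpdesk1, realm=EXAMPLE.TEST, kdc=dc08a.example.test javax.security.auth.login.LoginException: KDC has no support for encryption type (14)
[com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean] [INFO] [ADAU-1000] {u=SystemUser, t=4711} loginAsLdapUser failed to authenticate LDAP user=besadmin, realm=EXAMPLE.TEST, kdc=dc03b.example.test javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
"""

# Matches the ADAU-1000 login failure entry and captures its fields.
ENTRY = re.compile(
    r"\[ADAU-1000\].*?loginAsLdapUser failed to authenticate LDAP "
    r"user=(?P<user>[^,]+), realm=(?P<realm>[^,]+), kdc=(?P<kdc>\S+) "
    r".*?LoginException: (?P<msg>.*?) \((?P<code>\d+)\)\s*$"
)
ETYPE_NOSUPP = 14  # Kerberos error KDC_ERR_ETYPE_NOSUPP (RFC 4120)


def triage(log_text):
    """Split failed BAS logins into enctype rejections (per KDC) and the rest."""
    etype_by_kdc, other = defaultdict(set), []
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # not a login failure entry
        if int(m["code"]) == ETYPE_NOSUPP:
            etype_by_kdc[m["kdc"]].add(m["user"])
        else:
            other.append((m["user"], m["kdc"], int(m["code"])))
    return {k: sorted(v) for k, v in etype_by_kdc.items()}, other


if __name__ == "__main__":
    etype, other = triage(SAMPLE_LOG)
    for kdc, users in etype.items():
        print(f"{kdc}: encryption type not supported for {', '.join(users)}")
    for user, kdc, code in other:
        print(f"{user} via {kdc}: other Kerberos failure ({code})")
```
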

Resolution

For BlackBerry Enterprise Server 5.0 to 5.0 SP1:

  • Update to BlackBerry Enterprise Server 5.0 SP2

For BlackBerry Enterprise Server Express 5.0 SP1 (Bundle 5):

  • Remove BlackBerry Enterprise Server Express 5.0 SP1 (Bundle 5)
  • Download and install BlackBerry Enterprise Server Express 5.0 SP1 (Bundle 12)

Workaround

To work around this issue, complete one of the following workarounds, as appropriate:

  1. Raise the functional level of the Microsoft Active Directory Domain to Windows Server 2008.

    For more information on how to raise the domain functional level, see KB322692, or visit the Microsoft Help and Support site and search for "How to raise Active Directory domain and forest functional levels".

    Note: This change is not reversible.

  2. Configure the Kerberos pre-authentication encryption types to DES encryption type for each Microsoft Active Directory domain account used with the BlackBerry Administration Service.

    Consult with the Microsoft Active Directory administrator on how to change the encryption type for a user account.

  3. Create a separate BlackBerry Administration Service Authentication administrator account for the administrator in question.
