"The username, password, or domain is not correct. Please correct the entry" error when trying to authenticate to BlackBerry Web Desktop Manager

Article ID: KB17950

Type: Support Content

Last Modified: 12-15-2011

 

Product(s) Affected:

  • BlackBerry Enterprise Server for Novell GroupWise
  • BlackBerry Enterprise Server for Microsoft Exchange

Environment

  • BlackBerry® Enterprise Server version 5.0
  • SDR312881

Overview

While trying to authenticate to BlackBerry® Web Desktop Manager using a BlackBerry user account that was added from Microsoft® Active Directory®, you receive the error "The username, password, or domain is not correct. Please correct the entry." However, the authentication credentials that were passed are correct.

When viewing the BlackBerry Administration Service Application Server log, located in C:\Program Files\Research In Motion\BlackBerry Enterprise Server\Logs\<date>, you see the following:

{http-SERVER.DOMAIN.COM%2F10.9.12.93-443-2} [com.rim.bes.basplugin.activedirectory.LdapSearch] [INFO] [ADAU-1001] {u=SystemUser, t=3767} performPagedLDAPSearch problem performing LDAP operation: url=ldap://server.domain.com:389 base=CN=Partitions,CN=Configuration,DC=domain,DC=com filter=(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=3)(|(nETBIOSName=dsnet)(dnsRoot=dsnet))) scope=1error=javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]

Cause

The BlackBerry Administration Service is unable to perform a reverse address lookup, or receives invalid results for the reverse lookup.

Cause 1

The server that hosts the Lightweight Directory Access Protocol (LDAP) service for which the BlackBerry Administration Service is trying to get a Kerberos™ ticket does not have a reverse Domain Name System (DNS) entry (PTR record) that resolves to the principal name registered in Microsoft Active Directory. For example, a PTR record may resolve an Internet Protocol (IP) address to ldapserver.domain.com, but the servicePrincipalName attribute on the server object in Microsoft Active Directory does not have an entry for ldap/ldapserver.domain.com. One possible reason is that the reverse zone was manually created and configured to match a disjoint namespace.

Cause 2

On the computer that hosts the BlackBerry Administration Service, there is an entry in the C:\Windows\System32\drivers\etc\hosts file that points to the IP address of the LDAP server, but references an incorrect host name. For example, an organization's LDAP server is ldapserver.domain.com with an IP address of 192.168.2.1, but the hosts file on the BlackBerry Administration Service computer has an entry such as the following:

192.168.2.1 <invalidhost>.domain.com

Resolution

This is a previously reported issue that is being investigated by our development team. A resolution is currently unavailable.

Workaround

Cause 1

The server that hosts the Lightweight Directory Access Protocol (LDAP) service for which the BlackBerry Administration Service is trying to get a Kerberos ticket does not have a reverse Domain Name System (DNS) entry (PTR record) that resolves to the principal name registered in Active Directory.

Workaround 1

Edit the PTR record in DNS for the IP address of the LDAP server so that it matches the name registered in Microsoft Active Directory. Kerberos needs to match the principal name to a servicePrincipalName attribute in Microsoft Active Directory so that the key distribution center can issue a ticket for the LDAP service.

Cause 2

On the computer that hosts the BlackBerry Administration Service, there is an entry in the C:\Windows\System32\drivers\etc\hosts file that points to the IP address of the LDAP Server, but references an incorrect host name.

Workaround 2

Complete the following steps:

  1. Open C:\Windows\System32\drivers\etc\hosts in a text editor such as Notepad.
  2. Mark the invalid line from the hosts file as a comment by placing a # before the IP address as indicated below, and save the file:

    #192.168.2.1 <invalidhost>.domain.com

  3. Open a command prompt and type ipconfig /flushdns to flush the local DNS cache.
  4. Restart the BlackBerry Administration Services.
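
The hosts-file check from Cause 2, as an added PowerShell example (not code from RIM or this article): it lists every active hosts entry that maps the LDAP server's IP address to a name other than the one registered in Active Directory. The function name Find-HostsMismatch, its parameters, and the sample host name wronghost.domain.com are assumptions made for illustration.

```powershell
# Added example, not part of the original article.
# Find-HostsMismatch is a hypothetical helper name.
function Find-HostsMismatch {
    param(
        [Parameter(Mandatory=$true)] [string[]] $HostsLines,   # lines of the hosts file
        [Parameter(Mandatory=$true)] [string]   $LdapIp,       # IP address of the LDAP server
        [Parameter(Mandatory=$true)] [string]   $ExpectedFqdn  # host part of the ldap/<host> SPN
    )
    $expected = $ExpectedFqdn.TrimEnd('.')
    $lineNo = 0
    foreach ($raw in $HostsLines) {
        $lineNo++
        # Text after '#' is a comment, so commented-out entries are skipped.
        $active = ($raw -split '#', 2)[0].Trim()
        if (-not $active) { continue }
        $fields = $active -split '\s+'
        if ($fields.Count -lt 2 -or $fields[0] -ne $LdapIp) { continue }
        # Report each name on the line that differs from the expected one.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name.TrimEnd('.') -ne $expected) {   # -ne ignores case for strings
                New-Object PSObject -Property @{
                    Line = $lineNo; Ip = $LdapIp; Name = $name; Expected = $expected
                }
            }
        }
    }
}

# Constructed sample input modelled on the article's example (not a real hosts file).
$sample = @(
    '127.0.0.1      localhost',
    '192.168.2.1    wronghost.domain.com   # active entry with the wrong name',
    '#192.168.2.1   wronghost.domain.com',
    '192.168.2.1    LDAPSERVER.domain.com'
)
Find-HostsMismatch -HostsLines $sample -LdapIp '192.168.2.1' `
    -ExpectedFqdn 'ldapserver.domain.com'

# Against the real file on the BlackBerry Administration Service computer:
# $hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
# Find-HostsMismatch -HostsLines $hosts -LdapIp '192.168.2.1' `
#     -ExpectedFqdn 'ldapserver.domain.com'
# Name the computer currently gets from a reverse lookup of that address:
# [System.Net.Dns]::GetHostEntry('192.168.2.1').HostName
```

An empty result means no active hosts entry for that IP address disagrees with the expected name; the PTR record described under Cause 1 still has to be checked in DNS.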
