Unable to administer the BlackBerry Administration Service after using the BlackBerry Server Configuration tabs

Article ID: KB18161

Type: Support Content

Last Modified: 04-23-2014

 

Product(s) Affected:

  • BlackBerry Enterprise Server for Microsoft Exchange
Environment
  • BlackBerry Enterprise Server 5.0 for Microsoft Exchange
  • DT 299265
Overview

After editing the Lightweight Directory Access Protocol (LDAP) password field on the Administration Service - LDAP tab in the BlackBerry Server Configuration tool, administrators can no longer log into the BlackBerry Administration Service console using Microsoft Active Directory authentication.

Cause

For security reasons, the LDAP password is hashed before it is stored in the BlackBerry Configuration Database, so that it cannot be read and used directly from the Microsoft SQL Server. To use the password, the BlackBerry Administration Service must retrieve it from the hash value that was created when the password was inserted into the BlackBerry Configuration Database. When the password is edited on the BlackBerry Server Configuration screen, it is written to the database as plain text instead of the hashed value. Because the BlackBerry Administration Service always attempts to retrieve the password from the hash, it cannot interpret the plain text password. This prevents the BlackBerry Administration Service from authenticating against Microsoft Active Directory, and therefore from authenticating other users for login.

When this issue occurs, the following log line appears in the BAS-AS log file:

[WARN] [BBAS-2015] {u=1, uc=-1, o=0, t=150975} _getExternalAuthenticatorId could not find external authenticator identifier - com.rim.bes.bas.usermanager.CouldNotFindExternalAuthenticatorIdException: Message: 'LOGIN ERROR: findExternalAuthenticatorIdLocal failed to login as LDAP user com.rim.bes.bas.pluginmanager.InvalidAuthenticationException: Message: 'LOGIN ERROR: loginAsLdapUser exception during authentication com.rim.bes.bas.util.BASCouldNotCompleteRequestRollbackException: getAuthenticationCredentialsLocal stored password could not be decrypted', nested exception: 'getAuthenticationCredentialsLocal stored password could not be decrypted'', nested exception: 'Message: 'LOGIN ERROR: loginAsLdapUser exception during authentication com.rim.bes.bas.util.BASCouldNotCompleteRequestRollbackException: getAuthenticationCredentialsLocal stored password could not be decrypted', nested exception: 'getAuthenticationCredentialsLocal stored password could not be decrypted''
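
An added example, not part of the original article or of BlackBerry's tooling: a small Python triage script that scans BAS-AS log lines for the decryption-failure signature quoted above. The line layout is inferred from that single log line; the function names and the second and third sample lines are constructed for illustration.

```python
import re

# Signature taken from the KB's log line: BAS cannot decode the stored LDAP password.
SIGNATURE = "getAuthenticationCredentialsLocal stored password could not be decrypted"

# "[LEVEL] [CODE] {k=v, ...} message": layout inferred from the one line quoted in the KB.
# search() is used so any prefix a real log puts before [LEVEL] is ignored.
LINE_RE = re.compile(
    r"\[(?P<level>[A-Z]+)\]\s+\[(?P<code>[A-Z]+-\d+)\]\s+\{(?P<ctx>[^}]*)\}\s+(?P<msg>.*)$"
)

def parse_line(line):
    """Split one BAS-AS log line into level, code, context dict and message."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    ctx = dict(kv.split("=", 1) for kv in re.split(r",\s*", m.group("ctx")) if "=" in kv)
    return {"level": m.group("level"), "code": m.group("code"), "ctx": ctx, "msg": m.group("msg")}

def find_undecodable_password_events(lines):
    """Return parsed events that show the stored-LDAP-password decode failure."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event and SIGNATURE in event["msg"]:
            # The message nests the same exception several times:
            # record one event per line, with a repeat count.
            event["repeats"] = event["msg"].count(SIGNATURE)
            hits.append(event)
    return hits

# Constructed sample input: line 1 is shortened from the KB's log line;
# lines 2-3 (including the code BBAS-1000) are invented non-matching entries.
SAMPLE_LOG = [
    "[WARN] [BBAS-2015] {u=1, uc=-1, o=0, t=150975} _getExternalAuthenticatorId could not find "
    "external authenticator identifier - ... loginAsLdapUser exception during authentication "
    "com.rim.bes.bas.util.BASCouldNotCompleteRequestRollbackException: "
    "getAuthenticationCredentialsLocal stored password could not be decrypted', nested exception: "
    "'getAuthenticationCredentialsLocal stored password could not be decrypted''",
    "[INFO] [BBAS-1000] {u=1, uc=-1, o=0, t=150980} constructed example: service heartbeat",
    "[WARN] [BBAS-2015] {u=2, uc=-1, o=0, t=151002} constructed example: LDAP server unreachable",
]

if __name__ == "__main__":
    for e in find_undecodable_password_events(SAMPLE_LOG):
        print(f"{e['level']} {e['code']} t={e['ctx'].get('t')} signature x{e['repeats']}")
```

Matching on the message text rather than on BBAS-2015 alone keeps other LDAP login warnings with the same code from being reported as this issue.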

Resolution

This issue has been resolved in BlackBerry Enterprise Server version 5.0 MR1.

Note: Make sure that no invalid characters are used in the password, such as a comma or any of the following: !, #, $, %, ^, (, ), &, =, ', ", ;, >, <, |, \

Note: The above invalid characters do not apply to any version of BlackBerry Enterprise Server following 5.0 MR1. In any later version, this field accepts any characters which can be assigned to a Windows password.

To apply BlackBerry Enterprise Server version 5.0 MR1, complete the following steps:

  1. Log in as the BlackBerry Enterprise Server service account.
  2. Click Start > Run > Services.msc.
  3. Stop all BlackBerry Enterprise Server services.
  4. Double-click bes500mr1.msp to install BlackBerry Enterprise Server version 5.0 MR1.
  5. Start all BlackBerry Enterprise Server services.
    Important: Restarting certain BlackBerry Enterprise Server services will delay email message delivery to BlackBerry smartphones. For more information, see KB04789.
    For more information about BlackBerry Enterprise Server version 5.0.0 MR1, see the Release Notes.

To ensure that the password is stored in the database as the correct hashed value, complete the following steps:

  1. Click Start > Programs > BlackBerry Enterprise Server > BlackBerry Server Configuration.
  2. Click the Administration Service - LDAP tab.
  3. Type the LDAP password for the corresponding LDAP user account.
  4. Click Verify.
  5. Click Apply and OK.
  6. Restart the BlackBerry Administration Service - Native Code Container service.
    Note: Restarting the BlackBerry Administration Service - Native Code Container service also restarts the BlackBerry Administration Service - Application Server service.

Workaround

To work around the issue, perform one of the following options:

Option 1

  1. On the computer where the BlackBerry Administration Service is installed, navigate to the following directory from a command prompt:
    1. For a 32-bit (x86) operating system:
      <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin
       
    2. For a 64-bit (x64) operating system:
      <drive>:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin
       
  2. Run the following command:
    1. For BlackBerry Enterprise Server 5.0 to 5.0 SP2:
      basUtility "C:\Program Files\Java\jre1.5.0_15" "C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS" encode "<LDAP Password>" > C:\Output.txt
       
    2. For BlackBerry Enterprise Server 5.0 SP3:
      basUtility "C:\Program Files\Java\jre1.5.0_18" "C:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS" hash "<LDAP Password>" > C:\Output.txt
       
  3. Open the text file created in step 2.
  4. Copy the hashed version of the password to the Microsoft SQL Server.
  5. Run the following SQL Query against the BlackBerry Configuration Database:
    update BASAuthenticationCredentials set password = '<contents of output.txt>' where AuthenticationType LIKE '1'
     
  6. Restart the BlackBerry Administration Service services.
  7. Log in to the BlackBerry Administration Service using Microsoft Active Directory.

Option 2

Install the BlackBerry Administration Service again.
