Unable to add Active Directory users on BlackBerry Administration Service console or unable to update Active Directory Configuration page on BAS console

Article ID: KB35638

Type: Support Content

Last Modified: 01-21-2014

 

Product(s) Affected:

  • BlackBerry Enterprise Service 10
Environment
  • BlackBerry Enterprise Service 10 version 10.0 to 10.2
Overview
Updating and saving the Microsoft Active Directory Configuration page on the BlackBerry Administration Service console could fail and display the following error message:

The username, password, or domain is not correct. Please correct the entry.

The same error message appears when attempting to log in to the BlackBerry Administration Service using a Microsoft Active Directory administrative account.

Also, the Administrator might not be able to add Microsoft Active Directory users on the BlackBerry Administration Service console.
Cause

BlackBerry Administration Service cannot obtain the list of Global Catalog/Domain Controller servers in the domain, or the DNS server is misconfigured.

<BAS-AS log>

(01/20 13:32:44:516):{http-BESNAME.MYDOMAIN.COM%2F123.1.1.1-38443-3} [com.rim.bes.bas.activedirectory.authentication.ActiveDirectoryDCLocator] [DEBUG] [BBAS-200] {u=1, uc=0, o=0, t=4831} getGCHostCould not find Global Catalog Server in the domain 'MYDOMAIN.COM'
(01/20 13:32:44:516):{http-BESNAME.MYDOMAIN.COM%2F123.1.1.1-38443-3} [com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean] [DEBUG] [ADAU-200] {u=1, uc=0, o=0, t=4831} LOGIN ERROR:  _validateAuthenticationAttributes failed to determine the GC host for the Active Directory user domaincom.rim.bes.bas.activedirectory.authentication.CouldNotGetGCInfoException: getGCHostCould not find Global Catalog Server in the domain 'MYDOMAIN.COM'
(01/20 13:32:44:519):{http-BESNAME.MYDOMAIN.COM%2F123.1.1.1-38443-3} [com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean] [DEBUG] [ADAU-200] {u=1, uc=0, o=0, t=4831} _validateAuthenticationAttributesFromServiceInstance invalid LDAP login, com.rim.bes.basplugin.activedirectory.InvalidLDAPLoginException: LOGIN ERROR:  _validateAuthenticationAttributes failed to determine the GC host for the Active Directory user domaincom.rim.bes.bas.activedirectory.authentication.CouldNotGetGCInfoException: getGCHostCould not find Global Catalog Server in the domain 'MYDOMAIN.COM'

*** Start of original stack trace ***

com.rim.bes.basplugin.activedirectory.InvalidLDAPLoginException: LOGIN ERROR:  _validateAuthenticationAttributes failed to determine the GC host for the Active Directory user domaincom.rim.bes.bas.activedirectory.authentication.CouldNotGetGCInfoException: getGCHostCould not find Global Catalog Server in the domain 'MYDOMAIN.COM'
    at com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean._validateAuthenticationAttributes(ActiveDirectoryManagerBean.java:2529)
    at com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean._validateAuthenticationAttributesFromServiceInstance(ActiveDirectoryManagerBean.java:6710)
    at com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean._setActiveDirectoryServiceInstance(ActiveDirectoryManagerBean.java:5566)

Resolution

Complete the following tasks to resolve the issue:

Task 1

Verify the list of Global Catalog servers returned by the DNS server that is used by the server hosting the BlackBerry Administration Service, using nslookup as follows:

  1. From the command prompt, type nslookup. (C:\>nslookup)
  2. Set the query type to SRV. (>set type=srv)
  3. Find the Global Catalog Server(s). (>_gc._tcp.<DnsForestName>)
    Example: >_gc._tcp."your domain.com"
  4. The results will include the hostname and IP address of each Global Catalog Server.
  5. Type exit to leave the nslookup session.

Task 2

Verify that the proper SRV record(s) for LDAP protocol for the Global Catalog servers are in the DNS by following the steps below:

  1. From the command prompt, type nslookup. (C:\>nslookup)
  2. Set the query type to SRV. (>set type=srv)
  3. Find the Global Catalog Server(s). (>_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.<DnsForestName>)
    Example: >_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs."your domain.com"
  4. The results will include the hostname and IP address of each LDAP server on the Global Catalog server.
  5. Type exit to leave the nslookup session.

Task 3

To resolve the issue, open the DNS server and create/update the proper SRV entries for the Global Catalog server (_gc._tcp."your domain.com") and for the LDAP protocol for the Global Catalog servers (_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs."your domain.com").
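
The lookups from Tasks 1 and 2 can be run as a single non-interactive check, and re-run after Task 3 to confirm that the records now resolve. This is an added example, not part of the original article; it assumes PowerShell with the Resolve-DnsName and Test-NetConnection cmdlets (Windows Server 2012 R2 or later), and the function name Test-GcSrvRecord and the forest name example.com are hypothetical.

```powershell
# Added example: non-interactive form of the Task 1 and Task 2 lookups.
# Test-GcSrvRecord is a hypothetical helper name, not a BlackBerry or Microsoft cmdlet.
function Test-GcSrvRecord {
    param(
        [Parameter(Mandatory = $true)] [string] $DnsForestName,
        [string] $SiteName = 'Default-First-Site-Name'
    )

    # The two SRV names the article queries with nslookup.
    $queries = @(
        "_gc._tcp.${DnsForestName}",
        "_ldap._tcp.${SiteName}._sites.gc._msdcs.${DnsForestName}"
    )

    foreach ($name in $queries) {
        try {
            # Keep only SRV answers; the response may also carry A records for the targets.
            $srv = @(Resolve-DnsName -Name $name -Type SRV -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' })
        }
        catch {
            [pscustomobject]@{
                Query = $name; Target = $null; Port = $null; Reachable = $false
                Note  = "lookup failed: $($_.Exception.Message)"
            }
            continue
        }
        if ($srv.Count -eq 0) {
            [pscustomobject]@{
                Query = $name; Target = $null; Port = $null; Reachable = $false
                Note  = 'no SRV record returned'
            }
            continue
        }

        foreach ($record in $srv) {
            # Confirm the advertised host answers on the port published in the SRV record.
            $reachable = Test-NetConnection -ComputerName $record.NameTarget -Port $record.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{
                Query = $name; Target = $record.NameTarget; Port = $record.Port
                Reachable = $reachable; Note = ''
            }
        }
    }
}

# Constructed sample forest name; replace it with the forest used by the BlackBerry Administration Service.
Test-GcSrvRecord -DnsForestName 'example.com' | Format-Table -AutoSize
```

Run it on the server hosting the BlackBerry Administration Service so that the same DNS server is queried, and check that every Target listed is a Global Catalog server you expect.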

For more information on how to configure and register a Domain Name Server in the environment, visit Microsoft's Tech library or search the Microsoft Help and Support site for "Verify DNS registration for domain controllers using the nslookup command".

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.