[rst]

So I was able to fix the login issue but I am getting the login/krb5.conf error.

I have checked to make sure Windows AUTH is on and I have modified my .conf file so it has my domain info and DC info.

Is there another place to see where it might be failing or something I am missing.

[jsdc]

Quote:

Originally Posted by rst

So I was able to fix the login issue but I am getting the login/krb5.conf error.

I have checked to make sure Windows AUTH is on and I have modified my .conf file so it has my domain info and DC info.

Is there another place to see where it might be failing or something I am missing.

How did you fix the login issue? I think I have exactly the same issue.

[JavaJunkee]

Now . . . the "Client for OCS2007" is available.

BlackBerry - BlackBerry Enterprise Instant Messaging

Have at it boys!

[georgedavid]

I am also having an issue with authentication. =/
I have OCS 2007 with BES 4.1.6 and bb client 2.1.10

I have tried anonymous access enabled on the IIS site, no good
I have tried all sorts of different options on krb5.conf, no good

an additional difficulty i have is that my internal domain is different than the external and i want users to be able to login with their emails, not an internal suffix.

anyway, everything works via the web access portal and office communicator 2007.

i have changed the kerb5.conf to be .com and .lan. no success. same errors.

--------- kerb5.conf ---------
[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc

[realms]
# change COMPANY.COM to your Kerberos realm
# change KDC:88 to the hostname:port of KDC
company.lan = {
kdc = DomainController:88
}
--------- kerb5.conf ---------

---------- BBIM_01 ---------
SIP URI = myusername[at]company.com>
Account = company.lan\myusername>
Integrated Authentication fails due to invalid username/password or incorrect config/krb5.conf. ocs.company.lan:443/iwa/logon.html>
CWA Server -> IM Proxy failure response = CwaRequestFailedResponseType, rid = null>
CWA signon exception for ocs.company.lan:443/iwa/logon.html = CWA server did not return a cwaTicket in signon response>
---------- BBIM_01 ---------

-------BBIM Settings -------
Blackberry Collaboration Services Version: 4.1.6.26
Default Domain Name: company.lan
Host: ocs.company.lan
Port:443
Transport protocol: 1
-------BBIM Settings -------

--- OCS Server IIS logs with Anonymous Authentication Enabled ---
2008-07-31 06:48:45 W3SVC OCS_SERVER_IP POST /iwa/logon.html - 443 - BES_SERVER_IP MDS_4.1.6.26+(MSIE) 200 5 0
2008-07-31 06:48:45 W3SVC OCS_SERVER_IP POST /forms/logon.html - 443 - BES_SERVER_IP MDS_4.1.6.26+(MSIE) 200 0 0
--- OCS Server IIS logs with Anonymous Authentication Enabled ---

--- OCS Server IIS logs with Anonymous Authentication Disabled ---
2008-07-31 06:13:28 W3SVC OCS_SERVER_IP POST /iwa/logon.html - 443 - BES_SERVER_IP MDS_4.1.6.26+(MSIE) 401 2 2148074254
2008-07-31 06:13:28 W3SVC OCS_SERVER_IP POST /forms/logon.html - 443 - BES_SERVER_IP MDS_4.1.6.26+(MSIE) 200 0 0
--- OCS Server IIS logs with Anonymous Authentication Disabled ---

for those who are getting errors on /forms/logon.html. i think it tries both iwa (Integrated Windows authentication) and Form-based authentication. however i believe the bb client cannot use forms based authentication and you need to disable this in OCS 2007.

if i go to the /iwa/logon.html via a web browser on the network i get prompted for a username and password. i enter the same info as my bb client and it works fine. i get the success ticket.

note: i had to remove https:// because i dont have enough posts to insert links =/
any ideas?

[homeroarg]

Isn't required to enable the server's AD account for Kerberos delegation ?!?
No SPNs required ?!?

[jsdc]

I have been getting authentication issues in IIS logs etc similar to some of the posts in this thread, but have just discovered that users with older firmware (4.1,4.2) work OK. However my curve on 4.5 does not.

Does anyone have a 4.5 curve working against OCS 2007?

[kjarrodc]

Quote:

Originally Posted by jsdc

I have been getting authentication issues in IIS logs etc similar to some of the posts in this thread, but have just discovered that users with older firmware (4.1,4.2) work OK. However my curve on 4.5 does not.

Does anyone have a 4.5 curve working against OCS 2007?

Yes sir - my 8330 with 4.5 is working.

[send2brian]

Was any able to resolve this issue:

Integrated Authentication fails due to invalid username/password or incorrect config/krb5.conf. URL = https://cwa.company.com:443/iwa/logon.html>

Authentication works fine if I access the URL from the BES server.

-------------
OCS 2007
CWA 2007
BES 4.1.6.10
Enterprise Messenger 2.1.10 for OC 2007

[danedel]

Yeaaa for me, upgraded my BES's and setup the enterprise messenger. Only took five uninterupted hours this morning. Thanks for all the tips...You guys are great!

I think I am getting the hang of how the BES works....its all about the services.

[Dirky]

Is it possible to configure OCS 2007 to allow communications with MSN messenger clients, via the BB OCS client??

D

[danedel]

Quote:

Originally Posted by Dirky

Is it possible to configure OCS 2007 to allow communications with MSN messenger clients, via the BB OCS client??

D

Like external to your network? Messenger clients that are not on the enterprise? I am thinking you could, but all you would really need to do it create some tunnel to a public messaging server on the net. This would essentially be a "back door" to people trying to get into your intranet from the extranet.

Of course my SOX compliance people would freak the heck out if I did this!! I see it being a huge vulnerability. I run gtalk on my device, it allows you to have "buddies" from aim and I believe msn. This is much safer than making your enterprise messaging open, but you will need the appropriate IT policy to allow this type of connection

[Dirky]

Quote:

Originally Posted by danedel

Like external to your network? Messenger clients that are not on the enterprise? I am thinking you could, but all you would really need to do it create some tunnel to a public messaging server on the net. This would essentially be a "back door" to people trying to get into your intranet from the extranet.

Of course my SOX compliance people would freak the heck out if I did this!! I see it being a huge vulnerability. I run gtalk on my device, it allows you to have "buddies" from aim and I believe msn. This is much safer than making your enterprise messaging open, but you will need the appropriate IT policy to allow this type of connection

Well it seems you can configure OCS 2007 to communicate with external IM server at hotmail.com, so I guess you can use the BB OCS 2007 client to talk to external contacts.

However i see OCS 2007 needs Exchange 2007 and this is not supported by RIM.

A nice setup would be Server 2008 env with OCS 2007 and Exchange 2007 but I guess thats not possible.

[Dirky]

Do you think this scenario would work:-

Box A
Server 2008
Exchange 2007
File server

Box B
Server 2003
OCS 2007
BES 4.1.6

?
D

[danedel]

I think you could get that to work, but like I said, it would be an exposure to your enterprise, from a sox perspective.

[scorp508]

Quote:

Originally Posted by Dirky

Well it seems you can configure OCS 2007 to communicate with external IM server at hotmail.com, so I guess you can use the BB OCS 2007 client to talk to external contacts.

However i see OCS 2007 needs Exchange 2007 and this is not supported by RIM.

OCS 2007 does not require Exchange to work, but can integrate with it and give you some hella-awesome presence features. OCS 2007 can also integrate with Exchange 2007 Unified Messaging services. We have OCS 2007 running with Exchange 2003.

External Federation to MSN/AOL/Yahoo requires pricey licenses to work. Otherwise everyone and their brother would be connecting to those company's chat servers with their own.

[scorp508]

Quote:

Originally Posted by danedel

Like external to your network? Messenger clients that are not on the enterprise? I am thinking you could, but all you would really need to do it create some tunnel to a public messaging server on the net. This would essentially be a "back door" to people trying to get into your intranet from the extranet.

Of course my SOX compliance people would freak the heck out if I did this!! I see it being a huge vulnerability. I run gtalk on my device, it allows you to have "buddies" from aim and I believe msn. This is much safer than making your enterprise messaging open, but you will need the appropriate IT policy to allow this type of connection

You need a special federation license to connect to those other services. You can use polcies within OCS to lock out who can and cannot talk to external chat servers too. You can have say 10,000 people on a system with 7,000 only allowed to do internal IM and then another 3,000 who are allowed to talk to AOL/Yahoo/MSN, whatever license you purchased.

[Dirky]

Quote:

Originally Posted by scorp508

OCS 2007 does not require Exchange to work, but can integrate with it and give you some hella-awesome presence features. OCS 2007 can also integrate with Exchange 2007 Unified Messaging services. We have OCS 2007 running with Exchange 2003.

External Federation to MSN/AOL/Yahoo requires pricey licenses to work. Otherwise everyone and their brother would be connecting to those company's chat servers with their own.

Thanks for info.
I assume these licenses are not included in the MS Action pack subsrciption?

Also I understood that OCS 2007 would only work with Exchange 2007 but perhaps this is microsoft pushing us to upgrade?

D

[scorp508]

Quote:

Originally Posted by Dirky

Thanks for info.
I assume these licenses are not included in the MS Action pack subsrciption?

Definitely not. Not with a TechNet subscription either.

Quote:

Also I understood that OCS 2007 would only work with Exchange 2007 but perhaps this is microsoft pushing us to upgrade?

Well it depends on what you want it to do. Sure there are some features which only Exchange 2007 allows, but it most certainly doesn't require E2K7 to work. It works quite wonderfully for most things (No UM-integration) with Exchange 2003.

[mattigan]

Quote:

Originally Posted by send2brian

Was any able to resolve this issue:

Integrated Authentication fails due to invalid username/password or incorrect config/krb5.conf. URL = https://cwa.company.com:443/iwa/logon.html>

Authentication works fine if I access the URL from the BES server.

-------------
OCS 2007
CWA 2007
BES 4.1.6.10
Enterprise Messenger 2.1.10 for OC 2007

I am having the exact same problem , and can't for the life of me figure out where it's falling over, any suggestions?

[danedel]

Quote:

Originally Posted by mattigan

I am having the exact same problem , and can't for the life of me figure out where it's falling over, any suggestions?

Have you guys looked at your server certs on the cwa site created when you install the web access component?