|
|
|
07-30-2008, 02:57 PM
|
#61
|
New Member
Join Date: Jul 2008
Model: 8830
PIN: N/A
Carrier: Bell
Posts: 5
|
So I was able to fix the login issue but I am getting the login/krb5.conf error.
I have checked to make sure Windows AUTH is on and I have modified my .conf file so it has my domain info and DC info.
Is there another place to see where it might be failing or something I am missing?
|
|
|
07-30-2008, 05:08 PM
|
#62
|
Knows Where the Search Button Is
Join Date: Dec 2004
Model: 8800
Carrier: O2 UK
Posts: 28
|
Quote:
Originally Posted by rst
So I was able to fix the login issue but I am getting the login/krb5.conf error.
I have checked to make sure Windows AUTH is on and I have modified my .conf file so it has my domain info and DC info.
Is there another place to see where it might be failing or something I am missing?
|
How did you fix the login issue? I think I have exactly the same issue.
|
|
|
07-31-2008, 02:20 AM
|
#64
|
New Member
Join Date: May 2008
Model: 8320
PIN: N/A
Carrier: T-Mobile
Posts: 2
|
I am also having an issue with authentication. =/
I have OCS 2007 with BES 4.1.6 and BB client 2.1.10.
I have tried anonymous access enabled on the IIS site, no good.
I have tried all sorts of different options on krb5.conf, no good.
An additional difficulty I have is that my internal domain is different than the external and I want users to be able to log in with their emails, not an internal suffix.
Anyway, everything works via the web access portal and Office Communicator 2007.
I have changed the kerb5.conf to be .com and .lan. No success. Same errors.
--------- kerb5.conf ---------
[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
[realms]
# change COMPANY.COM to your Kerberos realm
# change KDC:88 to the hostname:port of KDC
company.lan = {
kdc = DomainController:88
}
--------- kerb5.conf ---------
---------- BBIM_01 ---------
SIP URI = myusername[at]company.com>
Account = company.lan\myusername>
Integrated Authentication fails due to invalid username/password or incorrect config/krb5.conf. ocs.company.lan:443/iwa/logon.html>
CWA Server -> IM Proxy failure response = CwaRequestFailedResponseType, rid = null>
CWA signon exception for ocs.company.lan:443/iwa/logon.html = CWA server did not return a cwaTicket in signon response>
---------- BBIM_01 ---------
-------BBIM Settings -------
Blackberry Collaboration Services Version: 4.1.6.26
Default Domain Name: company.lan
Host: ocs.company.lan
Port:443
Transport protocol: 1
-------BBIM Settings -------
--- OCS Server IIS logs with Anonymous Authentication Enabled ---
2008-07-31 06:48:45 W3SVC OCS_SERVER_IP POST /iwa/logon.html - 443 - BES_SERVER_IP MDS_4.1.6.26+(MSIE) 200 5 0
2008-07-31 06:48:45 W3SVC OCS_SERVER_IP POST /forms/logon.html - 443 - BES_SERVER_IP MDS_4.1.6.26+(MSIE) 200 0 0
--- OCS Server IIS logs with Anonymous Authentication Enabled ---
--- OCS Server IIS logs with Anonymous Authentication Disabled ---
2008-07-31 06:13:28 W3SVC OCS_SERVER_IP POST /iwa/logon.html - 443 - BES_SERVER_IP MDS_4.1.6.26+(MSIE) 401 2 2148074254
2008-07-31 06:13:28 W3SVC OCS_SERVER_IP POST /forms/logon.html - 443 - BES_SERVER_IP MDS_4.1.6.26+(MSIE) 200 0 0
--- OCS Server IIS logs with Anonymous Authentication Disabled ---
For those who are getting errors on /forms/logon.html: I think it tries both IWA (Integrated Windows authentication) and form-based authentication. However, I believe the BB client cannot use forms-based authentication and you need to disable this in OCS 2007.
If I go to the /iwa/logon.html via a web browser on the network I get prompted for a username and password. I enter the same info as my BB client and it works fine. I get the success ticket.
Note: I had to remove https:// because I don't have enough posts to insert links =/
Any ideas?
|
|
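Added example, not part of any post in this thread: a small Python decoder for the IIS log lines quoted in post #64, which names the sc-status / sc-substatus / sc-win32-status triple at the end of each line. The field order is an assumption (IIS 6 W3C defaults, since the post shows no "#Fields:" header), and the function names are illustrative.

```python
# Assumed field order: IIS 6 W3C defaults (the post shows no "#Fields:" header).
FIELDS = ("date time site s_ip method uri query port user c_ip agent "
          "status substatus win32").split()

SUBSTATUS_401 = {          # IIS sub-status codes for HTTP 401
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on resource",
    4: "authorization failed by filter",
    5: "authorization failed by ISAPI/CGI application",
}
WIN32 = {                  # a few Win32/SSPI status values seen with 401s
    0: "success",
    5: "ERROR_ACCESS_DENIED",
    1326: "ERROR_LOGON_FAILURE",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
}

# Lines from the post (anonymous authentication disabled; IPs redacted there).
SAMPLE = [
    "2008-07-31 06:13:28 W3SVC OCS_SERVER_IP POST /iwa/logon.html - 443 - "
    "BES_SERVER_IP MDS_4.1.6.26+(MSIE) 401 2 2148074254",
    "2008-07-31 06:13:28 W3SVC OCS_SERVER_IP POST /forms/logon.html - 443 - "
    "BES_SERVER_IP MDS_4.1.6.26+(MSIE) 200 0 0",
]

def decode(line):
    """Split one log line and name its status, sub-status and Win32 status."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    for key in ("status", "substatus", "win32"):
        rec[key] = int(rec[key])
    rec["win32_hex"] = "0x%08X" % rec["win32"]
    rec["win32_name"] = WIN32.get(rec["win32"], "unknown")
    is_401 = rec["status"] == 401
    rec["reason"] = SUBSTATUS_401.get(rec["substatus"], "") if is_401 else ""
    return rec

def challenge_unanswered(lines, uri):
    """True if uri drew a 401 and no request for it ever logged a username."""
    recs = [decode(l) for l in lines if l.strip() and not l.startswith("#")]
    recs = [r for r in recs if r["uri"] == uri]
    return (any(r["status"] == 401 for r in recs)
            and all(r["user"] == "-" for r in recs))

if __name__ == "__main__":
    for rec in map(decode, SAMPLE):
        print(rec["uri"], "%d.%d" % (rec["status"], rec["substatus"]),
              rec["win32_hex"], rec["win32_name"], rec["reason"])
    print("IWA unanswered:", challenge_unanswered(SAMPLE, "/iwa/logon.html"))
```

A 401.2 with SEC_E_NO_CREDENTIALS and `-` in cs-username means the request reached IIS without credentials it could use; a client that completes Integrated Authentication leaves a later request for the same URI with the account name logged.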
|
07-31-2008, 03:47 PM
|
#65
|
Knows Where the Search Button Is
Join Date: Aug 2006
Model: 8100
Carrier: Telecom Personal
Posts: 46
|
Isn't it required to enable the server's AD account for Kerberos delegation?!?
No SPNs required ?!?
|
|
|
08-01-2008, 02:31 PM
|
#66
|
Knows Where the Search Button Is
Join Date: Dec 2004
Model: 8800
Carrier: O2 UK
Posts: 28
|
I have been getting authentication issues in IIS logs etc. similar to some of the posts in this thread, but have just discovered that users with older firmware (4.1, 4.2) work OK. However, my Curve on 4.5 does not.
Does anyone have a 4.5 Curve working against OCS 2007?
|
|
|
08-01-2008, 04:03 PM
|
#67
|
Thumbs Must Hurt
Join Date: Jan 2008
Model: 8830
PIN: N/A
Carrier: verizon
Posts: 82
|
Quote:
Originally Posted by jsdc
I have been getting authentication issues in IIS logs etc. similar to some of the posts in this thread, but have just discovered that users with older firmware (4.1, 4.2) work OK. However, my Curve on 4.5 does not.
Does anyone have a 4.5 Curve working against OCS 2007?
|
Yes sir - my 8330 with 4.5 is working.
|
|
|
08-02-2008, 01:43 AM
|
#68
|
New Member
Join Date: Aug 2008
Model: 3210
PIN: N/A
Carrier: ATT
Posts: 1
|
Was anyone able to resolve this issue:
Integrated Authentication fails due to invalid username/password or incorrect config/krb5.conf. URL = https://cwa.company.com:443/iwa/logon.html>
Authentication works fine if I access the URL from the BES server.
-------------
OCS 2007
CWA 2007
BES 4.1.6.10
Enterprise Messenger 2.1.10 for OC 2007
|
|
|
08-02-2008, 03:01 PM
|
#69
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: Denver, Co
Model: 9000
Carrier: The "new" at&t
Posts: 210
|
Yeaaa for me, upgraded my BES's and set up the enterprise messenger. Only took five uninterrupted hours this morning. Thanks for all the tips...You guys are great!
I think I am getting the hang of how the BES works....it's all about the services.
__________________
Crackberry 9000 (4.6.0.190) New at&t
BES 4.1.6 Exchange 2007 08.01.0240
Last edited by danedel; 08-02-2008 at 03:04 PM..
|
|
|
08-03-2008, 08:53 AM
|
#70
|
Talking BlackBerry Encyclopedia
Join Date: Jul 2006
Location: Up North - UK
Model: 8320
Carrier: T-Mobile UK
Posts: 265
|
Is it possible to configure OCS 2007 to allow communications with MSN messenger clients, via the BB OCS client??
D
|
|
|
08-03-2008, 10:54 AM
|
#71
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: Denver, Co
Model: 9000
Carrier: The "new" at&t
Posts: 210
|
Quote:
Originally Posted by Dirky
Is it possible to configure OCS 2007 to allow communications with MSN messenger clients, via the BB OCS client??
D
|
Like external to your network? Messenger clients that are not on the enterprise? I am thinking you could, but all you would really need to do is create some tunnel to a public messaging server on the net. This would essentially be a "back door" to people trying to get into your intranet from the extranet.
Of course my SOX compliance people would freak the heck out if I did this!! I see it being a huge vulnerability. I run gtalk on my device, it allows you to have "buddies" from AIM and I believe MSN. This is much safer than making your enterprise messaging open, but you will need the appropriate IT policy to allow this type of connection.
__________________
Crackberry 9000 (4.6.0.190) New at&t
BES 4.1.6 Exchange 2007 08.01.0240
|
|
|
08-03-2008, 01:53 PM
|
#72
|
Talking BlackBerry Encyclopedia
Join Date: Jul 2006
Location: Up North - UK
Model: 8320
Carrier: T-Mobile UK
Posts: 265
|
Quote:
Originally Posted by danedel
Like external to your network? Messenger clients that are not on the enterprise? I am thinking you could, but all you would really need to do is create some tunnel to a public messaging server on the net. This would essentially be a "back door" to people trying to get into your intranet from the extranet.
Of course my SOX compliance people would freak the heck out if I did this!! I see it being a huge vulnerability. I run gtalk on my device, it allows you to have "buddies" from AIM and I believe MSN. This is much safer than making your enterprise messaging open, but you will need the appropriate IT policy to allow this type of connection.
|
Well, it seems you can configure OCS 2007 to communicate with an external IM server at hotmail.com, so I guess you can use the BB OCS 2007 client to talk to external contacts.
However, I see OCS 2007 needs Exchange 2007 and this is not supported by RIM.
A nice setup would be a Server 2008 env with OCS 2007 and Exchange 2007, but I guess that's not possible.
|
|
|
08-03-2008, 02:39 PM
|
#73
|
Talking BlackBerry Encyclopedia
Join Date: Jul 2006
Location: Up North - UK
Model: 8320
Carrier: T-Mobile UK
Posts: 265
|
Do you think this scenario would work:-
Box A
Server 2008
Exchange 2007
File server
Box B
Server 2003
OCS 2007
BES 4.1.6
?
D
|
|
|
08-03-2008, 03:57 PM
|
#74
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: Denver, Co
Model: 9000
Carrier: The "new" at&t
Posts: 210
|
I think you could get that to work, but like I said, it would be an exposure to your enterprise, from a SOX perspective.
__________________
Crackberry 9000 (4.6.0.190) New at&t
BES 4.1.6 Exchange 2007 08.01.0240
|
|
|
08-03-2008, 06:08 PM
|
#75
|
Knows Where the Search Button Is
Join Date: Aug 2005
Location: Boston, MA
Model: 0000
Carrier: VZW
Posts: 43
|
Quote:
Originally Posted by Dirky
Well, it seems you can configure OCS 2007 to communicate with an external IM server at hotmail.com, so I guess you can use the BB OCS 2007 client to talk to external contacts.
However, I see OCS 2007 needs Exchange 2007 and this is not supported by RIM.
|
OCS 2007 does not require Exchange to work, but can integrate with it and give you some hella-awesome presence features. OCS 2007 can also integrate with Exchange 2007 Unified Messaging services. We have OCS 2007 running with Exchange 2003.
External Federation to MSN/AOL/Yahoo requires pricey licenses to work. Otherwise everyone and their brother would be connecting to those companies' chat servers with their own.
|
|
|
08-03-2008, 06:10 PM
|
#76
|
Knows Where the Search Button Is
Join Date: Aug 2005
Location: Boston, MA
Model: 0000
Carrier: VZW
Posts: 43
|
Quote:
Originally Posted by danedel
Like external to your network? Messenger clients that are not on the enterprise? I am thinking you could, but all you would really need to do is create some tunnel to a public messaging server on the net. This would essentially be a "back door" to people trying to get into your intranet from the extranet.
Of course my SOX compliance people would freak the heck out if I did this!! I see it being a huge vulnerability. I run gtalk on my device, it allows you to have "buddies" from AIM and I believe MSN. This is much safer than making your enterprise messaging open, but you will need the appropriate IT policy to allow this type of connection.
|
You need a special federation license to connect to those other services. You can use policies within OCS to lock out who can and cannot talk to external chat servers too. You can have say 10,000 people on a system with 7,000 only allowed to do internal IM and then another 3,000 who are allowed to talk to AOL/Yahoo/MSN, whatever license you purchased.
|
|
|
08-04-2008, 06:49 AM
|
#77
|
Talking BlackBerry Encyclopedia
Join Date: Jul 2006
Location: Up North - UK
Model: 8320
Carrier: T-Mobile UK
Posts: 265
|
Quote:
Originally Posted by scorp508
OCS 2007 does not require Exchange to work, but can integrate with it and give you some hella-awesome presence features. OCS 2007 can also integrate with Exchange 2007 Unified Messaging services. We have OCS 2007 running with Exchange 2003.
External Federation to MSN/AOL/Yahoo requires pricey licenses to work. Otherwise everyone and their brother would be connecting to those companies' chat servers with their own.
|
Thanks for info.
I assume these licenses are not included in the MS Action Pack subscription?
Also I understood that OCS 2007 would only work with Exchange 2007 but perhaps this is Microsoft pushing us to upgrade?
D
|
|
|
08-04-2008, 11:15 AM
|
#78
|
Knows Where the Search Button Is
Join Date: Aug 2005
Location: Boston, MA
Model: 0000
Carrier: VZW
Posts: 43
|
Quote:
Originally Posted by Dirky
Thanks for info.
I assume these licenses are not included in the MS Action Pack subscription?
|
Definitely not. Not with a TechNet subscription either.
Quote:
Also I understood that OCS 2007 would only work with Exchange 2007 but perhaps this is Microsoft pushing us to upgrade?
|
Well it depends on what you want it to do. Sure there are some features which only Exchange 2007 allows, but it most certainly doesn't require E2K7 to work. It works quite wonderfully for most things (No UM-integration) with Exchange 2003.
|
|
|
08-05-2008, 04:12 AM
|
#79
|
New Member
Join Date: Aug 2008
Model: 8310
PIN: N/A
Carrier: O2 (UK)
Posts: 4
|
Quote:
Originally Posted by send2brian
Was anyone able to resolve this issue:
Integrated Authentication fails due to invalid username/password or incorrect config/krb5.conf. URL = https://cwa.company.com:443/iwa/logon.html>
Authentication works fine if I access the URL from the BES server.
-------------
OCS 2007
CWA 2007
BES 4.1.6.10
Enterprise Messenger 2.1.10 for OC 2007
|
I am having the exact same problem, and can't for the life of me figure out where it's falling over, any suggestions?
|
|
|
08-05-2008, 06:22 PM
|
#80
|
Talking BlackBerry Encyclopedia
Join Date: Aug 2006
Location: Denver, Co
Model: 9000
Carrier: The "new" at&t
Posts: 210
|
Quote:
Originally Posted by mattigan
I am having the exact same problem, and can't for the life of me figure out where it's falling over, any suggestions?
|
Have you guys looked at your server certs on the cwa site created when you install the web access component?
__________________
Crackberry 9000 (4.6.0.190) New at&t
BES 4.1.6 Exchange 2007 08.01.0240
|
|
|
|
|