KDC has no support for encryption type (14)

Sean Rector, MCSE

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Tuesday, September 29, 2009 4:38 PM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

K, was testing to make sure what I was going to suggest actually works.

Kick up logging on BAS-AS

Login with the local admin -> expand BB Solution Top. -> BB Domain -> Component View -> Logging -> your instance_LOG -> Logging Details Tab -> Scroll to the bottom -> Edit Instance -> Change Log level for BAS - AS to DEBUG.

Restart the BAS Service.

Log back in with the account that won't work, search the logs @ install location ...\Research In Motion\BlackBerry Enterprise Server\Logs\20090929\servername_BBAS-AS_01_20090929.txt for the account name that fails, There should be corresponding info in the log to help sort this out.

Thanks,
JB

From: Sean Rector [mailto:sean.rec...@vaopera.org]
Sent: Tuesday, September 29, 2009 1:00 PM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

Created the user account, but get "The username, password, or domain is not correct. Please correct the entry." When I try to log into the Web Desktop Manager.

Sean Rector, MCSE

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Tuesday, September 29, 2009 3:53 PM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

Cool. Login with the local admin and add your user as an administrative user and/or activate your handheld on it. Log out and then test with LDAP and your user account. You have to be added as a user before you can login via LDAP.

Thanks,
JB

From: Sean Rector [mailto:sean.rec...@vaopera.org]
Sent: Tuesday, September 29, 2009 12:47 PM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

MR2 installed - I hadn't known it was available. LDAP configuration had been set to use port 389 - and settings verified - I changed it to 3268 and settings still verified.
I haven't done anything regarding setting up any users yet. No handheld to test yet.

Sean Rector, MCSE

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Tuesday, September 29, 2009 12:52 PM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

Demo version will allow you to patch it, I would throw MR2 on it, lots of bug fixes from RTM -> MR2.

What happens with your LDAP configuration within the BlackBerry Server cfg tool -> Admin Service - LDAP tab?

Ldap://domain.com:3268
DC=domain,DC=com
LDAP user credentials, when you hit verify does it come back and say LDAP settings are valid?

As far as trying to logon to the Web Desktop manager, are the users you are trying with setup on the BES server? Have you logged in with the local admin and setup your account to be an administrator or activated or migrated your handheld to the server yet?

Thanks,
JB

From: Sean Rector [mailto:sean.rec...@vaopera.org]
Sent: Tuesday, September 29, 2009 4:08 AM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

Ok...re-installed BES. I'm able to login using the BAS Admin login I created during the install. Thanks for your assistance, John. I don't know if this is MR2 - it's the demo download at this point as we're within 60 days of buying the software.

New (perhaps not really new) problem - it appears that LDAP lookups are not happening. If I try to log in to the Web Desktop, no matter which user I try in my organization, the login does not authenticate. I'm not sure which log to look in to see if there are errors, but on the DC (WS2k8R2), I am seeing Kerberos-Key-Distribution-Center error 14 messages.

Sean Rector, MCSE

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Monday, September 28, 2009 4:19 PM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

Are you running MR2?
I believe there was a similar issue from MR1 but I can't recall if it was both auth methods or just LDAP.. Just a guess, but possibly reinstall BAS...

Last ditch effort try resetting the local pwd.. Back up your DB first...

http://supportforums.blackberry.com/rim/board/message?board.id=bes5&message.id=844&query.id=3326021#M844

"
Log into the BES server itself
Open SQL administrator
Go to the BESMgmt database
Expand tables
Open the dbo.BASUsers table
If you have not created any other admin users, and chances are you did not if you are reading this, the last user listed will be the system admin user
Scroll right to the LoginPassword column
Paste this hash into that field - 431d615b2de61fb1 - this will change your BAS login to "berry"
Now log in with that password and go to Manage Users and click on search to populate your list
Click on the System Administrator user and select edit user
Click on the wrench to the right of the user and type in your new password, then click the green check mark to the right
MOST IMPORTANT - click SAVE ALL at the bottom
Now you are all set to log out and back in with your new secure password
"

Out of curiosity, your LDAP cfg is fine/validates on the BES cfg tool? Do you have any users activated on this server? If so, can they log into the BAS interface via ldap?

Thanks,
JB

From: Sean Rector [mailto:sean.rec...@vaopera.org]
Sent: Monday, September 28, 2009 12:01 PM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

Yes. Right on both questions...

Sean Rector, MCSE

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Monday, September 28, 2009 2:59 PM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

But you mentioned you are using the AD login in your OP? So have you selected BAS from the drop down and tried that local acct?
Thanks,
JB

From: Sean Rector [mailto:sean.rec...@vaopera.org]
Sent: Monday, September 28, 2009 11:50 AM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

Yes...and it won't accept that - with nothing noted in the BAS AS log.

Sean Rector, MCSE

From: Barsodi.John [mailto:john.bars...@igt.com]
Sent: Monday, September 28, 2009 2:42 PM
To: MS-Exchange Admin Issues
Subject: RE: 1st BES Install - can't login to Administration Service

Did you create the local admin pwd?

In BES 5.0, the svc account model for interactive and management logon has changed....by default, unless you are upgrading and had set the permissions there, the svc account has no BAS rights.

Do you remember the local Admin pwd? It prompted you for it during the install.

Thanks,
JB

From: Sean Rector [mailto:sean.rec...@vaopera.org]
Sent: Monday, September 28, 2009 11:31 AM
To: MS-Exchange Admin Issues
Subject: 1st BES Install - can't login to Administration Service

BES 5.0 - on Windows Server 2003 Std.

When I try to log in using the admin account I specified in the setup process, it returns "The username, password, or domain is not correct. Please correct the entry." I'm using Active Directory for the login method - which I specified and verified in the setup wizard.

When I check the DC (Server 2008 R2), I see the following Event ID:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/28/2009 2:26:17 PM
Event ID: 4768
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: VOA-NOR-DC01.vaopera.net
Description:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name: sean.rector.adm
    Supplied Realm Name: VAOPERA.NET
    User ID: NULL SID

Service Information:
    Service Name: krbtgt/VAOPERA.NET
    Service ID: NULL SID

Network Information:
    Client Address: 10.0.0.45
    Client Port: 3420

Additional Information:
    Ticket Options: 0x0
    Result Code: 0xe
    Ticket Encryption Type: 0xffffffff
    Pre-Authentication Type: -

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4768</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2009-09-28T18:26:17.831284900Z" />
    <EventRecordID>7226755</EventRecordID>
    <Correlation />
    <Execution ProcessID="940" ThreadID="1680" />
    <Channel>Security</Channel>
    <Computer>VOA-NOR-DC01.vaopera.net</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">sean.rector.adm</Data>
    <Data Name="TargetDomainName">VAOPERA.NET</Data>
    <Data Name="TargetSid">S-1-0-0</Data>
    <Data Name="ServiceName">krbtgt/VAOPERA.NET</Data>
    <Data Name="ServiceSid">S-1-0-0</Data>
    <Data Name="TicketOptions">0x0</Data>
    <Data Name="Status">0xe</Data>
    <Data Name="TicketEncryptionType">0xffffffff</Data>
    <Data Name="PreAuthType">-</Data>
    <Data Name="IpAddress">10.0.0.45</Data>
    <Data Name="IpPort">3420</Data>
    <Data Name="CertIssuerName"> </Data>
    <Data Name="CertSerialNumber"> </Data>
    <Data Name="CertThumbprint"> </Data>
  </EventData>
</Event>

Your help is appreciated!

Sean Rector, MCSE
Information Technology Manager
Virginia Opera Association
E-Mail: sean.rec...@vaopera.org
Phone: (757) 213-4548 (direct line)
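
The Result Code 0xe in the 4768 event above is Kerberos error 14 from RFC 4120, the KDC_ERR_ETYPE_NOSUPP named in the subject line. The Python below is an added example, not part of the original thread: it parses a trimmed copy of that event's XML and decodes the fields needed to triage the failure. The function name triage_4768 and the short error table are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of RFC 4120 error codes that can appear as the 4768 Status value.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x0E: "KDC_ERR_ETYPE_NOSUPP",  # KDC has no support for encryption type
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",
}
NO_TICKET = 0xFFFFFFFF  # etype value logged when no ticket was issued

# Trimmed copy of the event XML quoted in the thread (unused fields removed).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4768</EventID><Computer>VOA-NOR-DC01.vaopera.net</Computer></System>
<EventData>
<Data Name="TargetUserName">sean.rector.adm</Data>
<Data Name="ServiceName">krbtgt/VAOPERA.NET</Data>
<Data Name="Status">0xe</Data>
<Data Name="TicketEncryptionType">0xffffffff</Data>
<Data Name="IpAddress">10.0.0.45</Data>
</EventData></Event>"""


def triage_4768(event_xml):
    """Decode the fields of a 4768 (TGT request) event needed for triage."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4768":
        raise ValueError("not a 4768 event")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    status = int(data["Status"], 16)
    return {
        "account": data["TargetUserName"],
        "client": data["IpAddress"],
        "status": status,
        "error": KRB_ERRORS.get(status, "unlisted (see RFC 4120)"),
        "ticket_issued": int(data["TicketEncryptionType"], 16) != NO_TICKET,
        # Error 14: the KDC could not use any encryption type in the request.
        "etype_mismatch": status == 0x0E,
    }


if __name__ == "__main__":
    for key, value in triage_4768(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```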