Authentication methods for the BlackBerry Enterprise Server User Administration Tool
Supported authentication models
In BlackBerry® Enterprise Server 5.0 and later, the models for authentication (login) and authorization (roles or permissions) for administration are different from the models that were used in previous versions.
BlackBerry Enterprise Server 5.0 and later supports the following authentication models:
- BlackBerry Administration Service authentication (default)
- Microsoft® Active Directory® authentication
- single sign-on authentication for the BlackBerry Administration Service (uses Microsoft Active Directory authentication)
- IBM® Lotus® Domino® mailbox authentication (Lotus Domino environment only)
- Novell® GroupWise® mailbox authentication (Novell GroupWise environment only)
BlackBerry Enterprise Server 5.0 and later does not support Windows® authentication or Microsoft® SQL Server® authentication.
Roles or permissions that are based on database user accounts are not supported in BlackBerry Enterprise Server 5.0 and later.
For more information about how to create a BlackBerry Administration Service administrator, visit www.blackberry.com/go/serverdocs to read the BlackBerry Enterprise Server Administration Guide.
Default authentication method for the BlackBerry Administration Service
If you do not specify authentication credentials when you type a command in the BlackBerry Enterprise Server User Administration Tool, the tool tries to log in to the BlackBerry Administration Service using your Windows® authentication credentials. You can also specify the -sso_auth parameter if you want the tool to log in to the BlackBerry Administration Service using your Windows authentication credentials.
Authentication credentials
The BlackBerry Enterprise Server User Administration Tool uses the values associated with these options for the authentication and authorization models that are supported in the BlackBerry® Enterprise Server. The tool does not support Microsoft® SQL Server® authentication or roles or permissions that are defined on the Microsoft SQL Server database engine.
Syntax for authentication credentials
In the BlackBerry® Enterprise Server User Administration Tool, the variable <credentials> represents the user name, password, and domain that you use for authentication with the BlackBerry Administration Service.
The BlackBerry Enterprise Server User Administration Tool uses the following syntax for authentication credentials.
| Item | Description |
|---|---|
| -username <user name> -sqluser <user name> | authentication user name |
| -password <password> -sqlpass <password> | authentication password |
| -sso_auth | use instead of the user name and password parameters if you want the tool to log in to the BlackBerry Administration Service using your Windows® authentication credentials. If you do not specify authentication credentials when you type a command, by default, the tool tries to log in to the BlackBerry Administration Service using your Windows authentication credentials even if you do not specify the -sso_auth parameter. |
| -domain <domain> | authentication domain |
| -bas_auth | |
| -mailbox_auth | use IBM® Lotus® Domino® mailbox authentication (Lotus Domino environment only) |
| -gw_auth | use Novell® GroupWise® mailbox authentication (Novell GroupWise environment only) |
| -ad_auth | |
Setting authentication credentials
You can configure the BlackBerry Enterprise Server User Administration Tool to retrieve a set of stored authentication credentials from an .xml configuration file when you use specific subparameters.
Storing an encrypted set of authentication credentials
The BlackBerry® Enterprise Server User Administration Tool uses the -set_client_auth <credentials> -set_p <password> command to store authentication credentials in an .xml configuration file. You can then use the -p subparameter in the tool to extract the credentials from the .xml configuration file and insert the credentials into the command line options. The configuration file is located at <drive>:\Documents and Settings\<user_name>\Local Settings\Application Data\Research_in_Motion_Ltd\BESUserAdminClient.exe_Url_<serial_number>\<version>\user.config. The -set_client_auth command must be set for each administrator account that you want to use stored credentials.
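Because the stored credentials live in a per-user file, it is worth checking who can read that file. The following PowerShell audit is an added example, not part of the BlackBerry documentation; it assumes the local application data folder resolves to the path given above, and the list of expected principals uses English account names that you adjust for your environment.

```powershell
# Added example: list every BESUserAdminClient user.config under the current
# profile and report ACL entries that grant access to unexpected principals.
# Assumption: LocalApplicationData resolves to the
# "...\Local Settings\Application Data" folder named in the text.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
$root = Join-Path $localAppData 'Research_in_Motion_Ltd'

# Principals expected to hold access (English names; adjust for localized systems).
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$expected = @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

if (-not (Test-Path -LiteralPath $root)) {
    Write-Output "No stored-credential folder found at $root"
    return
}

# The tool keeps one file per BESUserAdminClient.exe_Url_<serial_number>\<version>.
$configs = Get-ChildItem -Path $root -Recurse -Filter 'user.config' |
    Where-Object { $_.FullName -like '*BESUserAdminClient.exe_Url_*' }

foreach ($file in $configs) {
    $acl = Get-Acl -LiteralPath $file.FullName

    # Allow entries for anyone outside the expected list.
    $unexpected = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $expected -notcontains $_.IdentityReference.Value
    }

    $file | Select-Object FullName, LastWriteTime,
        @{ Name = 'Owner'; Expression = { $acl.Owner } },
        @{ Name = 'UnexpectedAccess'; Expression = {
            ($unexpected | ForEach-Object {
                "$($_.IdentityReference.Value): $($_.FileSystemRights)"
            }) -join '; '
        } }
}
```

An empty UnexpectedAccess column means only the current user, SYSTEM and local administrators hold allow entries on that file.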
Extracting credentials that are stored in the configuration file
String value requirements
To specify -set_client_auth values that contain characters in double quotation marks, you must surround the entire string with double quotation marks. You must use a set of quotation marks to escape every embedded set of characters that are in double quotation marks.
Example: Using double quotation marks to specify a work location nickname for a user
If you have two users with the same name, Julie Palmer, one of whom works in Waterloo and the other in New York, you can specify the work location for the user as a nickname.
BESUserAdminClient -username \"Julie \"\"Waterloo\"\" Palmer\" -password password -status
You store this option and value in the configuration file using the following command:
BESUserAdminClient -set_p password1 -set_client_auth "-username ""Julie \"\"Waterloo\"\" Palmer"" -password password"