Administration Guide

Configuring how BlackBerry devices authenticate to content servers

If you configured the content servers in your organization's environment to use an authentication protocol to authenticate the sources of the data requests that they receive, you can control how BlackBerry® devices authenticate to content servers to receive application data and application updates.

Configure how BlackBerry devices authenticate to content servers

You can configure whether BlackBerry® devices authenticate to content servers directly, or whether the BlackBerry MDS Connection Service authenticates to content servers on behalf of BlackBerry devices. If you configure BlackBerry devices to authenticate directly to content servers but you do not configure an authentication method for BlackBerry MDS Connection Service connections, authenticated BlackBerry devices prompt users to provide their login information again every 60 minutes; the prompt appears only if the connection to the content server persists for longer than 60 minutes.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the HTTP tab, in the Protocol service information section, in the Authentication support enabled drop-down list, perform one of the following actions:
    • If you want BlackBerry devices to authenticate to content servers directly, click No.
    • If you want the BlackBerry MDS Connection Service to store authentication information and perform HTTP authentication on behalf of BlackBerry devices, click Yes.
  5. If necessary, in the Authentication timeout field, type the length of time, in milliseconds, that you want authentication information for BlackBerry devices to remain valid on the content server. By default, the authentication timeout limit is 1 hour (3600000 milliseconds). Keep the value as short as your users tolerate: it bounds how long stored authentication information stays usable after a user has finished with the content server.
  6. Click Save all.
After you finish: If you set Authentication support enabled to Yes, configure the BlackBerry MDS Connection Service to authenticate to content servers that use NTLM, Kerberos™, LTPA, or RSA® Authentication Manager on behalf of BlackBerry devices.

Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use NTLM

Before you begin: Configure the BlackBerry® MDS Connection Service to authenticate to content servers on behalf of BlackBerry devices.
  1. Navigate to <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\Instance\config.
  2. Configure the MdsLogin.conf file.
For more information about the Java® Authentication and Authorization Service configuration file, visit http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html.

Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use Kerberos

Before you begin: Configure the BlackBerry® MDS Connection Service to authenticate to content servers on behalf of BlackBerry devices.
  1. Navigate to <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\Instance\config.
  2. Configure the krb5.conf file.
For more information about the Kerberos™ 5 configuration file, visit web.mit.edu/kerberos/www/krb5-1.3/krb5-1.3.3/doc/krb5-admin.html#krb5.conf.
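The guide does not show what the krb5.conf file contains, so here is an added example of a minimal one for the host that runs the BlackBerry MDS Connection Service. It is not taken from the BlackBerry guide or from RIM; the realm EXAMPLE.COM and the KDC host names kdc1.example.com and kdc2.example.com are placeholders for your Kerberos realm (normally the Active Directory domain name in upper case) and your domain controllers. Comments are kept at column 0 because the Java® Kerberos configuration parser in Java 6 only skips comment lines that begin with #.

```ini
# krb5.conf for the BlackBerry MDS Connection Service host.
# Added example, not from the BlackBerry guide. EXAMPLE.COM, kdc1.example.com
# and kdc2.example.com are placeholders for your realm and KDCs.
[libdefaults]
    default_realm = EXAMPLE.COM
# Take the KDC list from [realms] below instead of DNS SRV records, so ticket
# requests do not depend on DNS at logon time and cannot be redirected by it.
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }

# Map the content servers' DNS suffix to the realm that issues their service
# tickets; without this, a host in a sub-domain cannot be matched to a realm.
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

Kerberos rejects tickets whose timestamps differ from the KDC's clock by more than the permitted skew (five minutes by default), so synchronise the clock on the BlackBerry MDS Connection Service host with the domain controllers before testing.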

Configure the BlackBerry MDS Connection Service to authenticate BlackBerry devices to content servers that use LTPA

BlackBerry® devices that are running BlackBerry® Device Software version 3.8 or later manage HTTP cookie storage themselves and use the stored cookies to authenticate to content servers that use LTPA authentication technology. For BlackBerry devices that run earlier versions of the BlackBerry Device Software, you must permit the BlackBerry MDS Connection Service to manage HTTP cookie storage for those devices.
Before you begin: Configure the BlackBerry MDS Connection Service to authenticate to the content servers in your organization's environment on behalf of BlackBerry devices.
  1. In the BlackBerry Administration Service, in the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the HTTP tab, in the Protocol service information section, in the Cookie support enabled drop-down list, click Yes.
  5. Click Save all.

Configuring the BlackBerry MDS Connection Service to authenticate devices to the RSA Authentication Manager

You can configure the BlackBerry® MDS Connection Service to require that BlackBerry device users pass RSA® authentication when they access the Internet or intranet from BlackBerry devices. You can configure the BlackBerry MDS Connection Service to require that users use RSA authentication in one of the following scenarios:
  • when users access every web site and intranet site from devices
  • when users access intranet sites from devices
  • when users access web addresses or intranet addresses that you specify

If you configure the BlackBerry MDS Connection Service to require that users use RSA authentication to access web addresses or intranet addresses that you specify, you can choose to apply this option to specific user accounts or to all user accounts that are associated with a BlackBerry® Enterprise Server Express instance.

After the RSA Authentication Manager authenticates the devices, if you configured proxy authentication, the devices prompt users to authenticate to the proxy server.

Prerequisites: Configuring the BlackBerry MDS Connection Service to support RSA authentication when the BlackBerry MDS Connection Service runs on Windows Server 2008

  • If required, remove the RSA® Authentication Agent from the computer that hosts the BlackBerry® MDS Connection Service.
  • If required, in the RSA® Authentication Manager, delete the node secret data for the computer that hosts the BlackBerry MDS Connection Service.
  • If required, delete the node secret data that is located on the computer that hosts the BlackBerry MDS Connection Service. The node secret is a shared secret between the Agent Host and the RSA Authentication Manager; if a copy from an earlier agent installation remains on either side, the two copies no longer match and authentication attempts fail until both are cleared and a new node secret is established.
  • Retrieve the RSA Authentication API version 5.0.3.2 from RSA.

Configure the BlackBerry MDS Connection Service to support RSA authentication when the BlackBerry MDS Connection Service runs on Windows Server 2008

  1. On the computer that hosts the BlackBerry® MDS Connection Service, copy the aceclnt.dll file and sdmsg.dll file from the RSA® Authentication API to one of the following folders:
    • If you are running a 32-bit version of Windows Server® 2008, the <drive>:\WINDOWS\system32 folder
    • If you are running a 64-bit version of Windows Server 2008, the <drive>:\WINDOWS\SysWow64 folder (the folder that holds 32-bit libraries on 64-bit Windows)
  2. In the RSA® Authentication Manager, create an Agent Host record for the BlackBerry® Enterprise Server Express. The RSA Authentication Manager generates an sdconf.rec file.
  3. On the computer that hosts the BlackBerry MDS Connection Service, copy the sdconf.rec file that the RSA Authentication Manager generates to one of the following folders:
    • If you are running a 32-bit version of Windows Server 2008, the <drive>:\WINDOWS\system32 folder
    • If you are running a 64-bit version of Windows Server 2008, the <drive>:\WINDOWS\SysWow64 folder
  4. In the Windows® Services, restart the BlackBerry MDS Connection Service.
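The four steps above are usually scripted on the host rather than done by hand, so here is an added PowerShell example that performs them, checks the prerequisites, and restarts the service. It is not from the BlackBerry guide or from RIM. Assumptions: $RsaApiDir is where you unpacked the RSA Authentication API 5.0.3.2 files, $SdconfDir holds the sdconf.rec file exported after creating the Agent Host record, and the node secret file on the host is named securid beside sdconf.rec (the name used by RSA agents of that era; adjust $NodeSecretName if yours differs). Windows Server 2008 needs PowerShell 2.0 installed for Get-Service -DisplayName and Restart-Service.

```powershell
# Added example (not from the BlackBerry guide): stage the RSA Authentication API
# files for the BlackBerry MDS Connection Service and restart the service.
param(
    [string]$RsaApiDir = "C:\RSA\AuthAPI",   # assumed: unpacked RSA Authentication API 5.0.3.2
    [string]$SdconfDir = "C:\RSA\sdconf",    # assumed: folder holding the exported sdconf.rec
    [string]$NodeSecretName = "securid"      # assumed: node secret file name on the host
)

$ErrorActionPreference = "Stop"

# Pick the target folder the guide prescribes: System32 on a 32-bit OS,
# SysWOW64 (the 32-bit library folder) on a 64-bit OS. PROCESSOR_ARCHITEW6432 is
# only set when a 32-bit process runs on 64-bit Windows, so the pair of checks
# gives the OS bitness regardless of the bitness of this PowerShell session.
if ($env:PROCESSOR_ARCHITECTURE -eq "x86" -and -not $env:PROCESSOR_ARCHITEW6432) {
    $target = Join-Path $env:SystemRoot "system32"
} else {
    $target = Join-Path $env:SystemRoot "SysWOW64"
}

# Prerequisite check: a stale node secret left by an earlier agent installation
# will not match the Authentication Manager's record and every authentication
# would fail. Stop here rather than deploy on top of it.
$nodeSecret = Join-Path $target $NodeSecretName
if (Test-Path $nodeSecret) {
    throw "Stale node secret at $nodeSecret. Delete it and the Agent Host's node secret in RSA Authentication Manager, then rerun."
}

# Step 1: copy the two RSA API libraries into the target system folder.
foreach ($name in "aceclnt.dll", "sdmsg.dll") {
    $src = Join-Path $RsaApiDir $name
    if (-not (Test-Path $src)) {
        throw "Missing $src; copy it from the RSA Authentication API package first."
    }
    Copy-Item -Path $src -Destination (Join-Path $target $name) -Force
}

# Steps 2 and 3: sdconf.rec is produced by creating the Agent Host record in
# RSA Authentication Manager; it must exist before the service is restarted.
$sdconf = Join-Path $SdconfDir "sdconf.rec"
if (-not (Test-Path $sdconf)) {
    throw "Missing $sdconf; create the Agent Host record in RSA Authentication Manager and export sdconf.rec."
}
Copy-Item -Path $sdconf -Destination (Join-Path $target "sdconf.rec") -Force

# Verify placement before touching the service.
foreach ($name in "aceclnt.dll", "sdmsg.dll", "sdconf.rec") {
    $path = Join-Path $target $name
    if (-not (Test-Path $path)) { throw "Expected $path after copy." }
    Get-Item $path | Select-Object FullName, Length, LastWriteTime
}

# Step 4: restart the service by the display name shown in Windows Services and
# wait for it to come back rather than assuming the restart succeeded.
$svc = Get-Service -DisplayName "BlackBerry MDS Connection Service"
Restart-Service -InputObject $svc -Force
$svc.WaitForStatus("Running", (New-TimeSpan -Seconds 120))
"{0} is {1}" -f $svc.DisplayName, (Get-Service -Name $svc.Name).Status
```

Run it from an elevated PowerShell session on the host: writing to the system folder and restarting the service both require administrator rights. After the restart, the first successful RSA authentication establishes a fresh node secret on the host.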

Configure the BlackBerry MDS Connection Service to authenticate devices to the RSA Authentication Manager

Before you begin:
  • Configure the BlackBerry® MDS Connection Service to authenticate to the content servers in your organization's environment on behalf of BlackBerry devices.
  • To specify the web addresses that require RSA® authentication, configure URL patterns and access control rules that restrict user access to specific web addresses or intranet addresses.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. On the RSA tab, in the Protocol service information section, in the RSA® authentication support drop-down list, select one of the following options:
    • If you want users to use RSA authentication when they access every web address or intranet address, select Turn on globally.
    • If you want users to use RSA authentication when they access the intranet only, select Turn on for Intranet only.
    • If you want users to use RSA authentication for web addresses or intranet addresses that you specify, select Turn on for specific sites only.
  5. In the RSA authentication timeout field, type a number, in minutes, to specify how long devices that the RSA Authentication Manager authenticates can remain connected to your organization's network while the users are active. By default, the authenticated connection persists for 24 hours.
  6. In the RSA inactivity timeout field, type a number, in minutes, to specify how long devices can remain connected to your organization's network while the users are inactive. By default, an authenticated connection persists for 60 minutes of user inactivity on the devices.
  7. Click Save all.