Test intranet access from Blackberry and other mobile platforms

If you’re accessing intranet websites using Blackberries and other mobile platforms like Good for Enterprise you can get Kerberos working to provide single sign-on/passthough authentication. Staff can then browse intranet pages that are secured by Windows authentication, URL filtering or NTFS without having to type in their (probably complex) Windows password on a teeny tiny phone keypad.

I use the Active Server Page (ASP) below on IIS to test if Kerberos is working. On a test website, turn off anonymous access and turn on Windows authentication. Then get your service principle names lined up (SPNs). Test with Internet Explorer before moving onto other browsers or mobile devices. You can drop this ASP page into other IIS websites (if ASP support is enabled) but I recommend get your Kerberos config working on a test intranet site before messing with the authentication config on live intranet sites.

This test page is also useful for testing Kerberos authentication from other web browsers like Firefox (this browser needs extra config to define what your intranet domain is and to allow NTLM and Kerberos to this domain).

<%
   DIM userID, agent, ip
   Dim AuthMethod
   Dim AuthType
   Dim AuthLength
   Dim AuthOther

   ' Get the authentication method being used.
   userID= Request.ServerVariables("LOGON_USER")
   agent = Request.ServerVariables("http_user_agent") 
   ip = Request.ServerVariables("REMOTE_ADDR") 

   Response.Write "IIS connection test page"
   
   Response.Write " User Id = " & userID
   Response.Write " Agent string = " & agent
   Response.Write " Remote IP = " & ip
   Response.Write " UNC = " & Request.ServerVariables("APPL_PHYSICAL_PATH")
   Response.Write " Time = " & Now() & "</br>"

   ' Get the authentication method being used.
   AuthMethod = Request.ServerVariables("AUTH_TYPE")

   ' Get the length of the HTTP_Authorization header (to determine Kerberos or NTLM).
   AuthLength = Request.ServerVariables ("HTTP_Authorization")

   ' If some other authentication method (other than Negotiate) is used, call it "Other".
   If LTrim(RTrim(AuthMethod)) <> "Negotiate" Then AuthOtherMethod

   ' If Negotiate is used, go straight to the subroutine to handle it.
   If LTrim(RTrim(AuthMethod)) = "Negotiate" Then AuthNegotiateMethod

   Sub AuthOtherMethod()
   	' Because anonymous authentication will be blank, be sure that you realize that it is enabled to the following:
   	If LTrim(RTrim(AuthMethod)) = "" Then AuthMethod = "Anonymous"	
   	Response.Write "The user was logged in using the " & AuthMethod & " authentication method." 
   	Response.Write "    If you were expecting a different method to be used," 
   	Response.Write " please check the settings for the resource you are accessing. Remember, selecting" 
   	Response.Write " multiple authentication methods, or allowing anonymous access can result in a " 
   	Response.Write " different method being used." 
   End Sub 

Sub AuthNegotiateMethod() 
   	' Typically, NTLM yields a 150 - 300 byte header, while Kerberos is more like 5000 bytes. 
   	If LEN(AuthLength) > 1000 Then AuthType = "Kerberos" 
   	If LEN(AuthLength) < 1000 Then AuthType = "NTLM" 
	Response.Write "The Negotiate method was used!" ' Indicate the authentication method that is used to authenticate the user (and show a warning about the script). 
	Response.Write "The user was logged on using " & AuthType & "." 
	Response.Write "    If you do use refresh, <b>Kerberos</b> will always show up as <b>NTLM</b>." 
	Response.Write " This is because the HTTP_Authorization header is being used to determine the authentication method used." 
	Response.Write " Since the second request is technically unauthenticated, the length is zero. Please open a new browser" 
	Response.Write " for any subsequent requests. " 
End Sub %&gt;

If Kerberos is working your test page will look like this.

IIS connection test page
User Id = DOMAIN\userID
Agent string = Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Remote IP = 172.16.1.2
UNC = \\mycompany.com\it\live\mywebsite\
Time = 31/12/2014 10:02:25
The <b>Negotiate</b> method was used!
The user was logged on using <b>Kerberos</b>

Blackberry (BES) MDS config

Follow the admin guides.  Note: this file is weirdly case sensitive
c:\program files(x86)\Research in Motion\Blackberry Enterprise Server\MDS\Servers\instance\config\krb5.conf

[libdefaults]
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc ; rc4-hmac
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc ; rc4-hmac

[realms]
    # change COMPANY.COM to your Kerberos realm
    # change KDC:88 to the hostname:port of KDC
    COMPANY.COM = {
        kdc = domaincontroller.company.com:88
     }

BES Configuration

Pull rules
These are Java Regular Expressions that describe inTRAnet sites for which BES will attempt automatic kerberos authentication. They’re like filters for classifying types of websites. You want BES to bypass proxy for intranet sites to attempt Kerberos authentication.

*\.mycompany.com.*
fully qualified domain names for intranet sites

[^.]+/.*
http:// and a forward slash followed by anything. Shortnames for intranet site web pages

[^.]+
http:// and no slash. Shortnames for intranet site roots

Good for Enterprise configuration

See Good admin docs for Kerberos config.  Update the krb5.ini file

[libdefaults]
default_realm = MYCOMPANY.COM
[realms]
MYCOMPANY.COM = {
kdc = DC1.MYCOMPANY.COM:88
kdc = DC2.MYCOMPANY.COM:88
kdc = DC3.MYCOMPANY.COM:88
kdc = DC4.MYCOMPANY.COM:88
admin_server = DC1.MYCOMPANY.COM
admin_server = DC2.MYCOMPANY.COM
admin_server = DC3.MYCOMPANY.COM
admin_server = DC4.MYCOMPANY.COM
default_domain = MYCOMPANY.COM
}
[domain_realm]
.mycompany.com = MYCOMPANY.COM
mycompany.com = MYCOMPANY.COM

Configure Service Principle Names (SPNs) for intranet websites

Do not use setspn.exe -a (this can introduce duplicate SPNs). Use setspn.exe -s instead to search first before adding.
If the IIS pool is running as a service account then use that in the SPN. If the website is running as system then use the machine account. Setup SPNs for fully qualified domain names and shortnames if these are still used in your organisation (check IIS website bindings to see what site names are used).
If DNS aliases point to machine name then you don’t need additional SPNs. But if you’ve made A records pointing to website IP address then you will need SPNs (as far as I can remember).

setspn.exe -s http/%computername% domain\websiteServiceAccount
setspn.exe -s http/%computername%.mycompany.com domain\websiteServiceAccount

It’s quite difficult to get everything lined up so I recommend change one thing at a time, test often and keep notes. Good luck!!

This post is partly from memory so send me feedback if anything isn’t quite right.

 


Find more IT Infrastructure tips at www.alexmags.com

Leave a Reply