Welcome to the CrackBerry Forums Create Your Account or Ask a Question Answers in 5 minutes - no registration required!
Results 1 to 23 of 23
Like Tree3Likes
  • 1 Post By AquaGoat
  • 1 Post By chasdrury
  1. Xayinn's Avatar
    CrackBerry User

    Posts
    68 Posts
    Thread AuthorThread Author   #1  

    Question BES10 and AD user account password change

    Hi,

    At the moment, I have a BES5 in my organisation, but we're looking at the possibility to upgrade to BES10 / BB10.
    We're also using Microsoft Exchange and Active Directory. The IT department has set a policy that users must change their password every month.
    For our existing Blackberries, this is not a problem, because (if what I've read is true) it's the BES5 Service Account that accesses the user's mailbox, so a password change of the user account is not relevant, and their Blackberry just keeps working, without the need to enter the new password or anything.
    We also have some iOS devices here and there, but they're a real nightmare, because they're locking out user accounts every single month, due to saved passwords on the device!

    Now I was wondering, since BB10 also uses the ActiveSync protocol, how do those devices react to password changes?
    I suppose that, if they aren't connected to the BDS, they can also cause account lockouts, but what if they are?
    Is the BDS accessing the mailboxes with the Service Account, like BES5, or does it simply provide the information (username, domain, etc.) to setup an ActiveSync session directly to Exchange (thus completely bypassing the BDS)?

    Much appreciated if anyone can clear this up!
  2. oufc_gav's Avatar
    CrackBerry User

    Posts
    88 Posts
    Global Posts
    130 Global Posts
    #2  

    Default

    The BDS does not access the mailbox. Your device is talking direct via Activesync (via a BDS tunnel).
    Like any Activesync device you should get prompted to enter the new one as the existing one is now 'incorrect'. It can be problematical though, mainly because if the password expires and the user is only on the Activesync device the user does not know the password is expired (only 'incorrect') and will just re-enter their existing password (often repeatedly until lockout). You cannot change the password via Activesync.
    Thanked by:
    Xayinn (02-25-2013) 
  3. aragone79's Avatar
    CrackBerry Addict

    Posts
    691 Posts
    #3  

    Default Re: BES10 and AD user account password change

    You can change the password by accessing the owa website through the browser at Z10. Your case is same like mine.
    sent from anywhere
    @isatbb@isatbbplg
    #mybb10
    #BB10Believe
    Blog: bb10believe.blogspot.com

    HONK! IF YOU WANT BLACKBERRY 10

    9380, Black and White Z10, LG Nexus 4, Nokia Lumia 520
  4. VariisNetworks's Avatar
    CrackBerry User

    Posts
    15 Posts
    #4  

    Default

    ah, that's going to be a pain for support staff. The password dilema continues for help desks around the world.. lol
    I am a Mobile Device Management consultant, focusing primarily on BlackBerry Enterprise Server with Exchange & Lotus Domino e-mail.
  5. Xayinn's Avatar
    CrackBerry User

    Posts
    68 Posts
    Thread AuthorThread Author   #5  

    Default

    Aww that's really too bad... One of the main reasons why we chose BlackBerry as smartphone platform, was because password changes didn't affect the device.

    And unfortunately, we also have a wifi network for BYODs that uses 802.1X and... domain credentials.
    And there's still the PC... with Microsoft Outlook, and Microsoft Lync, and single-sign-on intranet sites... all complaining when the saved domain password doesn't work anymore.
    This is not going to be pretty.... I think we will have to reconcider our frequent use of domain credentials....

    I don't know if it would be technically possible to implement something that resembles the old system: mailbox access via Service Account, but it sure would be very nice if it was.
  6. smoothrunnings's Avatar
    CrackBerry Genius

    Posts
    1,531 Posts
    Global Posts
    1,532 Global Posts
    #6  

    Default

    Quote Originally Posted by Xayinn View Post
    Aww that's really too bad... One of the main reasons why we chose BlackBerry as smartphone platform, was because password changes didn't affect the device.

    And unfortunately, we also have a wifi network for BYODs that uses 802.1X and... domain credentials.
    And there's still the PC... with Microsoft Outlook, and Microsoft Lync, and single-sign-on intranet sites... all complaining when the saved domain password doesn't work anymore.
    This is not going to be pretty.... I think we will have to reconcider our frequent use of domain credentials....

    I don't know if it would be technically possible to implement something that resembles the old system: mailbox access via Service Account, but it sure would be very nice if it was.
    Switch to iPhone or Android and see if that works for you...they both use ActiveSync so both will have the same problem.
  7. aragone79's Avatar
    CrackBerry Addict

    Posts
    691 Posts
    #7  

    Default Re: BES10 and AD user account password change

    Quote Originally Posted by Xayinn View Post
    Aww that's really too bad... One of the main reasons why we chose BlackBerry as smartphone platform, was because password changes didn't affect the device.

    And unfortunately, we also have a wifi network for BYODs that uses 802.1X and... domain credentials.
    And there's still the PC... with Microsoft Outlook, and Microsoft Lync, and single-sign-on intranet sites... all complaining when the saved domain password doesn't work anymore.
    This is not going to be pretty.... I think we will have to reconcider our frequent use of domain credentials....

    I don't know if it would be technically possible to implement something that resembles the old system: mailbox access via Service Account, but it sure would be very nice if it was.
    I think your IT and mine need to be updated. Using domain credentials are a traditional way. Better for IT to use EAP SIM for the mobile handset or use Mac address for both mobile and workstation.

    That sounds better.
    sent from anywhere
    @isatbb@isatbbplg
    #mybb10
    #BB10Believe
    Blog: bb10believe.blogspot.com

    HONK! IF YOU WANT BLACKBERRY 10

    9380, Black and White Z10, LG Nexus 4, Nokia Lumia 520
  8. Xayinn's Avatar
    CrackBerry User

    Posts
    68 Posts
    Thread AuthorThread Author   #8  

    Default

    Quote Originally Posted by smoothrunnings View Post
    Switch to iPhone or Android and see if that works for you...they both use ActiveSync so both will have the same problem.
    I've used an HTC Desire X for a month. The browser (Chrome) was great; definately a great improvement over my BB 9360. The large amount of apps was also nice (though I'm not really an app addict). But other than that, I wasn't very enthousiastic about it. The standard ActiveSync client is rubbish, you can't even push a profile from BES10. And I missed some key EAS features, like my memopad. Of course you can install TouchDown mail, which does support EAS profiles and memopad, but that's another 10-20$.... Also, the shady "multitasking" frustrated me: I want to close an app when I'm not planning to use it again any time soon. But Android doesn't offer that option. All apps just seem to run in the background, somehow...
    After that month, I kinda had enough of Android and took my 9360 out of the shelf. According to my experience, I wouldn't advice anyone to use Android as a company phone OS.

    I don't have that much experience with iPhone, but it definately is more CxO-proof than Android (more user-friendy, less chance that they mess something up). But it's insanely expensive (the newest one at least), and Apple isn't quite the innovator anymore (since Jobs passed away...).

    But what the password-problem concerns, there's no reason why I would pick iOS/Android over BlackBerry as company phone. It's just that BlackBerry lost a reason why I should pick them.


    Quote Originally Posted by aragone79 View Post
    I think your IT and mine need to be updated. Using domain credentials are a traditional way. Better for IT to use EAP SIM for the mobile handset or use Mac address for both mobile and workstation.

    That sounds better.
    I've never heard of EAP-SIM before. I'm gonna look into that.
    We do use MAC address authentication on a network level: when someone plugs an unknown PC in the switch, it gets rejected until the MAC address is entered in the switch by an administrator.
    The downside of MAC address authentication is that you will regularly (depending on the size of your company) get requests to add/delete MAC addresses when a new PC is installed.
    Also, MAC spoofing isn't all that hard, so it raises some security concerns as well.
  9. smilloy519's Avatar
    CrackBerry User

    Posts
    27 Posts
    #9  

    Default

    You can change the password by accessing the owa website through the browser at Z10. Your case is same like mine.
    What do you mean by owa website?

    This problem is starting to give me headaches.

    Our IT policy forces PW changes every month like the other poster above.
    I currently only have 10 z10s on the BES and iv gotten the question from 8 out of the 10 users as to why their devices "stopped working"

    It turns out they changed their PW on their Desktop, and the BB never prompted them to enter the up to date one, thus leaving the work portion of the device "dead".

    My problem is two fold.
    1. Why is it not prompting some users? (When i changed my PW it took 4h for the device to realize it was out of date, and then prompted for PW. During those 4h emails still worked).
    Meanwhile just today i had this problem with 2 users. 1 had to reboot the device to get the prompt (and be allowed to change PW), the other simply got no prompt.

    2. How do i manage users who either A, (dont use any form of work desktop), or B are away from their work desktop for extended periods (ie vacation).
    A is fairly easy, I can just set it for the PW not to expire.
    B is going to cause issues down the line. What am i supposed to tell the owner, when he goes on vacation for a few weeks, and his PW expires while he is away. He now has no way of communicating with me other than BBM/Text/Phone etc. I would then have to change his network PW for him, then send it to him, then have him change it.
    (And thats assuming he even notices the PW expired since it doesnt seem to give prompts sometimes.


    Little things but seem to cause the biggest headaches.
  10. AquaGoat's Avatar
    CrackBerry User

    Posts
    56 Posts
    #10  

    Default

    aragone79 was referring to the Outlook Web Application. If you set this up on your exchange, if one of your users is away from the office when the expiry hits he can log on to the OWA with his old credentials, which will prompt him to create a new password.

    In my experience, expiring passwords never really worked well for me anyways. Joe Blow has a password and it's been compromised and we don't know yet. One month later the leak should be solved. Except Joe Blow just increments the number on the end of his password. Our friend with the stolen password isn't going to have a tough time figuring out Joe Blow's password went from daughtername12 to daughtername13.
  11. smilloy519's Avatar
    CrackBerry User

    Posts
    27 Posts
    #11  

    Default

    In my experience, expiring passwords never really worked well for me anyways. Joe Blow has a password and it's been compromised and we don't know yet. One month later the leak should be solved. Except Joe Blow just increments the number on the end of his password. Our friend with the stolen password isn't going to have a tough time figuring out Joe Blow's password went from daughtername12 to daughtername13.
    Or the sticky note on the monitor with their PW since the requirements for a unique PW are so outrageous the user simply cant remember it.
  12. AquaGoat's Avatar
    CrackBerry User

    Posts
    56 Posts
    #12  

    Default

    Quote Originally Posted by smilloy519 View Post
    Or the sticky note on the monitor with their PW since the requirements for a unique PW are so outrageous the user simply cant remember it.
    On the monitor...too easy. I'll be really clever and hide it under my keyboard. No one will look there.
    green_ember likes this.
  13. smoothrunnings's Avatar
    CrackBerry Genius

    Posts
    1,531 Posts
    Global Posts
    1,532 Global Posts
    #13  

    Default

    Quote Originally Posted by AquaGoat View Post
    In my experience, expiring passwords never really worked well for me anyways. Joe Blow has a password and it's been compromised and we don't know yet. One month later the leak should be solved. Except Joe Blow just increments the number on the end of his password. Our friend with the stolen password isn't going to have a tough time figuring out Joe Blow's password went from daughtername12 to daughtername13.
    This is why you enforce complexity on passwords so that ones like daughtername13 are rejected by AD. Failing to enforce the complexity on passwords is management problem not a user one. So if Joe Blow's account is compromised management should take the fall for not properly setting up password security in their own organization.
    Thanked by:
    syselek (04-04-2013) 
  14. Sith_Apprentice's Avatar
    Mod Team Emeritus

    Posts
    10,165 Posts
    Global Posts
    10,168 Global Posts
    PIN
    Changes way too often
    #14  

    Default

    You can try the DoD route and not use AD username/pw and instead use smart card logon (or force it better yet), then you cannot use BB10 yet. :-p
    ~S_A
    All views and opinions here are my own, and do not represent any views, opinions, or official communications either actual or implied of my employer.
  15. BarrySaunders's Avatar
    CrackBerry Newbie

    Posts
    2 Posts
    #15  

    Default

    Hi there

    No real answer to your original query but I have the same issue.
    Our workforce has a large number of users that don't have a desktop at all and our support is a nightmare.

    We have deployed BES 10.1 and are supporting both Apple and BES 10 devices.

    There is good and bad news:
    Both act in a similar fashion to password changes.
    Bearing in mind that all now happens via Activesync we observed the following:
    "When changing the active directory password at a desktop, the mobile device continued to work unaffected with no prompt. We tested each hour and still no prompt - till the next day when we were prompted which confused the end-user as the two events were seemingly unrelated/unconnected. We suspect that BES went off around midnight and refreshed from the Global catalogue, found a change and caused the prompt"
    "Next time we repeated the above, we got prompted after 15 mins (device remained connected during this time) which we think is the default for Active Directory or ActiveSync ?"
    "Why the difference ? We suspect that the device lost connection in the 1st instance but can't be sure"
    "We then tried switching the device off over the weekend, changed the password and returned to be prompted on Monday morning"

    Now the good news is that this worked for the Apple (via UDS) in the same way as the BB10 device. Previously the Apple simply locked out....
    The challenge is understanding what is taking place as opposed to guessing.

    Is there anyone out there that can actually comment on how it should work (in theory) that can help me get a better understanding ?

    Thanks in advance....
  16. Sith_Apprentice's Avatar
    Mod Team Emeritus

    Posts
    10,165 Posts
    Global Posts
    10,168 Global Posts
    PIN
    Changes way too often
    #16  

    Default

    Both situations you listed above would be AD related, not BES related. If the AD password changes, the BlackBerry should stop communicating (because of ActiveSync) relatively quickly (15 minutes is about right). The fact that it took an entire day the first time means any changes likely didn't propagate through your network until that point. The BES doesnt have anything to do with this aspect of it, so for a root cause I would check your DCs. Perhaps point the BES to the primary DC instead of a child?
    ~S_A
    All views and opinions here are my own, and do not represent any views, opinions, or official communications either actual or implied of my employer.
  17. smoothrunnings's Avatar
    CrackBerry Genius

    Posts
    1,531 Posts
    Global Posts
    1,532 Global Posts
    #17  

    Default

    Quote Originally Posted by aragone79 View Post
    You can change the password by accessing the owa website through the browser at Z10. Your case is same like mine.
    Please note this feature you are talking about must be enabled by the IT Administrator on the server otherwise it doesn't work.
  18. chasdrury's Avatar
    CrackBerry Abuser

    Posts
    122 Posts
    #18  

    Default

    Use certificate authentication. Then you dont need password

    Posted via CB10
    Thanked by:
    jj482 (06-21-2013) 
    jj482 likes this.
  19. jj482's Avatar
    CrackBerry Abuser

    Posts
    162 Posts
    #19  

    Default

    Quote Originally Posted by chasdrury View Post
    Use certificate authentication. Then you dont need password

    Posted via CB10
    That's what I'm thinking. We were going to let our BES infrastructure die but I'm going to push for a POC

    My understanding is the BES can help with client certificate enrollment or at least assignment


    Posted via CB10 on my sweet Z10
  20. BarrySaunders's Avatar
    CrackBerry Newbie

    Posts
    2 Posts
    #20  

    Default

    Yup, I figure this has to do with AD or ActiveSync rather than BES.

    Did some further testing.
    Set up BES 10 UDS libary ActiveSync Profile :

    1. On the menu bar, click Library.
    2. In the Microsoft ActiveSync pane, click the + icon.
    3. In the Profile name field, type the profile name.
    4. In the Credentials drop-down list, perform one of the following actions:
    • Select None for basic authentication (for example, using a username and password).
    • For iOS devices, if you select Certificate as the authentication type and Single reference as the type of certificate
    linking, in the Certificate identifier drop-down list, select a certificate.
    • For iOS devices, if you select Certificate as the authentication type and Variable injection as the type of
    certificate linking, type the profile name of the certificate profile. For SCEP, type scep-<SCEP_profile_name>-
    %UserName% where <SCEP_profile_name> is the name of the SCEP profile. If the Microsoft ActiveSync profile is
    for one user, type the username instead of %UserName%.
    5. Type the domain name of the Microsoft ActiveSync server.
    6. In the Email address field, perform one of the following actions:
    • If the profile is for one user, type the email address of the user.
    • If the profile is for multiple users, type %UserEmailAddress%.
    7. Type the host name or IP address for the Microsoft ActiveSync server.

    Now at this point we entered the ActiveSync Server Address.
    We then forced the password change at the AD level.
    This take around 10 minutes to fully replicate in the environment.
    Using Wi-Fi the device almost immediately prompts for a password authentication - proving the AD reset has taken place.

    However, via the GSM network, it can take between 15min-24hours.....
    As a further test while waiting :
    1. Switched the device off for 15 min
    - result was that the old password continued to work until eventually prompted (up to 24 hours)

    2. Switched to Aeroplane Mode
    - Waited at least 10 min
    - Switched back and was prompted immediately for the new password

    3. No matter what, it always prompted the next day.....

    Okay, we think ActivSync is the delay although we can't find where but logically :
    AD change --> ActiveSync --> IIS (?) ---> UDS ---> Device

    Now I think that the iOS devices can't talk to AD directly ? only ActiveSync ?
    So if we could point the UDS at AD rather than ActiveSync we would avoid the delay and have a role for UDS....

    AD <----------> UDS <---------------ActiveSync------> iOS device

    Not sure of the above but it would need us to use an Active Directory server address rather than an ActiveSync Server Address in the profile definition.
    Is this what you are suggesting with the DC above ?

    Am I making any sense here ?

    Seems MobileIron, Airwatch, Maas360 etc all claim AD capability in their features...... Is this a differentiator in the scenarios above ?

    Any new ideas ?
  21. tk-093's Avatar
    CrackBerry Abuser

    Posts
    188 Posts
    Global Posts
    1,725 Global Posts
    #21  

    Default

    I know this doesn't really help your issues now, but changing your password every 30 days seems a little much, IMO. I think the Microsoft best practices guide for accounts suggests 42 days for a Medium and a High security company. We are actually doing 90 days.

    Now that BES10 has gone ActiveSync, I think Good Mobile Messaging might be the only MDM left that does the account impersonation that BES5.x did.
  22. bawoodvine's Avatar
    CrackBerry Newbie

    Posts
    1 Posts
    #22  

    Default

    Sorry, no new ideas, but will add that we are seeing this as well. On both devices through MDM and BES10 servers, so it's definitely related to ActiveSync. I've found some articles referencing delays, but nothing recent or definitive.

    We use an MDM for iOS and Android, and i can tell you that any AD integration they offer is unrelated to the email traffic or the exchange account authentication. That is still reliant on ActiveSync, so the issue has to be somewhere in the AD to ActiveSync communications. On thing to check is replication between AD sites if you have a user connected to one and changing their password, but their device using a different site for authentication. This isn't the issue for us though.

    Anyone?
  23. smoothrunnings's Avatar
    CrackBerry Genius

    Posts
    1,531 Posts
    Global Posts
    1,532 Global Posts
    #23  

    Default

    Call Microsoft PSS and ask them!

Similar Threads

  1. Unable to configure GMail account after password change
    By nmadd in forum General BlackBerry Discussion
    Replies: 18
    Last Post: 10-16-2012, 03:35 AM
  2. deleting and adding gmail account
    By rox51 in forum BlackBerry PlayBook
    Replies: 0
    Last Post: 04-03-2012, 03:14 PM
  3. New User Need Help with Adding Email accounts and Phone log
    By dsrealty in forum BlackBerry 8830 WE
    Replies: 1
    Last Post: 06-23-2009, 06:24 AM
  4. Help. Email password changed, dont' know BB user name and PW
    By trudawg in forum BlackBerry 8830 WE
    Replies: 4
    Last Post: 05-01-2009, 07:10 PM
  5. Switching BB and adding user to the old BB
    By Stevenbb in forum General BlackBerry Discussion
    Replies: 0
    Last Post: 11-25-2008, 10:09 AM

Posting Permissions