  1. Xayinn (Thread Author)   #1

    BES10 and AD user account password change

    Hi,

    At the moment, I have a BES5 in my organisation, but we're looking at the possibility to upgrade to BES10 / BB10.
    We're also using Microsoft Exchange and Active Directory. The IT department has set a policy that users must change their password every month.
    For our existing Blackberries, this is not a problem, because (if what I've read is true) it's the BES5 Service Account that accesses the user's mailbox, so a password change of the user account is not relevant, and their Blackberry just keeps working, without the need to enter the new password or anything.
    We also have some iOS devices here and there, but they're a real nightmare, because they're locking out user accounts every single month, due to saved passwords on the device!

    Now I was wondering, since BB10 also uses the ActiveSync protocol, how do those devices react to password changes?
    I suppose that, if they aren't connected to the BDS, they can also cause account lockouts, but what if they are?
    Is the BDS accessing the mailboxes with the Service Account, like BES5, or does it simply provide the information (username, domain, etc.) to set up an ActiveSync session directly to Exchange (thus completely bypassing the BDS)?

    Much appreciated if anyone can clear this up!
  2. oufc_gav   #2

    The BDS does not access the mailbox. Your device is talking direct via ActiveSync (via a BDS tunnel).
    Like any ActiveSync device you should get prompted to enter the new one as the existing one is now 'incorrect'. It can be problematical though, mainly because if the password expires and the user is only on the ActiveSync device the user does not know the password is expired (only 'incorrect') and will just re-enter their existing password (often repeatedly until lockout). You cannot change the password via ActiveSync.
    Thanked by:
    Xayinn (02-25-2013) 
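
The lockout pattern described in post #2 (a device re-sending a stale password until the account locks) can be spotted in the IIS logs of the Exchange ActiveSync virtual directory. The following is an added example, not code from any poster in this thread; it assumes the plain-text EAS query-string form (`User`, `DeviceId`, `DeviceType`), and the log lines, device IDs and function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample, not real traffic: IIS W3C log lines for the Exchange
# ActiveSync virtual directory, assuming the plain-text query-string form.
EAS = "POST /Microsoft-Server-ActiveSync/default.eas"
SAMPLE_LOG = f"""\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2013-02-25 07:55:10 {EAS} User=jdoe&DeviceId=APPLAAAA0002&DeviceType=iPhone&Cmd=Sync 10.0.0.22 200
2013-02-25 08:00:01 {EAS} User=jdoe&DeviceId=BB10AAAA0001&DeviceType=BlackBerry&Cmd=Sync 10.0.0.21 200
2013-02-25 08:30:00 {EAS} User=asmith&DeviceId=ANDRAAAA0003&DeviceType=Android&Cmd=Ping 10.0.0.23 401
2013-02-25 08:30:40 {EAS} User=asmith&DeviceId=ANDRAAAA0003&DeviceType=Android&Cmd=Ping 10.0.0.23 200
2013-02-25 09:00:00 {EAS} User=jdoe&DeviceId=APPLAAAA0002&DeviceType=iPhone&Cmd=Sync 10.0.0.22 401
2013-02-25 09:01:00 {EAS} User=jdoe&DeviceId=BB10AAAA0001&DeviceType=BlackBerry&Cmd=Sync 10.0.0.21 200
2013-02-25 09:02:00 {EAS} User=jdoe&DeviceId=APPLAAAA0002&DeviceType=iPhone&Cmd=Sync 10.0.0.22 401
2013-02-25 09:04:00 {EAS} User=jdoe&DeviceId=APPLAAAA0002&DeviceType=iPhone&Cmd=Sync 10.0.0.22 401
2013-02-25 09:06:00 {EAS} User=jdoe&DeviceId=APPLAAAA0002&DeviceType=iPhone&Cmd=Sync 10.0.0.22 401
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def stale_devices(text, threshold=3):
    """Return (user, device_id, device_type, run) for devices whose most
    recent requests are an unbroken run of >= threshold HTTP 401 responses."""
    runs, kinds = Counter(), {}
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith("/microsoft-server-activesync"):
            continue
        query = parse_qs(rec["cs-uri-query"])
        key = (query.get("User", ["?"])[0].lower(), query.get("DeviceId", ["?"])[0])
        kinds[key] = query.get("DeviceType", ["?"])[0]
        if rec["sc-status"] == "401":
            runs[key] += 1   # another rejected credential from this device
        else:
            runs[key] = 0    # any other response ends the run of failures
    return sorted((u, d, kinds[(u, d)], n) for (u, d), n in runs.items() if n >= threshold)

if __name__ == "__main__":
    for user, device, kind, run in stale_devices(SAMPLE_LOG):
        print(f"{user}: {kind} {device} has {run} consecutive 401s")
```

Keying on `DeviceId` rather than the user alone separates the one device still holding the old password from the user's other devices that were already updated.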
  3. aragone79   #3

    You can change the password by accessing the OWA website through the browser on the Z10. Your case is the same as mine.
  4. VariisNetworks   #4

    Ah, that's going to be a pain for support staff. The password dilemma continues for help desks around the world... lol
    I am a Mobile Device Management consultant, focusing primarily on BlackBerry Enterprise Server with Exchange & Lotus Domino e-mail.
  5. Xayinn (Thread Author)   #5

    Aww that's really too bad... One of the main reasons why we chose BlackBerry as smartphone platform, was because password changes didn't affect the device.

    And unfortunately, we also have a wifi network for BYODs that uses 802.1X and... domain credentials.
    And there's still the PC... with Microsoft Outlook, and Microsoft Lync, and single-sign-on intranet sites... all complaining when the saved domain password doesn't work anymore.
    This is not going to be pretty.... I think we will have to reconsider our frequent use of domain credentials....

    I don't know if it would be technically possible to implement something that resembles the old system: mailbox access via Service Account, but it sure would be very nice if it was.
  6. smoothrunnings   #6

    Originally posted by Xayinn:
        Aww that's really too bad... One of the main reasons why we chose BlackBerry as smartphone platform, was because password changes didn't affect the device.

        And unfortunately, we also have a wifi network for BYODs that uses 802.1X and... domain credentials.
        And there's still the PC... with Microsoft Outlook, and Microsoft Lync, and single-sign-on intranet sites... all complaining when the saved domain password doesn't work anymore.
        This is not going to be pretty.... I think we will have to reconsider our frequent use of domain credentials....

        I don't know if it would be technically possible to implement something that resembles the old system: mailbox access via Service Account, but it sure would be very nice if it was.

    Switch to iPhone or Android and see if that works for you...they both use ActiveSync so both will have the same problem.
  7. aragone79   #7

    Originally posted by Xayinn:
        Aww that's really too bad... One of the main reasons why we chose BlackBerry as smartphone platform, was because password changes didn't affect the device.

        And unfortunately, we also have a wifi network for BYODs that uses 802.1X and... domain credentials.
        And there's still the PC... with Microsoft Outlook, and Microsoft Lync, and single-sign-on intranet sites... all complaining when the saved domain password doesn't work anymore.
        This is not going to be pretty.... I think we will have to reconsider our frequent use of domain credentials....

        I don't know if it would be technically possible to implement something that resembles the old system: mailbox access via Service Account, but it sure would be very nice if it was.

    I think your IT and mine need to be updated. Using domain credentials is the traditional way. Better for IT to use EAP-SIM for the mobile handset or use MAC address for both mobile and workstation.

    That sounds better.
  8. Xayinn (Thread Author)   #8

    Originally posted by smoothrunnings:
        Switch to iPhone or Android and see if that works for you...they both use ActiveSync so both will have the same problem.

    I've used an HTC Desire X for a month. The browser (Chrome) was great; definitely a great improvement over my BB 9360. The large amount of apps was also nice (though I'm not really an app addict). But other than that, I wasn't very enthusiastic about it. The standard ActiveSync client is rubbish, you can't even push a profile from BES10. And I missed some key EAS features, like my memopad. Of course you can install TouchDown mail, which does support EAS profiles and memopad, but that's another 10-20$.... Also, the shady "multitasking" frustrated me: I want to close an app when I'm not planning to use it again any time soon. But Android doesn't offer that option. All apps just seem to run in the background, somehow...
    After that month, I kinda had enough of Android and took my 9360 off the shelf. According to my experience, I wouldn't advise anyone to use Android as a company phone OS.

    I don't have that much experience with iPhone, but it definitely is more CxO-proof than Android (more user-friendly, less chance that they mess something up). But it's insanely expensive (the newest one at least), and Apple isn't quite the innovator anymore (since Jobs passed away...).

    But as far as the password problem is concerned, there's no reason why I would pick iOS/Android over BlackBerry as company phone. It's just that BlackBerry lost a reason why I should pick them.


    Originally posted by aragone79:
        I think your IT and mine need to be updated. Using domain credentials is the traditional way. Better for IT to use EAP-SIM for the mobile handset or use MAC address for both mobile and workstation.

        That sounds better.

    I've never heard of EAP-SIM before. I'm gonna look into that.
    We do use MAC address authentication on a network level: when someone plugs an unknown PC in the switch, it gets rejected until the MAC address is entered in the switch by an administrator.
    The downside of MAC address authentication is that you will regularly (depending on the size of your company) get requests to add/delete MAC addresses when a new PC is installed.
    Also, MAC spoofing isn't all that hard, so it raises some security concerns as well.
  9. smilloy519   #9

    Quote:
        You can change the password by accessing the OWA website through the browser on the Z10. Your case is the same as mine.

    What do you mean by owa website?

    This problem is starting to give me headaches.

    Our IT policy forces PW changes every month like the other poster above.
    I currently only have 10 Z10s on the BES and I've gotten the question from 8 out of the 10 users as to why their devices "stopped working".

    It turns out they changed their PW on their Desktop, and the BB never prompted them to enter the up to date one, thus leaving the work portion of the device "dead".

    My problem is twofold.
    1. Why is it not prompting some users? (When I changed my PW it took 4h for the device to realize it was out of date, and then prompted for PW. During those 4h emails still worked.)
    Meanwhile just today I had this problem with 2 users. 1 had to reboot the device to get the prompt (and be allowed to change PW), the other simply got no prompt.

    2. How do I manage users who either A (don't use any form of work desktop), or B are away from their work desktop for extended periods (i.e. vacation)?
    A is fairly easy, I can just set it for the PW not to expire.
    B is going to cause issues down the line. What am I supposed to tell the owner, when he goes on vacation for a few weeks, and his PW expires while he is away? He now has no way of communicating with me other than BBM/Text/Phone etc. I would then have to change his network PW for him, then send it to him, then have him change it.
    (And that's assuming he even notices the PW expired since it doesn't seem to give prompts sometimes.)


    Little things but seem to cause the biggest headaches.
  10. AquaGoat   #10

    aragone79 was referring to the Outlook Web Application. If you set this up on your Exchange, if one of your users is away from the office when the expiry hits he can log on to the OWA with his old credentials, which will prompt him to create a new password.

    In my experience, expiring passwords never really worked well for me anyways. Joe Blow has a password and it's been compromised and we don't know yet. One month later the leak should be solved. Except Joe Blow just increments the number on the end of his password. Our friend with the stolen password isn't going to have a tough time figuring out Joe Blow's password went from daughtername12 to daughtername13.
  11. smilloy519   #11

    Quote:
        In my experience, expiring passwords never really worked well for me anyways. Joe Blow has a password and it's been compromised and we don't know yet. One month later the leak should be solved. Except Joe Blow just increments the number on the end of his password. Our friend with the stolen password isn't going to have a tough time figuring out Joe Blow's password went from daughtername12 to daughtername13.

    Or the sticky note on the monitor with their PW since the requirements for a unique PW are so outrageous the user simply can't remember it.
  12. AquaGoat   #12

    Originally posted by smilloy519:
        Or the sticky note on the monitor with their PW since the requirements for a unique PW are so outrageous the user simply can't remember it.

    On the monitor...too easy. I'll be really clever and hide it under my keyboard. No one will look there.
  13. smoothrunnings   #13

    Originally posted by AquaGoat:
        In my experience, expiring passwords never really worked well for me anyways. Joe Blow has a password and it's been compromised and we don't know yet. One month later the leak should be solved. Except Joe Blow just increments the number on the end of his password. Our friend with the stolen password isn't going to have a tough time figuring out Joe Blow's password went from daughtername12 to daughtername13.

    This is why you enforce complexity on passwords so that ones like daughtername13 are rejected by AD. Failing to enforce the complexity on passwords is a management problem, not a user one. So if Joe Blow's account is compromised management should take the fall for not properly setting up password security in their own organization.
    Thanked by:
    syselek (04-04-2013) 
  14. Sith_Apprentice   #14

    You can try the DoD route and not use AD username/pw and instead use smart card logon (or force it better yet), then you cannot use BB10 yet. :-p
    ~S_A
