Users cannot send e-mail messages from a Blackberry mobile device through Exchange server

Author: peter.stilgoe

Active Directory users can receive email but not send through their Blackberry device

Granting the Full Mailbox Access permission implicitly granted permission to send as the mailbox owner. This meant that another account that has the Full Mailbox Access permission could send e-mail messages that appeared as if they were sent by the mailbox owner.

Many Microsoft Exchange customers have requested that Send As permission be separated from the Full Mailbox Access permission for the following two reasons:

• To deter e-mail spoofing.
• To make sure that e-mail messages that are sent by a delegate can always be clearly distinguished from e-mail messages that are sent by the actual mailbox owner.

All new versions of the Exchange Information Store will now explicitly require the Send As permission in order to send e-mail messages as the mailbox owner.

To give the BlackBerry Enterprise Server service account the Send As permission it now needs, so that users can send e-mail from their BlackBerry devices, follow the steps below:

Task 1:

Make sure that the BlackBerry Enterprise Server is running as a separate, unique account
Make sure that the BlackBerry Enterprise Server is running as a separate account that is specifically created for administrative tasks. By default, this account is called “BESAdmin.”

If you have a separate account for administering the BlackBerry Enterprise Server, go to task 2.

If you do not have a separate account, create a separate account. Then, use this account to perform administrative tasks. For instructions about how to do this, visit one of the following BlackBerry Web sites, as appropriate for the version of BlackBerry Enterprise Server that you are running.

If you are running BlackBerry Enterprise Server 4.0 or BlackBerry Enterprise Server 4.1, visit the following BlackBerry Web site:
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=9174704&sliceId=&dialogID=11024244&stateId=1 0 11020632

If you are running BlackBerry Enterprise Server 3.6, visit the following BlackBerry Web site:
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB04334&sliceId=SAL_Public&dialogID=11016727&stateId=1 0 11020358

Task 2:

Make sure that the BlackBerry Enterprise Server service account has the correct permissions
Verify that the BlackBerry Enterprise Server service account has the correct permissions.

Note: If the account is within a domain, make sure that the account is a member of only the Domain Users group. On a domain controller, the account should be a member of the Built-in Administrators group.

1. On the BlackBerry Enterprise Server, follow these steps:

a. Make sure that the account is a member of the local Administrators group.
b. Assign “Log on Locally” and “Log on as a Service” permissions to the account.

2. Grant Exchange View-Only Administrator permissions at the administrative group level. To do this, follow these steps:

a. In Exchange System Manager, right-click the first Exchange Server administrative group name, and then click Delegate Control.
b. Notice that the BlackBerry Enterprise Server service account is listed as having the role of Exchange View-Only Administrator.

3. Grant “Send As,” “Receive As,” and “Administer Information Store” permissions at the server level for each Exchange server. To do this, follow these steps:

a. In Exchange System Manager, right-click the first Exchange Server administrative group name, and then expand the Servers group.
b. Right-click an Exchange server, click Properties, and then click Security.
c. In the top pane, select the BlackBerry Enterprise Server service account. In the bottom pane, make sure that the “Send As,” “Receive As,” and “Administer Information Store” permissions are set to Allow.
d. Repeat steps 3b and 3c for each Exchange server.

4. Grant “Send As,” “Receive As,” and “Administer Information Store” permissions to the mailbox store. To do this, follow these steps:

a. In Exchange System Manager, right-click the first Exchange administrative group name, and then expand the Servers group.
b. Expand the first mailbox store group, right-click each mailbox store, click Properties, and then click Security.
c. In the top pane, select the BlackBerry Enterprise Server service account. In the bottom pane, make sure that the “Send As,” “Receive As,” and “Administer Information Store” permissions are set to Allow.
d. Repeat steps 4b and 4c for each mailbox store on each Exchange server.

5. In the Active Directory Users and Computers snap-in, follow these steps:

a. Right-click the user for which you want to add permissions, and then click Properties.
b. On the Security tab, add the BlackBerry Enterprise Server service account, and then click to select the Send As check box.

If you are not running Exchange Server 2003, see task 3.

Task 3:

Clear the cache on the BlackBerry Enterprise Server

The Information Store caches permissions, so the newly added Send As permission is not picked up until it is cleared. Restart the Microsoft Exchange Information Store service, and after it is back up restart the RIM BlackBerry-related services, so that the “BESAdmin” account connects with the new Send As permission on the Information Store.

If you are an administrator in the domain (i.e. a member of a protected group whose ACL Active Directory periodically resets from the AdminSDHolder object), you also need to do the following:

(Note: Microsoft does not recommend doing the following, but their best practice isn’t very usable for many BlackBerry / Exchange users who are also admins for their Active Directory.)

Run the following command on a DC:

dsacls "cn=AdminSDHolder,cn=System,dc=domain,dc=com" /G "domain.com\BESAdmin:CA;Send As"

Replace dc=domain,dc=com and domain.com with YOUR domain.

The dsacls tool is not installed by default, but you can download it from here:

http://www.microsoft.com/downloads/thankyou.aspx?familyId=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d&displayLang=en

Also, if you have trouble executing the above command, it is probably because you are specifying the LDAP path incorrectly. You can download a free tool from http://www.ldapadministrator.com that lets you browse to the AdminSDHolder object; the tool bar then shows the exact distinguished name to use in the dsacls command above.
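The dsacls change above is worth auditing afterwards: whatever is granted on AdminSDHolder is copied by the SDProp process onto every protected account (adminCount=1), so the service account ends up with Send As over all of them, not just the one BlackBerry user. The following PowerShell script is an added example and not part of the original post; it uses the ActiveDirectory module (Get-ADDomain, Get-ADUser, Get-Acl on the AD: drive), assumes the service account is called BESAdmin as in the post, and reports (1) who holds Send As on AdminSDHolder, (2) which protected accounts inherit that grant, and (3) which mailbox users still lack a per-user Send As grant to BESAdmin from task 2, step 5. The GUID is the well-known schema identifier of the Send-As extended right; the mailNickname filter assumes the Exchange schema extensions are present.

```powershell
# Added example (not from the original post): audit the Send As grants created by
# the procedure above. Assumes the ActiveDirectory module is installed, the caller
# can read object security, and the BES service account is named BESAdmin.
Import-Module ActiveDirectory

# Well-known schema GUID of the Send-As extended right.
$SendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'

function Get-SendAsGrants {
    # Return the Allow ACEs on an AD object that grant the Send As extended right
    # (either the specific right or the "all extended rights" empty GUID).
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [Guid]::Empty)
    }
}

$domain          = Get-ADDomain
$adminSdHolderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$besAdmin        = "$($domain.NetBIOSName)\BESAdmin"   # assumed account name

# 1. Principals holding Send As on AdminSDHolder. Anything listed here is pushed
#    by SDProp onto every protected account, so review unexpected entries.
"Send As grants on AdminSDHolder:"
Get-SendAsGrants -DistinguishedName $adminSdHolderDn |
    Select-Object IdentityReference, ObjectType, IsInherited |
    Format-Table -AutoSize

# 2. Protected accounts that inherit the AdminSDHolder ACL (adminCount=1).
"Protected accounts affected by the AdminSDHolder grant:"
Get-ADUser -LDAPFilter '(adminCount=1)' |
    Select-Object -ExpandProperty SamAccountName

# 3. Mail-enabled users and whether BESAdmin holds Send As directly on them
#    (task 2, step 5). Users showing False cannot send from the device.
"Per-user Send As grants to ${besAdmin}:"
Get-ADUser -Filter 'mailNickname -like "*"' | ForEach-Object {
    $grants   = Get-SendAsGrants -DistinguishedName $_.DistinguishedName
    $hasGrant = $grants | Where-Object { $_.IdentityReference.Value -ieq $besAdmin }
    [PSCustomObject]@{
        User           = $_.SamAccountName
        BESAdminSendAs = [bool]$hasGrant
    }
} | Format-Table -AutoSize
```

Run it from a domain-joined machine as an account that can read the ACLs. Section 1 is the one to re-run periodically: a Send As ACE for any principal other than the ones you placed there deliberately means someone can send mail as every domain administrator, which is exactly the spoofing risk the permission split was introduced to close.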

All should work fine now!
