Symptoms
Various BlackBerry provisioning tasks fail in Parallels Operations Automation (POA) with the error message "BESUserAdmin Error. User not authorized to perform the operation", as in the following example:
Task name: Update statuses of BlackBerry accounts for service #101
Output: Provisioning request failed. Unknown error 0x80131500 [<response><errorContext description="BESUserAdmin Error. User not authorized to perform the operation. Error code: -1." code="0x80131500" executeSeqNo="1"><errorSource namespace="BESProvider" procedure="getUser"/></errorContext></response>]
Cause
In most cases, the pem_admin account is misconfigured on the BES servers.
Resolution
To resolve the issue:
Make sure that the password of the pem_admin AD domain user has not expired.
Make sure that you can log into the BlackBerry Enterprise Server (BES) as the pem_admin AD domain user.
Make sure that you can run the BlackBerry Administration Service (BAS) while logged into the server as the pem_admin domain user.
Make sure that you can log into the BAS as pem_admin using the password of the pem_admin AD domain user.
If BAS requires you to change the password of the pem_admin user, change it to the password of the pem_admin AD domain user.
Make sure that the password expiration period of the pem_admin user in the BAS is set to a large value, not to the default 365 days:
- In the BAS, on the Servers and components menu, click BlackBerry Solution topology > BlackBerry Domain > Component view.
- Click BlackBerry Administration Service.
- Click Edit component.
- In the Security settings section, set the password age of the pem_admin user in BAS to 100 years.
- Click Save all.
Check if the pem_admin user in the BAS is included in the Administrators group and include the user in the group if necessary:
- Log in to the BAS as pem_admin.
- Go to Group > Manage groups > View group (Administrators).
- Add pem_admin to the Administrators group if the user is absent from it.
Example:
Check the log C:\Program Files\Research In Motion\BlackBerry Enterprise Server\yyyy-mm-dd\hostname_BBAS. It may contain the following error:
com.rim.bes.bas.usermanager.CouldNotFindExternalAuthenticatorIdException: Message: 'LOGIN ERROR: findExternalAuthenticatorIdLocal failed to login as LDAP user com.rim.bes.bas.pluginmanager.InvalidAuthenticationException: Message: 'LOGIN ERROR: loginAsLdapUser exception during authentication com.rim.bes.bas.util.BASCouldNotCompleteRequestRollbackException: getAuthenticationCredentialsLocal stored password could not be decrypted', nested exception: 'getAuthenticationCredentialsLocal stored password could not be decrypted'', nested exception: 'Message: 'LOGIN ERROR: loginAsLdapUser exception during authentication com.rim.bes.bas.util.BASCouldNotCompleteRequestRollbackException: getAuthenticationCredentialsLocal stored password could not be decrypted', nested exception: 'getAuthenticationCredentialsLocal stored password could not be decrypted'' at com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean.findExternalAuthenticatorIdLocal(ActiveDirectoryManagerBean.java:601)
This situation may occur if the credentials for the LDAP access account set in your BlackBerry configuration are incorrect, or if the password contains a special symbol. Please review the following article to fix the issue: http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB18161&sliceId=2&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl
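The two symptoms above can be checked with a script. The following Python code is an added example, not part of the original article or of any Parallels or BlackBerry tooling. It extracts the error fields from a POA task output and flags hostname_BBAS log entries that carry the "stored password could not be decrypted" failure. The function names and both sample inputs are assumptions constructed from the text quoted in this article.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples, shortened from the task output and log entry quoted above.
SAMPLE_TASK_OUTPUT = (
    'Provisioning request failed. Unknown error 0x80131500 [<response>'
    '<errorContext description="BESUserAdmin Error. User not authorized to '
    'perform the operation. Error code: -1." code="0x80131500" executeSeqNo="1">'
    '<errorSource namespace="BESProvider" procedure="getUser"/>'
    '</errorContext></response>]'
)
SAMPLE_BBAS_LINES = [
    "(constructed) unrelated log entry",
    "com.rim.bes.bas.usermanager.CouldNotFindExternalAuthenticatorIdException: "
    "Message: 'LOGIN ERROR: findExternalAuthenticatorIdLocal failed to login as "
    "LDAP user com.rim.bes.bas.pluginmanager.InvalidAuthenticationException: "
    "Message: 'LOGIN ERROR: loginAsLdapUser exception during authentication "
    "com.rim.bes.bas.util.BASCouldNotCompleteRequestRollbackException: "
    "getAuthenticationCredentialsLocal stored password could not be decrypted''",
]

DECRYPT_MARKER = "stored password could not be decrypted"
EXC_CLASS = re.compile(r"\bcom\.rim\.[\w.]+Exception\b")


def parse_task_output(output):
    """Return the errorContext fields from the XML embedded in a POA task output."""
    m = re.search(r"<response>.*</response>", output, re.S)
    # Refuse input with DTD or entity declarations instead of handing it to the parser.
    if m is None or "<!" in m.group(0):
        return None
    ctx = ET.fromstring(m.group(0)).find("errorContext")
    if ctx is None:
        return None
    src = ctx.find("errorSource")
    fields = {k: ctx.get(k) for k in ("code", "description")}
    for k in ("namespace", "procedure"):
        fields[k] = src.get(k) if src is not None else None
    return fields


def triage_bbas(lines):
    """Return (line number, exception chain, outermost first) per decrypt-failure entry."""
    hits = []
    for no, line in enumerate(lines, 1):
        if DECRYPT_MARKER in line:
            chain = list(dict.fromkeys(EXC_CLASS.findall(line)))
            hits.append((no, chain))
    return hits
```

A non-empty result from triage_bbas points to the LDAP access account credentials described above rather than to the pem_admin password age or group membership.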