Symptoms

Various BlackBerry provisioning tasks fail in Parallels Operations Automation (POA) with the error message "BESUserAdmin Error. User not authorized to perform the operation", as in the following example:

Task name    Update statuses of BlackBerry accounts for service #101
Output    Provisioning request failed. Unknown error 0x80131500 [<response><errorContext description="BESUserAdmin Error. User not authorized to perform the operation. Error code: -1." code="0x80131500" executeSeqNo="1"><errorSource namespace="BESProvider" procedure="getUser"/></errorContext></response>]

Cause

In most cases, the pem_admin account is misconfigured on the BES servers.

Resolution

To resolve the issue:

  1. Make sure that the password of the pem_admin AD domain user has not expired.

  2. Make sure that you can log into the BlackBerry Enterprise Server (BES) as the pem_admin AD domain user.

  3. Make sure that you can run the BlackBerry Administration Service (BAS) while logged into the server as the pem_admin domain user.

  4. Make sure that you can log into the BAS as pem_admin using the password of the pem_admin AD domain user.

  5. If BAS requires you to change the password of the pem_admin user, change it to the password of the pem_admin AD domain user.

  6. Make sure that the password expiration period of the pem_admin user in the BAS is set to a large value, not to the default 365 days:

    • In the BAS, on the Servers and components menu, click BlackBerry Solution topology > BlackBerry Domain > Component view.
    • Click BlackBerry Administration Service.
    • Click Edit component.
    • In the Security settings section, set the password age of the pem_admin user in BAS to 100 years.
    • Click Save all.
  7. Check if the pem_admin user in the BAS is included in the Administrators group and include the user in the group if necessary:

    • Log in to the BAS as pem_admin.
    • Go to Group > Manage groups > View group (Administrators).
    • Add pem_admin to the Administrators group (if the user is absent from the group).

  8. Check the log C:\Program Files\Research In Motion\BlackBerry Enterprise Server\yyyy-mm-dd\hostname_BBAS. It may contain the following error:

    com.rim.bes.bas.usermanager.CouldNotFindExternalAuthenticatorIdException: Message: 'LOGIN ERROR:  findExternalAuthenticatorIdLocal failed to login as LDAP user com.rim.bes.bas.pluginmanager.InvalidAuthenticationException: Message: 'LOGIN ERROR:  loginAsLdapUser exception during authentication com.rim.bes.bas.util.BASCouldNotCompleteRequestRollbackException: getAuthenticationCredentialsLocal stored password could not be decrypted', nested exception: 'getAuthenticationCredentialsLocal stored password could not be decrypted'', nested exception: 'Message: 'LOGIN ERROR:  loginAsLdapUser exception during authentication com.rim.bes.bas.util.BASCouldNotCompleteRequestRollbackException: getAuthenticationCredentialsLocal stored password could not be decrypted', nested exception: 'getAuthenticationCredentialsLocal stored password could not be decrypted''
    at com.rim.bes.basplugin.activedirectory.ActiveDirectoryManagerBean.findExternalAuthenticatorIdLocal(ActiveDirectoryManagerBean.java:601)
    

    This situation may occur if the credentials for the LDAP access account set in your BlackBerry configuration are incorrect, or if the password contains a special symbol. Please review the following article to fix the issue: http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB18161&sliceId=2&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl
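
The following added example (not part of the original article or of any POA or BES tooling) parses the task output shown under Symptoms together with a BBAS log excerpt, and reports whether to start with the pem_admin account checks in steps 1-7 or with the LDAP credential check in step 8. The function names and return labels are assumptions made for this illustration, and both sample inputs are constructed from the text quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the task output quoted in the Symptoms section.
TASK_OUTPUT = ('Provisioning request failed. Unknown error 0x80131500 [<response>'
    '<errorContext description="BESUserAdmin Error. User not authorized to perform '
    'the operation. Error code: -1." code="0x80131500" executeSeqNo="1">'
    '<errorSource namespace="BESProvider" procedure="getUser"/></errorContext></response>]')

# Constructed sample: shortened form of the BBAS log entry quoted in step 8.
BBAS_LOG = ("com.rim.bes.bas.usermanager.CouldNotFindExternalAuthenticatorIdException: "
    "Message: 'LOGIN ERROR:  findExternalAuthenticatorIdLocal failed to login as LDAP user "
    "... getAuthenticationCredentialsLocal stored password could not be decrypted'\n")

def parse_task_output(output):
    """Extract the <response> XML embedded in the task output; return its error fields."""
    match = re.search(r"<response>.*</response>", output, re.S)
    if not match:
        return None
    ctx = ET.fromstring(match.group(0)).find("errorContext")
    if ctx is None:
        return None
    src = ctx.find("errorSource")
    return {
        "description": ctx.get("description", ""),
        "code": ctx.get("code", ""),
        "namespace": src.get("namespace", "") if src is not None else "",
        "procedure": src.get("procedure", "") if src is not None else "",
    }

def triage(output, bbas_log_text=""):
    """Return a label (hypothetical) naming the part of the Resolution list to start with."""
    err = parse_task_output(output)
    if err is None or "User not authorized" not in err["description"]:
        return "not-this-article"
    if err["namespace"] != "BESProvider":
        return "not-this-article"
    # Step 8: BAS cannot decrypt the stored LDAP access account password.
    if "stored password could not be decrypted" in bbas_log_text:
        return "step-8-ldap-credentials"
    # Otherwise work through the pem_admin account checks.
    return "steps-1-7-pem_admin-account"

if __name__ == "__main__":
    print(parse_task_output(TASK_OUTPUT))
    print(triage(TASK_OUTPUT), triage(TASK_OUTPUT, BBAS_LOG))
```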
