Wednesday, June 21, 2006

BlackBerry: Problems sending messages when using Enterprise Server

Many users that are currently utilizing BlackBerry Enterprise Server are experiencing a problem sending messages. Basically the message attempts to send and comes back with a red "X". The issue is documented by BlackBerry and Microsoft, however the information provided has proven inaccurate to a degree, at least in my experience. I am happy to announce that there is a fix for the problem, one slightly different than what is suggested.

First off, a little background. If you are running Microsoft Updates on your MS Exchange Server then you are experiencing the problem. The same is true if you applied the hotfix described in "“Send As” permission behavior change in Exchange 2003", Article 895949, of the Microsoft Knowledgebase. Basically the behavior of the "Send As" feature has changed, and been torn away from the previous setting that controlled it, known as "Full Mailbox Access." According to Microsoft, the reason there is an issue to begin with is BlackBerry's installation and security assignment procedure, which improperly utilizes the "Full Mailbox Access" setting. Microsoft suggests that they are simply enforcing a security behavior that was documented a long time ago and has only now been patched.

The solution to this problem is described by Microsoft KB-912918 and BlackBerry KB-04707. (NOTE: if the BB KB article link fails, increase the last number in the h-link incrementally as new versions will have higher numbers). However, it is my view that the articles miss out on vital information. So, I've written out the procedure with additional - critical - information. The revised procedure I've used successfully is as follows:

  1. Stop the BlackBerry Router first (contrary to 04707). This prevents users from sending. If a send is made during this procedure, all changes will be undone.
  2. Go to Active Directory and REMOVE all Domain Admin / Administrator privileges from the users that have BlackBerries. If you do not, your changes will be automatically undone within 60 minutes of making them (again not documented). Currently there is no workaround.
  3. Go to the domain level and assign BESAdmin (or whatever you use) "Send As" rights (in Security Tab) to the *User Objects*, from the Advanced Button. This will propagate to most users but not all (Microsoft KB-912918 has the details).
  4. Go to the users that were Admins before and go to Properties > Security > Advanced. You will likely have to add BESAdmin to their list. When doing it, make sure to switch to USER OBJECTS first, and then check "Send As". Failure to use User Objects will be a problem, so don't miss that.
  5. Wait 20 minutes for the cache to clear and start BlackBerry Router.

This does clear up the issue; I've been able to do it successfully on multiple servers. Keep in mind that the alternative is not to do Microsoft Updates or not apply the hotfix, but then you are left with a potential security problem. It is a catch-22. In my opinion, I'd rather keep MS Update and deal with issues if they arise.

-Karl J.
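
A read-only check for steps 3 and 4 of the procedure above, added here as an example and not part of the original post: it lists users on which the BES service account still lacks "Send As", and flags accounts with `adminCount = 1`. It assumes a management host with the RSAT ActiveDirectory PowerShell module, a service account named `BESAdmin`, and that BlackBerry users can be approximated as users with a `mail` attribute; treating `adminCount = 1` (accounts whose ACL AD resets from the AdminSDHolder template) as the mechanism behind the reverts in step 2 is an inference, not something the post states.

```powershell
# Added example (not from the original post). Read-only: changes nothing in AD.
# Assumptions: RSAT ActiveDirectory module; 'BESAdmin' is the BES service
# account; BlackBerry users are approximated as users with a mail attribute.
Import-Module ActiveDirectory

$ServiceAccount = 'BESAdmin'
# rightsGuid of the Send-As extended right in the AD schema
$SendAsGuid    = [guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$SidType       = [System.Security.Principal.SecurityIdentifier]

$besSid = (Get-ADUser -Identity $ServiceAccount).SID.Value

$report = Get-ADUser -Filter 'mail -like "*"' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $user = $_
        # Explicit and inherited ACEs, with trustees returned as SIDs
        $aces = $user.nTSecurityDescriptor.GetAccessRules($true, $true, $SidType)
        # Allow ACEs granted directly to the service account that carry Send As,
        # either by name or through "all extended rights" (empty ObjectType).
        # Grants through group membership and Deny ACEs are not evaluated here.
        $sendAs = @($aces | Where-Object {
            $_.IdentityReference.Value -eq $besSid -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
            ($_.ObjectType -eq $SendAsGuid -or $_.ObjectType -eq [guid]::Empty)
        })
        [pscustomobject]@{
            User          = $user.SamAccountName
            SendAsGranted = $sendAs.Count -gt 0
            # True when at least one matching ACE was set on the object itself (step 4)
            Explicit      = [bool]($sendAs | Where-Object { -not $_.IsInherited })
            # adminCount = 1 marks accounts whose ACL is reset from AdminSDHolder
            Protected     = $user.adminCount -eq 1
        }
    }

# Rows to review: users still missing Send As, and protected accounts
# where a grant made today may be gone after the next reset.
$report |
    Where-Object { -not $_.SendAsGranted -or $_.Protected } |
    Sort-Object User |
    Format-Table -AutoSize
```

Running it once after step 5 and again more than an hour later shows whether any grant was reverted.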