Configure constrained delegation for the Microsoft Active Directory account to support single sign-on
To support single sign-on, you need to configure constrained delegation for the Microsoft Active Directory account that you create. Constrained delegation allows the browser to use the credentials of the user to authenticate with Microsoft Active Directory.
For more information about configuring constrained delegation for the Microsoft Active Directory account, visit www.blackberry.com/go/kbhelp to read article KB34183.
1. At a command prompt, use the setspn command to add the following SPNs for the consoles to the Microsoft Active Directory account:
Deployment: Installed all BlackBerry Enterprise Service 10 components on a single computer
SPNs to create:
- HTTP/<computer_FQDN>
- BASPLUGIN111/<computer_FQDN>

Deployment: Installed the administration consoles on a separate computer from the BlackBerry Enterprise Service 10 core components
SPNs to create:
- HTTP/<console_computer_FQDN>
- HTTP/<core_computer_FQDN>
- BASPLUGIN111/<console_computer_FQDN>
- BASPLUGIN111/<core_computer_FQDN>

Deployment: Created a BlackBerry Administration Service pool
SPNs to create:
- HTTP/<console_computerA_FQDN>
- HTTP/<console_computerB_FQDN>
- If you installed core components on a separate computer, HTTP/<core_computer_FQDN>
- HTTP/<BAS_pool_FQDN>
- BASPLUGIN111/<console_computerA_FQDN>
- BASPLUGIN111/<console_computerB_FQDN>
- If you installed core components on a separate computer, BASPLUGIN111/<core_computer_FQDN>
- BASPLUGIN111/<BAS_pool_FQDN>

Deployment: Configured high availability by installing active and standby instances of core components
SPNs to create:
- HTTP/<active_core_computer_FQDN>
- HTTP/<standby_core_computer_FQDN>
- If you installed the consoles on a separate computer, HTTP/<console_computer_FQDN>
- If you created a BlackBerry Administration Service pool, HTTP/<BAS_pool_FQDN>
- BASPLUGIN111/<active_core_computer_FQDN>
- BASPLUGIN111/<standby_core_computer_FQDN>
- If you installed the consoles on a separate computer, BASPLUGIN111/<console_computer_FQDN>
- If you created a BlackBerry Administration Service pool, BASPLUGIN111/<BAS_pool_FQDN>
For example:
- setspn -F -S BASPLUGIN111/<FQDN_of_BAS_pool_name> <domain_name>\<user_name>. For example, setspn -F -S BASPLUGIN111/BASconsole104.example.com EXAMPLE\ldapreader
- setspn -F -S HTTP/<FQDN_of_BAS_pool_name> <domain_name>\<user_name>. For example, setspn -F -S HTTP/BASconsole104.example.com EXAMPLE\ldapreader
You must ensure that the SPNs are not duplicated in the Microsoft Active Directory forest.
2. If you create separate sub-pools of BlackBerry Administration Service instances and BES10 Self-Service instances in the BlackBerry Administration Service pool, add the HTTP/<BAS_pool_FQDN> SPN for each sub-pool to the Microsoft Active Directory account.
3. Configure the Microsoft Active Directory account for constrained delegation using the following settings:
- Trust this user for delegation to specific services only
- Use Kerberos only
- In the Microsoft Active Directory account properties, on the Delegation tab, add the SPNs that you created in steps 1 and 2 to the list of services.
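The three steps above carried out from PowerShell instead of the Delegation tab, as an added example that is not part of the BlackBerry documentation. It covers the "created a BlackBerry Administration Service pool" row of the table with the core components on a separate computer; the host names, the pool FQDN and the account name are constructed placeholders. The script registers the SPNs with the same forest-wide duplicate check the setspn examples use, runs an independent duplicate scan, and then sets the account to "Trust this user for delegation to specific services only" with "Use Kerberos only", which in the directory means populating msDS-AllowedToDelegateTo and leaving both userAccountControl delegation flags clear.

```powershell
# Added example; not part of the BlackBerry documentation. Host names, the pool
# FQDN and the account name below are constructed placeholders for a deployment
# with a two-node BlackBerry Administration Service pool and the core components
# installed on a separate computer.
Import-Module ActiveDirectory

$Domain  = 'EXAMPLE'        # NetBIOS domain name (placeholder)
$Account = 'ldapreader'     # sAMAccountName of the service account (placeholder)
$Hosts   = @(
    'BASconsoleA.example.com',     # console computer A
    'BASconsoleB.example.com',     # console computer B
    'BEScore.example.com',         # core components on a separate computer
    'BASconsole104.example.com'    # FQDN of the BlackBerry Administration Service pool
)

# The deployment table asks for one HTTP and one BASPLUGIN111 SPN per host.
$Spns = foreach ($h in $Hosts) { "HTTP/$h"; "BASPLUGIN111/$h" }

# Register each SPN on the account. -S makes setspn refuse an SPN that is already
# registered elsewhere, and -F widens that duplicate check to the whole forest.
foreach ($spn in $Spns) {
    & setspn.exe -F -S $spn "$Domain\$Account"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn did not register $spn; find its current owner with: setspn -F -Q $spn"
    }
}

# Independent check that no SPN is registered twice anywhere in the forest.
& setspn.exe -X -F

# "Trust this user for delegation to specific services only" + "Use Kerberos only":
# the allowed target services live in msDS-AllowedToDelegateTo, and the two
# userAccountControl delegation flags stay clear (TrustedToAuthForDelegation set
# would correspond to "Use any authentication protocol"). -Replace keeps the list
# exactly equal to $Spns, so the script can be re-run safely.
Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$Spns }
Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Verify the result: SPN list, delegation targets, and the two userAccountControl bits.
$u = Get-ADUser -Identity $Account -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl
$TrustedForDelegation       = [bool]($u.userAccountControl -band 0x80000)    # TRUSTED_FOR_DELEGATION
$TrustedToAuthForDelegation = [bool]($u.userAccountControl -band 0x1000000)  # TRUSTED_TO_AUTH_FOR_DELEGATION
[pscustomobject]@{
    Account                    = $u.SamAccountName
    ServicePrincipalNames      = $u.servicePrincipalName -join ', '
    AllowedToDelegateTo        = $u.'msDS-AllowedToDelegateTo' -join ', '
    TrustedForDelegation       = $TrustedForDelegation        # expected: False
    TrustedToAuthForDelegation = $TrustedToAuthForDelegation  # expected: False
}
```

Two practical points when checking the result against the GUI: the Delegation tab only appears in Active Directory Users and Computers once the account has at least one SPN registered, so run the setspn step first; and writing msDS-AllowedToDelegateTo requires the "Enable computer and user accounts to be trusted for delegation" right (SeEnableDelegationPrivilege), which domain administrators hold by default, so the script must run under such an account.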