Process flow: Accessing the BlackBerry Administration Service console and BlackBerry Web Desktop Manager when you configure BlackBerry Administration Service single sign-on

This diagram shows the elements that are described in the following process flow.

  1. An administrator or a BlackBerry® Web Desktop Manager user uses a browser to navigate to the BlackBerry® Administration Service web page (https://<BAS_pool_FQDN>/webconsole/login) or BlackBerry Web Desktop Manager web page (https://<BAS_pool_FQDN>/webdesktop/login).
  2. The BlackBerry Administration Service web server sends an HTTP Negotiate request to the browser to start single sign-on authentication.

    For more information about the HTTP Negotiate request, see http://msdn.microsoft.com/en-us/library/ms995330.aspx.

  3. The browser retrieves the TGT of the administrator or user from the ticket cache on the computer that the administrator or user is using.

    The browser uses the TGT to request the service ticket for the BlackBerry Administration Service web server (which is named HTTP/<BAS_pool_FQDN>) from the domain controller.

  4. The domain controller provides the browser with the service ticket for the BlackBerry Administration Service web server.
  5. The browser sends the service ticket to the BlackBerry Administration Service web server in response to the HTTP Negotiate request.
  6. The BlackBerry Administration Service web server performs the following actions:
    • It validates the service ticket using the Kerberos™ key that it received from the domain controller when the BlackBerry Administration Service services started.
    • It requests a service ticket for the BlackBerry Administration Service application server (which is named BASPLUGIN111/<BAS_pool_FQDN>) on behalf of the user.
  7. The domain controller provides the BlackBerry Administration Service web server with the service ticket for the BlackBerry Administration Service application server.
  8. The BlackBerry Administration Service web server sends the service ticket to the BlackBerry Administration Service application server.
  9. The BlackBerry Administration Service application server performs the following actions:
    • It validates the service ticket using the Kerberos key that it received from the domain controller when the BlackBerry Administration Service services started. If the service ticket is valid, the administrator or user is authenticated successfully with the BlackBerry Administration Service using Kerberos.
    • It checks if the administrator or user is a BlackBerry device user or a BlackBerry Administration Service administrator.
    • It checks the role of the administrator or user and assigns the administrator or user the permissions that are associated with the role.
    • It sends a security session to the BlackBerry Administration Service web server for the administrator or user.
  10. The BlackBerry Administration Service web server redirects the administrator or user to the BlackBerry Administration Service console home page or BlackBerry Web Desktop Manager home page.
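
To check steps 2 and 5 in a captured exchange, the following added example (not part of the original BlackBerry documentation) parses the browser's `Authorization: Negotiate` value and lists the mechanisms it names, so you can confirm that Kerberos was offered rather than NTLM, which the Negotiate scheme can also carry. The function names and the sample token are assumptions made for illustration; the sample is constructed and contains no ticket.

```python
import base64

# DER-encoded OID bodies (tag and length stripped) for the mechanisms of interest.
OIDS = {
    bytes.fromhex("2b0601050502"): "spnego",                # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "kerberos",        # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos-ms",     # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "ntlm",          # 1.3.6.1.4.1.311.2.2.10
}
# Constructed sample: SPNEGO NegTokenInit offering Kerberos, then NTLM (no mechToken).
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba0193017"
    "06092a864886f712010202060a2b06010401823702020a")).decode()

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def expect(buf, pos, want):
    tag, start, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return start, end

def offered_mechanisms(header_value):
    """Mechanisms named in an Authorization header value, preferred first."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64, validate=True)
    if tok.startswith(b"NTLMSSP\x00"):      # raw NTLM message, no GSS-API framing
        return ["ntlm"]
    start, _ = expect(tok, 0, 0x60)         # GSS-API initial context token
    s, e = expect(tok, start, 0x06)         # mechanism OID of the outer token
    outer = OIDS.get(tok[s:e], "unknown")
    if outer != "spnego":
        return [outer]                      # for example, a bare Kerberos token
    pos, _ = expect(tok, e, 0xA0)           # NegotiationToken: negTokenInit
    pos, _ = expect(tok, pos, 0x30)
    pos, _ = expect(tok, pos, 0xA0)         # mechTypes [0]
    pos, stop = expect(tok, pos, 0x30)
    mechs = []
    while pos < stop:
        s, pos = expect(tok, pos, 0x06)
        mechs.append(OIDS.get(tok[s:pos], "unknown"))
    return mechs
```

A result whose first entry is `ntlm` means the browser did not obtain a service ticket for HTTP/<BAS_pool_FQDN>, so the Kerberos flow described above did not take place for that request.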
