
Protecting your organization’s resources when you configure BlackBerry Administration Service single sign-on

You can configure the BlackBerry® Administration Service so that administrators or BlackBerry® Web Desktop Manager users must log in to the BlackBerry Administration Service console or BlackBerry Web Desktop Manager using Microsoft® Active Directory® authentication. If you configure the BlackBerry Administration Service to support Microsoft Active Directory authentication in BlackBerry® Enterprise Server 5.0 SP2, you can also configure single sign-on so that administrators or users can access the BlackBerry Administration Service console or BlackBerry Web Desktop Manager directly without logging in.

If you configure single sign-on, the BlackBerry Administration Service uses the Kerberos™ protocol and constrained delegation to help protect your organization’s environment and to authenticate and authorize administrators and users. The Kerberos protocol is designed to permit the BlackBerry Administration Service to verify administrator accounts and user accounts in Microsoft Active Directory. Constrained delegation is designed to limit the resources to which the BlackBerry Administration Service can grant authenticated administrators and users access.

Architecture: BlackBerry Administration Service single sign-on

This diagram shows the elements that are described in the following text.

Components shown in the diagram:

BlackBerry® Administration Service: The BlackBerry Administration Service permits you to manage the BlackBerry Domain, which includes BlackBerry® Enterprise Server components, user accounts, and features for BlackBerry device administration.

domain controller: A domain controller is a server that authenticates and authorizes Windows® users and Windows servers in a Windows domain.

Microsoft® Active Directory®: Microsoft Active Directory is an LDAP directory that stores user information.

How BlackBerry Administration Service single sign-on uses Kerberos to help protect your organization’s resources

BlackBerry® Administration Service single sign-on implements Kerberos™ authentication, which permits the BlackBerry Administration Service to authenticate administrators and BlackBerry® Web Desktop Manager users in your organization’s network in a highly secure manner.

The BlackBerry Administration Service includes two Kerberos services that it uses to authenticate with browsers. The BlackBerry Administration Service application server and BlackBerry Administration Service web server host the Kerberos services. The BlackBerry Administration Service requires two Kerberos services so that it can authenticate the web layer and application layer. The Kerberos service that the BlackBerry Administration Service web server hosts verifies requests from browsers to access the web layer. The Kerberos service that the BlackBerry Administration Service application server hosts verifies requests from the BlackBerry Administration Service web server to access the application layer.

The Kerberos services are identified using SPNs that you create and assign to a Microsoft® Active Directory® account. You must create the Microsoft Active Directory account as a Kerberos service account in the Microsoft Active Directory domain that includes the BlackBerry Administration Service, and you must configure constrained delegation for that account. Configure constrained delegation so that the Microsoft Active Directory account trusts only the Kerberos service that the BlackBerry Administration Service application server hosts, and only when that service uses Kerberos authentication.

If your organization’s environment includes multiple Microsoft Active Directory account forests, you must configure a Microsoft Active Directory account for each account forest. However, you do not need to configure constrained delegation for the Microsoft Active Directory accounts that you configure in the account forests.

How the BlackBerry Administration Service completes Kerberos authentication

When the BlackBerry® Administration Service starts, it authenticates with the Microsoft® Active Directory® domain using the Microsoft Active Directory account. The domain controller issues the Kerberos™ keys and Kerberos service ticket for the two Kerberos services. The Kerberos keys permit the BlackBerry Administration Service to verify the Kerberos service tickets that browsers send during single sign-on.

Browsers that support Integrated Windows® authentication can obtain the Kerberos service ticket automatically for the BlackBerry Administration Service when administrators or users browse to the BlackBerry Administration Service console or BlackBerry® Web Desktop Manager.

The Kerberos service that the BlackBerry Administration Service web server hosts uses its Kerberos keys to verify the Kerberos service tickets that browsers send when they request access to the BlackBerry Administration Service console or BlackBerry Web Desktop Manager. If the Kerberos service tickets are valid, the BlackBerry Administration Service web server delegates the request to the BlackBerry Administration Service application server.

To delegate the request, the BlackBerry Administration Service web server creates a service ticket using its identity for the Kerberos service that the BlackBerry Administration Service application server hosts. When the Kerberos service that the BlackBerry Administration Service application server hosts verifies the service ticket, the BlackBerry Administration Service completes the Kerberos authentication process for the administrators or users and the administrators or users can view the BlackBerry Administration Service console home page or BlackBerry Web Desktop Manager home page.

Process flow: Accessing the BlackBerry Administration Service console and BlackBerry Web Desktop Manager when you configure BlackBerry Administration Service single sign-on

This diagram shows the elements that are described in the following process flow.

  1. An administrator or a BlackBerry® Web Desktop Manager user uses a browser to navigate to the BlackBerry® Administration Service web page (https://<BAS_pool_FQDN>/webconsole/login) or BlackBerry Web Desktop Manager web page (https://<BAS_pool_FQDN>/webdesktop/login).
  2. The BlackBerry Administration Service web server sends an HTTP Negotiate request to the browser to start single sign-on authentication.

    For more information about the HTTP Negotiate request, see http://msdn.microsoft.com/en-us/library/ms995330.aspx.

  3. The browser retrieves the ticket-granting ticket (TGT) of the administrator or user from the ticket cache on the computer that the administrator or user is using.

    The browser uses the TGT to request the service ticket for the BlackBerry Administration Service web server (which is named HTTP/<BAS_pool_FQDN>) from the domain controller.

  4. The domain controller provides the browser with the service ticket for the BlackBerry Administration Service web server.
  5. The browser sends the service ticket to the BlackBerry Administration Service web server in response to the HTTP Negotiate request.
  6. The BlackBerry Administration Service web server performs the following actions:
    • It validates the service ticket using the Kerberos™ key that it received from the domain controller when the BlackBerry Administration Service services started.
    • It requests a service ticket for the BlackBerry Administration Service application server (which is named BASPLUGIN111/<BAS_pool_FQDN>) on behalf of the user.
  7. The domain controller provides the BlackBerry Administration Service web server with the service ticket for the BlackBerry Administration Service application server.
  8. The BlackBerry Administration Service web server sends the service ticket to the BlackBerry Administration Service application server.
  9. The BlackBerry Administration Service application server performs the following actions:
    • It validates the service ticket using the Kerberos key that it received from the domain controller when the BlackBerry Administration Service services started. If the service ticket is valid, the administrator or user is authenticated successfully with the BlackBerry Administration Service using Kerberos.
    • It checks if the administrator or user is a BlackBerry device user or a BlackBerry Administration Service administrator.
    • It checks the role of the administrator or user and assigns the administrator or user the permissions that are associated with the role.
    • It sends a security session to the BlackBerry Administration Service web server for the administrator or user.
  10. The BlackBerry Administration Service web server redirects the administrator or user to the BlackBerry Administration Service console home page or BlackBerry Web Desktop Manager home page.
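The constrained delegation requirements described above and the two SPNs named in the process flow can be verified together on the Kerberos service account. The following PowerShell audit is an added example and is not part of the BlackBerry documentation; it assumes the ActiveDirectory module is installed, and the account name and pool FQDN are placeholders for your own values.

```powershell
# Added example (not from the BlackBerry documentation): audits the Microsoft
# Active Directory account that BlackBerry Administration Service single sign-on
# uses for Kerberos, against the requirements stated in this article.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-bas-kerberos'      # placeholder: your BAS Kerberos service account
$BasPoolFqdn    = 'bas-pool.example.com'  # placeholder: your <BAS_pool_FQDN>

# The two Kerberos services (web layer and application layer) identified by SPN
$ExpectedSpns = @("HTTP/$BasPoolFqdn", "BASPLUGIN111/$BasPoolFqdn")

$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName, `
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

$findings = @()

# 1. Both SPNs must be registered, or browsers cannot obtain the service tickets
foreach ($spn in $ExpectedSpns) {
    if ($acct.servicePrincipalName -notcontains $spn) {
        $findings += "Missing SPN: $spn"
    }
}

# 2. Unconstrained delegation must be off; the article requires constrained delegation
if ($acct.TrustedForDelegation) {
    $findings += 'Account is trusted for unconstrained delegation'
}

# 3. Delegation targets must be only the application-server service (BASPLUGIN111/...).
#    Active Directory may store both the host-name and FQDN forms of the target,
#    so the check is on the service class rather than an exact string.
$targets = @($acct.'msDS-AllowedToDelegateTo')
if ($targets.Count -eq 0) {
    $findings += 'No constrained delegation targets configured'
}
foreach ($t in $targets) {
    if ($t -notlike 'BASPLUGIN111/*') {
        $findings += "Unexpected delegation target: $t"
    }
}

# 4. "Only when using Kerberos": protocol transition must be disabled
if ($acct.TrustedToAuthForDelegation) {
    $findings += 'Delegation allows any authentication protocol; should be Kerberos only'
}

if ($findings.Count -eq 0) { 'OK: account matches the single sign-on requirements' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

If your environment has additional account forests, run the SPN check (step 1) against the account in each forest; per the article, those accounts do not need constrained delegation, so steps 2 to 4 apply only to the account in the domain that includes the BlackBerry Administration Service.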
