Security Technical Overview


Protecting your organization’s resources when using BlackBerry MDS Connection Service integrated authentication

You can configure the BlackBerry® MDS Connection Service to support Integrated Windows® authentication so that BlackBerry device users can access the intranet or shared files from the BlackBerry® Browser or the Files application on devices. By default, if you configure the BlackBerry MDS Connection Service and users access the intranet or a shared file, the users must authenticate with your organization’s domain controller by providing their Microsoft® Active Directory® account passwords. In BlackBerry® Enterprise Server 5.0 SP2, you can configure the BlackBerry MDS Connection Service so that users are not required to type a password each time they want to access a resource.

If you configure the BlackBerry MDS Connection Service to support Integrated Windows authentication, the BlackBerry MDS Connection Service uses the Kerberos™ protocol and constrained delegation to help protect your organization’s environment and authenticate and authorize users. The Kerberos protocol is designed to permit the BlackBerry MDS Connection Service to verify user accounts in Microsoft Active Directory. Constrained delegation is designed to limit the resources that the BlackBerry MDS Connection Service can provide authenticated users access to.

If you want to configure both BlackBerry Administration Service single sign-on and BlackBerry MDS Connection Service integrated authentication, you should configure separate Microsoft Active Directory accounts for the BlackBerry Administration Service and BlackBerry MDS Connection Service.

Architecture: BlackBerry MDS Connection Service integrated authentication

This diagram shows the elements that are described in the following text.

  • BlackBerry® MDS Connection Service: The BlackBerry MDS Connection Service permits BlackBerry device users to access web content, the Internet, or your organization's intranet. It also permits applications on devices to connect to your organization's application servers or content servers for application data and updates.
  • Domain controller: A domain controller is a server that authenticates and authorizes Windows® users and Windows servers with a Windows domain.
  • Microsoft® Active Directory®: Microsoft Active Directory is an LDAP directory that stores user information.


How the BlackBerry MDS Connection Service uses Kerberos to help protect your organization's resources

BlackBerry® MDS Connection Service integrated authentication is designed to use the Kerberos™ protocol and constrained delegation to authenticate BlackBerry device users in your organization’s network in a highly secure manner. The BlackBerry MDS Connection Service authenticates with Microsoft® Active Directory® on behalf of users, verifies the users' identities, and retrieves the resource on behalf of the users.

The BlackBerry MDS Connection Service hosts a Kerberos service that permits it to verify users. To support BlackBerry MDS Connection Service integrated authentication, you must configure Microsoft Active Directory accounts in the Microsoft Active Directory domains that include the resources and configure constrained delegation for the Microsoft Active Directory accounts. To configure constrained delegation, you must configure the Microsoft Active Directory accounts to trust only the Kerberos service that is hosted by the BlackBerry MDS Connection Service.

When the BlackBerry MDS Connection Service starts, it authenticates with the Microsoft Active Directory domain using the Microsoft Active Directory account. The domain controller issues the Kerberos keys and Kerberos service ticket to the Kerberos service. The Kerberos keys permit the BlackBerry MDS Connection Service to verify the Kerberos service tickets for users.
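The constrained-delegation requirement above is the control that bounds what the service account can reach, so it is worth auditing. The following PowerShell is an added example, not part of the BlackBerry documentation or product: it assumes the ActiveDirectory module on a domain-joined administrative host, and the account name svc-bbmds and the SPN list are assumptions to be replaced with the values from your own BlackBerry MDS Connection Service configuration. It reports the account's delegation settings, compares the msDS-AllowedToDelegateTo list with the expected one, provides a function to set the list, and sweeps the domain for every account that can delegate at all.

```powershell
# Added example, not from the BlackBerry documentation or product. Assumes the
# ActiveDirectory PowerShell module on a domain-joined admin host. The account
# name and SPN list below are assumptions; substitute the values from your own
# BlackBerry MDS Connection Service configuration.
Import-Module ActiveDirectory

$MdsAccount  = 'svc-bbmds'                      # assumed: AD account the MDS Connection Service authenticates with
$ExpectedSpn = @(                               # assumed: only the services that the pull rules expose
    'HTTP/intranet.corp.example.com',
    'cifs/hr-files.corp.example.com'
)

# Report the delegation settings that matter for the MDS service account.
function Get-MdsDelegationReport {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $acct = Get-ADUser -Identity $SamAccountName -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Account                 = $acct.SamAccountName
        UnconstrainedDelegation = [bool]$acct.TrustedForDelegation        # must be False for constrained delegation
        ProtocolTransition      = [bool]$acct.TrustedToAuthForDelegation  # S4U2self; check the BES guide for whether your deployment needs it
        AllowedToDelegateTo     = @($acct.'msDS-AllowedToDelegateTo')
    }
}

# Compare the configured SPN list with the expected one and flag extra or missing entries.
function Test-MdsDelegationScope {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string[]]$Expected)
    $report  = Get-MdsDelegationReport -SamAccountName $SamAccountName
    $extra   = @($report.AllowedToDelegateTo | Where-Object { $Expected -notcontains $_ })
    $missing = @($Expected | Where-Object { $report.AllowedToDelegateTo -notcontains $_ })
    [pscustomobject]@{
        Account       = $report.Account
        Unconstrained = $report.UnconstrainedDelegation
        ExtraSpns     = $extra
        MissingSpns   = $missing
        Compliant     = (-not $report.UnconstrainedDelegation) -and ($extra.Count -eq 0) -and ($missing.Count -eq 0)
    }
}

# Set constrained delegation: replace the SPN list outright so stale entries do not linger,
# and make sure unconstrained delegation is off. Not invoked below; run it deliberately.
function Set-MdsConstrainedDelegation {
    param([Parameter(Mandatory)][string]$SamAccountName, [Parameter(Mandatory)][string[]]$Spns)
    Set-ADUser -Identity $SamAccountName -Replace @{ 'msDS-AllowedToDelegateTo' = $Spns }
    Set-ADAccountControl -Identity $SamAccountName -TrustedForDelegation $false
}

# Domain-wide sweep: every account that has a constrained list set, or has the
# TRUSTED_FOR_DELEGATION bit (0x80000 = 524288) in userAccountControl.
function Find-DelegatingAccounts {
    $filter = '(|(msDS-AllowedToDelegateTo=*)(userAccountControl:1.2.840.113556.1.4.803:=524288))'
    Get-ADObject -LDAPFilter $filter -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
        Select-Object Name, ObjectClass,
            @{ n = 'Unconstrained';        e = { ($_.userAccountControl -band 0x80000) -ne 0 } },
            @{ n = 'AllowedToDelegateTo';  e = { @($_.'msDS-AllowedToDelegateTo') -join ';' } }
}

Test-MdsDelegationScope -SamAccountName $MdsAccount -Expected $ExpectedSpn | Format-List
Find-DelegatingAccounts | Format-Table -AutoSize
```

Two things to look for in the output: the MDS account must report Unconstrained as False with no ExtraSpns, since any additional SPN widens the set of resources the service could obtain tickets for; and the domain sweep should list only the accounts you expect to delegate, because an unconstrained account anywhere in the domain undermines the limit that constrained delegation on the MDS account is meant to enforce.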


Identifying the resources that users can access using BlackBerry MDS Connection Service integrated authentication

If you configure the BlackBerry® MDS Connection Service to support the Kerberos™ protocol and constrained delegation, you must use the BlackBerry Administration Service to specify the pull rules that identify the shared files or intranet resources that you want to permit Integrated Windows® authentication for. You must assign the pull rules to groups or user accounts so that the BlackBerry MDS Connection Service can determine which user accounts to apply the pull rules to. Pull rules permit you to specify the shared files or intranet resources in your organization’s network that you want users to access from BlackBerry devices and the authentication method that you want users to use to access the shared files or intranet resources.

For information about configuring pull rules, see the BlackBerry Enterprise Server Administration Guide.


Process flow: Retrieving a resource when using BlackBerry MDS Connection Service integrated authentication

This diagram shows the elements that are described in the following process flow.
  1. The BlackBerry® device user navigates to a resource on your organization’s intranet or on a file share (for example, a web page or shared file) using the BlackBerry® Browser or Files application on the BlackBerry device.
  2. The device encrypts and compresses an HTTP request for the resource and sends the encrypted HTTP request to the BlackBerry Router using BlackBerry transport layer encryption.
  3. The BlackBerry Router forwards the encrypted HTTP request to the BlackBerry Dispatcher.
  4. The BlackBerry Dispatcher decrypts and decompresses the HTTP request and forwards the request to the BlackBerry MDS Connection Service.
  5. The BlackBerry MDS Connection Service performs the following actions:
    • verifies whether the resource is located in a Microsoft® Active Directory® domain that is configured for Integrated Windows authentication
    • checks the pull rules assigned to the user accounts and verifies that the user must use Integrated Windows authentication to access the resource
    • connects to the Microsoft Active Directory using its Microsoft Active Directory account that is configured for constrained delegation
    • retrieves the Microsoft Active Directory user name for the user from Microsoft Active Directory
    • retrieves the Kerberos™ service ticket for the user from Microsoft Active Directory using the S4U2proxy extension
    • encodes the service ticket using Base-64 encoding and adds the service ticket to the header of the HTTP request
    • resends the request for the resource to the web server or file system that hosts the resource
  6. The web server or file system returns the resource to BlackBerry MDS Connection Service.
  7. The BlackBerry MDS Connection Service forwards the resource to the BlackBerry Dispatcher.
  8. The BlackBerry Dispatcher encrypts and compresses the resource and splits it into packages and sends the packages to the BlackBerry Router.
  9. The BlackBerry Router sends the packages to the device using BlackBerry transport layer encryption.
  10. The device decrypts and decompresses the packages and displays the resource to the user.
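Step 5 is where the two controls described on this page meet: the pull rules decide whether a user must use Integrated Windows authentication for a resource, and the constrained delegation list bounds which services the KDC will issue an S4U2proxy ticket for. The following PowerShell is an added model of that decision, not BlackBerry code and not the product's actual implementation; the IWA domain list, pull rules, group names and SPNs are constructed for illustration, and the mapping from URL scheme to SPN class (HTTP for web resources, cifs for file shares) is a standard Kerberos convention that is assumed here rather than stated on the page.

```powershell
# Added example: a model of the step-5 decision, not BlackBerry code. All domain,
# pull-rule, group and SPN values below are constructed for illustration.
$IwaDomains = @('corp.example.com')             # constructed: domains configured for Integrated Windows authentication

# Constructed pull rules: URL pattern, required authentication method, and the groups they are assigned to.
$PullRules = @(
    @{ Name = 'Intranet portal'; Pattern = 'https://intranet.corp.example.com/*'; Auth = 'IntegratedWindows'; AssignedTo = @('Domain Users') },
    @{ Name = 'HR file share';   Pattern = 'file://hr-files.corp.example.com/*';  Auth = 'IntegratedWindows'; AssignedTo = @('HR') },
    @{ Name = 'Public web';      Pattern = 'https://www.example.com/*';           Auth = 'None';              AssignedTo = @('Domain Users') }
)

# Constructed: the SPNs in msDS-AllowedToDelegateTo for the MDS service account.
$AllowedToDelegateTo = @('HTTP/intranet.corp.example.com', 'cifs/hr-files.corp.example.com')

# Map a resource URL to the SPN the service ticket would be requested for (assumed convention).
function Get-TargetSpn {
    param([Parameter(Mandatory)][uri]$Uri)
    switch ($Uri.Scheme) {
        'http'  { "HTTP/$($Uri.Host)" }
        'https' { "HTTP/$($Uri.Host)" }
        'file'  { "cifs/$($Uri.Host)" }
        default { $null }
    }
}

function Get-ResourceAuthDecision {
    param([Parameter(Mandatory)][string]$Url, [Parameter(Mandatory)][string[]]$UserGroups)
    $uri = [uri]$Url

    # 5a: is the resource in a domain configured for Integrated Windows authentication?
    $inIwaDomain = $false
    foreach ($d in $IwaDomains) {
        if ($uri.Host -eq $d -or $uri.Host -like "*.$d") { $inIwaDomain = $true }
    }

    # 5b: first pull rule that matches the URL and is assigned to one of the user's groups.
    $rule = $null
    foreach ($r in $PullRules) {
        if ($rule) { break }
        if ($Url -like $r.Pattern) {
            foreach ($g in $r.AssignedTo) {
                if ($UserGroups -contains $g) { $rule = $r; break }
            }
        }
    }
    if (-not $rule) {
        return [pscustomobject]@{ Url = $Url; Decision = 'Deny'; Reason = 'no pull rule assigned to this user matches the resource' }
    }
    if ($rule.Auth -ne 'IntegratedWindows' -or -not $inIwaDomain) {
        return [pscustomobject]@{ Url = $Url; Decision = 'PassThrough'; Reason = "rule '$($rule.Name)' does not require IWA for this resource" }
    }

    # 5c-5e: the KDC only issues an S4U2proxy ticket for SPNs in the constrained list,
    # so a rule that names a host outside that list cannot be satisfied.
    $spn = Get-TargetSpn -Uri $uri
    if ($spn -and $AllowedToDelegateTo -contains $spn) {
        return [pscustomobject]@{ Url = $Url; Decision = 'Kerberos'; Reason = "request S4U2proxy ticket for $spn and attach it to the HTTP request header" }
    }
    [pscustomobject]@{ Url = $Url; Decision = 'Deny'; Reason = "target SPN '$spn' is not in msDS-AllowedToDelegateTo; the KDC would refuse the ticket" }
}

# Constructed sample requests: an HR user, then a non-HR user, then a host no rule covers.
$hrUser  = @('Domain Users', 'HR')
$devUser = @('Domain Users')
Get-ResourceAuthDecision -Url 'https://intranet.corp.example.com/news' -UserGroups $devUser
Get-ResourceAuthDecision -Url 'file://hr-files.corp.example.com/payroll/q1.xls' -UserGroups $hrUser
Get-ResourceAuthDecision -Url 'file://hr-files.corp.example.com/payroll/q1.xls' -UserGroups $devUser
Get-ResourceAuthDecision -Url 'https://www.example.com/' -UserGroups $devUser
Get-ResourceAuthDecision -Url 'https://finance.corp.example.com/' -UserGroups $hrUser
```

The last call is the instructive one: even if an administrator added a pull rule for finance.corp.example.com, the service account could not obtain a ticket for it until HTTP/finance.corp.example.com is added to msDS-AllowedToDelegateTo, which is exactly the limit the page describes constrained delegation as providing. Keeping the pull rules and the delegation list in step, and reviewing both when a resource is retired, keeps that limit meaningful.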
