Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry Web Desktop Manager
If you configure the BlackBerry® Administration Service to support Microsoft® Active Directory® authentication, you can turn on single sign-on authentication. Single sign-on authentication permits you to access the BlackBerry Administration Service and BlackBerry device users to access the BlackBerry Web Desktop Manager without requiring that you or the users type a Microsoft Active Directory user name and password. By default, if you log in to the BlackBerry Administration Service or users log in to the BlackBerry Web Desktop Manager using Microsoft Active Directory authentication, the browser prompts you or the users to type a Microsoft Active Directory user name and password. If you turn on single sign-on authentication, and you log in to a computer using a Microsoft Active Directory account, you can bypass the login screen and access the BlackBerry Administration Service and BlackBerry Web Desktop Manager directly. The BlackBerry Monitoring Service does not support single sign-on authentication.
Before you turn on single sign-on, you must configure constrained delegation for the Microsoft Active Directory account for the BlackBerry Administration Service.
Configure constrained delegation for the Microsoft Active Directory account to support single sign-on authentication
- Use the Windows Server® ADSI Edit tool to add the following SPNs for the BlackBerry® Administration Service pool to the Microsoft® Active Directory® account:
- If you create separate pools of BlackBerry Administration Service instances and BlackBerry Web Desktop Manager instances in the BlackBerry Administration Service pool, add the HTTP/<BAS_pool_FQDN> SPN for each pool to the Microsoft Active Directory account.
- Configure the Microsoft Active Directory account for constrained delegation using the following settings:
- In the Microsoft Active Directory account properties, on the Delegation tab, add BASPLUGIN111/<BAS_pool_FQDN> to the list of services.
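The same SPN registration and constrained-delegation setup, done with the ActiveDirectory PowerShell module instead of ADSI Edit, followed by a check that the account is constrained to the BASPLUGIN111 service and not trusted for unconstrained delegation. This is an added example, not from the BlackBerry documentation; the account name BESAdmin and the pool FQDN bas.example.local are assumed placeholders.

```powershell
# Added example (not BlackBerry's own procedure): configure and verify the
# BlackBerry Administration Service account for single sign-on.
# Assumed values: sAMAccountName 'BESAdmin', <BAS_pool_FQDN> 'bas.example.local'.
Import-Module ActiveDirectory

$account  = 'BESAdmin'            # assumed: the BAS service account
$poolFqdn = 'bas.example.local'   # assumed: <BAS_pool_FQDN>
$spns     = @("HTTP/$poolFqdn", "BASPLUGIN111/$poolFqdn")
$target   = "BASPLUGIN111/$poolFqdn"

# 1. Register the pool SPNs on the account (the servicePrincipalName attribute
#    that ADSI Edit exposes). Repeat for each BAS/BWDM pool FQDN if you use several.
Set-ADUser -Identity $account -ServicePrincipalNames @{Add = $spns}

# 2. Constrained delegation: the Delegation tab's "trust this user for delegation
#    to specified services only" list is the msDS-AllowedToDelegateTo attribute.
Set-ADUser -Identity $account -Add @{'msDS-AllowedToDelegateTo' = $target}

# 3. Verify the result. TrustedForDelegation reports *unconstrained* delegation,
#    which SSO for BAS does not need and which should remain False.
function Test-BasDelegation {
    param([string]$Identity, [string[]]$ExpectedSpns, [string]$ExpectedTarget)
    $u = Get-ADUser -Identity $Identity `
        -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation
    $missing = @($ExpectedSpns | Where-Object { $u.servicePrincipalName -notcontains $_ })
    [pscustomobject]@{
        SpnsRegistered          = ($missing.Count -eq 0)
        MissingSpns             = $missing
        ConstrainedToBasPlugin  = ($u.'msDS-AllowedToDelegateTo' -contains $ExpectedTarget)
        UnconstrainedDelegation = [bool]$u.TrustedForDelegation   # expected: False
    }
}
Test-BasDelegation -Identity $account -ExpectedSpns $spns -ExpectedTarget $target

# 4. An SPN registered on two accounts breaks Kerberos ticket issuance for the
#    pool; search the forest for duplicates after adding SPNs.
setspn -X
```

Run the script as an account allowed to modify the service account; if the pool uses separate BAS and BlackBerry Web Desktop Manager instances, add the HTTP SPN of each pool FQDN to $spns.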
Turn on single sign-on authentication for the BlackBerry Administration Service
- In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution topology > BlackBerry Domain > Component view.
- Click BlackBerry Administration Service.
- On the Microsoft® Active Directory® authentication tab, click Edit component.
- In the Login domain section, in the Single sign-on authentication for BlackBerry Administration Service turned on drop-down list, click Yes.
- To configure the Microsoft® Active Directory® account for each forest, in the Account forest name section, type the user domain name, user name, and password for the Microsoft Active Directory account.
- Click Save all.
- In Windows® Services, restart all of the BlackBerry® Enterprise Server services.
- Instruct all administrators and device users to add the web addresses for the BlackBerry Administration Service and BlackBerry® Web Desktop Manager to the list of web sites in the local intranet zone of their browsers, and to install the certificate for the BlackBerry Administration Service or BlackBerry Web Desktop Manager in the certificate store of their computers.
BlackBerry Administration Service web addresses and BlackBerry Web Desktop Manager web addresses that support BlackBerry Administration Service single sign-on
For example, the security policies in your organization might require that administrators log in using BlackBerry Administration Service single sign-on while BlackBerry Web Desktop Manager users log in using IBM® Lotus Notes® user names and passwords. In this scenario, you can instruct administrators to log in to the BlackBerry Administration Service console using the web address https://<BAS_pool_FQDN>/webconsole/login and instruct BlackBerry Web Desktop Manager users to log in to BlackBerry Web Desktop Manager using the web address https://<BAS_pool_FQDN>/webdesktop/app.