Administration Guide

Configuring Integrated Windows authentication so that users can access resources on your organization's network

To permit BlackBerry® device users to access resources on your organization's network using BlackBerry devices without requiring the users to type a user name and password each time they access the network resources, you can configure the BlackBerry MDS Connection Service to support Integrated Windows® authentication. Users can then access network resources such as intranet sites and network shared folders on their devices using the BlackBerry® Browser or Files application without typing a user name and password.

Before you configure the BlackBerry MDS Connection Service to support Integrated Windows authentication, you must create a Microsoft® Active Directory® account in each Microsoft Active Directory domain that includes resources that you want to turn on Integrated Windows authentication for. You must configure constrained delegation for the Microsoft Active Directory accounts so that they delegate access to each intranet site or network shared folder in the Microsoft Active Directory domain.

You must also configure two-way trust between the Microsoft Active Directory domain that the BlackBerry MDS Connection Service is running on and other Microsoft Active Directory domains in other forests that the BlackBerry MDS Connection Service must connect to. The S4U2proxy extension that the BlackBerry MDS Connection Service uses to retrieve the Kerberos™ service tickets for users requires a two-way trust between Microsoft Active Directory domains.

After you turn on Integrated Windows authentication and specify a Microsoft Active Directory account in the BlackBerry Administration Service, you must specify web address patterns for the network resources that you want to permit users to access, create a pull rule for the web address patterns, permit access to the web address patterns using the pull rule, and assign the pull rule to users or a group.

After you configure the BlackBerry MDS Connection Service to support Integrated Windows authentication, the BlackBerry MDS Connection Service uses the Microsoft Active Directory account to verify login information for a user and access the network resources on behalf of the user. The BlackBerry Enterprise Server Express then sends information from the network resources to the user's device.

Configuring the Microsoft Active Directory account to delegate access

Prerequisites: Configuring the Microsoft Active Directory account to delegate access to an intranet site

  • Verify that you configured Integrated Windows® authentication for the application server that hosts the intranet site.
  • Verify that the application server that hosts the intranet site and the web application that runs on the application server support Kerberos™ authentication.
  • Verify that you have permission to update the Microsoft® Active Directory® account in Microsoft Active Directory.
  • Verify that you have access to the Windows Server® setspn tool that is included with the Windows Server Support Tools. For more information about the setspn tool, visit http://technet.microsoft.com to read Setspn Overview.
  • If you have not yet configured a Microsoft Active Directory account to delegate access to an intranet site or shared folder, you must create one in Microsoft Active Directory that meets the following conditions:
    • the password meets the security requirements of your organization
    • the user is not required to change their password the next time that the user logs in
    • the user's password never expires
  • If you configured a pool of application servers to host the intranet site, and the pool is running on Microsoft® IIS and is located behind a load balancer, specify a user account (also known as the identity) for the pool that hosts the intranet site. For more information, see http://technet.microsoft.com/en-us/library/cc771170(WS.10).aspx.

Configure the Microsoft Active Directory account to delegate access to an intranet site

You are required to have only one Microsoft® Active Directory® account in each Microsoft Active Directory domain that includes the resources that you want to turn on Integrated Windows® authentication for.

For more information about configuring the Microsoft Active Directory account using setspn and Microsoft Active Directory, visit www.blackberry.com/btsc to read article KB22726.

  1. If a pool of application servers hosts an intranet site and the pool is running on Microsoft® IIS and is located behind a load balancer, use setspn or ADSI to add the SPNs of the intranet site to the user account (also known as the identity) of the pool. You must configure the SPNs using both the FQDN and the name of the intranet site that users type into their browsers (for example, if users type http://intranet_site in their browsers, the name of the intranet site is intranet_site).
  2. In Microsoft Active Directory, in the Microsoft Active Directory account properties, if the Delegation tab does not display, update the default HOST SPN registrations for the Microsoft Active Directory account.
  3. In the Microsoft Active Directory account properties, on the Delegation tab, configure the following settings:
    • trust this user for delegation to specified services only
    • use any authentication protocol
  4. Click Add.
  5. Perform one of the following tasks:
    • If a pool of application servers hosts the intranet site and the pool is running on Microsoft IIS and is located behind a load balancer, select the user account that runs the application pools on the Microsoft IIS servers.
    • If the intranet site is hosted by one application server, select the application server that hosts the intranet site.
  6. Select the HTTP service type for the user account or application server that you specified.
  7. Repeat steps 1 to 6 for each intranet site that you want to turn on Integrated Windows authentication for.
After you finish:
  • If required, configure BlackBerry® MDS Connection Service to use a Microsoft Active Directory account when the messaging server is in a remote Microsoft Active Directory domain.
  • Turn on Integrated Windows authentication when users access resources on your organization's network.

Prerequisites: Configuring the Microsoft Active Directory account to delegate access to a shared folder

  • Verify that you configured Integrated Windows® authentication for the file server that hosts the shared folders.
  • Verify that you have permission to update the Microsoft® Active Directory® account in Microsoft Active Directory.
  • Verify that you have access to the Windows Server® setspn tool that is included with the Windows Server Support Tools. For more information about the setspn tool, visit http://technet.microsoft.com to read Setspn Overview.
  • If you have not yet configured a Microsoft Active Directory account to delegate access to an intranet site or shared folder, you must create one in Microsoft Active Directory that meets the following conditions:
    • the password meets the security requirements of your organization
    • the user is not required to change their password the next time that the user logs in
    • the user's password never expires

Configure the Microsoft Active Directory account to delegate access to a shared folder

You are required to have only one Microsoft® Active Directory® account in each Microsoft Active Directory domain that includes the resources that you want to turn on Integrated Windows® authentication for.

For more information about configuring the Microsoft Active Directory account using setspn and Microsoft Active Directory, visit www.blackberry.com/btsc to read article KB22726.

  1. In Microsoft Active Directory, in the Microsoft Active Directory account properties, if the Delegation tab does not display, update the default HOST SPN registrations for the Microsoft Active Directory account.
  2. In the Microsoft Active Directory account properties, on the Delegation tab, configure the following settings:
    • trust this user for delegation to specified services only
    • use any authentication protocol
  3. Click Add.
  4. Select the file server that hosts the shared folder.
  5. Select the CIFS service type for the file server that you specified.
  6. Repeat steps 3 to 5 for each shared folder that you want to turn on Integrated Windows authentication for.
After you finish:
  • If required, configure BlackBerry® MDS Connection Service to use a Microsoft Active Directory account when the messaging server is in a remote Microsoft Active Directory domain.
  • Turn on Integrated Windows authentication when users access resources on your organization's network.
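The following is an added example and is not part of the BlackBerry guide or BlackBerry's own tooling. It performs the intranet site and shared folder delegation procedures above with setspn and the RSAT ActiveDirectory PowerShell module instead of the account properties dialog, then reads the account back to confirm that only constrained delegation with protocol transition is in effect. The account name svc_bbmds, the pool identity svc_iispool, the site name intranet_site and the example.com host names are placeholders; the trust check assumes Get-ADTrust is available (Windows Server 2012 or later).

```powershell
# Added example, not from the BlackBerry guide. Placeholders to replace:
#   svc_bbmds        delegation account in the domain that holds the resources
#   svc_iispool      identity of the load-balanced IIS application pool
#   intranet_site    short name users type; *.example.com are the FQDNs
# Requires the RSAT ActiveDirectory module and rights to modify these accounts.
Import-Module ActiveDirectory

$delegationAccount = 'svc_bbmds'
$poolIdentity      = 'svc_iispool'
$siteShortName     = 'intranet_site'
$siteFqdn          = 'intranet_site.example.com'
$fileServer        = 'fileserver01.example.com'

# Account conditions from the prerequisites: password never expires, no forced change.
Set-ADUser -Identity $delegationAccount -ChangePasswordAtLogon $false
Set-ADAccountControl -Identity $delegationAccount -PasswordNeverExpires $true

# Intranet site step 1: register the site's SPNs on the pool identity, using both the
# short name users type and the FQDN. setspn -S refuses to create a duplicate SPN.
setspn -S "HTTP/$siteShortName" $poolIdentity
setspn -S "HTTP/$siteFqdn"      $poolIdentity

# Step 2 of both procedures: the Delegation tab only appears once the account has an
# SPN of its own, so register a HOST SPN on the delegation account.
setspn -S "HOST/$delegationAccount" $delegationAccount

# Steps 3 to 6 of both procedures: "trust this user for delegation to specified services
# only" is the msDS-AllowedToDelegateTo list; "use any authentication protocol" is the
# TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition), which S4U2proxy needs.
# -Add appends, which matches repeating the steps for each further site or share.
$targets = @("HTTP/$siteShortName", "HTTP/$siteFqdn", "cifs/$fileServer")
Set-ADUser -Identity $delegationAccount -Add @{ 'msDS-AllowedToDelegateTo' = $targets }
Set-ADAccountControl -Identity $delegationAccount -TrustedToAuthForDelegation $true

function Test-DelegationAccount {
    # Read the account back and confirm constrained (never unconstrained) delegation
    # with exactly the intended targets.
    param([string]$Identity, [string[]]$ExpectedTargets)
    $u = Get-ADUser -Identity $Identity -Properties 'msDS-AllowedToDelegateTo',
        'TrustedToAuthForDelegation', 'TrustedForDelegation', 'PasswordNeverExpires'
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    $missing = @($ExpectedTargets | Where-Object { $allowed -notcontains $_ })
    $extra   = @($allowed | Where-Object { $ExpectedTargets -notcontains $_ })
    [pscustomobject]@{
        Account                 = $u.SamAccountName
        ProtocolTransition      = [bool]$u.TrustedToAuthForDelegation
        UnconstrainedDelegation = [bool]$u.TrustedForDelegation   # must stay False
        PasswordNeverExpires    = [bool]$u.PasswordNeverExpires
        MissingTargets          = $missing
        UnexpectedTargets       = $extra
        Ok = ([bool]$u.TrustedToAuthForDelegation -and -not $u.TrustedForDelegation -and
              $missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}
Test-DelegationAccount -Identity $delegationAccount -ExpectedTargets $targets | Format-List

# S4U2proxy across forests needs two-way trust: each trust the service crosses should
# report Direction = BiDirectional.
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive
```

Run the script once per domain that holds resources, with the account created in that domain. The read-back check matters because the account ends up trusted for protocol transition, and the same dialog offers "trust this user for delegation to any service"; the UnconstrainedDelegation field flags that setting so it can be corrected before the account is entered in the BlackBerry Administration Service.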

Configuring the BlackBerry MDS Connection Service when the messaging server is located in a remote Microsoft Active Directory domain

If the computer that hosts the BlackBerry® MDS Connection Service is not located in the same Microsoft® Active Directory® domain as the global catalog server or messaging server and you want to configure support for Integrated Windows® authentication, you must create a Microsoft Active Directory account that the BlackBerry MDS Connection Service can use to connect to the global catalog server.

In a Microsoft® Exchange environment, you must create the Microsoft Active Directory account in the Microsoft Active Directory domain that includes the messaging server.

In an IBM® Lotus® Domino® environment, if the messaging server is located in the same Microsoft Active Directory domain as the global catalog server, you must create the Microsoft Active Directory account in that domain. If the messaging server is located in a different Microsoft Active Directory domain than the global catalog server, you must create the Microsoft Active Directory account in the Microsoft Active Directory domain that includes the global catalog server.

You do not need to configure constrained delegation for the Microsoft Active Directory account that you create in the Microsoft Active Directory domain that includes the messaging server or global catalog server.

Configure the BlackBerry MDS Connection Service when the messaging server is located in a remote Microsoft Active Directory domain

Before you begin: Create a Microsoft® Active Directory® account in the Microsoft Active Directory domain that the messaging server or global catalog server is located in.
  1. On the computer that hosts the BlackBerry® MDS Connection Service, navigate to <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\MDS\Servers\instance\config.
  2. In a text editor, open the rimpublic.properties file.
  3. In the rimpublic.properties file, type application.handler.exchange.domain=<domain_name> where <domain_name> is the Microsoft Active Directory domain that contains the messaging server. For example, type application.handler.exchange.domain=domain123.example.com.
  4. Save and close the rimpublic.properties file.
  5. In the Windows® Services, restart the BlackBerry MDS Connection Service service.
After you finish: Turn on Integrated Windows authentication when BlackBerry device users access resources on your organization's network.

Turn on Integrated Windows authentication so that users can access resources on your organization's network

Before you begin:
  • Configure the Microsoft® Active Directory® account to access resources on your organization's network.
  • If required, configure BlackBerry® MDS Connection Service to use a Microsoft Active Directory account when the messaging server is in a remote Microsoft Active Directory domain.
  1. In the BlackBerry Administration Service, on the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain > Component view.
  2. Click MDS Connection Service.
  3. Click Edit component.
  4. In the Integrated authentication turned on drop-down list, click Yes.
  5. For each Microsoft Active Directory account, provide the following information:
    • In the Delegation user domain field, type the FQDN (for example, ldap.example.com).
    • In the Delegation user name field, type the user name.
    • In the Password and Confirm fields, type the password.
  6. Click Save all.
  7. On the HTTP tab, click Edit component.
  8. In the Authentication support enabled drop-down list, click Yes.
  9. Click Save all.
  10. On the Pull URL Patterns tab, specify web address patterns for the intranet sites or shared folders that you want to permit BlackBerry device users to access (for example, intranet_site(:80)?(\/.*)?). The web address patterns are based on Java® regular expressions. Consider specifying the following web address patterns:
    • Specify .*\:.*\/.* as a web address pattern so that you can prevent users from using any other web address to access intranet sites or shared network folders.
    • Specify .* as the web address pattern for OCSP, LDAP, and TCP to permit users to communicate with OCSP servers, LDAP servers, or TCP servers.
  11. On the Access control rules tab, create a pull rule for each of the web address patterns that you specified. When you create the pull rule, in the Authentication drop-down list, click Integrated or Integrated and RSA.
  12. Click Save all.
  13. Assign the pull rules to the users or groups that you want to access intranet sites or shared network folders.
  14. On the Servers and components menu, expand BlackBerry solution topology > BlackBerry Domain > Component view > MDS Connection Service.
  15. Click a BlackBerry MDS Connection Service instance.
  16. Click Edit instance.
  17. In the Pull Authorization drop-down list, click Yes.
  18. Click Save all.
  19. Repeat steps 16 to 20 for each BlackBerry MDS Connection Service instance.
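The following is an added example and is not from the guide or from BlackBerry: a small PowerShell helper for trying the web address patterns from step 10 against constructed addresses before the pull rules are assigned to users. It assumes the pattern is applied to the address without the scheme (host, optional port, optional path) and reports both a full match and an unanchored substring match, because which of the two your BlackBerry MDS Connection Service instance applies decides how much a pattern actually allows; confirm that behaviour against your own instance. .NET regular expressions are used in place of the Java ones the service evaluates, which makes no difference for these patterns.

```powershell
# Added example, not from the BlackBerry guide. Sample addresses are constructed.
function Test-PullUrlPattern {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,
        [Parameter(Mandatory)] [string[]] $Address
    )
    # Assumption: the service sees host[:port][/path] with no scheme. Build an anchored
    # variant alongside the raw pattern so both matching models can be compared.
    $anchored = [regex]::new('^(?:' + $Pattern + ')$')
    $loose    = [regex]::new($Pattern)
    foreach ($a in $Address) {
        [pscustomobject]@{
            Pattern        = $Pattern
            Address        = $a
            FullMatch      = $anchored.IsMatch($a)
            SubstringMatch = $loose.IsMatch($a)
        }
    }
}

$addresses = @(
    'intranet_site',
    'intranet_site:80',
    'intranet_site:80/hr/index.html',
    'intranet_site:8080/admin',
    'intranet_site.example.com/hr',
    'other.example.com/?next=intranet_site'
)

# The pattern from step 10: the short name users type, optional :80, optional path.
# As a full match only the first three addresses pass; as a substring match all six do,
# including the two hosts the pattern was never meant to cover.
Test-PullUrlPattern -Pattern 'intranet_site(:80)?(\/.*)?' -Address $addresses | Format-Table -AutoSize

# The catch-all pattern the guide suggests for blocking every other web address:
# it needs both a colon and a slash, so 'intranet_site' and 'intranet_site:80' do
# not match it even unanchored.
Test-PullUrlPattern -Pattern '.*\:.*\/.*' -Address $addresses | Format-Table -AutoSize
```

Keep a list of addresses that must be reachable and addresses that must not be, and re-run the helper whenever a pattern changes; a pattern that only passes its intended addresses as a full match is worth re-checking on the live instance, since an unanchored evaluation turns it into a far wider grant.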
