Administration Guide


Configuring single sign-on authentication for the BlackBerry Administration Service and BlackBerry Web Desktop Manager

If you configure the BlackBerry® Administration Service to support Microsoft® Active Directory® authentication, you can turn on single sign-on authentication. With single sign-on, you can access the BlackBerry Administration Service, and BlackBerry device users can access the BlackBerry Web Desktop Manager, without typing a Microsoft Active Directory user name and password: the browser authenticates with the Kerberos credentials of the Windows account that you or the user logged in to the computer with. By default (single sign-on turned off), the browser prompts for a Microsoft Active Directory user name and password when you log in to the BlackBerry Administration Service or users log in to the BlackBerry Web Desktop Manager. If you turn on single sign-on authentication and you logged in to your computer using a Microsoft Active Directory account, you bypass the login screen and access the BlackBerry Administration Service and BlackBerry Web Desktop Manager directly.

Before you turn on single sign-on, you must configure constrained delegation for the Microsoft Active Directory account for the BlackBerry Administration Service.

Configure constrained delegation for the Microsoft Active Directory account to support single sign-on authentication

  1. Use the Windows Server® ADSI Edit tool to add the following SPNs for the BlackBerry® Administration Service pool to the servicePrincipalName attribute of the Microsoft® Active Directory® account:
    • HTTP/<BAS_pool_FQDN> (for example, HTTP/BASconsole104.example.com)
    • BASPLUGIN111/<BAS_pool_FQDN> (for example, BASPLUGIN111/BASconsole104.example.com)
  2. If you create separate pools of BlackBerry Administration Service instances and BlackBerry Web Desktop Manager instances in the BlackBerry Administration Service pool, add the HTTP/<BAS_pool_FQDN> SPN for each pool to the Microsoft Active Directory account.
  3. Configure the Microsoft Active Directory account for constrained delegation using the following settings (the Delegation tab appears in the account properties only after at least one SPN is registered for the account, which is why step 1 comes first):
    • trust this user for delegation to specific services only
    • use Kerberos™ only
  4. In the Microsoft Active Directory account properties, on the Delegation tab, add BASPLUGIN111/<BAS_pool_FQDN> to the list of services. Do not select "use any authentication protocol": that setting enables protocol transition, which the BlackBerry Administration Service does not need and which would let the account obtain service tickets for users who never authenticated to it with Kerberos.
After you finish: For more information about configuring constrained delegation for the Microsoft Active Directory account so you can access the BlackBerry Administration Service, visit www.blackberry.com/btsc to read article KB22717.
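The same four steps can be scripted and verified from PowerShell instead of ADSI Edit and the Delegation tab. The block below is an added example and not part of the BlackBerry guide; it assumes the ActiveDirectory module (RSAT) is installed, the shell runs as an account permitted to edit the service account, the BlackBerry Administration Service account is named svc_bas, and the pool FQDN is BASconsole104.example.com (the guide's example name). Replace those names with your own.

```powershell
# Added example, not from the BlackBerry guide: steps 1-4 above in PowerShell, plus a
# read-back check of the resulting account state.
# Assumptions: ActiveDirectory module (RSAT) installed, sufficient rights on the account,
# service account svc_bas, pool FQDN BASconsole104.example.com (the guide's example name).
Import-Module ActiveDirectory

$Account        = 'svc_bas'                    # assumed BAS service account (sAMAccountName)
$PoolFqdn       = 'BASconsole104.example.com'  # BAS pool FQDN the SPNs are registered for
$ExtraPoolFqdns = @()                          # FQDNs of separate BAS / Web Desktop Manager pools (step 2)

$Spns = @("HTTP/$PoolFqdn", "BASPLUGIN111/$PoolFqdn")
foreach ($f in $ExtraPoolFqdns) { $Spns += "HTTP/$f" }
$DelegateTo = "BASPLUGIN111/$PoolFqdn"         # the only service the account may delegate to (step 4)

# Steps 1 and 2: register the SPNs. Refuse to continue if another account already owns one:
# a duplicate SPN leaves the KDC unable to choose a key and breaks Kerberos for both owners.
foreach ($spn in $Spns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
             Where-Object { $_.sAMAccountName -ne $Account }
    if ($owner) { throw "SPN $spn is already registered on $($owner.DistinguishedName)" }
}
$current = (Get-ADUser -Identity $Account -Properties ServicePrincipalNames).ServicePrincipalNames
$toAdd   = $Spns | Where-Object { $current -notcontains $_ }
if ($toAdd) { Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $toAdd } }

# Steps 3 and 4: constrained delegation, Kerberos only. The Delegation tab choice
# "trust this user for delegation to specific services only" + "use Kerberos only" is this state:
#   msDS-AllowedToDelegateTo   = the allowed target service(s)
#   TrustedForDelegation       = $false  (not unconstrained delegation)
#   TrustedToAuthForDelegation = $false  (no protocol transition, i.e. not "any authentication protocol")
Set-ADUser -Identity $Account -Replace @{ 'msDS-AllowedToDelegateTo' = @($DelegateTo) }
Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Read back and verify before turning single sign-on on in the BAS console.
$u = Get-ADUser -Identity $Account -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
$missing = $Spns | Where-Object { $u.ServicePrincipalNames -notcontains $_ }
if ($missing) { throw "SPNs still missing: $($missing -join ', ')" }
if ($u.'msDS-AllowedToDelegateTo' -notcontains $DelegateTo) { throw "Delegation target $DelegateTo is not set" }
if ($u.TrustedForDelegation -or $u.TrustedToAuthForDelegation) { throw 'Account is not configured for Kerberos-only constrained delegation' }
Write-Output "${Account}: $($Spns.Count) SPN(s) registered, Kerberos-only constrained delegation to $DelegateTo"
```

The duplicate-SPN check matters in practice: if an earlier BlackBerry Enterprise Server host or a test account still carries HTTP/<BAS_pool_FQDN>, clients get a KDC error or silently fall back to NTLM, which the Kerberos-only delegation above cannot use, and single sign-on then fails with a password prompt.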

Turn on single sign-on authentication for the BlackBerry Administration Service

  1. In the BlackBerry® Administration Service, on the Servers and components menu, expand BlackBerry Solution Topology > BlackBerry Domain > Component view.
  2. Click BlackBerry Administration Service.
  3. On the Microsoft® Active Directory® authentication tab, click Edit component.
  4. In the Login Domain section, in the Single sign-on authentication for BlackBerry Administration Service turned on drop-down list, click Yes.
  5. To configure the Microsoft® Active Directory® account for each forest, in the Account forest name section, type the user domain name, user name, and password for the Microsoft Active Directory account.
  6. Click Save all.
  7. In Windows® Services, restart all of the BlackBerry® Enterprise Server Express services.
  8. Instruct all administrators and device users to add the web addresses for the BlackBerry Administration Service and BlackBerry® Web Desktop Manager to the list of web sites in the local intranet zone of their browser, and to install the certificate for the BlackBerry Administration Service or BlackBerry Web Desktop Manager in the certificate store of their computers. The browser sends Windows credentials automatically only to sites in the local intranet zone, and it requests a Kerberos ticket for HTTP/<host name in the web address>, so the web addresses must use the pool FQDN that the SPNs were registered for, not an IP address or another alias.

BlackBerry Administration Service web addresses and BlackBerry Web Desktop Manager web addresses that support BlackBerry Administration Service single sign-on

If you configure BlackBerry® Administration Service single sign-on, you must instruct administrators and BlackBerry® Web Desktop Manager users to access the BlackBerry Administration Service console and BlackBerry Web Desktop Manager using the following web addresses:
  • https://<BAS_pool_FQDN>/webconsole/login
  • https://<BAS_pool_FQDN>/webdesktop/login
Single sign-on authentication takes precedence over the other authentication methods that permit administrators and users to log in to the BlackBerry Administration Service console or BlackBerry Web Desktop Manager: the /login addresses above always attempt single sign-on first. If the security policies in your organization require that administrators or users use another authentication method, you must instruct them to access the BlackBerry Administration Service console or BlackBerry Web Desktop Manager using the following web addresses, which present the standard login screen instead:
  • https://<BAS_pool_FQDN>/webconsole/app
  • https://<BAS_pool_FQDN>/webdesktop/app
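On each administrator's or user's workstation, the client side of step 8 and a check that single sign-on really negotiated Kerberos can be done from PowerShell. This is an added example and not part of the BlackBerry guide; it assumes the pool FQDN BASconsole104.example.com (the guide's example name) and that the BlackBerry Administration Service certificate is already trusted on the computer, since an untrusted certificate makes the HTTPS request fail before any authentication takes place.

```powershell
# Added example, not from the BlackBerry guide: put the BAS host in the Local intranet zone
# for the current user, request the single sign-on address with the logged-on identity, and
# confirm a Kerberos service ticket for HTTP/<pool FQDN> was obtained (i.e. not NTLM).
# Assumptions: pool FQDN BASconsole104.example.com; BAS certificate already trusted.
$PoolFqdn = 'BASconsole104.example.com'
$SsoUrl   = "https://$PoolFqdn/webconsole/login"   # device users: /webdesktop/login

# 1. Local intranet zone for this user. Internet Explorer answers a Negotiate challenge
#    automatically only for intranet-zone sites; for other zones it prompts for credentials.
#    ZoneMap layout: Domains\<parent domain>\<host label>, value name = scheme, data 1 = intranet.
$label, $parent = $PoolFqdn.Split('.', 2)
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$parent\$label"
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# 2. Request the SSO address with the logged-on Windows identity. -UseDefaultCredentials
#    answers the server's Negotiate challenge; an exception with 401 means the token was rejected.
try {
    $resp = Invoke-WebRequest -Uri $SsoUrl -UseDefaultCredentials -UseBasicParsing
    Write-Output "HTTP $($resp.StatusCode) from $SsoUrl"
} catch {
    Write-Warning "Request to $SsoUrl failed: $($_.Exception.Message)"
}

# 3. Kerberos was used only if the ticket cache now holds a service ticket for HTTP/<pool FQDN>.
#    That ticket exists only when the SPN is registered on the BAS account and the URL uses the
#    same FQDN the SPN was registered for (not an IP address or an unregistered alias).
$cache = klist 2>&1 | Out-String
if ($cache -match [regex]::Escape("HTTP/$PoolFqdn")) {
    Write-Output "Kerberos service ticket for HTTP/$PoolFqdn is cached: single sign-on negotiated Kerberos"
} else {
    Write-Warning "No ticket for HTTP/$PoolFqdn: check the SPN registration and use the pool FQDN in the web address"
}
```

If the request succeeds but no HTTP/<pool FQDN> ticket appears in klist, the browser fell back to NTLM; with the Kerberos-only constrained delegation configured above, the BlackBerry Administration Service cannot complete single sign-on from an NTLM token, so fix the SPN or the address before telling users that single sign-on works.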
