
Requirements to support Kerberos PKINIT for BlackBerry Dynamics apps

BlackBerry UEM supports Kerberos PKINIT for BlackBerry Dynamics user authentication using PKI certificates. If you want to use Kerberos PKINIT for BlackBerry Dynamics apps, your organization must meet the following requirements:
KDC requirements
  • You must add the KDC host to the allowed domains list in the assigned BlackBerry Dynamics connectivity profile. For more information, see Create a BlackBerry Dynamics connectivity profile in the Administration content.
  • The KDC host must be listening on TCP port 88 (the Kerberos default port).
  • The KDC must have an A record (IPv4) or AAAA record (IPv6) in your DNS.
  • BlackBerry Dynamics doesn't support KDC over UDP.
  • BlackBerry Dynamics doesn't use Kerberos configuration files (such as krb5.conf) to locate the correct KDC.
  • The KDC can refer the client to another KDC host. BlackBerry Dynamics will follow the referral, as long as the KDC host that is referred to is added to the allowed domains list in the BlackBerry Dynamics connectivity profile.
  • The KDC can obtain the TGT from another KDC host, transparently to BlackBerry Dynamics.
  • Kerberos Constrained Delegation must not be enabled.
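The KDC requirements above can be checked before a rollout. The following preflight script is an added example written for this page, not BlackBerry code: it resolves the KDC host to its A/AAAA addresses directly (the client does not read krb5.conf), tests a TCP connection on port 88 (UDP is never tried), confirms the host is covered by the connectivity profile's allowed domains list, and walks a referral chain, stopping at the first referred host that is not allowed. The allowed-domains matching (exact host or parent domain) and the host names used are assumptions; the loopback listener in the usage note stands in for a real KDC.

```python
"""Preflight checks for a Kerberos KDC host as required by BlackBerry Dynamics PKINIT.
Added example, not BlackBerry code. Standard library only."""
import socket

KERBEROS_TCP_PORT = 88  # the Kerberos default port named on the page


def host_allowed(host, allowed_domains):
    """Assumption: an allowed-domains entry matches the host exactly or as a parent domain.
    The real connectivity-profile matching rules are not described on the page."""
    host = host.lower().rstrip(".")
    for entry in allowed_domains:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def resolve_kdc(host, port=KERBEROS_TCP_PORT):
    """Return the A (IPv4) and AAAA (IPv6) addresses for the KDC host, without krb5.conf.
    Only TCP candidates are requested because KDC over UDP is not supported."""
    try:
        infos = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no A/AAAA record: the client cannot find this KDC
    addresses = []
    for family, _type, _proto, _canon, sockaddr in infos:
        if family in (socket.AF_INET, socket.AF_INET6) and sockaddr[0] not in addresses:
            addresses.append(sockaddr[0])
    return addresses


def tcp_reachable(address, port=KERBEROS_TCP_PORT, timeout=3.0):
    """True if a TCP connection to address:port completes (the KDC is listening)."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_kdc_host(host, allowed_domains, port=KERBEROS_TCP_PORT, timeout=3.0):
    """Run every KDC check for one host and return the results as a dict."""
    addresses = resolve_kdc(host, port)
    return {
        "host": host,
        "allowed": host_allowed(host, allowed_domains),
        "addresses": addresses,
        "reachable": any(tcp_reachable(a, port, timeout) for a in addresses),
    }


def check_referral_chain(hosts, allowed_domains, port=KERBEROS_TCP_PORT, timeout=3.0):
    """Check a chain of KDC referrals in order. The client follows a referral only when the
    referred host is in the allowed domains list, so the walk stops at the first host that is not."""
    results = []
    for host in hosts:
        result = check_kdc_host(host, allowed_domains, port, timeout)
        results.append(result)
        if not result["allowed"]:
            break
    return results


if __name__ == "__main__":
    # Hypothetical host names and allowed-domains entries, constructed for illustration.
    allowed = ["corp.example"]
    for r in check_referral_chain(["kdc1.corp.example", "kdc.partner.example"], allowed):
        print(r)
```

For a self-contained run without a real KDC, start a loopback listener on an ephemeral port and pass that port to check_kdc_host("127.0.0.1", ["127.0.0.1"], port=port); a result with "allowed", "addresses" and "reachable" all true shows the three conditions the page lists are satisfied for that host.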
Server certificate requirements
  • Windows KDC server certificates issued via the Active Directory certificate services must come only from the following Windows Server versions. No other server versions are supported.
    • Internet Information Server with Windows Server 2008 R2
    • Internet Information Server with Windows Server 2012 R2
  • Valid KDC service certificates must be located either in the BlackBerry Dynamics certificate store or the device certificate store.
Client certificate requirements
  • The minimum key length for the certificates must be 2048 bytes.
  • The extended key usage property of the certificate must be Microsoft Smart Card logon (1.3.6.1.4.1.311.20.2.2).
  • Client certificates must include the User Principal Name (for example, user@domain.com) in the Subject Alternative Name of object ID szOID_NT_PRINCIPAL_NAME 1.3.6.1.4.1.311.20.2.3.
  • If the user is issued more than one client certificate, the domain of the User Principal Name must match the domain of the resource that is being accessed to ensure that the correct certificate is used.
  • Certificates must be valid. Validate them against the servers listed above.
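A client certificate can be checked against these requirements before it is pushed to users. The script below is an added example written for this page, not BlackBerry code: it reads the key size, looks for the Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2), extracts the UPN from the Subject Alternative Name otherName of type szOID_NT_PRINCIPAL_NAME (1.3.6.1.4.1.311.20.2.3), compares the UPN domain with the domain of the resource being accessed, and checks the validity period. It assumes the `cryptography` package is installed, treats the page's minimum key length as an RSA modulus length, and builds its own self-signed test certificates so it runs offline; an AD CS-issued certificate would be loaded with x509.load_pem_x509_certificate instead.

```python
"""Check a PKINIT client certificate against the BlackBerry Dynamics requirements.
Added example, not BlackBerry code. Requires the `cryptography` package (assumption)."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID, ObjectIdentifier

# OIDs named on the page
SMART_CARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")   # EKU: Microsoft Smart Card Logon
NT_PRINCIPAL_NAME = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # SAN otherName carrying the UPN
MIN_KEY_BITS = 2048  # assumption: the page's "2048" is the RSA modulus length in bits


def der_utf8string(text):
    """DER-encode a short UTF8String (tag 0x0C, short-form length), as used in the UPN otherName."""
    raw = text.encode("utf-8")
    assert len(raw) < 128, "short-form DER length only"
    return b"\x0c" + bytes([len(raw)]) + raw


def upn_from_cert(cert):
    """Return the UPN from the SAN otherName szOID_NT_PRINCIPAL_NAME, or None if absent."""
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == NT_PRINCIPAL_NAME and other.value[:1] == b"\x0c":
            length = other.value[1]
            return other.value[2:2 + length].decode("utf-8")
    return None


def _validity_utc(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases return naive UTC
    before = getattr(cert, "not_valid_before_utc", None)
    if before is not None:
        return before, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def check_client_cert(cert, resource_domain=None, now=None):
    """Return a list of requirement failures; an empty list means the certificate passes."""
    problems = []
    key_size = cert.public_key().key_size
    if key_size < MIN_KEY_BITS:
        problems.append(f"key too short: {key_size} bits")
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        if SMART_CARD_LOGON not in eku:
            problems.append("EKU lacks Microsoft Smart Card Logon")
    except x509.ExtensionNotFound:
        problems.append("no Extended Key Usage extension")
    upn = upn_from_cert(cert)
    if upn is None:
        problems.append("no UPN otherName in Subject Alternative Name")
    elif resource_domain and upn.rpartition("@")[2].lower() != resource_domain.lower():
        # With several client certificates, the UPN domain selects the one used for this resource
        problems.append(f"UPN domain of {upn} does not match resource domain {resource_domain}")
    now = now or datetime.datetime.now(datetime.timezone.utc)
    before, after = _validity_utc(cert)
    if not before <= now <= after:
        problems.append("certificate is outside its validity period")
    return problems


def make_test_cert(upn, key_bits=2048, eku=(SMART_CARD_LOGON,), days=365):
    """Constructed self-signed test certificate (stand-in for an AD CS-issued one)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(
            x509.SubjectAlternativeName([x509.OtherName(NT_PRINCIPAL_NAME, der_utf8string(upn))]),
            critical=False,
        )
    )
    if eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage(list(eku)), critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    # Constructed UPNs and resource domains, not from any real deployment
    good = make_test_cert("alice@corp.example")
    print("good cert:", check_client_cert(good, resource_domain="corp.example") or "OK")
    bad = make_test_cert("bob@corp.example", key_bits=1024, eku=())
    print("bad cert:", check_client_cert(bad, resource_domain="other.example"))
```

The check stops at the certificate's own fields; chain validation against the KDC server certificates listed above is left to the platform certificate store, which is where the page says the KDC service certificates must live.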