Kerberos authentication support

BlackBerry Access fully supports Kerberos authentication. Kerberos authentication is an integral part of Microsoft Active Directory implementations and has increasingly become a centerpiece of enterprise-level interoperability. It provides secure user authentication through the Active Directory domain controller, which maintains the user account and login information necessary to access your organization's network.

The Kerberos protocol governs three system participants:
- A KDC (Key Distribution Center)
- The client device
- The server it wants to access
When they log in to your network, users must negotiate access by providing a login name and password that is verified by the AS (Authentication Service) portion of the KDC within their domain. The KDC has access to the Active Directory user account information. After a user is authenticated, the user is granted a TGT (ticket-granting ticket) that is valid for the local domain. The TGT is cached on the device, which uses it to request sessions with services throughout the network. You can configure the TGT's default expiration.

In addition, BlackBerry Access is certified for Kerberos Constrained Delegation, a BlackBerry Dynamics platform feature that lets domain administrators restrict the network resources that a service trusted for delegation can access by limiting the scope in which application services can act on a user's behalf. When configured, Kerberos Constrained Delegation restricts which front-end service accounts can delegate to their back-end services. By supporting constrained delegation across domains, services can be configured to use constrained delegation to authenticate to servers in other domains rather than using unconstrained delegation. This provides authentication support for cross-domain service solutions using an existing Kerberos infrastructure, without needing to trust front-end services to delegate to any service.
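The following Python model walks through the flow described in the two paragraphs above: the AS portion of the KDC verifies a login and issues a TGT with a configurable lifetime, the cached TGT is exchanged for service tickets, an expired TGT is refused, and a front-end service may obtain tickets on a user's behalf only toward back-ends on its delegation allow-list. It is an added illustration, not BlackBerry Access or Active Directory code. Every principal, password and key in it is constructed; real Kerberos encrypts tickets with AES and derives keys with the Kerberos string-to-key function, whereas this model stands in a MAC-protected JSON token and PBKDF2, and it omits the evidence ticket a real S4U2Proxy delegation request must carry.

```python
import hashlib
import hmac
import json

# Constructed long-term key of the KDC itself (the krbtgt key in Active Directory).
KDC_KEY = b"constructed-kdc-long-term-key"
CLOCK_SKEW = 300          # seconds of skew the AS tolerates on pre-authentication
SERVICE_TICKET_LIFE = 300  # seconds a service ticket stays valid in this model


def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from a password (PBKDF2 stands in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def seal(key: bytes, payload: dict) -> bytes:
    """Stand-in for ticket encryption: JSON body plus an HMAC tag under `key`."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, "sha256").hexdigest().encode()


def unseal(key: bytes, token: bytes) -> dict:
    """Verify the tag (the hex tag contains no '.', so rpartition finds the separator)."""
    body, _, tag = token.rpartition(b".")
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("ticket integrity check failed (wrong key)")
    return json.loads(body)


def preauth(principal: str, password: str, now: int) -> bytes:
    """Client side of AS-REQ: a timestamp sealed with the password-derived key."""
    return seal(derive_key(password, principal), {"timestamp": now})


class KDC:
    def __init__(self, tgt_lifetime: int = 600):
        self.tgt_lifetime = tgt_lifetime   # the configurable TGT expiration
        self.accounts = {}                 # principal -> long-term key (AD account data)
        self.allowed_to_delegate_to = {}   # front-end -> set of permitted back-ends

    def add_account(self, principal: str, password: str) -> None:
        self.accounts[principal] = derive_key(password, principal)

    def allow_delegation(self, frontend: str, backend: str) -> None:
        self.allowed_to_delegate_to.setdefault(frontend, set()).add(backend)

    def as_exchange(self, principal: str, preauth_token: bytes, now: int) -> bytes:
        """AS portion of the KDC: verify the login, then issue a TGT."""
        key = self.accounts.get(principal)
        if key is None:
            raise PermissionError("unknown principal")
        ts = unseal(key, preauth_token)["timestamp"]  # raises on a wrong password
        if abs(now - ts) > CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp outside clock skew")
        return seal(KDC_KEY, {"client": principal, "expires": now + self.tgt_lifetime})

    def tgs_exchange(self, tgt_token: bytes, service: str, now: int, on_behalf_of=None) -> bytes:
        """TGS portion of the KDC: trade a valid TGT for a service ticket."""
        tgt = unseal(KDC_KEY, tgt_token)
        if now >= tgt["expires"]:
            raise PermissionError("TGT expired; the client must log in again")
        if service not in self.accounts:
            raise PermissionError("unknown service")
        client = tgt["client"]
        if on_behalf_of is not None:
            # Constrained delegation: the requesting front-end may act as the user
            # only toward back-ends on its allow-list.
            if service not in self.allowed_to_delegate_to.get(client, set()):
                raise PermissionError(f"{client} may not delegate to {service}")
            client = on_behalf_of
        ticket = {"client": client, "service": service, "expires": now + SERVICE_TICKET_LIFE}
        return seal(self.accounts[service], ticket)


def demo() -> dict:
    """Login, service access, constrained delegation and TGT expiry, step by step."""
    kdc = KDC(tgt_lifetime=600)
    user, fe, be, files = ("alice@EXAMPLE.COM", "HTTP/frontend.example.com",
                           "HTTP/backend.example.com", "cifs/files.example.com")
    for principal in (user, fe, be, files):
        kdc.add_account(principal, "constructed-password-for-" + principal)
    kdc.allow_delegation(fe, be)   # the front-end may delegate to the back-end only
    t0, out = 1_700_000_000, {}

    def attempt(label, fn):  # record whether the KDC accepted or rejected a request
        try:
            fn(); out[label] = "accepted"
        except PermissionError:
            out[label] = "rejected"

    # 1. Login: the AS checks the password and returns a TGT the device caches.
    tgt = kdc.as_exchange(user, preauth(user, "constructed-password-for-" + user, t0), t0)
    out["tgt_expires"] = unseal(KDC_KEY, tgt)["expires"]
    # 2. A wrong password never yields a TGT.
    attempt("wrong_password", lambda: kdc.as_exchange(user, preauth(user, "wrong", t0), t0))
    # 3. The cached TGT buys a service ticket; the front-end sees the user's identity.
    st = kdc.tgs_exchange(tgt, fe, t0 + 10)
    out["frontend_sees"] = unseal(kdc.accounts[fe], st)["client"]
    # 4. The front-end uses its own TGT to get a back-end ticket on the user's behalf.
    fe_tgt = kdc.as_exchange(fe, preauth(fe, "constructed-password-for-" + fe, t0), t0)
    st = kdc.tgs_exchange(fe_tgt, be, t0 + 20, on_behalf_of=user)
    out["backend_sees"] = unseal(kdc.accounts[be], st)["client"]
    # 5. The same front-end may not act as the user toward a service off its allow-list.
    attempt("files_delegation", lambda: kdc.tgs_exchange(fe_tgt, files, t0 + 20, on_behalf_of=user))
    # 6. After the TGT lifetime elapses, the user's TGT is refused.
    attempt("after_expiry", lambda: kdc.tgs_exchange(tgt, fe, t0 + 601))
    return out


if __name__ == "__main__":
    print(demo())
```

Running the block prints the outcome of each step; the allow-list check in `tgs_exchange` is the model's equivalent of the restriction that constrained delegation places on which back-end services a trusted front-end account can reach.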