Kerberos authentication support

BlackBerry Access fully supports Kerberos authentication. Kerberos authentication is an integral part of Microsoft Active Directory implementations and has increasingly become a centerpiece of enterprise-level interoperability. It provides secure user authentication through the Active Directory domain controller, which maintains the user account and login information necessary to access your organization's network.
The Kerberos protocol governs three system participants:
  1. A Key Distribution Center (KDC)
  2. The client device
  3. The server it wants to access
The KDC is installed as part of the domain controller and performs two service functions: the Authentication Service (AS) and the Ticket Granting Service (TGS).
When users log in to your network, they must negotiate access by providing a login name and password, which is verified by the AS portion of the KDC within their domain. The KDC has access to the Active Directory user account information. After a user is authenticated, the user is granted a ticket-granting ticket (TGT) that is valid for the local domain. The TGT is cached on the device, which uses it to request sessions with services throughout the network. You can configure the TGT's default expiration.
In addition, BlackBerry Access is certified for Kerberos Constrained Delegation, a BlackBerry Dynamics platform feature that lets domain administrators restrict the network resources that a service trusted for delegation can access by limiting the scope in which application services can act on a user's behalf. When configured, Kerberos Constrained Delegation restricts which front-end service accounts can delegate to which back-end services. Because constrained delegation is supported across domains, services can be configured to use constrained delegation to authenticate to servers in other domains rather than using unconstrained delegation. This provides authentication support for cross-domain service solutions using an existing Kerberos infrastructure, without having to trust front-end services to delegate to any service.
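The following is an added example, not BlackBerry code and not the BlackBerry Dynamics implementation, that models in one small program both parts of the description above: the AS exchange that turns a login into a cached TGT with a configurable lifetime, the TGS exchange that turns the TGT into a service ticket, and a constrained-delegation check in which a front-end service may obtain a ticket in the user's name only for back-end SPNs on its delegation list. The realm name, principal names, passwords and the `seal`/`unseal` scheme (an HMAC-SHA256 keystream plus tag standing in for real Kerberos encryption types) are all constructed for illustration.

```python
"""Toy Kerberos KDC (AS + TGS) with a constrained-delegation check.
Added example, not BlackBerry code; realm, names and keys are constructed.
seal/unseal is a stand-in for Kerberos encryption types, not a real etype."""
import hashlib, hmac, json, os, time

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Confidentiality + integrity for a ticket or authenticator body (toy scheme)."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed (wrong key or tampered blob)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string2key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # toy string-to-key

class KDC:
    """Holds the realm's long-term keys (what the directory stores per account) and
    the constrained-delegation list: front-end principal -> allowed back-end SPNs."""
    def __init__(self, realm, principals, allowed_to_delegate_to, tgt_lifetime=8 * 3600):
        self.realm = realm
        self.keys = principals                    # principal name -> long-term key
        self.krbtgt = os.urandom(32)              # key that seals every TGT
        self.delegation = allowed_to_delegate_to
        self.tgt_lifetime = tgt_lifetime          # the configurable TGT expiration

    def _issue(self, key, client, service, extra=None):
        body = {"client": client, "service": service, "key": os.urandom(32).hex(),
                "expires": time.time() + self.tgt_lifetime, **(extra or {})}
        return seal(key, body), body

    # Authentication Service: AS-REQ with timestamp pre-auth -> AS-REP (TGT + session key)
    def as_exchange(self, client, preauth):
        key = self.keys[client]
        if abs(time.time() - unseal(key, preauth)["timestamp"]) > 300:
            raise PermissionError("pre-auth timestamp outside allowed clock skew")
        tgt, body = self._issue(self.krbtgt, client, f"krbtgt/{self.realm}")
        return tgt, seal(key, {"key": body["key"], "expires": body["expires"]})

    # Ticket Granting Service: TGS-REQ (TGT + authenticator) -> service ticket
    def tgs_exchange(self, tgt, authenticator, spn, evidence_ticket=None):
        t = unseal(self.krbtgt, tgt)
        if time.time() > t["expires"]:
            raise PermissionError("TGT expired")
        session = bytes.fromhex(t["key"])
        if unseal(session, authenticator)["client"] != t["client"]:
            raise PermissionError("authenticator does not match TGT")
        if spn not in self.keys:
            raise KeyError(f"unknown SPN {spn}")
        on_behalf_of = t["client"]
        if evidence_ticket is not None:
            # Constrained delegation: the front end (TGT owner) presents the user's
            # ticket to itself and asks for a back-end ticket in the user's name.
            # Granted only for SPNs on the front end's delegation list.
            if spn not in self.delegation.get(t["client"], set()):
                raise PermissionError(f"{t['client']} may not delegate to {spn}")
            on_behalf_of = unseal(self.keys[t["client"]], evidence_ticket)["client"]
        extra = {"delegated_by": t["client"]} if evidence_ticket else {}
        ticket, body = self._issue(self.keys[spn], on_behalf_of, spn, extra)
        return ticket, seal(session, {"key": body["key"]})

def client_login(kdc, name, password):
    key = string2key(password)
    tgt, rep = kdc.as_exchange(name, seal(key, {"timestamp": time.time()}))
    return tgt, bytes.fromhex(unseal(key, rep)["key"])  # cached TGT + session key

def request_service(kdc, name, tgt, session_key, spn, evidence=None):
    authenticator = seal(session_key, {"client": name, "timestamp": time.time()})
    return kdc.tgs_exchange(tgt, authenticator, spn, evidence)[0]

def build_realm(tgt_lifetime=8 * 3600):
    """Constructed realm: one user, a front-end web service, two back-end services."""
    pw = {"alice": "correct horse", "HTTP/web.example.test": "svc-web-pw",
          "MSSQLSvc/db.example.test": "svc-db-pw", "cifs/files.example.test": "svc-files-pw"}
    keys = {p: string2key(s) for p, s in pw.items()}
    delegation = {"HTTP/web.example.test": {"MSSQLSvc/db.example.test"}}
    return KDC("EXAMPLE.TEST", keys, delegation, tgt_lifetime), keys, pw

def demo():
    kdc, keys, pw = build_realm()
    web, db, files = "HTTP/web.example.test", "MSSQLSvc/db.example.test", "cifs/files.example.test"
    tgt, sk = client_login(kdc, "alice", pw["alice"])            # AS exchange, TGT cached
    to_web = request_service(kdc, "alice", tgt, sk, web)          # user -> front end
    fe_tgt, fe_sk = client_login(kdc, web, pw[web])               # front end's own TGT
    to_db = request_service(kdc, web, fe_tgt, fe_sk, db, evidence=to_web)
    db_view = unseal(keys[db], to_db)                             # back end opens with its key
    try:
        request_service(kdc, web, fe_tgt, fe_sk, files, evidence=to_web)
        files_denied = False
    except PermissionError:
        files_denied = True                                       # not on the delegation list
    return {"db_client": db_view["client"], "db_delegated_by": db_view["delegated_by"],
            "files_denied": files_denied}

if __name__ == "__main__":
    print(demo())
```

The back-end database service sees a ticket naming `alice` as the client with the web front end recorded as the delegating party, while the same front end is refused a ticket to the file server because that SPN is not on its list; that refusal is the restriction the text describes. Setting `tgt_lifetime` low makes the cached TGT expire, after which the TGS exchange fails and the client has to authenticate again.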