Mapping domains to Kerberos realms
When a client attempts to access a service running on a particular server, it knows the name of the service (host) and the name of the server (for example, server01.example.com), but because more than one Kerberos realm may be deployed on your network, it must guess the name of the realm in which the service resides.

By default, the name of the realm is taken to be the DNS domain name of the server in uppercase letters.

Example domain name | Example Kerberos realm name |
---|---|
server01.example.org | EXAMPLE.ORG |
server01.example.com | EXAMPLE.COM |
server01.hq.example.com | HQ.EXAMPLE.COM |
In many configurations, this is sufficient, but in others, the derived realm name might not be the name of a valid realm. In these cases, the mapping from the server's DNS domain name to the name of its realm must be specified, as shown below.

For BlackBerry Access domain-to-realm mapping, you can record a list of comma-separated equivalencies in which the first mapping in the list is treated as the default domain mapping. It will be used if the user has left the domain field empty, as well as when the server requires NTLM or Kerberos authentication.

Another frequent use of this mapping is to equate a NetBIOS name that users might be familiar with to a Kerberos realm name that becomes more recognizable.

Do not hard-code URLs that use IP addresses. If users can manually enter a URL, instruct users to avoid URLs that use an IP address. Otherwise, when the app tries to access a web page using an IP address, after the user enters their credentials, the web page does not load as expected and the user is prompted for their credentials again in a loop.
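
The default rule, an explicit override, and the IP-address case described above, as an added Python example (not BlackBerry code). The mapping table and its leading-dot suffix convention are constructed for illustration and are not the BlackBerry Access policy syntax; `resolve_realm` and the other function names are hypothetical.

```python
import ipaddress

# Constructed mapping table for illustration; keys starting with "." match
# any host under that DNS domain, other keys match one exact host name.
# This is NOT the BlackBerry Access policy syntax.
SAMPLE_MAP = {
    ".corp.example.com": "AD.EXAMPLE.COM",
    "legacy01.example.org": "OLDREALM.EXAMPLE.ORG",
}


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal (optionally in [] brackets)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def default_realm(host):
    """Default rule from the text: DNS domain of the server, uppercased."""
    _, _, domain = host.rstrip(".").partition(".")
    return domain.upper() or None


def resolve_realm(host, mapping=SAMPLE_MAP):
    """Return (realm, source) for a server name, or (None, reason)."""
    host = host.strip().lower()
    if is_ip_literal(host):
        # An IP address has no DNS domain, so neither the default rule nor a
        # domain mapping applies; the page warns such URLs end in a prompt loop.
        return None, "ip-literal"
    if host in mapping:
        return mapping[host], "explicit-host"
    # Longest matching suffix wins, so a specific rule overrides its parent domain.
    suffixes = [k for k in mapping if k.startswith(".") and host.endswith(k)]
    if suffixes:
        return mapping[max(suffixes, key=len)], "explicit-domain"
    realm = default_realm(host)
    return (realm, "default") if realm else (None, "no-domain")


if __name__ == "__main__":
    for name in ("server01.example.org", "server01.hq.example.com",
                 "web.corp.example.com", "legacy01.example.org", "10.0.0.5"):
        print(name, "->", resolve_realm(name))
```

A check like `is_ip_literal` can also be run over configured or bookmarked URLs to flag IP-based entries before they reach users.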