Configure single sign-on for BlackBerry Access in BlackBerry UEM

You can enable single sign-on for BlackBerry Access in an environment that's already set up for Microsoft Office 365 with Microsoft Active Directory Federation Services and single sign-on.

Before you begin:
- Configure single sign-on in Office 365 with Active Directory Federation Services version 2.0 or 3.0, relying on Windows Authentication and Kerberos.
- Configure BlackBerry UEM for Kerberos constrained delegation.
- Verify that the "Identify BlackBerry Access in User Agent" app setting is selected in BlackBerry UEM.

1. Verify the SPN for Active Directory Federation Services. For Active Directory Federation Services to use Kerberos, the Active Directory Federation Services service must have a registered SPN. This SPN should already be registered by the prerequisite Active Directory Federation Services configuration in Office 365.
   - Open a command prompt on a computer with Active Directory RSAT tools installed.
   - Enter the command:
     setspn -q HOST/fqdn.of.adfs.server
     where fqdn.of.adfs.server is the FQDN of your Active Directory Federation Services server.
     This command exposes the name of the service account that serves Active Directory Federation Services. For a safer form of delegation (HOST allows any protocol, but only HTTP is needed), you might want to register the HTTP SPN of the Active Directory Federation Services service account with the following command:
     setspn -S HTTP/fqdn.of.adfs.server ADFS_service_account
     where ADFS_service_account is the name of the Active Directory Federation Services service account shown in the previous command.
2. Enable the user agent in Active Directory Federation Services. By default, Active Directory Federation Services allows only known user agents to use Windows Authentication. All other user agents are considered external and are served with Forms Based Authentication (FBA) or certificate authentication.
   - To enable single sign-on in BlackBerry Access, you need to add the BlackBerry Access user agent string to Active Directory Federation Services to allow Windows Authentication for BlackBerry Access and Kerberos constrained delegation. For all platforms, the BlackBerry Access user agent string begins with Mozilla/5.0.
   - To verify the Active Directory Federation Services user agents, enter the following command:
     Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
   - Edit and run the following script to add the new user agent to Active Directory Federation Services. $NewUserAgent must be edited to the value that you will add.
     $NewUserAgent = "Mozilla/5.0"
     $CurrentUserAgents = Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
     $UserAgentAddArray = $CurrentUserAgents + $NewUserAgent
     Set-ADFSProperties -WIASupportedUserAgents $UserAgentAddArray
   - To verify that the Active Directory Federation Services user agent has been added, run the Get-ADFSProperties command again:
     Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
   - Restart the Active Directory Federation Services service.
3. Set delegation on the Kerberos account.
   - Log in to BlackBerry UEM.
   - Click Settings > BlackBerry Dynamics > Properties.
   - Scroll to find the value of the gc.krb5.principal.name property. Find the object with this name in Microsoft Active Directory.
   - On your Microsoft Active Directory server, click the Delegation tab.
   - Click Add and enter the Active Directory Federation Services service account name that you discovered in step 1.
   - Add the HTTP SPN.
   - Click OK.
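The command-line parts of steps 1 and 2 combined into one script that can be re-run safely, as an added example that is not part of the BlackBerry documentation. It assumes an elevated PowerShell session on the AD FS server with the ADFS module and setspn available; $AdfsFqdn is a placeholder, and the AD FS service name adfssrv and the setspn "No such SPN found" output text are assumptions.

```powershell
# Added example, not from the BlackBerry documentation: checks the AD FS SPN from
# step 1, then adds the BlackBerry Access user agent prefix from step 2 without
# creating duplicate entries, verifies the result, and restarts AD FS.
param(
    [string]$AdfsFqdn     = "fqdn.of.adfs.server",   # placeholder: your AD FS FQDN
    [string]$NewUserAgent = "Mozilla/5.0"            # prefix given in the documentation
)

# Step 1: confirm an HTTP SPN is registered for the AD FS service account.
# Assumption: setspn -Q prints "No such SPN found." when the SPN is absent.
$spnOutput = & setspn -Q "HTTP/$AdfsFqdn" 2>&1 | Out-String
if ($spnOutput -match 'No such SPN found') {
    throw "No HTTP/$AdfsFqdn SPN is registered. Register it with: setspn -S HTTP/$AdfsFqdn <ADFS_service_account>"
}
Write-Host "HTTP/$AdfsFqdn SPN is registered:`n$spnOutput"

# Step 2: add the user agent only if it is not already in the list, so running
# the script twice does not append a second copy.
$current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
if ($current -contains $NewUserAgent) {
    Write-Host "'$NewUserAgent' is already in WIASupportedUserAgents; no change made."
} else {
    Set-AdfsProperties -WIASupportedUserAgents ($current + $NewUserAgent)
    Write-Host "Added '$NewUserAgent' to WIASupportedUserAgents."
}

# Verify the change before restarting the service.
$verify = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
if ($verify -notcontains $NewUserAgent) {
    throw "'$NewUserAgent' is missing from WIASupportedUserAgents after the update."
}
Write-Host "Current WIASupportedUserAgents:"
$verify | ForEach-Object { Write-Host "  $_" }

# Final step of the procedure: restart the AD FS service so the new list is loaded.
# Assumption: the AD FS Windows service is named 'adfssrv'.
Restart-Service -Name adfssrv
```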