Kerberos authentication support
BlackBerry Access fully supports Kerberos authentication, which is an integral part of Microsoft Active Directory implementations that has increasingly become a centerpiece of enterprise-level interoperability. It provides secure user authentication through the Active Directory domain controller, which maintains the user account and login information necessary to access your organization's network.
The Kerberos protocol governs three system participants:
- A Key Distribution Center (KDC)
- The client device
- The server it wants to access
When users log in to your network, they must negotiate access by providing a login name and password that are verified by the Authentication Service (AS) portion of the KDC within their domain. The KDC has access to the Active Directory user account information. After a user is authenticated, the user is granted a ticket-granting ticket (TGT) that's valid for the local domain. The TGT is cached on the device, which uses it to request sessions with services throughout the network. You can configure the TGT's default expiration.
BlackBerry Access is certified for Kerberos Constrained Delegation, a BlackBerry Dynamics platform feature that lets domain administrators restrict the network resources that a service trusted for delegation can access by limiting the scope where application services can act on a user's behalf. When configured, Kerberos Constrained Delegation restricts which front-end service accounts can delegate to their back-end services. Because constrained delegation is supported across domains, services can be configured to use constrained delegation to authenticate to servers in other domains rather than using unconstrained delegation. This provides authentication support for cross-domain service solutions by using an existing Kerberos infrastructure without needing to trust front-end services to delegate to any service.
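
To check that front-end service accounts really are limited to their intended back-end services, the sketch below (an added example, not BlackBerry code) classifies exported Active Directory account records by delegation mode and flags unconstrained delegation or delegation targets outside an approved list. The account names, SPNs and approved list are constructed; it reads only the account-side `userAccountControl` and `msDS-AllowedToDelegateTo` attributes and does not cover resource-based delegation configured on the back-end account.

```python
# Added example: audit delegation settings in exported AD account records.
# Flag values are the documented userAccountControl bits; all records are constructed.
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller (unconstrained by default)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, with protocol transition

def classify(account):
    """Return (mode, allowed_spns) for one account record."""
    uac = account["userAccountControl"]
    spns = account.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained", []
    if spns:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol", spns
        return "constrained-kerberos-only", spns
    return "none", []

def audit(accounts, approved):
    """Flag unconstrained delegation and delegation to SPNs not approved for the account."""
    findings = []
    for acct in accounts:
        if acct["userAccountControl"] & SERVER_TRUST_ACCOUNT:
            continue  # domain controllers are expected to be trusted for delegation
        mode, spns = classify(acct)
        name = acct["sAMAccountName"]
        if mode == "unconstrained":
            findings.append((name, "unconstrained delegation"))
        allowed = {s.lower() for s in approved.get(name, [])}
        for spn in spns:
            if spn.lower() not in allowed:
                findings.append((name, "unapproved back end: " + spn))
    return findings

# Constructed sample records (hypothetical names), shaped like an LDAP export.
ACCOUNTS = [
    {"sAMAccountName": "svc-frontend", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["HTTP/intranet.example.com",
                                  "MSSQLSvc/db.example.com:1433"]},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x200 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc-batch", "userAccountControl": 0x200},
]
APPROVED = {"svc-frontend": ["http/intranet.example.com"]}  # assumed allow list

if __name__ == "__main__":
    for name, issue in audit(ACCOUNTS, APPROVED):
        print(name + ": " + issue)
```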