Using 
Kerberos

BlackBerry Dynamics
 apps support both 
Kerberos
 PKINIT with PKI certificates and 
Kerberos
 Constrained Delegation. Kerberos PKINIT and 
Kerberos
 Constrained Delegation are distinct implementations of 
Kerberos
. You can support one or the other for 
BlackBerry Dynamics
 apps, but not both.
With 
Kerberos
 PKINIT, authentication occurs directly between the 
BlackBerry Dynamics
 app and the 
Windows
 Key Distribution Center (KDC). User authentication is based on certificates that are issued by 
Microsoft Active Directory
 Certificate Services. No additional programming is required by the app developer to use 
Kerberos
 PKINIT.
With 
Kerberos
 Constrained Delegation, authentication is based on a trust relationship between the management server (
BlackBerry UEM
 or standalone 
Good Control
) and a KDC. The management server communicates with the service on behalf of the app.
For more information about how to configure the desired 
Kerberos
 implementation in 
UEM
, including requirements and prerequisites, see Configuring Kerberos for BlackBerry Dynamics apps in the 
UEM Administration Guide
.
For more information about configuring the desired 
Kerberos
 implementation in 
Good Control
, see the Good Control and Good Proxy Admin Help and Kerberos Constrained Delegation with Good Control