Configuring Kerberos constrained delegation for Docs
Docsservice to use Kerberos constrained delegation (KCD) for accessing resources such as
Microsoft SharePointand File Shares removes the requirement for end-users to provide their network credentials to access to network resources using the
Before configuring the
Docsservice to use KCD, it is important to understand that configuring KCD for
Docsservice is independent of configuring
BlackBerry DynamicsKCD. This means, for example, that if your mobile app (for example,
BlackBerry Work) requires use of the
Docsservice exclusively, you only need to configure KCD for the
Docsservice. It is recommended to configure the
Docsservice to use resource based Kerberos constrained delegation to access resources and remove the requirement for users to provide their network credentials to access resources within the domain, and between domains and forests. For more information on resource based Kerberos constrained delegation, see Configuring resource based Kerberos constrained delegation for the Docs service.
For example, the following diagram charts a sample KCD call flow for
All KCD transactions are between the
Docsservice account and the key distribution center (KDC) and respective resources. No KCD information is cached on the mobile app. The
Microsoft’s Service for User (S4U) specifications for KCD. For more information on S4U, visit the MSDN Library to see: https://msdn.microsoft.com/en-us/library/cc246071.aspx.