Configuring Kerberos constrained delegation for Docs
Docs
Configuring the
Docs
service to use Kerberos constrained delegation (KCD) for accessing resources such as Microsoft
SharePoint
and File Shares removes the requirement for end-users to provide their network credentials to access to network resources using the Docs
service.Before configuring the
Docs
service to use KCD, it is important to understand that configuring KCD for Docs
service is independent of configuring BlackBerry
Dynamics
KCD. This means, for example, that if your mobile app (for example, BlackBerry Work
) requires use of the Docs
service exclusively, you only need to configure KCD for the Docs
service. It is recommended to configure the Docs
service to use resource based Kerberos constrained delegation to access resources and remove the requirement for users to provide their network credentials to access resources within the domain, and between domains and forests. For more information on resource based Kerberos constrained delegation, see Configuring resource based Kerberos constrained delegation for the Docs service.For example, the following diagram charts a sample KCD call flow for
BlackBerry Work
.All KCD transactions are between the
Docs
service account and the key distribution center (KDC) and respective resources. No KCD information is cached on the mobile app. The Docs
service uses Microsoft
’s Service for User (S4U) specifications for KCD. For more information on S4U, visit the MSDN Library to see: https://msdn.microsoft.com/en-us/library/cc246071.aspx.