
Configure single sign-on for BlackBerry Access in BlackBerry UEM

You can enable single sign-on for BlackBerry Access in an environment that is already set up for Microsoft Office 365 with Microsoft Active Directory Federation Services and single sign-on.
  • Configure single sign-on in Office 365 with Active Directory Federation Services version 2.0 or 3.0, relying on Windows Authentication and Kerberos.
  • Configure BlackBerry UEM for Kerberos constrained delegation.
  • Verify that the "Identify BlackBerry Access in User Agent" app setting is selected in BlackBerry UEM.
  1. Verify the SPN for Active Directory Federation Services. For Active Directory Federation Services to use Kerberos, the Active Directory Federation Services service account must have a registered SPN. This SPN should already have been registered by the prerequisite Active Directory Federation Services configuration for Office 365.
    1. Open a command prompt on a computer with the Active Directory RSAT tools installed.
    2. Enter the command:
      setspn -q HOST/fqdn.of.adfs.server
      where fqdn.of.adfs.server is the FQDN of your Active Directory Federation Services server.
    This command shows the name of the service account that runs Active Directory Federation Services. If no SPN is found, Active Directory Federation Services is not using Kerberos and the Office 365 prerequisite is incomplete. A HOST SPN covers any service on that host, but only HTTP is needed here, so for a narrower (safer) delegation target register an HTTP SPN for the Active Directory Federation Services service account with the following command:
    setspn -S HTTP/fqdn.of.adfs.server ADFS_service_account
    where ADFS_service_account is the name of the Active Directory Federation Services service account shown by the previous command. The -S option checks the forest for a duplicate before adding the SPN; a duplicate SPN breaks Kerberos authentication for both accounts, so do not use -A (which adds without checking).
  2. Enable the User Agent in Active Directory Federation Services. By default, Active Directory Federation Services allows only known user agents to use Windows Authentication. All other user agents are considered external and are served with Forms Based Authentication (FBA) or certificate authentication.
    1. To enable single sign-on in BlackBerry Access, you must add the BlackBerry Access user agent string to the list of user agents that Active Directory Federation Services permits to use Windows Authentication, so that BlackBerry Access can use Windows Authentication and Kerberos constrained delegation. On all platforms, the BlackBerry Access user agent string begins with Mozilla/5.0. Be aware that Active Directory Federation Services matches each entry in this list as a substring of the request's User-Agent header, and Mozilla/5.0 appears in almost every browser's User-Agent, so adding it causes Active Directory Federation Services to challenge nearly all clients with Windows Authentication instead of FBA. If your federation service is reachable from outside your network, prefer the most specific stable substring of the actual BlackBerry Access User-Agent (the "Identify BlackBerry Access in User Agent" app setting is what adds the identifying text; capture the full header from your proxy or Active Directory Federation Services logs).
    2. To list the user agents that Active Directory Federation Services currently permits, enter the following command:
      Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
    3. Edit and run the following script to add the new user agent to Active Directory Federation Services. Set $NewUserAgent to the value that you want to add. The script appends to the existing list because Set-ADFSProperties replaces the whole list rather than adding to it.
      $NewUserAgent = "Mozilla/5.0"
      $CurrentUserAgents = Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
      $UserAgentAddArray = $CurrentUserAgents + $NewUserAgent
      Set-ADFSProperties -WIASupportedUserAgents $UserAgentAddArray
    4. To verify that the Active Directory Federation Services user agent has been added, run the Get-ADFSProperties command again:
      Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
    5. Restart the Active Directory Federation Services service so that the change takes effect.
  3. Set delegation on the Kerberos account.
    1. Log in to BlackBerry UEM.
    2. Click Settings > BlackBerry Dynamics > Properties.
    3. Scroll to the gc.krb5.principal.name property and note its value. This is the Microsoft Active Directory account that BlackBerry UEM uses for Kerberos constrained delegation; locate this account in Microsoft Active Directory.
    4. On your Microsoft Active Directory server, open the properties of that account in Active Directory Users and Computers and click the Delegation tab. Select "Trust this user for delegation to specified services only".
    5. Click ADD and enter the Active Directory Federation Services service account name that you discovered in step 1.
    6. Select the HTTP SPN (HTTP/fqdn.of.adfs.server) that you registered in step 1.
    7. Click OK.
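The following script is an added example, not part of the BlackBerry documentation, that performs the three steps above from PowerShell and makes each step idempotent so it can be re-run safely. Every name in it is a placeholder you must replace: adfs.example.com (the Active Directory Federation Services FQDN), svc_adfs (the service account reported by setspn -Q HOST/...), svc_uemkcd (the value of gc.krb5.principal.name), and the user-agent substring 'BlackBerry Access', which is hypothetical; capture the real string from your proxy or Active Directory Federation Services logs. It is meant to run on the Active Directory Federation Services server (step 2 must run there) with the RSAT ActiveDirectory module installed for steps 1 and 3. On Active Directory Federation Services 2.0, replace Import-Module ADFS with Add-PSSnapin Microsoft.Adfs.PowerShell.

```powershell
#Requires -Modules ActiveDirectory
# Added example: end-to-end SSO prerequisites for BlackBerry Access via AD FS.
# All parameter defaults are placeholders (assumptions), not values from the page.
param(
    [string]$AdfsFqdn           = 'adfs.example.com',
    [string]$AdfsServiceAccount = 'svc_adfs',
    [string]$UemKerberosAccount = 'svc_uemkcd',      # value of gc.krb5.principal.name
    [string]$NewUserAgent       = 'BlackBerry Access' # hypothetical; capture the real UA
)

$hostSpn = "HOST/$AdfsFqdn"
$httpSpn = "HTTP/$AdfsFqdn"

# ---- Step 1: verify the AD FS SPN and register the narrower HTTP SPN ----
# setspn -Q prints "Existing SPN found!" plus the owning account, or "No such SPN found."
$hostResult = (setspn -Q $hostSpn) | Out-String
if ($hostResult -notmatch 'Existing SPN found') {
    throw "HOST SPN $hostSpn is not registered; the Office 365 AD FS Kerberos prerequisite is incomplete."
}
Write-Host $hostResult
$httpResult = (setspn -Q $httpSpn) | Out-String
if ($httpResult -match 'Existing SPN found') {
    Write-Host "HTTP SPN already present:`n$httpResult"
} else {
    # -S searches the forest for a duplicate before adding; a duplicate SPN
    # breaks Kerberos for both accounts, so never use -A here.
    setspn -S $httpSpn $AdfsServiceAccount
}

# ---- Step 2: allow Windows Authentication for the BlackBerry Access user agent ----
Import-Module ADFS
$current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)
if ($current -contains $NewUserAgent) {
    Write-Host "User agent '$NewUserAgent' is already permitted for Windows Authentication."
} else {
    # Set-AdfsProperties replaces the whole list, so append to the existing entries.
    Set-AdfsProperties -WIASupportedUserAgents ($current + $NewUserAgent)
}
# Show the resulting list, then restart AD FS so the change takes effect.
Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
Restart-Service -Name adfssrv

# ---- Step 3: constrained delegation from the UEM Kerberos account to HTTP/<adfs> ----
# Equivalent of the Delegation tab: "Trust this user for delegation to specified
# services only", with the HTTP SPN from step 1 as the only target.
$acct = Get-ADUser -Identity $UemKerberosAccount -Properties 'msDS-AllowedToDelegateTo'
if ($acct.'msDS-AllowedToDelegateTo' -notcontains $httpSpn) {
    # -Add appends to the multi-valued attribute; adding an existing value would error.
    Set-ADUser -Identity $UemKerberosAccount -Add @{ 'msDS-AllowedToDelegateTo' = $httpSpn }
}
# Assumption: UEM requests tickets on behalf of users who never authenticate to it
# with Kerberos (S4U2Self / protocol transition), which requires "Use any
# authentication protocol" (TRUSTED_TO_AUTH_FOR_DELEGATION). Confirm this against
# your UEM Kerberos constrained delegation configuration before enabling it.
Set-ADAccountControl -Identity $UemKerberosAccount -TrustedToAuthForDelegation $true

# Verify the result: the account should list only the HTTP SPN as a delegation target.
Get-ADUser -Identity $UemKerberosAccount -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The guards around setspn -S, Set-AdfsProperties and Set-ADUser -Add are what make the script safe to re-run: each of those operations fails or silently does harm (a duplicate SPN, a wiped user-agent list) if applied a second time without checking the current state first. Keep the delegation target list to the single HTTP SPN; adding the HOST SPN or a broader account would let the UEM service account impersonate users to every service on the Active Directory Federation Services host.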