BlackBerry Dynamics user authentication using PKI certificates.
If you want to use
BlackBerry Dynamics apps, your organization must meet the following requirements:
- Kerberos Constrained Delegation must not be enabled.
- The KDC host must be added to the Allowed Domains list in the BlackBerry Dynamics Connectivity Profile.
- The KDC host must be listening on TCP port 88 (the Kerberos default port).
- BlackBerry Dynamics doesn't support KDC over UDP.
- The KDC must have an A record (IPv4) or AAAA record (IPv6) in your DNS.
- BlackBerry Dynamics doesn't use Kerberos configuration files (such as krb5.conf) to locate the correct KDC.
- The KDC can refer the client to another KDC host. BlackBerry Dynamics will follow the referral, as long as the KDC host that is referred to is added to the Allowed Domains list in the BlackBerry Dynamics Connectivity Profile.
- The KDC can obtain the TGT transparently to BlackBerry Dynamics from another KDC host.
- Windows KDC server certificates issued via the Active Directory Certificate Services must come only from the following Windows Server versions. No other server versions are supported.
  - Internet Information Server with Windows Server 2008 R2
  - Internet Information Server with Windows Server 2012 R2
- Valid KDC service certificates must be located either in the BlackBerry Dynamics Certificate Store or the Device Certificate Store.
- The minimum key length for the certificates must be 2,048 bytes.
- Client certificates must include the User Principal Name (for example, firstname.lastname@example.org) in the Subject Alternative Name of object ID szOID_NT_PRINCIPAL_NAME 1.3.6.1.4.1.311.20.2.3, as specified by Microsoft at https://support.microsoft.com/en-us/kb/287547.
- The domain of the User Principal Name must match the name of the realm of the Windows KDC service.
- The Extended Key Usage property of the certificate must be Microsoft Smart Card Logon (1.3.6.1.4.1.311.20.2.2).
- Certificates must be valid. Validate them against the servers listed above.
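An added example, not BlackBerry's code or documentation: a checker written with the Python `cryptography` library that tests a client certificate against the certificate requirements above (key length, UPN carried in the SAN otherName, UPN domain matching the realm, Smart Card Logon EKU, validity period). The realm name and the self-signed fixture certificate are constructed for the example; it assumes the minimum key length is meant as 2048 bits and that the UPN suffix is compared to the realm case-insensitively.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")          # szOID_NT_PRINCIPAL_NAME
SMARTCARD_LOGON = ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # Microsoft Smart Card Logon EKU
MIN_KEY_BITS = 2048  # assumption: the page's "2,048" minimum key length is read as bits
def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None
def upn_from_san(cert):
    """UPN from the SAN otherName, whose value is raw DER: tag 0x0c (UTF8String), length byte, text."""
    san = _ext(cert, x509.SubjectAlternativeName)
    for other in san.get_values_for_type(x509.OtherName) if san else []:
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
            return other.value[2:2 + other.value[1]].decode("utf-8")
    return None

def check_pkinit_client_cert(cert, realm, now=None):
    """Return the list of requirement violations; an empty list means the certificate passes."""
    problems, now = [], now or datetime.now(timezone.utc)
    if cert.public_key().key_size < MIN_KEY_BITS:
        problems.append(f"key is {cert.public_key().key_size} bits, minimum is {MIN_KEY_BITS}")
    upn = upn_from_san(cert)
    if upn is None:
        problems.append("no User Principal Name in the Subject Alternative Name")
    elif upn.rpartition("@")[2].upper() != realm.upper():  # assumes case-insensitive realm match
        problems.append(f"UPN domain of {upn!r} does not match realm {realm!r}")
    if SMARTCARD_LOGON not in (_ext(cert, x509.ExtendedKeyUsage) or []):
        problems.append("Extended Key Usage lacks Microsoft Smart Card Logon")
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=timezone.utc)
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=timezone.utc)
    if not not_before <= now <= not_after:  # *_utc attributes exist in cryptography >= 42
        problems.append("certificate is outside its validity period")
    return problems

def make_test_cert(upn, key_bits=2048, ekus=(SMARTCARD_LOGON,), days=365):
    """Constructed self-signed fixture for exercising the checker; not issued by any real CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name, now = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn)]), datetime.now(timezone.utc)
    upn_der = b"\x0c" + bytes([len(upn.encode())]) + upn.encode()  # DER UTF8String, short-form length
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=days))
            .add_extension(x509.SubjectAlternativeName([x509.OtherName(UPN_OID, upn_der)]), critical=False)
            .add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False).sign(key, hashes.SHA256()))
```

Run `check_pkinit_client_cert` against a certificate loaded with `x509.load_pem_x509_certificate` and the realm of your Windows KDC to get the list of unmet requirements before enrolling it.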