Configure Kerberos Constrained Delegation

For a multi-realm configuration, always configure and test a single realm first, then add the other realms or forests.
If you are configuring KCD for BlackBerry Docs, see Configuring Kerberos constrained delegation for the Docs service.
For additional information about the keytab file, see article 42712.
  1. Map the Kerberos service account to a service principal name (SPN). Open an administrator command prompt on the Active Directory server and type:
     setspn -s GCSvc/UEM_Core_host_machine DOMAIN\Kerberos_service_account
     Replace the host server name, domain, and service account variables with values appropriate to your environment. For example, with the service account kcdadmin:
     setspn -s GCSvc/UEM_Core_host_machine DOMAIN\kcdadmin
     Kerberos_service_account is the name of the service account under which the KCD service will be configured in BlackBerry UEM (kcdadmin in the example). This account does not need to be the same as the BlackBerry UEM service account, but it can be. The -s option registers the SPN only after verifying that no other account already carries it; an SPN registered on two accounts breaks Kerberos authentication to the service.
  2. Create the Kerberos keytab file. You must generate a new keytab file and copy it to the BlackBerry UEM server whenever you change the Kerberos service account password.
     Creating the keytab file also sets the Kerberos service account password: the password you pass to ktpass becomes the password of the account that you specify in the command. If the account already has a password, use the same one; if you use a different password, the command resets the account password. This includes the BlackBerry UEM service account password, if you use the UEM service account to create the keytab file. To create the keytab file, perform the following actions:
    1. Open a command prompt window on the KDC server.
    2. Use the ktpass command:
       ktpass -out outfilename.keytab -mapuser kerberos_account@REALM_IN_UPPERCASE -princ kerberos_account@REALM_IN_UPPERCASE -ptype KRB5_NT_PRINCIPAL -pass kerberos_account_password
       -out outfilename.keytab
       The name of the output file.
       -mapuser kerberos_account@REALM_IN_UPPERCASE
       The name of the Kerberos service account and the Active Directory realm. The realm name must use only uppercase letters.
       -princ kerberos_account@REALM_IN_UPPERCASE
       The principal name written into the keytab. Use the same account and uppercase realm as in -mapuser.
       -ptype KRB5_NT_PRINCIPAL
       The principal type.
       -pass kerberos_account_password
       The existing password for the reused Kerberos service account. If the password contains special characters, such as ^, enclose it in double quotation marks.
       ktpass accepts its options with either a dash or a slash prefix, so the following two forms are equivalent:
       ktpass -out outfilename.keytab -mapuser kerberos_account@REALM_IN_UPPERCASE -princ kerberos_account@REALM_IN_UPPERCASE -ptype KRB5_NT_PRINCIPAL -pass kerberos_account_password
       ktpass /out outfilename.keytab /mapuser kerberos_account@REALM_IN_UPPERCASE /princ kerberos_account@REALM_IN_UPPERCASE /ptype KRB5_NT_PRINCIPAL /pass kerberos_account_password
    3. Copy the new keytab file (outfilename.keytab in the examples) from the directory where you ran ktpass to the BlackBerry UEM server. Important: If you have multiple BlackBerry UEM Core servers that are configured to use the same KCD admin account, you must copy the keytab file to every BlackBerry UEM Core server.
       You can copy the keytab file to any location on the servers, for example, c:\keytab. You will reference this location later on, so make a note of it. The keytab contains the long-term key of the Kerberos service account and is equivalent to its password, so restrict read access on the file to the account that runs BlackBerry UEM and to local administrators.
  3. Enable enumeration of the group membership of Active Directory user objects. For more information, see "Privileged Accounts and Groups in Active Directory".
  4. On the BlackBerry UEM server, configure permissions for the service account that holds the SPN you registered in step 1 (the BlackBerry UEM service account, if you used that account) so that it can send user credentials to the KDC. To configure permissions, perform the following actions:
    1. Open the Local Security Policy pane in the Windows console.
    2. Under Local Policies, select User Rights Assignments, then right-click Act as part of the operating system in the right panel and select Properties.
    3. In the Properties window, click Add User or Group, type the name of the service account, and click OK.
     Act as part of the operating system (SeTcbPrivilege) is a highly privileged right. Grant it only to this service account, not to a group that contains other accounts.
  5. Configure the KCD-related properties in BlackBerry UEM.
     You can specify only one KDC (domain controller) in the BlackBerry UEM configuration for each BlackBerry UEM Core server. This means that all KCD-related calls to the domain controller from that Core server always go to that single KDC; if that KDC goes down, all KCD calls from that Core server fail.
     • In Settings > BlackBerry Dynamics > Global properties, the following settings are required to enable KCD in UEM:
       Use explicit UPN
       Enable this property to force BlackBerry UEM to perform authentication using the explicit UPN stored in Active Directory instead of the implicit UPN that is generated by combining a user's alias and domain.
       Enable KCD (gc.krb5.enabled)
       Select this check box to enable KCD.
     • In Settings > BlackBerry Dynamics > Properties (click the server name), the following settings are required to enable KCD in UEM:
       KDC
       The fully qualified name of the KDC. It usually corresponds to the FQDN of an Active Directory domain controller.
       gc.krb5.keytab.file=<keytab_file_location>
       The location of the keytab file. Use forward slashes, not backslashes, in the pathname (for example, c:/keytab/outfilename.keytab).
       KCD service account (<kcd_service_account>)
       The name of the service account used by the KCD service.
       Realm
       The name of the Active Directory realm. The value must be in all uppercase letters.
  6. (Optional) Create a krb5.conf file. This is required only if there is a CAPATH trust. Consult your Active Directory team if you need to create this file.
     The krb5.conf file is required to establish the CAPATH trust relationships of multiple Active Directory domains. The location of the krb5.conf file on the BlackBerry UEM server must be specified in the server property gc.krb5.config.file.
     Sample krb5.conf file (replace <kdc_fqdn> with the FQDN of the domain controller for the default realm):
     [libdefaults]
       default_realm = NA.POD1.COM
     [realms]
       NA.POD1.COM = {
         kdc = <kdc_fqdn>
       }
     [capaths]
       NA.POD1.COM = {
         APAC.POD2.COM = POD2.COM
         POD2.COM = POD1.COM
         POD1.COM = .
       }
       POD2.COM = {
         NA.POD1.COM = POD1.COM
         POD1.COM = .
       }
       APAC.POD2.COM = {
         NA.POD1.COM = POD1.COM
         POD1.COM = POD2.COM
         POD2.COM = .
       }
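The SPN registration, keytab creation, keytab placement, and user-right steps above (steps 1 to 4), as an added PowerShell example that is not part of the BlackBerry documentation. It adds the checks a practitioner wants at each step: it refuses to register an SPN that another object already carries, enforces the uppercase realm, prompts for the password because ktpass resets it, restricts the keytab's ACL after copying it, and verifies SeTcbPrivilege on the UEM server through secedit. The host uem01.example.com, the domain EXAMPLE, the realm EXAMPLE.COM, the path C:\keytab, and WinRM access to the UEM server are assumptions; kcdadmin is the account name the page uses.

```powershell
# Added example, not part of the BlackBerry documentation: automates steps 1 to 4
# of the procedure above and adds the checks a practitioner wants (duplicate SPN,
# uppercase realm, keytab ACL, SeTcbPrivilege). Run from an elevated PowerShell
# prompt on a domain controller with the AD DS tools (setspn, ktpass) installed.
# All host names, the domain, the realm and the paths below are assumptions.
param(
    [string]$UemHost   = 'uem01.example.com',   # UEM Core host (assumed)
    [string]$Domain    = 'EXAMPLE',             # NetBIOS domain name (assumed)
    [string]$Realm     = 'EXAMPLE.COM',         # Kerberos realm, must be uppercase (assumed)
    [string]$Account   = 'kcdadmin',            # Kerberos service account (name used on the page)
    [string]$KeytabDir = 'C:\keytab'            # directory later referenced in gc.krb5.keytab.file
)

$ErrorActionPreference = 'Stop'
$spn        = "GCSvc/$UemHost"
$samAccount = "$Domain\$Account"

# Step 1: register the SPN. Stop first if any object already carries it; the KDC
# cannot issue a usable service ticket for an SPN that maps to two accounts.
$query = & setspn -Q $spn
if (($query -join "`n") -match 'Existing SPN found') {
    throw "SPN $spn is already registered:`n$($query -join "`n")"
}
& setspn -S $spn $samAccount          # -S refuses duplicates on its own as well
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# Step 2: create the keytab. The realm must be uppercase both here and in the
# UEM realm property. ktpass RESETS the account password to the value given,
# so the password is prompted for instead of being hard-coded.
if ($Realm -cne $Realm.ToUpperInvariant()) { throw "Realm '$Realm' must be all uppercase" }
$secure = Read-Host -AsSecureString "Password for $Account (ktpass sets this as the account password)"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
New-Item -ItemType Directory -Force -Path $KeytabDir | Out-Null
$keytab = Join-Path $KeytabDir "${Account}.keytab"
& ktpass /out $keytab /mapuser "$Account@$Realm" /princ "$Account@$Realm" `
         /ptype KRB5_NT_PRINCIPAL /pass "$plain"
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }
$plain = $null

# Step 2c: copy the keytab to the UEM server and lock it down. The keytab is
# equivalent to the account password, so drop inherited ACEs and grant access
# only to local administrators and, read-only, to the service account.
$remoteDir = "\\$UemHost\$($KeytabDir.Replace(':', '$'))"   # C:\keytab -> \\uem01...\C$\keytab
New-Item -ItemType Directory -Force -Path $remoteDir | Out-Null
Copy-Item -Path $keytab -Destination $remoteDir
$remoteKeytab = Join-Path $remoteDir (Split-Path $keytab -Leaf)
& icacls $remoteKeytab /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' "${samAccount}:(R)" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
# The UEM property wants forward slashes in the path.
Write-Host "Keytab at $remoteKeytab; set gc.krb5.keytab.file=$($KeytabDir -replace '\\', '/')/${Account}.keytab"

# Step 4: confirm the account holds 'Act as part of the operating system'
# (SeTcbPrivilege) on the UEM server. secedit lists user rights by SID with a
# leading '*', so resolve the SID and look for it on that line.
$sid = ([System.Security.Principal.NTAccount]$samAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$granted = Invoke-Command -ComputerName $UemHost -ArgumentList $sid -ScriptBlock {
    param($sid)
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    & secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeTcbPrivilege*' }
    Remove-Item $inf
    $hits = @($line) -match [regex]::Escape("*$sid")
    return ($hits.Count -gt 0)
}
if (-not $granted) {
    Write-Warning "$samAccount lacks SeTcbPrivilege on $UemHost; grant it in Local Security Policy (step 4)"
}
```

Save the script as Configure-Kcd.ps1 and run it from an elevated prompt on a domain controller; the final check needs WinRM access to the UEM server. Steps 5 and 6 stay manual: enter the KDC, the keytab path (forward slashes), the service account and the uppercase realm in the UEM console, and add a krb5.conf only if you have a CAPATH trust.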