
Configuring Kerberos for BlackBerry Dynamics apps

BlackBerry Dynamics apps support both Kerberos Constrained Delegation and Kerberos PKINIT. Kerberos Constrained Delegation (KCD) and Kerberos PKINIT are distinct implementations of Kerberos. You can support one or the other for BlackBerry Dynamics apps, but not both.

Kerberos Constrained Delegation (KCD) allows users to access enterprise resources without having to enter their network credentials. KCD uses service tickets that are encrypted and decrypted by keys that do not contain the user’s credentials.

When delegation is configured, the BlackBerry Dynamics app delegates authentication to BlackBerry UEM to act on its behalf to request access to a work resource. KCD constrains the accessed resources: administrators can limit the network resources that are accessible. This is accomplished by configuring the account under which the delegate (BlackBerry UEM) runs as trusted only for specific services.

For example, if KCD is not configured and an app requests a resource like mypage.mydomain.com, the app prompts the user for credentials. When KCD is configured, the BlackBerry Dynamics infrastructure handles authentication and the user is not prompted for credentials for the resource.

Kerberos is a part of Microsoft Active Directory. Before configuring Kerberos Constrained Delegation in BlackBerry UEM, ensure your Kerberos environment is functioning properly and that you understand the implications involved in configuring Constrained Delegation for internal resources. Consult the appropriate Microsoft documentation if you require information on Kerberos in general or Constrained Delegation.
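
One way to check that the delegate account is trusted only for specific services, as described above. This is an added example, not BlackBerry or Microsoft code; the account name `svc-uem-placeholder`, the function name `Test-KcdScope` and the second SPN are constructed for illustration.

```powershell
# Added example: audit the delegation scope of the account BlackBerry UEM runs as.
# Account name and SPN values below are constructed placeholders.
function Test-KcdScope {
    param(
        [Parameter(Mandatory)] $Account,                 # object shaped like Get-ADUser output
        [Parameter(Mandatory)] [string[]] $ApprovedSpns  # services the delegate may reach
    )
    $findings = @()

    # Unconstrained delegation defeats the purpose of KCD: the account can
    # act for users against any service, not only the listed ones.
    if ($Account.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled (TrustedForDelegation).'
    }

    # msDS-AllowedToDelegateTo holds the SPNs the account is constrained to.
    $allowed = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    if ($allowed.Count -eq 0 -and -not $Account.TrustedForDelegation) {
        $findings += 'No services are listed for delegation; KCD is not configured.'
    }

    # Every listed SPN must be on the approved list (comparison is case-insensitive).
    foreach ($spn in $allowed) {
        if ($spn -notin $ApprovedSpns) {
            $findings += "Delegation to unapproved service: $spn"
        }
    }
    $findings
}

# Live query (requires the ActiveDirectory module); replace the placeholder name:
# $acct = Get-ADUser -Identity 'svc-uem-placeholder' `
#             -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# Constructed sample standing in for the query result, so the check runs offline.
$acct = [pscustomobject]@{
    SamAccountName             = 'svc-uem-placeholder'
    TrustedForDelegation       = $false
    'msDS-AllowedToDelegateTo' = @('HTTP/mypage.mydomain.com', 'HTTP/other.mydomain.com')
}
$approved = @('HTTP/mypage.mydomain.com')

Test-KcdScope -Account $acct -ApprovedSpns $approved
```

An empty result means the account's delegation list matches the approved list and unconstrained delegation is off.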

Kerberos PKINIT authentication establishes trust directly between the BlackBerry Dynamics app and the Windows KDC. User authentication is based on certificates issued by Microsoft Active Directory Certificate Services. To use PKINIT, Kerberos Constrained Delegation must not be enabled in the app settings in BlackBerry UEM.

The information in this section is a guideline. If you require more information about Kerberos and BlackBerry UEM, contact BlackBerry Technical Support.