Configure Kerberos Constrained Delegation

For multi-realm configuration, always start by configuring and testing a single realm first, then proceed to adding the other realms or forests.
  1. Map the Kerberos service account to a service principal name (SPN). Open an administrator command prompt on the Active Directory server and type setspn -s GCSvc/UEM_Core_host_machine DOMAIN\Kerberos_service_account.
     Replace the host server name, domain, and service account variables with values appropriate to your environment. The Kerberos service account is the service account name under which the KCD service will be configured in UEM (gc.krb5.principal.name). This account does not need to be the same as the UEM service account, but can be.
     For example:
     setspn -s GCSvc/uem1.example.com example.com\kcdadmin
  2. Create the Kerberos keytab file. You must generate a new keytab file and copy it to the UEM server whenever you change the Kerberos account password.
     Creating the Kerberos keytab file also sets the Kerberos account password: the password that you specify in the command becomes the password of the account named in the command. If you have already been given a password, ensure you use the same one; if you use a different password, the command resets the account password. This includes the UEM service account password, if you use the UEM service account to create the keytab file. To create the keytab file, perform the following actions:
     1. Open a command prompt window on the KDC server.
     2. Use the ktpass command. For more information about the ktpass command, visit docs.microsoft.com.
        ktpass -out outfilename.keytab -mapuser kerberos_account@REALM_IN_UPPERCASE -princ kerberos_account@REALM_IN_UPPERCASE /ptype KRB5_NT_PRINCIPAL -pass kerberos_account_password
        outfilename
          This is the name of the output file.
        kerberos_account
          This is the name of the Kerberos account.
        REALM_IN_UPPERCASE
          This is the Kerberos realm. The name must use only uppercase letters.
        -pass kerberos_account_password
          This is the existing password for the reused Kerberos account. If the kerberos_account_password contains special characters, such as ^, enclose it in double quotation marks.
        For example:
        ktpass -out outfilename.keytab -mapuser kerberos_account@REALM_IN_UPPERCASE -princ kerberos_account@REALM_IN_UPPERCASE /ptype KRB5_NT_PRINCIPAL -pass kerberos_account_password
        or
        ktpass /out outfilename.keytab /mapuser kerberos_account@REALM_IN_UPPERCASE /princ kerberos_account@REALM_IN_UPPERCASE /ptype KRB5_NT_PRINCIPAL /pass kerberos_account_password
     3. Copy the new keytab file (kcdadmin.keytab in the examples) saved in this directory to the UEM server. If you have multiple BlackBerry UEM Core servers that are configured to use the same KCD admin account, you must copy the keytab file to every UEM server.
        You can copy the keytab file to any location on the servers, for example, c:\keytab. You will reference this location later on, so make a note of it.
  3. Enable enumeration of AD user objects group membership. For more information, see Appendix B: Privileged Accounts and Groups in Active Directory.
  4. On the UEM server, configure permissions for the UEM service account so it can send user credentials to the Kerberos system. This is the same account that has the associated service principal name (SPN). To configure permissions, perform the following actions:
     1. Open the Local Security Policy pane in the Windows console.
     2. Under Local Policies, select User Rights Assignments, then right-click Act as part of the operating system in the right panel and select Properties.
     3. In the Properties window, click on Add User or Group, then type the name of the service account and click OK.
  5. Configure Kerberos-related properties in UEM.
     You can specify only one KDC (domain controller) in the UEM configuration for each BlackBerry UEM Core server. This means that all KCD-related calls to the domain controller will always go to that single KDC, so if that one KDC goes down, all KCD calls will fail.
     • In Settings > BlackBerry Dynamics > Global properties, the following settings are required to enable KCD in UEM.
       Use explicit UPN
         Enable this property to force UEM to perform authentication using the explicit UPN stored in Active Directory instead of the implicit UPN that is generated by combining a user's alias and domain.
       Enable KCD (gc.krb5.enabled)
         Select this check box to enable KCD.
     • In Settings > BlackBerry Dynamics > Properties (click on the server name), the following settings are required to enable KCD in UEM. Each property is listed with an example value and a description.
       gc.krb5.kdc=<kdc_host_name>
         Example: UEM1.EXAMPLE.COM
         The fully qualified name for the KDC. It usually corresponds to the FQDN of an Active Directory domain controller.
       gc.krb5.keytab.file=<keytab_file_location>
         Example: c:/keytab/kcdadmin.keytab
         The location of the keytab file. Use forward slashes in the path name.
       gc.krb5.principal.name=<kcd_service_account>
         Example: kcdadmin@EXAMPLE.COM
         The name of the service account used by the KCD service.
       gc.krb5.realm=<REALM>
         Example: EXAMPLE.COM
         The name of the Active Directory realm. The value must be in all uppercase letters.
  6. Optionally, create a krb5.conf file if there is a CAPATH trust. Consult your Active Directory team if you need to create this file.
     The krb5.conf file is required to establish the CAPATH trust relationships of multiple Kerberos domains. The location of the krb5.conf file on the UEM server must be specified in the server property gc.krb5.config.file.
     Sample krb5.conf file:
     [libdefaults]
       default_realm = NA.POD1.COM
     [realms]
       NA.POD1.COM = {
         kdc = pod1-na-ad.na.pod1.com
       }
     [capaths]
       NA.POD1.COM = {
         APAC.POD2.COM = POD2.COM
         POD2.COM = POD1.COM
         POD1.COM = .
       }
       POD2.COM = {
         NA.POD1.COM = POD1.COM
         POD1.COM = .
       }
       APAC.POD2.COM = {
         NA.POD1.COM = POD1.COM
         POD1.COM = POD2.COM
         POD2.COM = .
       }
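A mismatch between the keytab created in step 2 and the gc.krb5.principal.name / gc.krb5.realm values entered in step 5 is a common reason KCD fails after setup. The following added example (not BlackBerry's code) parses a version 0x0502 keytab, the format ktpass writes, and checks that it holds a KRB5_NT_PRINCIPAL entry for the configured principal and that the realm is uppercase; the build_keytab helper only constructs test data in place of real ktpass output.

```python
import struct
KRB5_NT_PRINCIPAL = 1  # the /ptype value used with ktpass in step 2

def _cstr(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n  # uint16 length, then the bytes

def parse_keytab(data: bytes) -> list[tuple[str, int, int]]:
    """Return (principal, name_type, kvno) for each entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab (the format ktpass writes)")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:              # a negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(data, off)
            comps.append(comp.decode())
        name_type, _stamp, kvno = struct.unpack_from(">IIB", data, off)
        entries.append(("/".join(comps) + "@" + realm.decode(), name_type, kvno))
        off = end                 # skip the key block and the optional 32-bit kvno
    return entries

def build_keytab(principal: str, key: bytes, kvno: int = 3, enctype: int = 18) -> bytes:
    """Constructed one-entry keytab standing in for ktpass output (test data only)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, 0, kvno, enctype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def check_keytab(data: bytes, principal_name: str, realm: str) -> list[str]:
    """Problems found when comparing the keytab with gc.krb5.principal.name / gc.krb5.realm."""
    problems = []
    if realm != realm.upper():
        problems.append("gc.krb5.realm must be all uppercase")
    if not principal_name.endswith("@" + realm):
        problems.append("realm in gc.krb5.principal.name does not match gc.krb5.realm")
    if not any(p == principal_name and t == KRB5_NT_PRINCIPAL for p, t, _ in parse_keytab(data)):
        problems.append(f"keytab has no KRB5_NT_PRINCIPAL key for {principal_name}")
    return problems
```

Run check_keytab on the bytes of the copied keytab file with the two property values from step 5; an empty list means the file and the UEM configuration agree.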