Skip Navigation

Multi-realm Kerberos environment, single-forest configuration

Multi-realm Kerberos Contstrained Delegation environment
In a multi-realm KCD environment, the 
BlackBerry Dynamics
 client selects a 
BlackBerry UEM Core
 to process the KCD request based upon the DNS domain of the target server. Once the target is determined to be a KCD target, the 
BlackBerry Dynamics
 client determines the list of 
BlackBerry UEM Core
 servers that are within the same DNS domain as the target, then randomly selects from this list (based on priorities) a 
BlackBerry UEM Core
 to process the request.
If there is no such DNS match (no 
BlackBerry UEM Core
 servers are within the same DNS domain as the target), the client randomly selects from the list of all 
BlackBerry UEM Core
When a resource (for example, 
Microsoft Exchange
) has an FQDN name that doesn’t accurately reflect the 
 realm the resource is in, then 
BlackBerry UEM
 may not be able to properly authenticate the resource. For example, if the resource has a DNS pool name of but the actual servers behind that DNS pool name are and, then the SDK will not be able to find a 
BlackBerry UEM Core
 server within the correct realm.
The SDK compares the target host DNS domain to the DNS domain of all the 
BlackBerry UEM Core
 servers so that the comparison can be done offline on the device as soon as the Kerberos request occurs, with no additional fetches. If the list of Core servers in the same DNS domain as the target is empty, the SDK returns the full list of servers. Otherwise, it uses the previously generated list. The list is then randomised and further sorted to ensure this also meets the priority as well (the primaries first). The SDK selects the top two entries and initiates the KCD request to the top-listed Core server. If that request fails, the SDK sends the request to the second Core server. 
For more information, visit to read article 49304.