Configure constrained delegation for the Microsoft Active Directory account to support single sign-on

To support single sign-on for BlackBerry UEM, you must configure constrained delegation for the Microsoft Active Directory account that BlackBerry UEM uses for the directory connection. Constrained delegation allows browsers to authenticate with BlackBerry UEM on behalf of administrators or users when they access the management console or BlackBerry UEM Self-Service.
1. Use the Windows Server ADSI Edit tool or the setspn command-line tool to add the following SPNs for BlackBerry UEM to the Microsoft Active Directory account:
   - HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com)
   - BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com)

   If you configured high availability for the management consoles in a BlackBerry UEM domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console. Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs.
2. Open Microsoft Active Directory Users and Computers.
3. In the Microsoft Active Directory account properties, on the Delegation tab, select the following options:
   - Trust this user for delegation to specified services only
   - Use Kerberos only
4. Add the SPNs from step 1 to the list of services.
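The same procedure carried out with setspn and the ActiveDirectory PowerShell module, as an added example that is not part of the BlackBerry UEM documentation: it checks the forest for duplicate SPNs, registers the two SPNs, sets Kerberos-only constrained delegation by populating msDS-AllowedToDelegateTo, and verifies that neither of the broader delegation flags is set. The account name EXAMPLE\svc-uem is an assumed placeholder; domain123.example.com is the host/pool name used on the page.

```powershell
# Added example (not BlackBerry's own script). Requires the RSAT ActiveDirectory
# module and rights to modify the service account and its SPNs.
# Assumed placeholders: service account EXAMPLE\svc-uem; console host or HA pool
# name domain123.example.com (the value the page uses).

$Account = 'svc-uem'                    # sAMAccountName of the UEM directory account (assumed)
$Domain  = 'EXAMPLE'                    # NetBIOS domain name (assumed)
$Target  = 'domain123.example.com'      # FQDN of the console host, or the HA pool name
$Spns    = @("HTTP/$Target", "BASPLUGIN111/$Target")

Import-Module ActiveDirectory

# Step 1a: verify that no other account in the forest already holds these SPNs.
# A duplicate SPN breaks Kerberos because the KDC cannot choose one account to
# encrypt the service ticket for. -F widens the query from domain to forest.
foreach ($spn in $Spns) {
    $result = setspn -F -Q $spn
    if ($result -match 'Existing SPN found') {
        throw "SPN $spn is already registered on another account:`n$($result -join "`n")"
    }
}

# Step 1b: register the SPNs on the service account.
# -S (rather than -A) re-checks for duplicates immediately before adding.
foreach ($spn in $Spns) {
    setspn -S $spn "$Domain\$Account"
}

# Steps 3 and 4: "Trust this user for delegation to specified services only"
# with "Use Kerberos only" is simply a populated msDS-AllowedToDelegateTo.
# It does not set TRUSTED_TO_AUTH_FOR_DELEGATION; that bit corresponds to the
# "Use any authentication protocol" option, which is deliberately not chosen here.
Set-ADUser -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = $Spns }

# Verification: both delegation flags should be False.
#   TrustedForDelegation        = unconstrained delegation (any service)
#   TrustedToAuthForDelegation  = constrained delegation with protocol transition
$acct = Get-ADUser -Identity $Account -Properties ServicePrincipalNames,
            'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

$acct | Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'SPNs';       e = { $_.ServicePrincipalNames -join ', ' } },
        @{ n = 'DelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

if ($acct.TrustedForDelegation -or $acct.TrustedToAuthForDelegation) {
    Write-Warning "Account allows broader delegation than 'Use Kerberos only'; review the Delegation tab."
}
```

Run it once from a domain-joined administrative host; re-running is safe because setspn -S refuses to add an SPN that already exists and Set-ADUser -Add ignores values already present in the attribute. If the Delegation tab is later changed in Active Directory Users and Computers, the verification block at the end is the quickest way to confirm the account is still limited to Kerberos-only constrained delegation to exactly the two UEM SPNs.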