Configure constrained delegation for the Microsoft Active Directory account to support single sign-on

To support single sign-on for BlackBerry UEM, you must configure constrained delegation for the Microsoft Active Directory account that BlackBerry UEM uses for the directory connection. Constrained delegation allows browsers to authenticate with BlackBerry UEM on behalf of administrators or users when they access the management console or BlackBerry UEM Self-Service.
  1. Use the Windows Server ADSI Edit tool or setspn command-line tool to add the following SPNs for BlackBerry UEM to the Microsoft Active Directory account:
     • HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com)
     • BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com)
     If you configured high availability for the management consoles in a BlackBerry UEM domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console.
     Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs.
  2. Open Microsoft Active Directory Users and Computers.
  3. In the Microsoft Active Directory account properties, on the Delegation tab, select the following options:
     • Trust this user for delegation to specified services only
     • Use Kerberos only
  4. Add the SPNs from step 1 to the list of services.
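The following PowerShell script is an added example, not part of the BlackBerry UEM documentation, that carries out steps 1 through 4 from an elevated session on a domain-joined Windows Server with the ActiveDirectory RSAT module installed, and then verifies the result. The account name svc-uem is an assumed placeholder; the host name domain123.example.com is the example FQDN the page uses. In the Delegation tab, "Trust this user for delegation to specified services only" together with "Use Kerberos only" corresponds to populating the msDS-AllowedToDelegateTo attribute while leaving both the TrustedForDelegation (unconstrained delegation) and TrustedToAuthForDelegation (protocol transition) flags clear, so the script checks all three.

```powershell
# Added example (not BlackBerry UEM documentation or product code): register the two SPNs,
# configure Kerberos-only constrained delegation, and verify the outcome.
# Assumed placeholders: the UEM directory account 'svc-uem'; the console host or pool name
# 'domain123.example.com' (the example FQDN used on the page).
Import-Module ActiveDirectory

$Account    = 'svc-uem'                  # assumed sAMAccountName of the UEM directory account
$TargetHost = 'domain123.example.com'    # console host FQDN, or the pool name when HA is configured
$Spns       = @("HTTP/$TargetHost", "BASPLUGIN111/$TargetHost")

# Step 1 (pre-check): a duplicate SPN anywhere in the forest makes Kerberos ticket requests
# for that service fail, so look for existing registrations before adding anything.
foreach ($spn in $Spns) {
    Write-Host "Existing registrations of $spn (forest-wide):"
    setspn -Q $spn
}

# Step 1: register the SPNs. 'setspn -S' refuses to add an SPN that already exists in the
# forest, unlike '-A', which adds without checking.
foreach ($spn in $Spns) {
    setspn -S $spn $Account
}

# Steps 3 and 4: constrained delegation, Kerberos only. The service list on the Delegation tab
# is the msDS-AllowedToDelegateTo attribute; the page has the account delegate to its own SPNs.
Set-ADUser -Identity $Account -Add @{ 'msDS-AllowedToDelegateTo' = $Spns }
Set-ADAccountControl -Identity $Account -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Verification: read the account back and warn about anything that deviates from the page.
$u = Get-ADUser -Identity $Account -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation

$missing = $Spns | Where-Object { $u.servicePrincipalName -notcontains $_ }
if ($missing) {
    Write-Warning "SPNs not registered on ${Account}: $($missing -join ', ')"
}

$notDelegated = $Spns | Where-Object { $u.'msDS-AllowedToDelegateTo' -notcontains $_ }
if ($notDelegated) {
    Write-Warning "SPNs missing from the delegation list: $($notDelegated -join ', ')"
}

if ($u.TrustedForDelegation) {
    Write-Warning "$Account is trusted for unconstrained delegation; the procedure calls for 'specified services only'"
}
if ($u.TrustedToAuthForDelegation) {
    Write-Warning "$Account allows protocol transition ('Use any authentication protocol'); the procedure calls for 'Use Kerberos only'"
}

# Step 1 (post-check): report every duplicate SPN in the forest, not only the two added here.
setspn -X
```

Run the script once per BlackBerry UEM domain; if the final setspn -X report lists either SPN under more than one account, remove the stray registration before testing single sign-on, because the KDC cannot choose between two accounts that claim the same service.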