Configure constrained delegation for the Microsoft Active Directory account to support single sign-on
To support single sign-on for BlackBerry UEM, you must configure constrained delegation for the Microsoft Active Directory account that BlackBerry UEM uses for the directory connection. Constrained delegation allows browsers to authenticate with BlackBerry UEM on behalf of administrators or users when they access the management console or BlackBerry UEM Self-Service.
1. Use the Windows Server ADSI Edit tool or the setspn command-line tool to add the following SPNs for BlackBerry UEM to the Microsoft Active Directory account:
   - HTTP/<host_FQDN_or_pool_name> (for example, HTTP/domain123.example.com)
   - BASPLUGIN111/<host_FQDN_or_pool_name> (for example, BASPLUGIN111/domain123.example.com)

   If you configured high availability for the management consoles in a BlackBerry UEM domain, specify the pool name. Otherwise, specify the FQDN of the computer that hosts the management console. Verify that no other accounts in the Microsoft Active Directory forest have the same SPNs.
2. Open Microsoft Active Directory Users and Computers.
3. In the Microsoft Active Directory account properties, on the Delegation tab, select the following options:
   - Trust this user for delegation to specified services only
   - Add the SPNs from step 1 to the list of services.
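The same three steps can be scripted instead of clicked through. The following PowerShell is an added example, not part of the BlackBerry UEM documentation: it runs the forest-wide duplicate check that step 1 asks for before registering each SPN with setspn, then sets the account's msDS-AllowedToDelegateTo attribute (what the Delegation tab writes when you choose "Trust this user for delegation to specified services only" and add services) using the ActiveDirectory module, and finally verifies the result. The account name svc-uem and the host name uem.example.com are placeholders; substitute your own directory account and console FQDN or pool name.

```powershell
# Added example (not from the BlackBerry UEM documentation): register the two UEM
# SPNs on the directory service account, constrain delegation to those SPNs, and
# verify the result. Account and host names below are assumed placeholders.
#Requires -Modules ActiveDirectory

$ServiceAccount = 'svc-uem'          # assumed: the account UEM uses for the directory connection
$HostOrPool     = 'uem.example.com'  # assumed: console FQDN, or the pool name when HA is configured
$Spns           = @("HTTP/$HostOrPool", "BASPLUGIN111/$HostOrPool")

# Step 1: for each SPN, query the whole forest (-F -Q) for an existing registration,
# then add it with -S, which refuses to create a duplicate; -F widens that check to the forest.
foreach ($spn in $Spns) {
    $query = setspn -F -Q $spn
    if ($query -match 'Existing SPN found') {
        throw "SPN $spn is already registered in the forest; resolve this before continuing:`n$($query -join "`n")"
    }
    setspn -F -S $spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn could not add $spn to $ServiceAccount" }
}

# Steps 2 and 3: "Trust this user for delegation to specified services only" with the step-1
# SPNs as the services is stored in msDS-AllowedToDelegateTo. Only add values not already present,
# because Set-ADUser -Add fails on a value that already exists in a multi-valued attribute.
$current = (Get-ADUser -Identity $ServiceAccount -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
$missing = $Spns | Where-Object { $current -notcontains $_ }
if ($missing) {
    Set-ADUser -Identity $ServiceAccount -Add @{ 'msDS-AllowedToDelegateTo' = @($missing) }
}

# Verification: every SPN is on the account, every SPN is an allowed delegation target, and the
# account is not marked for unconstrained delegation (a broader grant than this procedure intends).
$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation
foreach ($spn in $Spns) {
    if ($acct.servicePrincipalName -notcontains $spn) { throw "SPN $spn is not registered on $ServiceAccount" }
    if ($acct.'msDS-AllowedToDelegateTo' -notcontains $spn) { throw "$spn is not an allowed delegation target for $ServiceAccount" }
}
if ($acct.TrustedForDelegation) {
    throw "$ServiceAccount is trusted for unconstrained delegation; clear that flag so only the listed services are allowed."
}
Write-Host "Constrained delegation configured for $ServiceAccount to: $($Spns -join ', ')"
```

Run it from a Windows Server host with the Remote Server Administration Tools installed, as a user permitted to write the account's servicePrincipalName and msDS-AllowedToDelegateTo attributes. The final check is worth keeping even if you configure delegation through the GUI: an account that is also flagged for unconstrained delegation can delegate to any service, which is more than single sign-on to the UEM console requires.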