Skip Navigation

Single-realm Kerberos environment

Single-realm Kerberos Constrained Delegation environment
  1. A  
    BlackBerry Dynamics
     app makes a request to an internal server or service (the 
    target)
    .
    The target can be either a host name (server name) or an account that is to be protected by 
    Kerberos
     and 
    BlackBerry Dynamics
    . For example, if IIS is running on a server as the Network service, the target is the server running IIS as Network. On the other hand, if IIS is running as a user (for example, IISSrvUser), then the target is that user name, IISSrvUser.
  2. The target replies with an authentication challenge that 
    BlackBerry Dynamics
     intercepts.
  3. The 
    BlackBerry Dynamics
     SDK sends a request to 
    BlackBerry UEM
     for a service ticket to access the target.
  4. BlackBerry UEM
     authenticates the user or app (through internal 
    BlackBerry Dynamics
     protocols) and asks for a service ticket on behalf of the user (delegation) for the service on the target.
  5. Active Directory
     checks its local policy. If the user has permission to access the resource on the target and if the resource on the target is allowed (constrained), 
    Active Directory
     returns to 
    BlackBerry UEM
     a service ticket for the resource.
  6. BlackBerry UEM
     sends the necessary information from the returned service ticket to the 
    BlackBerry Dynamics
     SDK.
  7. The 
    BlackBerry Dynamics
     app uses the information from 
    BlackBerry UEM
     to complete the authentication to the target.