Configuring Kerberos PKINIT

BlackBerry UEM supports Kerberos PKINIT for BlackBerry Dynamics user authentication using PKI certificates. If you want to use Kerberos PKINIT for BlackBerry Dynamics apps, your organization must meet the following requirements:

Key points

  • Kerberos Constrained Delegation must not be enabled.
  • The KDC host must be added to the Allowed Domains list in the BlackBerry Dynamics Connectivity Profile.
  • The KDC host must be listening on TCP port 88 (the Kerberos default port).
  • BlackBerry Dynamics doesn't support KDC over UDP.
  • The KDC must have an A record (IPv4) or AAAA record (IPv6) in your DNS.
  • BlackBerry Dynamics doesn't use Kerberos configuration files (such as krb5.conf) to locate the correct KDC.
  • The KDC can refer the client to another KDC host. BlackBerry Dynamics will follow the referral, as long as the KDC host that is referred to is added to the Allowed Domains list in the BlackBerry Dynamics Connectivity Profile.
  • The KDC can obtain the TGT transparently to BlackBerry Dynamics from another KDC host.

Server certificates

  • Windows KDC server certificates issued via Active Directory Certificate Services must come only from the following Windows Server versions. No other server versions are supported.
    • Internet Information Server with Windows Server 2008 R2
    • Internet Information Server with Windows Server 2012 R2
  • Valid KDC service certificates must be located either in the BlackBerry Dynamics Certificate Store or the Device Certificate Store.

Client certificates

  • The minimum key length for the certificates must be 2,048 bytes.
  • The Extended Key Usage property of the certificate must be Microsoft Smart Card Logon (1.3.6.1.4.1.311.20.2.2).
  • Client certificates must include the User Principal Name (for example, user@domain.com) in the Subject Alternative Name as the otherName object ID szOID_NT_PRINCIPAL_NAME (1.3.6.1.4.1.311.20.2.3).
  • If the user is issued more than one client certificate, the domain of the User Principal Name must match the domain of the resource that is being accessed, to ensure that the correct certificate is used.
  • Certificates must be valid. Validate them against the servers listed above.
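The client-certificate rules above can be checked mechanically before a certificate is pushed to a device. The following script is an added example, not BlackBerry code: it reads the key size, the Smart Card Logon EKU, the UPN carried in the SAN otherName szOID_NT_PRINCIPAL_NAME, and the validity window, and it picks the certificate whose UPN domain matches the resource's domain when a user holds several. It assumes the Python `cryptography` package is installed; the self-signed test certificates it builds are constructed for the demo, and chain validation against the KDC servers is left to those servers.

```python
"""Added example: check a PKINIT client certificate against the client-certificate
requirements listed on this page. Not BlackBerry code; assumes the `cryptography`
package is installed. Chain validation against the KDC servers is out of scope."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# OIDs quoted on the page.
SMART_CARD_LOGON_EKU = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")
NT_PRINCIPAL_NAME = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # szOID_NT_PRINCIPAL_NAME
MIN_KEY_BITS = 2048


def encode_upn(upn: str) -> bytes:
    """DER-encode a UPN as a UTF8String, the form the szOID_NT_PRINCIPAL_NAME otherName carries."""
    data = upn.encode("utf-8")
    if len(data) >= 128:
        raise ValueError("UPN too long for short-form DER length (demo limitation)")
    return b"\x0c" + bytes([len(data)]) + data


def decode_upn(der: bytes) -> str:
    """Inverse of encode_upn: unwrap the UTF8String from the otherName value."""
    if len(der) < 2 or der[0] != 0x0C or der[1] != len(der) - 2:
        raise ValueError("otherName value is not a short-form UTF8String")
    return der[2:].decode("utf-8")


def extract_upn(cert: x509.Certificate):
    """Return the UPN from the SAN otherName, or None if the certificate lacks one."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == NT_PRINCIPAL_NAME:
            return decode_upn(other.value)
    return None


def check_client_cert(cert: x509.Certificate, resource_domain=None) -> dict:
    """Map each page requirement to True/False for the given certificate."""
    results = {"key_length": getattr(cert.public_key(), "key_size", 0) >= MIN_KEY_BITS}
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        results["smart_card_logon_eku"] = SMART_CARD_LOGON_EKU in eku
    except x509.ExtensionNotFound:
        results["smart_card_logon_eku"] = False
    upn = extract_upn(cert)
    results["upn_in_san"] = upn is not None
    if resource_domain is not None:
        # With several client certificates the UPN domain must match the resource's domain.
        results["upn_domain_matches"] = (
            upn is not None and upn.rsplit("@", 1)[-1].lower() == resource_domain.lower()
        )
    try:  # cryptography >= 42 exposes timezone-aware accessors
        not_before, not_after = cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        not_before = cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
        not_after = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    now = datetime.datetime.now(datetime.timezone.utc)
    results["within_validity_period"] = not_before <= now <= not_after
    return results


def select_cert_for_resource(certs, resource_domain):
    """Pick the certificate whose UPN domain matches the resource being accessed."""
    for cert in certs:
        upn = extract_upn(cert)
        if upn and upn.rsplit("@", 1)[-1].lower() == resource_domain.lower():
            return cert
    return None


def make_sample_cert(upn: str, key_bits: int, include_eku: bool = True) -> x509.Certificate:
    """Constructed, self-signed test certificate (not a real enrolment) for the demo."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@")[0])])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(
            x509.SubjectAlternativeName([x509.OtherName(NT_PRINCIPAL_NAME, encode_upn(upn))]),
            critical=False,
        )
    )
    if include_eku:
        builder = builder.add_extension(x509.ExtendedKeyUsage([SMART_CARD_LOGON_EKU]), critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    good = make_sample_cert("alice@corp.example.com", 2048)
    weak = make_sample_cert("bob@other.example.com", 1024, include_eku=False)
    print(check_client_cert(good, "corp.example.com"))
    print(check_client_cert(weak, "corp.example.com"))
```

To check a real enrolment, load it with `x509.load_pem_x509_certificate()` or `x509.load_der_x509_certificate()` and pass it to `check_client_cert()` together with the domain of the resource the app will reach; any False in the result identifies which of the rules above the certificate breaks. Note that `decode_upn` only handles short-form DER lengths, which covers any realistic UPN.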