Skip Navigation

Configure KCD for
BlackBerry Dynamics

  1. To map the
    service account to an SPN, on the
    Active Directory
    server, open the command prompt as an administrator and type the following, specifying the host server name, domain, and
    service account. The
    service account is the service account name under which the KCD service will be configured in
    ( This account does not need to be the same as the
    service account, but can be.
    setspn –s GCSvc/<UEM_Core_host_machine> <domain>\<Kerberos_service_account>
    For example:
    setspn –s GCSvc/\kcdadmin
  2. Follow these steps to generate a new
    keytab file and set the
    account password:
    1. On the KDC server, open a command prompt.
    2. Run the following command and specify the appropriate values:
      ktpass -out <output_filename>.keytab -mapuser <Kerberos_account>@<KERBEROS_REALM_IN_ALL_CAPS> -princ <Kerberos_account>@<KERBEROS_REALM_IN_UPPERCASE> /ptype KRB5_NT_PRINCIPAL -pass <Kerberos_account_password>
    3. Copy the new keytab file to every
      server that you want to use the same KCD administrator account.
  3. Enable enumeration of
    Active Directory
    user objects group membership. For more information, see Appendix B: Privileged Accounts and Groups in Active Directory.
  4. On each
    server, follow these steps to configure permissions for the
    service account so that it can send user credentials to the
    system (this is the same account that has the associated SPN):
    1. In the
      Management Console, navigate to
      Local Security Policy > Local Policies > User Rights Assignments
    2. Open the properties of
      Act as part of the operating system
      and click
      Add User or Group
    3. Type the name of the service account and click
  5. In the
    management console, on the menu bar, click
    Settings > BlackBerry Dynamics > Global properties
  6. Select the
    Use explicit UPN
    check box.
  7. Select the
    Enable KCD
    check box.
  8. Click
  9. On the menu bar, click
    Settings > BlackBerry Dynamics > Properties
    and click the server name.
  10. In the
    Fully qualified name for the KDC (gc.krb5.kdc)
    field, type the fully qualified name for the KDC. It usually corresponds to the FQDN of an
    Active Directory
    domain controller.
  11. In the
    Location of keytab file (gc.krb5.keytab.file)
    field, type the location of the keytab file. Use forward slashes in the path name.
  12. In the
    Service account name under which KCD service is running (
    field, type the name of the service account used by the KCD service.
  13. In the
    Realm - Active Directory (gc.krb5.realm)
    field, type the name of the
    Active Directory
    realm in all uppercase letters.
  14. If your environment requires a CAPATH trust relationship for multiple
    domains, create a krb5.conf file. In the
    Location of krb5.config file on GC server (gc.krb5.config.file)
    field, type the location of the file.
  15. Click