Skip Navigation
  1. BlackBerry Docs
  2. BlackBerry UEM 12.19
  3. UEM Configuration Guide
  4. Configuring network communication and properties for BlackBerry Dynamics apps
  5. Configuring Kerberos authentication for BlackBerry Dynamics apps
  6. Configure KCD for BlackBerry Dynamics apps

Configure KCD for
BlackBerry Dynamics
 apps

  1. To map the
    Kerberos
     service account to an SPN, on the
    Active Directory
     server, open the command prompt as an administrator and type the following, specifying the host server name, domain, and
    Kerberos
     service account. The
    Kerberos
     service account is the service account name under which the KCD service will be configured in
    UEM
     (gc.krb5.principal.name). This account does not need to be the same as the
    UEM
     service account, but can be.
    setspn –s GCSvc/<UEM_Core_host_machine> <domain>\<Kerberos_service_account>
    For example: 
    setspn –s GCSvc/uem1.example.com example.com\kcdadmin
  2. Follow these steps to generate a new
    Kerberos
     keytab file and set the
    Kerberos
     account password:
    1. On the KDC server, open a command prompt.
    2. Run the following command and specify the appropriate values:
      ktpass -out <output_filename>.keytab -mapuser <Kerberos_account>@<KERBEROS_REALM_IN_ALL_CAPS> -princ <Kerberos_account>@<KERBEROS_REALM_IN_UPPERCASE> /ptype KRB5_NT_PRINCIPAL -pass <Kerberos_account_password>
    3. Copy the new keytab file to every
      UEM
       server that you want to use the same KCD administrator account.
  3. Enable enumeration of
    Active Directory
     user objects group membership. For more information, see Appendix B: Privileged Accounts and Groups in Active Directory.
  4. On each
    UEM
     server, follow these steps to configure permissions for the
    UEM
     service account so that it can send user credentials to the
    Kerberos
     system (this is the same account that has the associated SPN):
    1. In the
      Microsoft
       Management Console, navigate to
      Local Security Policy > Local Policies > User Rights Assignments
      .
    2. Open the properties of
      Act as part of the operating system
       and click
      Add User or Group
      .
    3. Type the name of the service account and click
      OK
      .
  5. In the
    UEM
     management console, on the menu bar, click
    Settings > BlackBerry Dynamics > Global properties
    .
  6. Select the
    Use explicit UPN
     check box.
  7. Select the
    Enable KCD
     check box.
  8. Click
    Save
    .
  9. On the menu bar, click
    Settings > BlackBerry Dynamics > Properties
     and click the server name.
  10. In the
    Fully qualified name for the KDC (gc.krb5.kdc)
     field, type the fully qualified name for the KDC. It usually corresponds to the FQDN of an
    Active Directory
     domain controller.
  11. In the
    Location of keytab file (gc.krb5.keytab.file)
     field, type the location of the keytab file. Use forward slashes in the path name.
  12. In the
    Service account name under which KCD service is running (gc.krb5.principal.name)
     field, type the name of the service account used by the KCD service.
  13. In the
    Realm - Active Directory (gc.krb5.realm)
     field, type the name of the
    Active Directory
     realm in all uppercase letters.
  14. If your environment requires a CAPATH trust relationship for multiple
    Kerberos
     domains, create a krb5.conf file. In the
    Location of krb5.config file on GC server (gc.krb5.config.file)
     field, type the location of the file.
  15. Click
    Save
    .