Configure KCD for BlackBerry Dynamics apps

  1. To map the Kerberos service account to an SPN, on the Active Directory server, open the command prompt as an administrator and type the following, specifying the host server name, domain, and Kerberos service account. The Kerberos service account is the service account name under which the KCD service will be configured in UEM (gc.krb5.principal.name). This account does not need to be the same as the UEM service account, but can be.
     setspn -s GCSvc/<UEM_Core_host_machine> <domain>\<Kerberos_service_account>
     For example:
     setspn -s GCSvc/uem1.example.com example.com\kcdadmin
  2. Follow these steps to generate a new Kerberos keytab file and set the Kerberos account password:
     1. On the KDC server, open a command prompt.
     2. Run the following command and specify the appropriate values:
        ktpass -out <output_filename>.keytab -mapuser <Kerberos_account>@<KERBEROS_REALM_IN_UPPERCASE> -princ <Kerberos_account>@<KERBEROS_REALM_IN_UPPERCASE> -ptype KRB5_NT_PRINCIPAL -pass <Kerberos_account_password>
        If your organization uses a multi-realm Kerberos environment, use the following command instead:
        ktpass -out <output_filename>.keytab -mapuser <Kerberos_service_account>@<KERBEROS_REALM_IN_UPPERCASE> -princ GCSvc/<UEM_Core_host_machine> -princ GCSvc/<UEM_Core_host_machine>@<KERBEROS_REALM_IN_UPPERCASE> -ptype KRB5_NT_PRINCIPAL -pass <Kerberos_account_password>
     3. Copy the new keytab file to every UEM server that you want to use the same KCD administrator account.
  3. Enable enumeration of Active Directory user object group membership. For more information, see Appendix B: Privileged Accounts and Groups in Active Directory.
  4. On each UEM server, follow these steps to configure permissions for the UEM service account so that it can send user credentials to the Kerberos system (this is the same account that has the associated SPN):
     1. In the Microsoft Management Console, navigate to Local Security Policy > Local Policies > User Rights Assignments.
     2. Open the properties of Act as part of the operating system and click Add User or Group.
     3. Type the name of the service account and click OK.
  5. In the UEM management console, on the menu bar, click Settings > BlackBerry Dynamics > Global properties.
  6. Select the Use explicit UPN check box.
  7. Select the Enable KCD check box.
  8. Click Save.
  9. On the menu bar, click Settings > BlackBerry Dynamics > Properties and click the server name.
  10. In the Fully qualified name for the KDC (gc.krb5.kdc) field, type the fully qualified name for the KDC. It usually corresponds to the FQDN of an Active Directory domain controller.
  11. In the Location of keytab file (gc.krb5.keytab.file) field, type the location of the keytab file. Use forward slashes in the path name.
  12. In the Service account name under which KCD service is running (gc.krb5.principal.name) field, type the name of the service account used by the KCD service. In a multi-realm Kerberos environment, specify the following instead:
      GCSvc/<UEM_Core_host_machine>
  13. In the Realm - Active Directory (gc.krb5.realm) field, type the name of the Active Directory realm in all uppercase letters.
  14. In the Location of krb5.config file on GC server (gc.krb5.config.file) field, type the location of the krb5.conf file. For more information about the requirements for the krb5.conf file, see Prerequisites for configuring KCD for BlackBerry Dynamics apps.
  15. Click Save.
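The steps above spread one set of values (host, domain, service account, realm, keytab path) across setspn, ktpass, the local security policy and four UEM properties, and a mismatch in any one of them surfaces only as a failed Kerberos logon later. The following pre-flight check is an added PowerShell example, not BlackBerry's code or part of the UEM product: run on a UEM server as an administrator, it verifies that the SPN from step 1 is registered on exactly one account (setspn -Q and setspn -X), that the keytab from step 2.3 is present and its path uses forward slashes (step 11), that the service account holds Act as part of the operating system (step 4, read from a secedit export of SeTcbPrivilege), that the KDC name resolves (step 10) and that the realm is uppercase (step 13), then prints the values to enter in steps 10 to 12. All parameter defaults are placeholders (the dc1.example.com KDC and the C:/UEM/kcd keytab path are assumed, as is resolving the account by its DNS domain name); replace them with your own.

```powershell
# Added pre-flight check for the KCD setup described above. Example code, not
# BlackBerry's; every default below is a placeholder and must be replaced.
param(
    [string]$UemHost        = 'uem1.example.com',           # <UEM_Core_host_machine>
    [string]$Domain         = 'example.com',                 # <domain>
    [string]$ServiceAccount = 'kcdadmin',                    # <Kerberos_service_account>
    [string]$Realm          = 'EXAMPLE.COM',                 # gc.krb5.realm
    [string]$Kdc            = 'dc1.example.com',             # gc.krb5.kdc (assumed DC name)
    [string]$KeytabPath     = 'C:/UEM/kcd/kcdadmin.keytab',  # gc.krb5.keytab.file (assumed path)
    [switch]$MultiRealm
)

$spn      = "GCSvc/$UemHost"
$failures = New-Object System.Collections.Generic.List[string]

# Step 1: the SPN must be registered, and on exactly one account. The KDC cannot
# issue a service ticket for an SPN that is missing or duplicated.
$query = (& setspn.exe -Q $spn 2>&1) -join "`n"
if ($query -notmatch [regex]::Escape($spn)) {
    $failures.Add("SPN $spn is not registered; run: setspn -s $spn $Domain\$ServiceAccount")
}
$dupes = (& setspn.exe -X 2>&1) -join "`n"
if ($dupes -match [regex]::Escape($spn)) {
    $failures.Add("SPN $spn is registered on more than one account (see setspn -X)")
}

# Step 2.3 and step 11: the keytab must be on this server, and the path entered
# in gc.krb5.keytab.file must use forward slashes.
if ($KeytabPath -match '\\') {
    $failures.Add("gc.krb5.keytab.file must use forward slashes: $KeytabPath")
}
if (-not (Test-Path -LiteralPath $KeytabPath -PathType Leaf)) {
    $failures.Add("keytab not found at $KeytabPath; copy it to every UEM server")
}

# Step 4: the service account needs 'Act as part of the operating system'
# (SeTcbPrivilege). secedit exports that right as a list of SIDs prefixed with
# '*', so resolve the account to its SID and look for it on that line.
$policyFile = Join-Path $env:TEMP 'kcd-user-rights.inf'
& secedit.exe /export /cfg $policyFile /areas USER_RIGHTS /quiet | Out-Null
try {
    $account = New-Object System.Security.Principal.NTAccount($Domain, $ServiceAccount)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $tcbLine = Select-String -Path $policyFile -Pattern '^SeTcbPrivilege' | Select-Object -First 1
    if (-not $tcbLine -or $tcbLine.Line -notmatch [regex]::Escape($sid)) {
        $failures.Add("$Domain\$ServiceAccount lacks 'Act as part of the operating system' on $env:COMPUTERNAME")
    }
} catch {
    $failures.Add("could not resolve $Domain\$ServiceAccount to a SID: $($_.Exception.Message)")
} finally {
    Remove-Item -LiteralPath $policyFile -ErrorAction SilentlyContinue
}

# Steps 10 and 13: the KDC name must resolve, and the realm must be uppercase.
try   { [System.Net.Dns]::GetHostAddresses($Kdc) | Out-Null }
catch { $failures.Add("gc.krb5.kdc does not resolve: $Kdc") }
if ($Realm -cne $Realm.ToUpperInvariant()) {
    $failures.Add("gc.krb5.realm must be all uppercase: $Realm")
}

# Step 12: the principal name differs between single- and multi-realm setups.
$principalName = if ($MultiRealm) { $spn } else { $ServiceAccount }

if ($failures.Count -eq 0) {
    Write-Host "All checks passed. Enter these values under Settings > BlackBerry Dynamics > Properties:"
    Write-Host "  gc.krb5.kdc            = $Kdc"
    Write-Host "  gc.krb5.keytab.file    = $KeytabPath"
    Write-Host "  gc.krb5.principal.name = $principalName"
    Write-Host "  gc.krb5.realm          = $Realm"
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once per UEM server after step 4 and before step 5 (for example `.\Check-KcdSetup.ps1 -UemHost uem1.example.com -ServiceAccount kcdadmin -MultiRealm`); the script only reads state, so it is safe to repeat after each fix until it exits 0. The SPN checks parse the text that setspn prints, so they are a convenience, not a substitute for reviewing the setspn output yourself.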