Configure KCD for BlackBerry
Dynamics apps
BlackBerry
Dynamics
apps- If you are configuring KCD forBlackBerry Docs, see Configuring Kerberos constrained delegation for the Docs service in theBlackBerry Enterprise Mobility Servercontent.
- To map theKerberosservice account to an SPN, on theActive Directoryserver, open the command prompt as an administrator and type the following, specifying the host server name, domain, andKerberosservice account. TheKerberosservice account is the service account name under which the KCD service will be configured inUEM(gc.krb5.principal.name). This account does not need to be the same as theUEMservice account, but can be.setspn –s GCSvc/<UEM_Core_host_machine> <domain>\<Kerberos_service_account>For example:setspn –s GCSvc/uem1.example.com example.com\kcdadmin
- Follow these steps to generate a newKerberoskeytab file and set theKerberosaccount password:
- On the KDC server, open a command prompt.
- Run the following command and specify the appropriate values:ktpass -out <output_filename>.keytab -mapuser <Kerberos_account>@<KERBEROS_REALM_IN_UPPERCASE> -princ <Kerberos_account>@<KERBEROS_REALM_IN_UPPERCASE> -ptype KRB5_NT_PRINCIPAL -pass <Kerberos_account_password>If your organization uses a multi-realmKerberosenvironment, use the following command instead:ktpass -out <output_filename>.keytab -mapuser <Kerberos_service_account>@<KERBEROS_REALM_IN_UPPERCASE> -princ GCSvc/<UEM_Core_host_machine> -princ GCSvc/<UEM_Core_host_machine>@<KERBEROS_REALM_IN_UPPERCASE> -ptype KRB5_NT_PRINCIPAL -pass <Kerberos_account_password>
- Copy the new keytab file to everyUEMserver that you want to use the same KCD administrator account.
- Enable enumeration ofActive Directoryuser objects group membership. For more information, see Appendix B: Privileged Accounts and Groups in Active Directory.
- On eachUEMserver, follow these steps to configure permissions for theUEMservice account so that it can send user credentials to theKerberossystem (this is the same account that has the associated SPN):
- In theMicrosoftManagement Console, navigate toLocal Security Policy > Local Policies > User Rights Assignments.
- Open the properties ofAct as part of the operating systemand clickAdd User or Group.
- Type the name of the service account and clickOK.
- In theUEMmanagement console, on the menu bar, clickSettings > BlackBerry Dynamics > Global properties.
- Select theUse explicit UPNcheck box.
- Select theEnable KCDcheck box.
- ClickSave.
- On the menu bar, clickSettings > BlackBerry Dynamics > Propertiesand click the server name.
- In theFully qualified name for the KDC (gc.krb5.kdc)field, type the fully qualified name for the KDC. It usually corresponds to the FQDN of anActive Directorydomain controller.
- In theLocation of keytab file (gc.krb5.keytab.file)field, type the location of the keytab file. Use forward slashes in the path name.
- In theService account name under which KCD service is running (gc.krb5.principal.name)field, type the name of the service account used by the KCD service.In a multi-realmKerberosenvironment, instead, specify the following:GCSvc/<UEM_Core_host_machine>
- In theRealm - Active Directory (gc.krb5.realm)field, type the name of theActive Directoryrealm in all uppercase letters.
- In theLocation of krb5.config file on GC server (gc.krb5.config.file)field, type the location of the krb5.conf file.For more information about the requirements for the krb5.conf file, see Prerequisites for configuring KCD for BlackBerry Dynamics apps.
- ClickSave.