
Usernames, passwords, and directories

BlackBerry 2FA authenticates users that are available in a directory. Both the BlackBerry 2FA server and BlackBerry UEM are connected to these directories. Based on how these connections are configured, BlackBerry 2FA supports four user types:
  • Users in a Microsoft Active Directory domain that is connected to both a BlackBerry 2FA server and BlackBerry UEM
  • Users in a Microsoft Active Directory domain that is not connected to a BlackBerry 2FA server but is connected to BlackBerry UEM
  • Users in an LDAP directory that is connected to BlackBerry UEM
  • Users in a local BlackBerry UEM directory
When a user logs in, they must supply a username, and optionally, a password.
Username
The username must resolve to a unique user entry in a directory. If the user cannot be uniquely resolved, the authentication request fails. To specify the directory in which the user resides, the user must be identified using one of the following username formats for each type of user:
  • The following usernames are supported for users in a Microsoft Active Directory domain that is connected to both a BlackBerry 2FA server and BlackBerry UEM. These users can authenticate using PAP, MSCHAPv1, MSCHAPv2 and EAP-MSCHAPv2 and can be configured to use authorization groups for each REST API client and authentication override groups for each VPN gateway.
    <username> (e.g. jsmith)
    <username>@<NetBIOS domain name> (e.g. jsmith@company)
    <NetBIOS domain name>\<username> (e.g. company\jsmith)
    <email address> (e.g. jsmith@company.com)
  • The following usernames are supported for users in a Microsoft Active Directory domain that is not connected to a BlackBerry 2FA server but is connected to BlackBerry UEM. These users can authenticate using only PAP.
    <username> (e.g. jsmith)
    <username>@<NetBIOS domain name> (e.g. jsmith@company)
    <NetBIOS domain name>\<username> (e.g. company\jsmith)
    <email address> (e.g. jsmith@company.com)
  • The following usernames are supported for users in an LDAP directory that is connected to BlackBerry UEM. These users must authenticate with PAP. The BlackBerry 2FA server cannot connect to this directory.
    <username> (e.g. jsmith)
    <username>@<directory FQDN> (e.g. jsmith@company.ldap.net)
    <directory FQDN>\<username> (e.g. company.ldap.net\jsmith)
    <email address> (e.g. jsmith@company.com)
  • The following usernames are supported for users in a local BlackBerry UEM directory. These users must authenticate with PAP. The BlackBerry 2FA server cannot connect to this directory.
    <username> (e.g. jsmith)
    <username>@local (e.g. jsmith@local)
    local\<username> (e.g. local\jsmith)
    <email address> (e.g. jsmith@company.com)
Password
When a user logs in, whether they must also supply a directory password depends on the authentication option they are configured to use.
If a user is authenticating using a one-time password (OTP) token, they must supply the OTP and their directory password regardless of the two-factor authentication option they are configured to use.
  • To log in to a VPN, the user must enter both the OTP and the directory password in the password field. The OTP is typed first, then the directory password, and no spaces or separators may be added.
  • When logging in from a client connected to a REST API, the user must enter the directory password in the password field and then enter the OTP in a dedicated OTP field.
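The username formats in the Username section and the two password-field layouts in the Password section are easy to get wrong on the server side: a bare username that exists in two directories must be rejected rather than guessed, and a combined VPN password field can only be split if the OTP length is fixed. The following Python is an added example, not BlackBerry's code or any BlackBerry API; it models the four directory types from this page with constructed directory names and user entries (the "company", "partner", "company.ldap.net" and "local" directories and their users are hypothetical), resolves a login name to exactly one entry or fails, checks which authentication protocols that directory type allows, and separates the OTP from the directory password for the VPN and REST API cases. The fixed OTP length is an assumption for the example; the page does not state one.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# The four user types from this page and the protocols each may use.
AD_2FA = "AD domain connected to BlackBerry 2FA server and BlackBerry UEM"
AD_UEM = "AD domain connected to BlackBerry UEM only"
LDAP_UEM = "LDAP directory connected to BlackBerry UEM"
LOCAL_UEM = "local BlackBerry UEM directory"

PROTOCOLS = {
    AD_2FA: {"PAP", "MSCHAPv1", "MSCHAPv2", "EAP-MSCHAPv2"},
    AD_UEM: {"PAP"},
    LDAP_UEM: {"PAP"},
    LOCAL_UEM: {"PAP"},
}

# Constructed (hypothetical) directory configuration. Keys are the qualifier the
# user types: NetBIOS name for AD, FQDN for LDAP, the literal "local" for UEM.
DIRECTORIES = {
    "company": AD_2FA,
    "partner": AD_UEM,
    "company.ldap.net": LDAP_UEM,
    "local": LOCAL_UEM,
}

# Constructed (hypothetical) user entries: (directory key, username, email).
# "jsmith" deliberately exists in two AD domains so a bare name is ambiguous.
USERS = [
    ("company", "jsmith", "jsmith@company.com"),
    ("partner", "jsmith", "jsmith@partner.example"),
    ("company.ldap.net", "mlee", "mlee@company.com"),
    ("local", "admin", "admin@local.example"),
]


@dataclass
class ParsedUsername:
    username: str
    directory: Optional[str]  # None when the login carries no directory qualifier
    form: str  # "bare", "upn", "down-level" or "email"


def parse_username(login: str) -> ParsedUsername:
    """Classify a login name into one of the four formats listed on the page."""
    if "\\" in login:  # <directory>\<username>
        directory, _, user = login.partition("\\")
        return ParsedUsername(user, directory, "down-level")
    if "@" in login:
        user, _, suffix = login.rpartition("@")
        # A suffix naming a configured directory is the <username>@<directory>
        # form; any other suffix is treated as an email address.
        if suffix.lower() in DIRECTORIES:
            return ParsedUsername(user, suffix.lower(), "upn")
        return ParsedUsername(login, None, "email")
    return ParsedUsername(login, None, "bare")


def resolve(login: str) -> Tuple[str, str, str]:
    """Return (directory key, username, directory type) for exactly one entry.

    Raises LookupError when zero or several entries match, which the page
    says must fail the authentication request rather than pick one.
    """
    parsed = parse_username(login)
    matches = []
    for directory, user, email in USERS:
        if parsed.form == "email":
            if email.lower() == login.lower():
                matches.append((directory, user))
            continue
        if user.lower() != parsed.username.lower():
            continue
        if parsed.directory is not None and parsed.directory != directory.lower():
            continue
        matches.append((directory, user))
    if len(matches) != 1:
        raise LookupError(
            f"{login!r} resolves to {len(matches)} entries, expected exactly 1")
    directory, user = matches[0]
    return directory, user, DIRECTORIES[directory]


def protocol_allowed(directory_type: str, protocol: str) -> bool:
    """Only the AD-with-2FA-server type may use anything other than PAP."""
    return protocol in PROTOCOLS[directory_type]


@dataclass
class Credentials:
    directory_password: str
    otp: str


def vpn_credentials(password_field: str, otp_length: int) -> Credentials:
    """Split a VPN password field typed as <OTP><directory password>.

    There is no separator, so the split relies on a fixed OTP length
    (an assumption of this example, not stated by the page).
    """
    if len(password_field) <= otp_length:
        raise ValueError("password field too short for an OTP plus a directory password")
    return Credentials(password_field[otp_length:], password_field[:otp_length])


def rest_api_credentials(password_field: str, otp_field: str) -> Credentials:
    """REST API clients carry the OTP in its own field; nothing to split."""
    if not otp_field:
        raise ValueError("OTP field is required for OTP-token users")
    return Credentials(password_field, otp_field)
```

The resolver compares the typed qualifier against the configured directory keys rather than trying to infer a directory from a bare name; a bare `jsmith` that exists in two domains raises instead of silently choosing the first match, and an email suffix that is not a configured directory is never mistaken for a UPN-style qualifier.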