User guide

How the BlackBerry MDS Connection Service uses Kerberos to help protect your organization's resources
BlackBerry MDS Connection Service integrated authentication is designed to use the Kerberos protocol and constrained delegation to authenticate BlackBerry device users in your organization's network in a highly secure manner. The BlackBerry MDS Connection Service authenticates with Microsoft Active Directory on behalf of users, verifies the users' identities, and retrieves the resource on behalf of the users.
The BlackBerry MDS Connection Service hosts a Kerberos service that permits it to verify users. To support BlackBerry MDS Connection Service integrated authentication, you must configure Microsoft Active Directory accounts in the Microsoft Active Directory domains that include the resources and configure constrained delegation for the Microsoft Active Directory accounts. To configure constrained delegation, you must configure the Microsoft Active Directory accounts to trust only the Kerberos service that is hosted by the BlackBerry MDS Connection Service.
When the BlackBerry MDS Connection Service starts, it authenticates with the Microsoft Active Directory domain using the
Microsoft Active Directory account. The domain controller issues the Kerberos keys and Kerberos service ticket to the
Kerberos service. The Kerberos keys permit the BlackBerry MDS Connection Service to verify the Kerberos service tickets
for users.
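As an added example (not BlackBerry's own code or tooling), the following Python check audits an exported Active Directory service account against the requirement above: delegation must be constrained, not unconstrained, and the delegation target list must contain only the approved Kerberos service principal names. The account names, SPNs and attribute export format are constructed placeholders, not values from the page.

```python
"""Audit the delegation posture of a service account exported from Active Directory.

Added example, not part of the BlackBerry documentation. It assumes each
account was exported to a dict holding the userAccountControl value and the
msDS-AllowedToDelegateTo list (for instance from an LDAP query).
"""
from __future__ import annotations

# userAccountControl bit defined by Active Directory for unconstrained delegation,
# which a constrained-delegation setup must not have set.
TRUSTED_FOR_DELEGATION = 0x00080000


def audit_delegation(account: dict, approved_spns: set[str]) -> list[str]:
    """Return findings for one account; an empty list means it is constrained as required."""
    findings = []
    uac = int(account.get("userAccountControl", 0))
    targets = [t.lower() for t in account.get("msDS-AllowedToDelegateTo", [])]
    approved = {s.lower() for s in approved_spns}

    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation enabled (TRUSTED_FOR_DELEGATION)")
    if not targets:
        findings.append("no msDS-AllowedToDelegateTo targets: delegation is not constrained to any service")
    for spn in targets:
        if spn not in approved:
            findings.append(f"delegation target not approved: {spn}")
    return findings


# Constructed sample export (hypothetical account names and SPNs, not from the page).
# 66048 = NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWORD (0x10000).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-mds", "userAccountControl": 66048,
     "msDS-AllowedToDelegateTo": ["HTTP/intranet.example.com", "cifs/fileserver.example.com"]},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 66048 | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc-wide", "userAccountControl": 66048,
     "msDS-AllowedToDelegateTo": ["HTTP/intranet.example.com", "ldap/dc01.example.com"]},
]
APPROVED_SPNS = {"HTTP/intranet.example.com", "cifs/fileserver.example.com"}


def audit_all(accounts=SAMPLE_ACCOUNTS, approved=APPROVED_SPNS) -> dict[str, list[str]]:
    """Audit every exported account and map its sAMAccountName to its findings."""
    return {a["sAMAccountName"]: audit_delegation(a, approved) for a in accounts}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```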
Identifying the resources that users can access using BlackBerry MDS Connection Service integrated authentication
If you configure the BlackBerry MDS Connection Service to support the Kerberos protocol and constrained delegation, you must use the BlackBerry Administration Service to specify the pull rules that identify the shared files or intranet resources for which you want to permit Integrated Windows authentication. You must assign the pull rules to groups or user accounts so that the BlackBerry MDS Connection Service can determine which user accounts to apply the pull rules to. Pull rules permit you to specify the shared files or intranet resources in your organization's network that you want users to access from BlackBerry devices, and the authentication method that you want users to use to access those shared files or intranet resources.
For information about configuring pull rules, see the BlackBerry Enterprise Server Administration Guide.
Data flow: Retrieving a resource when using BlackBerry MDS Connection Service integrated authentication
Security Technical Overview Protecting communications in your organization's environment
96