User guide
Component                          Description
BlackBerry Administration Service  The BlackBerry Administration Service permits you to manage the BlackBerry
                                   Domain, which includes BlackBerry Enterprise Server components, user
                                   accounts, and features for BlackBerry device administration.
domain controller                  A domain controller is a server that authenticates and authorizes Windows
                                   users and Windows servers in a Windows domain.
Microsoft Active Directory         Microsoft Active Directory is an LDAP directory that stores user information.
How BlackBerry Administration Service single sign-on uses Kerberos to help protect your organization's resources
BlackBerry Administration Service single sign-on implements Kerberos authentication, which permits the BlackBerry
Administration Service to authenticate administrators and BlackBerry Web Desktop Manager users on your organization's
network without prompting them for, or receiving, their Windows passwords.
The BlackBerry Administration Service includes two Kerberos services that it uses to authenticate browser requests. The
BlackBerry Administration Service web server hosts one Kerberos service and the BlackBerry Administration Service
application server hosts the other. Two services are required because the web layer and the application layer are
authenticated separately: the Kerberos service that the web server hosts verifies the service tickets that browsers present
to access the web layer, and the Kerberos service that the application server hosts verifies the requests that the web server
makes, on behalf of the authenticated user, to access the application layer.
The Kerberos services are identified by SPNs that you create and assign to a Microsoft Active Directory account. You
must create the Microsoft Active Directory account as a Kerberos service account in the Microsoft Active Directory domain
that includes the BlackBerry Administration Service, and configure constrained delegation for that account. The account
must be trusted for delegation only to the Kerberos service that the BlackBerry Administration Service application server
hosts (no other SPNs and no unconstrained delegation), and only with the "Use Kerberos only" option, so that the web layer
can obtain tickets for the application layer solely on behalf of users who authenticated to it with Kerberos.
If your organization's environment includes multiple Microsoft Active Directory account forests, you must configure a
Microsoft Active Directory account for each account forest. However, you do not need to configure constrained delegation
for the Microsoft Active Directory accounts that you configure in the other account forests.
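The following PowerShell is an added example, not from the BlackBerry documentation or product, of the account setup the two paragraphs above describe: create the Kerberos service account, register both SPNs on it, restrict constrained delegation to the application-layer SPN with "Use Kerberos only", and verify the result before the BlackBerry Administration Service is pointed at the account. The account name, host names, SPN service classes and the AES-only key setting are assumptions (the documentation does not state the SPN format); substitute your own values.

```powershell
# Added example (not BlackBerry's own configuration script). Requires the RSAT
# ActiveDirectory module and an account with rights to create users and write
# msDS-AllowedToDelegateTo in the domain. All names below are assumed values.
Import-Module ActiveDirectory

$AccountName = 'svc-bas-kerb'                 # assumed service account name
$Domain      = 'example.com'                  # assumed AD domain of the BAS servers
$WebSpn      = 'HTTP/bas-web.example.com'     # assumed SPN: web-layer Kerberos service
$AppSpn      = 'HTTP/bas-app.example.com'     # assumed SPN: application-layer service
$Password    = Read-Host -AsSecureString -Prompt "Password for $AccountName"

# 1. Create the service account with both SPNs. AES256-only keys are an added
#    hardening choice here, not a documented BES requirement; they keep RC4
#    (weak, and the usual Kerberoasting target) out of the service tickets.
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$Domain" `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES256 `
    -ServicePrincipalNames @($WebSpn, $AppSpn)

# 2. Constrained delegation: the account may request tickets on behalf of a
#    browser user for the application-layer SPN and nothing else.
Set-ADUser -Identity $AccountName -Add @{ 'msDS-AllowedToDelegateTo' = @($AppSpn) }

# 3. "Use Kerberos only": no protocol transition (TrustedToAuthForDelegation)
#    and no unconstrained delegation (TrustedForDelegation).
Set-ADAccountControl -Identity $AccountName `
    -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 4. Verify the object and fail loudly on any drift from the intended state.
$acct = Get-ADUser -Identity $AccountName `
    -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', `
                TrustedForDelegation, TrustedToAuthForDelegation

if ($acct.TrustedForDelegation) {
    throw "$AccountName has unconstrained delegation enabled"
}
if ($acct.TrustedToAuthForDelegation) {
    throw "$AccountName allows protocol transition; expected 'Use Kerberos only'"
}
$allowed = @($acct.'msDS-AllowedToDelegateTo')
if ($allowed.Count -ne 1 -or $allowed[0] -ne $AppSpn) {
    throw "Delegation targets are '$($allowed -join ',')'; expected only '$AppSpn'"
}
foreach ($spn in $WebSpn, $AppSpn) {
    # An SPN registered on more than one object makes the KDC unable to issue
    # tickets for that service, so single sign-on silently falls back or fails.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -ne 1) {
        throw "SPN $spn is registered on $($owners.Count) objects; expected exactly 1"
    }
}
Write-Output "$AccountName ready: SPNs $WebSpn, $AppSpn; delegates only to $AppSpn (Kerberos only)"
```

For an additional account forest, run only step 1 against a domain controller in that forest (for example by adding `-Server` to `New-ADUser`) and omit steps 2 and 3; as the text above notes, the accounts in the other forests do not need constrained delegation. Step 4's duplicate-SPN check is worth keeping in any environment, because a second object carrying the same SPN is the most common reason a correctly delegated account still fails Kerberos authentication.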
How the BlackBerry Administration Service completes Kerberos authentication
When the BlackBerry Administration Service starts, it authenticates with the Microsoft Active Directory domain using the
Microsoft Active Directory account. The domain controller issues the Kerberos keys and Kerberos service ticket for the two
Security Technical Overview Protecting communications in your organization's environment