Configure the Microsoft Active Directory account to delegate access to a
shared folder
You are required to have only one Microsoft Active Directory account in each Microsoft Active Directory domain that
includes the resources that you want to turn on Integrated Windows authentication for.
For more information about configuring the Microsoft Active Directory account using setspn and Microsoft Active Directory,
visit
www.blackberry.com/btsc
to read article KB22726.
1.
In Microsoft Active Directory, in the Microsoft Active Directory account properties, if the
Delegation
tab does not
display, update the default HOST SPN registrations for the Microsoft Active Directory account.
2.
In the Microsoft Active Directory account properties, on the
Delegation
tab, configure the following settings:
• trust this user for delegation to specified services only
• use any authentication protocol
3.
Click
Add
.
4.
Select the the file server that hosts the shared folder.
5.
Select the CIFS service type for the file server that you specified.
6.
Repeat steps 3 to 5 for each shared folder that you want to turn on Integrated Windows authentication for.
After you finish:
• If required, configure BlackBerry MDS Connection Service to use a Microsoft Active Directory account when the
messaging server is in a remote Microsoft Active Directory domain.
• Turn on Integrated Windows authentication when users access resources on your organization's network.
Configuring the BlackBerry MDS Connection Service
when the messaging server is located in a remote
Microsoft Active Directory domain
If the computer that hosts the BlackBerry MDS Connection Service is not located in the same Microsoft Active Directory
domain as the global catalog server or messaging server and you want to configure support for Integrated Windows
authentication, you must create a Microsoft Active Directory account that the BlackBerry MDS Connection Service can use
to connect to the global catalog server.
In a Microsoft Exchange environment, you must create the Microsoft Active Directory account in the Microsoft Active
Directory domain that includes the messaging server.
In an IBM Lotus Domino environment, if the messaging server is located in the same Microsoft Active Directory domain as
the global catalog server, you must create the Microsoft Active Directory account in that domain. If the messaging server is
Administration Guide
Managing how users access enterprise applications and web content
317