Configuring Integrated Windows authentication so that users can access resources on your organization's network

To let BlackBerry device users access resources on your organization's network without typing a user name and password each time they access the network resources, you can configure the BlackBerry MDS Connection Service to support Integrated Windows authentication. Users can then access network resources such as intranet sites and network shared folders on their devices using the BlackBerry Browser or Files application without typing a user name and password.

Before you configure the BlackBerry MDS Connection Service to support Integrated Windows authentication, you must create a Microsoft Active Directory account in each Microsoft Active Directory domain that includes resources for which you want to turn on Integrated Windows authentication. You must configure constrained delegation for each of these Microsoft Active Directory accounts so that the account delegates access to each intranet site or network shared folder in its Microsoft Active Directory domain.

You must also configure a two-way trust between the Microsoft Active Directory domain that the BlackBerry MDS Connection Service is running in and the Microsoft Active Directory domains in other forests that the BlackBerry MDS Connection Service must connect to. The S4U2proxy extension, which the BlackBerry MDS Connection Service uses to retrieve the Kerberos service tickets for users, requires a two-way trust between the Microsoft Active Directory domains.
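
The two prerequisites above (constrained delegation limited to the intended resources, and a two-way trust) can be checked with a short audit. This is an added example, not part of the BlackBerry documentation: the function name Test-IwaDelegation and every account, SPN and domain name in it are constructed placeholders, and the cmdlets named in the comments come from the Microsoft ActiveDirectory PowerShell module.

```powershell
function Test-IwaDelegation {
    param(
        [Parameter(Mandatory)] $Account,             # object shaped like Get-ADUser output
        [Parameter(Mandatory)] [string[]] $ExpectedSpn,
        $Trust = @()                                 # objects shaped like Get-ADTrust output
    )
    $findings = @()
    # Drop empty values so an unset attribute counts as zero targets.
    $allowed = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # Unconstrained delegation lets the account act as a user to any service.
    if ($Account.TrustedForDelegation) {
        $findings += 'Account is trusted for unconstrained delegation'
    }
    if ($allowed.Count -eq 0) {
        $findings += 'No constrained delegation targets are configured'
    }
    # Targets nobody asked for widen what the account can reach.
    foreach ($spn in $allowed) {
        if ($spn -notin $ExpectedSpn) { $findings += "Unexpected delegation target: $spn" }
    }
    # Expected resources that are not delegated will not be reachable.
    foreach ($spn in $ExpectedSpn) {
        if ($spn -notin $allowed) { $findings += "Missing delegation target: $spn" }
    }
    # Each remote domain needs a two-way trust.
    foreach ($t in $Trust) {
        if ("$($t.Direction)" -ne 'BiDirectional') {
            $findings += "Trust with $($t.Name) is $($t.Direction), not two-way"
        }
    }
    $findings
}

# Constructed sample input. Against a real directory, pass instead the output of:
#   Get-ADUser <account> -Server <domain> -Properties TrustedForDelegation, msDS-AllowedToDelegateTo
#   Get-ADTrust -Filter * -Server <domain>
$account = [pscustomobject]@{
    SamAccountName             = 'svc-mds-example'
    TrustedForDelegation       = $false
    'msDS-AllowedToDelegateTo' = @('HTTP/intranet.example.test', 'cifs/files.example.test',
                                   'HTTP/hr.example.test')
}
$trusts = @([pscustomobject]@{ Name = 'partner.example.test'; Direction = 'Outbound' })
Test-IwaDelegation -Account $account -Trust $trusts `
    -ExpectedSpn 'HTTP/intranet.example.test', 'cifs/files.example.test'
```

Run the check once for each Microsoft Active Directory account you created, with the list of intranet sites and shared folders that account is meant to serve.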

After you turn on Integrated Windows authentication and specify a Microsoft Active Directory account in the BlackBerry Administration Service, you must specify web address patterns for the network resources that you want to permit users to access, create a pull rule for the web address patterns, permit access to the web address patterns using the pull rule, and assign the pull rule to users or a group.

After you configure the BlackBerry MDS Connection Service to support Integrated Windows authentication, the BlackBerry MDS Connection Service uses the Microsoft Active Directory account to verify login information for a user and access the network resources on behalf of the user. The BlackBerry Enterprise Server then sends information from the network resources to the user's device.

Administration Guide
Managing how users access enterprise applications and web content