2. In Microsoft Active Directory, in the Microsoft Active Directory account properties, if the Delegation tab does not display, update the default HOST SPN registrations for the Microsoft Active Directory account.
3. In the Microsoft Active Directory account properties, on the Delegation tab, configure the following settings:
• trust this user for delegation to specified services only
• use any authentication protocol
4. Click Add.
5. Perform one of the following tasks:
• If a pool of application servers hosts the intranet site and the pool is running on Microsoft IIS and is located behind a load-balancer, select the user account that runs the application pools in the Microsoft IIS servers.
• If the intranet site is hosted by one application server, select the application server that hosts the intranet site.
6. Select the HTTP service type for the user account or application server that you specified.
7. Repeat steps 1 to 6 for each intranet site that you want to turn on integrated Windows authentication for.
After you finish:
• If required, configure BlackBerry MDS Connection Service to use a Microsoft Active Directory account when the messaging server is in a remote Microsoft Active Directory domain.
• Turn on Integrated Windows authentication when users access resources on your organization's network.
Prerequisites: Configuring the Microsoft Active Directory account to delegate access to a shared folder
• Verify that you configured Integrated Windows authentication for the file server that hosts the shared folders.
• Verify that you have permission to update the Microsoft Active Directory account in Microsoft Active Directory.
• Verify that you have access to the Windows Server setspn tool that is included with the Windows Server Support Tools. For more information about the setspn tool, visit http://technet.microsoft.com to read Setspn Overview.
• If you did not configure a Microsoft Active Directory account to delegate access to an intranet site or shared folder, you must create a Microsoft Active Directory account in Microsoft Active Directory that meets the following conditions:
  • the password meets the security requirements of your organization
  • the user is not required to change their password the next time that the user logs in
  • the user's password never expires
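The following added example (not part of the original guide) checks an exported account record against the delegation settings from steps 3 and 6 of the intranet site procedure and the account conditions listed above. It assumes the account's attributes were exported into a dictionary keyed by LDAP attribute name, with msDS-AllowedToDelegateTo as a list; the account names and host names are constructed placeholders.

```python
# Added example: audit an exported AD account record against this guide's settings.
# userAccountControl bit values are the documented Active Directory flags.
DONT_EXPIRE_PASSWORD = 0x10000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol"


def audit_delegation(account, service_class="HTTP"):
    """Return a list of findings; an empty list means the record matches the guide."""
    findings = []
    uac = int(account.get("userAccountControl", 0))
    targets = account.get("msDS-AllowedToDelegateTo", [])

    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation is enabled; use specified services only")
    if not targets:
        findings.append("no services are listed for delegation")
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("'use any authentication protocol' is not selected")
    for spn in targets:
        # An SPN has the form serviceclass/host; only the expected class may appear.
        if spn.split("/", 1)[0].upper() != service_class.upper():
            findings.append(f"unexpected service type in delegation list: {spn}")
    if not uac & DONT_EXPIRE_PASSWORD:
        findings.append("password is set to expire")
    if str(account.get("pwdLastSet", "")) == "0":
        # pwdLastSet = 0 means the user must change the password at next logon.
        findings.append("user must change password at next logon")
    return findings


# Constructed sample records (hypothetical names, not from the guide).
GOOD = {
    "sAMAccountName": "svc-mds-example",
    "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "pwdLastSet": "133500000000000000",
    "msDS-AllowedToDelegateTo": ["HTTP/intranet.example.test", "HTTP/intranet"],
}
BAD = {
    "sAMAccountName": "svc-mds-example2",
    "userAccountControl": 0x200 | TRUSTED_FOR_DELEGATION,
    "pwdLastSet": "0",
    "msDS-AllowedToDelegateTo": ["HTTP/intranet.example.test", "cifs/files.example.test"],
}

if __name__ == "__main__":
    for record in (GOOD, BAD):
        print(record["sAMAccountName"], audit_delegation(record) or "OK")
```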
Administration Guide
Managing how users access enterprise applications and web content