Quote:
Originally Posted by hutchingsp
Hmm.. can I just confirm what the SSO extends to?
Right now if I go to File Shares via the BES/MDS I'm prompted for user credentials. That's what we want as our shares are locked down using NTFS permissions so using the besadmin account wouldn't be acceptable, but it would be useful if users weren't prompted for their credentials.
Access to internal resources, shares or intranet sites is set up using a delegated account. DO NOT use BESADMIN for delegation. If you want BB users not to type a password, then use the delegated account in permissions first and then set up MDS to use this delegated account to access the resources.
"SINGLE SIGN-ON allows end users and administrators to directly and securely access BlackBerry Web Desktop Manager and BlackBerry Administration Service once they have signed in to the network without the need to re-enter their user ID and password. (This is when they are accessing from their Windows machine, NOT from a smartphone.) Smartphone users can be allowed access to the intranet, files and business systems "behind the firewall" directly from their BlackBerry smartphone without the need to enter their network password with the device already authenticated via Active Directory and BlackBerry Enterprise Server. For smartphone users, it is not a direct single sign-on like from your Windows machine. It is achieved by configuring the Microsoft Active Directory account to delegate access to an intranet site.
After you configure the BlackBerry MDS Connection Service (which is used to access intranet resources) to support Integrated Windows authentication, the BlackBerry MDS Connection Service uses the Microsoft Active Directory account to verify login information for a user and access the network resources on behalf of the user. The BlackBerry Enterprise Server then sends information from the network resources to the user's device.
Here are the most important prerequisites to achieve this:
Prerequisites: Configuring the Microsoft Active Directory account to delegate access to an intranet site
Verify that you configured Integrated Windows® authentication for the application server that hosts the intranet site.
Verify that the application server that hosts the intranet site and the web application that runs on the application server support Kerberos™ authentication.
References
BES 5.0.2 MDS Connection Service with Integrated A... - BlackBerry Support Community Forums
Configuring Integrated Windows authentication so that users can access resources on your organization's network - Administration Guide - BlackBerry Enterprise Server for IBM Lotus Domino - 5.0.2
KB22726-Configure the delegation user account to delegate access to network resources