Blackberry SWD-20120924140022907 Configure the Microsoft Active Directory account to delegate access to a shared folder

You are required to have only one Microsoft Active Directory account in each Microsoft Active Directory domain that

includes the resources that you want to turn on Integrated Windows authentication for.

For more information about configuring the Microsoft Active Directory account using setspn and Microsoft Active Directory,

visit www.blackberry.com/btsc to read article KB22726.

1. In Microsoft Active Directory, in the Microsoft Active Directory account properties, if the Delegation tab does not

display, update the default HOST SPN registrations for the Microsoft Active Directory account.

2. In the Microsoft Active Directory account properties, on the Delegation tab, configure the following settings:

• trust this user for delegation to specified services only

• use any authentication protocol

3. Click Add.

4. Select the the file server that hosts the shared folder.

5. Select the CIFS service type for the file server that you specified.

6. Repeat steps 3 to 5 for each shared folder that you want to turn on Integrated Windows authentication for.

After you finish:

• If required, configure BlackBerry MDS Connection Service to use a Microsoft Active Directory account when the

messaging server is in a remote Microsoft Active Directory domain.

• Turn on Integrated Windows authentication when users access resources on your organization's network.

Configuring the BlackBerry MDS Connection Servicewhen the messaging server is located in a remoteMicrosoft Active Directory domain

If the computer that hosts the BlackBerry MDS Connection Service is not located in the same Microsoft Active Directory

domain as the global catalog server or messaging server and you want to configure support for Integrated Windows

authentication, you must create a Microsoft Active Directory account that the BlackBerry MDS Connection Service can use

to connect to the global catalog server.

In a Microsoft Exchange environment, you must create the Microsoft Active Directory account in the Microsoft Active

Directory domain that includes the messaging server.

In an IBM Lotus Domino environment, if the messaging server is located in the same Microsoft Active Directory domain as

the global catalog server, you must create the Microsoft Active Directory account in that domain. If the messaging server is

Administration Guide Managing how users access enterprise applications and web content

317