Windows Authentication in Blackberry Enterprise Server (BES) 12

Update to the previous post on the older BES version. For BES12, create a krb5.conf file and upload it to the “Single-sign on” profile. Obviously, switch to your own FQDN, and specify the FQDNs of one or more domain controllers. This has been case sensitive in the past.

 default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 des3-cbc-sha rc4-hmac
 default_realm = MYCOMPANY.COM
 kdc = tcp/DC1.MYCOMPANY.COM:88
 kdc = tcp/DC2.MYCOMPANY.COM:88
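
A quick pre-upload check for a fragment like the one above. This is an added example, not part of the original post or of BES. The function name `lint_krb5` is hypothetical, and the sample input is constructed. It assumes the flat key = value layout shown here, treats upper-case realm and KDC names as the safe form given the case-sensitivity remark, and flags the enctypes deprecated by RFC 8429 (3DES, RC4).

```python
import re

# 3DES and RC4 are deprecated for Kerberos by RFC 8429; single-DES is older still.
WEAK_PREFIXES = ("des-", "des3-", "rc4-", "arcfour-")

# Constructed sample modelled on the fragment above (second KDC deliberately lower case).
SAMPLE = """\
 default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac
 default_realm = MYCOMPANY.COM
 kdc = tcp/DC1.MYCOMPANY.COM:88
 kdc = tcp/dc2.mycompany.com:88
"""

def lint_krb5(text):
    """Return a list of (severity, message) findings for a flat krb5.conf fragment."""
    findings, realm, kdcs = [], None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "default_etypes":
            for etype in value.split():
                if etype.lower().startswith(WEAK_PREFIXES):
                    findings.append(("warn", f"weak enctype offered: {etype}"))
        elif key == "default_realm":
            realm = value
        elif key == "kdc":
            kdcs.append(value)
    if realm is None:
        findings.append(("error", "default_realm is missing"))
    elif realm != realm.upper():
        findings.append(("error", f"realm not upper case: {realm}"))
    if not kdcs:
        findings.append(("error", "no kdc entries"))
    for kdc in kdcs:
        # Accepts [tcp/|udp/]host[:port], the form used in the fragment above.
        m = re.fullmatch(r"(?:(tcp|udp)/)?([^:/\s]+)(?::(\d+))?", kdc)
        if not m:
            findings.append(("error", f"unparseable kdc entry: {kdc}"))
            continue
        host = m.group(2)
        if "." not in host:
            findings.append(("error", f"kdc is not an FQDN: {host}"))
        if host != host.upper():
            findings.append(("warn", f"kdc host not upper case: {host}"))
    return findings

if __name__ == "__main__":
    for severity, message in lint_krb5(SAMPLE):
        print(f"{severity}: {message}")
```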

Do not set any “trusted domains” – this is used for NTLM authentication and will take precedence over the Kerberos configuration.

On IIS, enable Windows authentication and configure “Negotiate” (this is Kerberos) with a higher priority than NTLM.

Your new Blackberries can then authenticate to intranet sites (but users currently have to enter their Windows password at least once). Haven’t got the previous Kerberos delegation working yet…

All credit to TC for this one.
