Posted on 01-05-2017 12:11 AM
Has anyone got Single Sign-on (Kerberos) working in iOS 10? I swear I had it working previously (in iOS 9 perhaps), but I deleted the configuration profile and I can't recreate it. The biggest problem is setting the Principal name - if I try to set it to user@AD.EXAMPLE.COM, the profile fails to install with the error "The field “PrincipalName” contains an invalid value." If I just have the username in there, it doesn't work.
Posted on 01-12-2017 08:34 PM
Worked it out - I had firewalled the AD server from the iPad network. Putting $USERNAME in the Principal Name field is correct.
Posted on 02-01-2017 09:53 AM
On a related note...
1) What variable are you using in the "Account Name" ("Display Name") field?
2) What type of certificate payload are you using in the "Renewal Certificate" section? I assumed it would be my Root CA certificate (in .cer format) but my SSO profile isn't acknowledging that particular type of payload for some reason (the drop-down menu still shows "None").
Posted on 02-01-2017 10:01 PM
Account name is purely decorative I think; it appears as the title of the item in the MDM profile. I just put "$USERNAME kerberos".
I don't have anything for the renewal certificate, as we don't have an internal CA, so users would be prompted for a password. I imagine it would be a user certificate that can authenticate them to the Kerberos server, so perhaps you'd need to configure SSO in the same profile as an SCEP payload?
I say "would be" as I haven't deployed it to any actual users; it's not quite useful enough yet and I haven't exposed Kerberos to the internet either.