How to configure Kerberos SSO Extension to handle challenges in native app

I am trying to configure an MDM policy to enable the new Kerberos SSO Extension to respond to WWW-Authenticate: Negotiate challenges from my protected resource in a native app on iOS. I have a different policy to enable my app to communicate with my company's network over VPN. My app's code is receiving the 401 response as if the extension is not being invoked. However, if I enable Safari to access the protected resource's domain over VPN, I am able to access the resource (it's a simple GET request) in Safari.


Here is my policy:


<key>ExtensionData</key>
<dict>
    <key>allowAutomaticLogin</key>
    <true/>
    <key>isDefaultRealm</key>
    <false/>
    <key>pwNotificationDays</key>
    <integer>15</integer>
    <key>requireUserPresence</key>
    <false/>
    <key>syncLocalPassword</key>
    <true/>
    <key>useSiteAutoDiscovery</key>
    <true/>
    <key>credentialBundleIDACL</key>
    <array>
        <string>my.native.app.bundle.id</string>
    </array>
</dict>
<key>ExtensionIdentifier</key>
<string>com.apple.AppSSOKerberos.KerberosExtension</string>
<key>Hosts</key>
<array>
    <string>.mycompany.com</string>
</array>
<key>PayloadDisplayName</key>
<string>Kerberos Single Sign-on Extension</string>
<key>PayloadDescription</key>
<string>Configures Kerberos SSO</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.apple.extensiblesso.DA69B286-C1AD-4356-8627-EB11335C3DB3</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>DA69B286-C1AD-4356-8627-EB11335C3DB3</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Realm</key>
<string>SUBDOMAIN.MYCOMPANY.COM</string>
<key>TeamIdentifier</key>
<string>apple</string>
<key>Type</key>
<string>Credential</string>


Note: I've tried both with and without the credentialBundleIDACL.


The native app is making a GET request to the protected resource using the NSURLSession API. I expect the app or the OS to see the WWW-Authenticate: Negotiate header in the response from the server and send the challenge to be handled by the Kerberos extension. However, it does not appear that this is happening.


Also note that I am able to use code similar to what is demonstrated in https://developer.apple.com/video/play/tech-talks/301/ (around 14:30) and get the native Kerberos login prompt and successfully log in. This indicates to me that the extension is successfully able to communicate with the KDC and obtain a TGT. It's just not handling the NSURLSession request.


I am testing with an iPad on iOS 13.4.1.
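As an added diagnostic (not code from the original post), the following Swift URLSession delegate reports whether the Negotiate challenge for the protected resource is being delivered to the app at all; when the Kerberos SSO extension handles a challenge for a host in the profile's Hosts list, the app's delegate should not see it, so a Negotiate challenge arriving here indicates the extension was not invoked. `resourceURL` is a placeholder.

```swift
import Foundation

/// Delegate that only observes authentication challenges and leaves the
/// system's default handling in place, so it does not change the outcome.
final class NegotiateProbeDelegate: NSObject, URLSessionTaskDelegate {
    func urlSession(_ session: URLSession, task: URLSessionTask,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        if space.authenticationMethod == NSURLAuthenticationMethodNegotiate {
            // The Negotiate challenge reached the app, so the SSO extension
            // did not intercept it for this host.
            print("Negotiate challenge delivered to app for host \(space.host), "
                  + "previous failures: \(challenge.previousFailureCount)")
        } else {
            print("Challenge of type \(space.authenticationMethod) for host \(space.host)")
        }
        completionHandler(.performDefaultHandling, nil)
    }
}

/// Issues a plain GET and logs the status and WWW-Authenticate header, which
/// is what the app sees when the challenge is not satisfied by the extension.
func probeProtectedResource(_ url: URL) {
    let session = URLSession(configuration: .default,
                             delegate: NegotiateProbeDelegate(),
                             delegateQueue: nil)
    let task = session.dataTask(with: url) { _, response, error in
        if let error = error {
            print("Request failed: \(error.localizedDescription)")
            return
        }
        guard let http = response as? HTTPURLResponse else { return }
        print("HTTP \(http.statusCode)")
        if let header = http.value(forHTTPHeaderField: "WWW-Authenticate") {
            // A 401 with Negotiate here means the challenge was never
            // answered on the app's behalf.
            print("WWW-Authenticate: \(header)")
        }
    }
    task.resume()
}

// Placeholder for the protected resource inside the profile's Hosts domain.
let resourceURL = URL(string: "https://SUBDOMAIN.MYCOMPANY.COM/protected")!
probeProtectedResource(resourceURL)
```

Comparing this output against the same request issued through WKWebView on the same device narrows the problem to the CFNetwork path versus the profile itself.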

Replies

I should have mentioned that my app uses Cordova. I have found that my configuration works when I remove the Cordova plugin and configuration to use WKWebView. This may be due to how the plugins instantiate and configure the WKWebView, but note that I am also adding native calls with NSURLSession that also fail when WKWebView is present and succeed when it is not. The video I referenced states that WKWebView is supported, and it's strange that the native calls would fail as well.

Hi VMdominguez,


I'm getting the same error. Are you able to confirm in your console logs of the device:

*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[__NSCFConstantString stringByAppendingString:]: nil argument'
*** First throw call stack:
(0x1b81d0164 0x1b7ee4c1c 0x1b848e5b8 0x1e3faef54 0x1e3fac914 0x1023df684 0x1023e2f30 0x1b7e6eec4 0x1b7e7033c 0x1b7e727b4 0x1b7e7f5c0 0x1b7e7fd9c 0x1b7ed76d8 0x1b7edd9c8)


Looks like the KerberosExtension process crashes (note that the animation of the new SSO extension disappears really fast after entering your password and hitting enter).


The crashes should be generating logs and found in:


Edit:

Check out this error too, I think it's related:

Error reading plist file: file:///var/mobile/Containers/Data/PluginKitPlugin/52689A73-26C5-4F59-BD94-8026E037E0CA/Documents/realmSettings.plist, message: Error Domain=NSCocoaErrorDomain Code=260 "The file “realmSettings.plist” couldn’t be opened because there is no such file." UserInfo={NSFilePath=/var/mobile/Containers/Data/PluginKitPlugin/52689A73-26C5-4F59-BD94-8026E037E0CA/Documents/realmSettings.plist, NSUnderlyingError=0x280bb5410 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}


Note that those referenced files are Profiles deployed by the MDM in their Local-UUID formats.

Look for the 'Error Domain=NSCocoaErrorDomain Code=260 "The file “realmSettings.plist” couldn’t be opened because there is no such file.' error. My thoughts are that it cannot find the 'RealmSettings' file that should be generated by iOS or the configuration profile but I'm still performing further investigation on my end.


Please advise if this is the case for you.


Regards,


T

I did not see any errors like that. The logs didn't even indicate that the Kerberos SSO extension was handling the request.

Hello,

That error is not a problem. It means that there is no previously saved data. Be aware that the bundle ID ACL is case sensitive and it is used the first time a credential is received until it expires. This could impact your tests depending on the order. I suggest trying without the ACL until you get it working.

The CFNetwork stack is supported for SSO. Does your app download the data separately from the WKWebView, or does it load the URL directly in it?

What kind of VPN connection is it? Is it a per App VPN?

Regards

We face the exact same problem with Cordova apps on iOS 13.X trying to use Kerberos authentication. The SSO Extension works as expected for HTTP requests through WKWebView, but NSURLSession requests through a Cordova plugin from the same app give 401 back to the app. Very strange that in the same app the 401 Negotiate returned from the server is triggering the SSO Extension only in one of the two cases, although both WKWebView and NSURLSession are supported. Any solution to this? Anyone?