I am trying to configure an MDM policy to enable the new Kerberos SSO Extension to respond to WWW-Authenticate: Negotiate challenges from my protected resource in a native app on iOS. I have a different policy to enable my app to communicate with my company's network over VPN. My app's code is receiving the 401 response as if the extension is not being invoked. However, if I enable Safari to access the protected resource's domain over VPN, I am able to access the resource (it's a simple GET request) in Safari.
Here is my policy:
<string>Kerberos Single Sign-on Extension</string>
<string>Configures Kerberos SSO</string>
Note: I've tried both with and without the credentialBundleIDACL.
The native app is making a GET request to the protected resource using the NSURLSession API. I expect the app or the OS to see the WWW-Authenticate: Negotiate header in the response from the server and send the challenge to be handled by the Kerberos extension. However, it does not appear that this is happening.
Also note that I am able to use code similar to what is demonstrated in https://developer.apple.com/video/play/tech-talks/301/ (around 14:30) and get the native Kerberos login prompt and successfully login. This indicates to me that the extension is successfully able to communicate with the KDC and obtain a TGT. It's just not handling the NSURLSession request.
I am testing with an iPad on iOS 13.4.1.