3 Replies
      Latest reply on Jun 1, 2020 12:03 PM by vmdominguez
      vmdominguez Level 1 (0 points)

        I am trying to configure an MDM policy to enable the new Kerberos SSO Extension to respond to WWW-Authenticate: Negotiate challenges from my protected resource in a native app on iOS. I have a different policy to enable my app to communicate with my company's network over VPN. My app's code is receiving the 401 response as if the extension is not being invoked. However, if I enable Safari to access the protected resource's domain over VPN, I am able to access the resource (it's a simple GET request) in Safari.

        Here is my policy:

        <key>ExtensionData</key>
        <dict>
          <key>allowAutomaticLogin</key>
          <true/>
          <key>isDefaultRealm</key>
          <false/>
          <key>pwNotificationDays</key>
          <integer>15</integer>
          <key>requireUserPresence</key>
          <false/>
          <key>syncLocalPassword</key>
          <true/>
          <key>useSiteAutoDiscovery</key>
          <true/>
          <key>credentialBundleIDACL</key>
          <array>
            <string>my.native.app.bundle.id</string>
          </array>
        </dict>
        <key>ExtensionIdentifier</key>
        <string>com.apple.AppSSOKerberos.KerberosExtension</string>
        <key>Hosts</key>
        <array>
          <string>.mycompany.com</string>
        </array>
        <key>PayloadDisplayName</key>
        <string>Kerberos Single Sign-on Extension</string>
        <key>PayloadDescription</key>
        <string>Configures Kerberos SSO</string>
        <key>PayloadEnabled</key>
        <true/>
        <key>PayloadIdentifier</key>
        <string>com.apple.extensiblesso.DA69B286-C1AD-4356-8627-EB11335C3DB3</string>
        <key>PayloadType</key>
        <string>com.apple.extensiblesso</string>
        <key>PayloadUUID</key>
        <string>DA69B286-C1AD-4356-8627-EB11335C3DB3</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>Realm</key>
        <string>SUBDOMAIN.MYCOMPANY.COM</string>
        <key>TeamIdentifier</key>
        <string>apple</string>
        <key>Type</key>
        <string>Credential</string>

        Note: I've tried both with and without the credentialBundleIDACL.

        The native app is making a GET request to the protected resource using the NSURLSession API. I expect the app or the OS to see the WWW-Authenticate: Negotiate header in the response from the server and send the challenge to be handled by the Kerberos extension. However, it does not appear that this is happening.

        Also note that I am able to use code similar to what is demonstrated in https://developer.apple.com/video/play/tech-talks/301/ (around 14:30) and get the native Kerberos login prompt and successfully login. This indicates to me that the extension is successfully able to communicate with the KDC and obtain a TGT. It's just not handling the NSURLSession request.

        I am testing with an iPad on iOS 13.4.1.
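A quick way to rule out the most common profile-side causes before blaming the extension is to parse the payload and check that the request URL, the bundle ID and the payload identifiers line up. The script below is an added example, not code from the poster or from Apple. It wraps the payload from the post in a constructed plist envelope (the post shows only the inner keys), and the host-matching rule in `host_matches` is my reading of the profile reference (a leading dot covers the domain and its subdomains); treat that rule as an assumption, not as the extension's verified behaviour.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample: the ExtensibleSingleSignOn payload from the post, placed
# inside a plist envelope so plistlib can parse it. Only the keys relevant to the
# checks below are kept.
PROFILE_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ExtensionData</key>
  <dict>
    <key>allowAutomaticLogin</key><true/>
    <key>credentialBundleIDACL</key>
    <array><string>my.native.app.bundle.id</string></array>
  </dict>
  <key>ExtensionIdentifier</key>
  <string>com.apple.AppSSOKerberos.KerberosExtension</string>
  <key>Hosts</key>
  <array><string>.mycompany.com</string></array>
  <key>PayloadType</key>
  <string>com.apple.extensiblesso</string>
  <key>Realm</key>
  <string>SUBDOMAIN.MYCOMPANY.COM</string>
  <key>TeamIdentifier</key>
  <string>apple</string>
  <key>Type</key>
  <string>Credential</string>
</dict>
</plist>
"""


def host_matches(pattern: str, host: str) -> bool:
    """Assumed Hosts matching rule (not verified against the extension itself):
    a pattern with a leading dot matches that domain and any subdomain of it;
    a pattern without a leading dot must match the host exactly."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        base = pattern[1:]
        return host == base or host.endswith("." + base)
    return host == pattern


def check_request(profile_bytes: bytes, url: str, bundle_id: str) -> list:
    """Return a list of findings explaining why the Kerberos extension would
    not be asked to answer a Negotiate challenge for this URL and app.
    An empty list means the profile-side checks all passed."""
    payload = plistlib.loads(profile_bytes)
    findings = []

    if payload.get("PayloadType") != "com.apple.extensiblesso":
        findings.append("PayloadType is not com.apple.extensiblesso")
    if payload.get("ExtensionIdentifier") != "com.apple.AppSSOKerberos.KerberosExtension":
        findings.append("ExtensionIdentifier does not name the Kerberos extension")
    if payload.get("Type") != "Credential":
        findings.append("Type must be Credential for challenge-based SSO")

    # The extension is only consulted for hosts listed in Hosts.
    host = urlsplit(url).hostname or ""
    hosts = payload.get("Hosts", [])
    if not any(host_matches(p, host) for p in hosts):
        findings.append(f"host {host!r} is not covered by Hosts {hosts}")

    # When credentialBundleIDACL is present, only the listed apps may use the credential.
    acl = payload.get("ExtensionData", {}).get("credentialBundleIDACL")
    if acl is not None and bundle_id not in acl:
        findings.append(f"bundle id {bundle_id!r} is not in credentialBundleIDACL")

    return findings


if __name__ == "__main__":
    for url, app in [
        ("https://api.mycompany.com/resource", "my.native.app.bundle.id"),
        ("https://api.mycompany.com/resource", "some.other.app"),
        ("https://api.othercompany.com/resource", "my.native.app.bundle.id"),
    ]:
        problems = check_request(PROFILE_PAYLOAD, url, app)
        print(url, app, "->", "OK" if not problems else "; ".join(problems))
```

Run it with the real profile bytes exported from the MDM and the exact URL the app requests; a clean result means the remaining suspects are on the device or app side (the extension process, the web view, or the URL loading stack), which is where the replies below look next.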

        • Re: How to configure Kerberos SSO Extension to handle challenges in native app
          vmdominguez Level 1 (0 points)

          I should have mentioned that my app uses Cordova. I have found that my configuration works when I remove the Cordova plugin and configuration to use WKWebView. This may be due to how the plugins instantiate and configure the WKWebView, but note that I am also adding native calls with NSURLSession that also fail when WKWebView is present and succeed when it is not. The video I referenced states that WKWebView is supported, and it's strange that the native calls would fail as well.

            • Re: How to configure Kerberos SSO Extension to handle challenges in native app
              tduongtelstra Level 1 (0 points)

              Hi vmdominguez,

              I'm getting the same error. Are you able to confirm this in the console logs of your device?

              *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[__NSCFConstantString stringByAppendingString:]: nil argument'
              *** First throw call stack:
              (0x1b81d0164 0x1b7ee4c1c 0x1b848e5b8 0x1e3faef54 0x1e3fac914 0x1023df684 0x1023e2f30 0x1b7e6eec4 0x1b7e7033c 0x1b7e727b4 0x1b7e7f5c0 0x1b7e7fd9c 0x1b7ed76d8 0x1b7edd9c8)

              It looks like the KerberosExtension process crashes (note that the animation of the new SSO extension disappears really fast after entering your password and hitting enter).

              The crashes should be generating logs and found in:

              Edit:

              Check out this error too, I think it's related:

              Error reading plist file: file:///var/mobile/Containers/Data/PluginKitPlugin/52689A73-26C5-4F59-BD94-8026E037E0CA/Documents/realmSettings.plist, message: Error Domain=NSCocoaErrorDomain Code=260 "The file “realmSettings.plist” couldn’t be opened because there is no such file." UserInfo={NSFilePath=/var/mobile/Containers/Data/PluginKitPlugin/52689A73-26C5-4F59-BD94-8026E037E0CA/Documents/realmSettings.plist, NSUnderlyingError=0x280bb5410 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}

              Note that those referenced files are profiles deployed by the MDM in their local-UUID formats.

              Look for the 'Error Domain=NSCocoaErrorDomain Code=260 "The file “realmSettings.plist” couldn’t be opened because there is no such file."' error. My thoughts are that it cannot find the 'RealmSettings' file that should be generated by iOS or the configuration profile, but I'm still performing further investigation on my end.

              Please advise if this is the case for you.

              Regards,

              T