VMware Workspace ONE Community
YIPKC
Enthusiast

iOS cannot use SSO to log in to Workspace ONE

Hi everybody,

I have followed the VMware Workspace ONE Quick Configuration Guide to configure AirWatch with Workspace for single sign-on,
but without success. When I open the Workspace ONE app, it loads and later says "Kerberos NEGOTIATE failed or was canceled by the user".

I am using the AirWatch Certificate Authority with Active Directory.

I have no idea; can anyone advise?
Thanks

12 Replies
pbjork
VMware Employee

Is this using hosted AirWatch and hosted VMware Identity Manager?

Does your iOS device have a Kerberos MDM profile deployed to it?

Is port TCP/UDP 88 allowed between your device and VMware Identity Manager?

Can you upload pictures of your three iOS Kerberos MDM profile settings?

YIPKC
Enthusiast

Thank you for your reply :)


>>>>Is this using hosted AirWatch and hosted VMware Identity Manager?

I am using the "Deployment Model Using AirWatch Cloud Connector",

like this: http://pubs.vmware.com/vidm/index.jsp#com.vmware.vidm-cloud-deployment/GUID-A5047E30-CA8F-4CDE-BB92-...

I don't have Identity Manager on premises.


>>>>Does your iOS device have a Kerberos MDM profile deployed to it?

Yes, I followed the guide to create the Kerberos profile and assigned it (and I can see the certificate was deployed to the phone), as shown in the attachments,

and I also configured Identity Manager.

Integrating AirWatch With VMware Identity Manager

http://pubs.vmware.com/vidm/index.jsp#com.vmware.wsair-administration/GUID-F072888F-FC6F-4A6B...

Configure Mobile SSO for iOS Authentication in the Built-In Identity Provider

http://pubs.vmware.com/vidm/index.jsp#com.vmware.wsair-administration/GUID-59D589F7-55A4-4F96...

Configure Apple iOS Profile in AirWatch Using AirWatch Certificate Authority

http://pubs.vmware.com/vidm/index.jsp#com.vmware.wsair-administration/GUID-61B2CB4F-EA72-4D9C-BF1C-5...

>>>>Is port TCP/UDP 88 allowed between your device and VMware Identity Manager?

Since I haven't deployed the Identity Manager connector on-premises, the port was not opened.

jolefebvre
Contributor

We are trying to accomplish exactly the same thing and we have the same problem. We also do not use the VMware Identity Manager Connector, just the AirWatch component. Let's continue to troubleshoot; I also have a ticket open with AirWatch but no response from them yet.

YIPKC
Enthusiast

Let's troubleshoot together, thanks.

jolefebvre
Contributor

I just fixed it. In fact, everything was working all right, but I was testing on our company guest Wi-Fi, which was blocking port 88 toward vmwareidentity.com. When I try from an LTE network, Mobile SSO works fine. To test, simply telnet to kdc.vmwareidentity.com (or .asia in your case) on port 88 to see if your network is letting Kerberos pass.

YIPKC
Enthusiast

I also tried using the LTE network before but got the same error: "Kerberos NEGOTIATE failed or was canceled by the user".

Do you know of any logging we can use to trace the problem?

And may I know whether you configured the directory services at the CUSTOMER level?

Because my configuration is on a child organization group, which is not CUSTOMER.

jolefebvre
Contributor

I haven't found logs anywhere except on the client itself (iPad). I plugged it into my Mac and was able to look at the iOS Console to see what was going on... I could see it was trying to do Kerberos on vmwareidentity.com...

And I configured everything on the root Organization Group, and I confirm it is CUSTOMER level. Maybe that's your problem then.

YIPKC
Enthusiast

After moving to CUSTOMER, I still have the same error.

But finally, I found that if I disable OCSP in the Identity Manager Mobile SSO setting, the apps can SSO successfully.

Any issue if I disable OCSP?

Thanks

pchapman
Hot Shot

I am seeing the same results with an on-prem Identity Manager. It works great when OCSP is disabled. Of course I am curious about the implications of this. Anybody have any ideas?

pchapman
Hot Shot

Bringing this one back from the dead. I have another environment now, AirWatch SaaS with cloud-hosted Identity Manager, and am running into the same issue.

I followed the steps in the latest Workspace ONE Quick Configuration guide for AW 9.1 to no avail. I did confirm that OCSP is turned off and that I can communicate with port 88 on my Identity Manager tenant.

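The two network checks above (jolefebvre's "telnet kdc.vmwareidentity.com on port 88" and pchapman's confirmation that port 88 on the tenant is reachable) are the first thing to rule out before touching OCSP or the SSO profile. The script below is an added example, not code from this thread or from VMware: it opens a TCP connection to each KDC host on port 88 and classifies the outcome so that "filtered by the guest Wi-Fi" (timeout) is distinguishable from "name does not resolve" or "host reachable but port closed". The host list reuses the names mentioned in the thread; `kdc.vmwareidentity.asia` is an assumption based on the "(or .asia in your case)" remark. It only tests TCP, so it says nothing about UDP 88, which pbjork also asked about.

```python
"""Classify TCP reachability of a Kerberos KDC (host:port) from the current network.

Added example for the Workspace ONE Mobile SSO thread; not VMware code.
"""
import socket

# Hosts named in the thread. The .asia name is an assumption taken from the
# "(or .asia in your case)" remark; substitute the KDC name your tenant uses.
DEFAULT_KDCS = ["kdc.vmwareidentity.com", "kdc.vmwareidentity.asia"]
KERBEROS_PORT = 88

HINTS = {
    "open": "TCP 88 reachable; if SSO still fails, look at the SSO profile app list, OCSP and org group",
    "timeout": "filtered: a firewall or guest Wi-Fi is silently dropping port 88",
    "refused": "host reachable but nothing is listening on that port; check the host name",
    "dns-failure": "name does not resolve; check DNS on this network",
    "error": "socket error other than refused/timeout; check routing",
}


def check_tcp_port(host, port=KERBEROS_PORT, timeout=5.0):
    """Return 'open', 'refused', 'timeout', 'dns-failure' or 'error' for host:port over TCP."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    last = "error"
    for family, socktype, proto, _canon, sockaddr in infos:
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return "open"          # first address that accepts the handshake wins
        except socket.timeout:
            last = "timeout"       # SYN dropped: the classic "blocked by guest Wi-Fi" symptom
        except ConnectionRefusedError:
            last = "refused"       # RST came back: host is up, port is closed
        except OSError:
            last = "error"         # e.g. network unreachable
        finally:
            s.close()
    return last


def diagnose(status):
    """Map a status from check_tcp_port to a one-line troubleshooting hint."""
    return HINTS.get(status, HINTS["error"])


def check_kdcs(hosts=DEFAULT_KDCS, port=KERBEROS_PORT, timeout=5.0):
    """Check every KDC host and return {host: status}."""
    return {h: check_tcp_port(h, port, timeout) for h in hosts}


def self_check():
    """Offline sanity check of the classifier using a loopback listener.

    Returns (status_with_listener, status_after_listener_closed); expected ('open', 'refused').
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    with_listener = check_tcp_port("127.0.0.1", port, timeout=2)
    srv.close()
    without_listener = check_tcp_port("127.0.0.1", port, timeout=2)
    return with_listener, without_listener


if __name__ == "__main__":
    print("self-check:", self_check())
    for host, status in check_kdcs().items():
        print(f"{host}:{KERBEROS_PORT} -> {status}: {diagnose(status)}")
```

Run it once on the network the device actually uses (guest Wi-Fi, corporate Wi-Fi, LTE); a "timeout" on one network and "open" on another reproduces exactly the situation described in the thread, while "open" everywhere means the remaining suspects are the SSO profile's app list and the OCSP setting rather than the network.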
YIPKC
Enthusiast

Hi,

Do you add the app in the SSO profile?

The Workspace ONE app is com.air-watch.appcenter.

pchapman
Hot Shot

Yeah, that is what I missed. It was not listed anywhere in the Quick Configuration guide. Makes sense now. I suggested to VMware that they add it to the documentation. Thank you!
