Hi everybody,
I have followed the VMware Workspace ONE Quick Configuration Guide to configure AirWatch with Workspace for single sign-on,
but without success. When I open the Workspace ONE app, it loads and later says "Kerberos NEGOTIATE failed or was canceled by the user".
I am using the AirWatch Certificate Authority with Active Directory.
I have no idea what is wrong. Can anyone advise?
Thanks
Is this using hosted AirWatch and hosted VMware Identity Manager?
Does your iOS device have a Kerberos MDM profile deployed to it?
Is port TCP/UDP 88 allowed between your device and VMware Identity Manager?
Can you upload pictures of your three iOS Kerberos MDM profile settings?
Thank you for your reply
>>>>Is this using hosted AirWatch and hosted VMware Identity Manager?
I am using the "Deployment Model Using AirWatch Cloud Connector";
I don't have the Identity Manager on premises.
>>>Does your iOS device have a Kerberos MDM profile deployed to it?
Yes, I followed the guide to create the Kerberos profile and assigned it (and I see the certificates were deployed to the phone), which is shown in the attachments,
and I also configured the Identity Manager.
Integrating AirWatch With VMware Identity Manager
Configure Mobile SSO for iOS Authentication in the Built-In Identity Provider
Configure Apple iOS Profile in AirWatch Using AirWatch Certificate Authority
>>>>Is port TCP/UDP 88 allowed between your device and VMware Identity Manager?
Since I haven't deployed the Identity Manager connector on-premises, the port was not opened.
We are trying to accomplish exactly the same thing and we have the same problem. We also do not use the VMware Identity Manager Connector, but just the AirWatch component. Let's continue to troubleshoot. I also have a ticket opened at AirWatch but no response from them yet.
Let's troubleshoot together, thanks.
I just fixed it. In fact, everything was working all right, but I was testing on our guest Wi-Fi in our company, which was blocking port 88 toward vmwareidentity.com. When I try from an LTE network, the Mobile SSO works fine. To test, simply telnet to kdc.vmwareidentity.com (or .asia in your case) on port 88 to see if your network is letting Kerberos pass.
I also tried to use the LTE network before but got the same error "Kerberos NEGOTIATE failed or was canceled by the user".
Do you know of any logging we can use to trace the problem?
And may I know whether you configured the directory services at the CUSTOMER level?
Because my configuration is on the child organization group, which is not CUSTOMER.
I haven't found logs anywhere except on the client itself (iPad). I plugged it into my Mac and was able to look at the iOS Console to see what was going on... I could see it was trying to do Kerberos on vmwareidentity.com...
And I configured everything on the root Organization Group and I confirm it is CUSTOMER level. Maybe that's your problem then.
I am seeing the same results with an on-prem Identity Manager. It works great when OCSP is disabled. Of course I am curious about the implications of this. Anybody have any ideas?
Bringing this one back from the dead. I have another environment now, AirWatch SaaS with cloud-hosted Identity Manager, and am running into the same issue.
I followed the steps in the latest Workspace ONE Quick Configuration guide for AW 9.1 to no avail. I did confirm that OCSP is turned off and that I can communicate to port 88 on my Identity Manager tenant.
Yeah, that is what I missed. It was not listed anywhere in the quick configuration guide. Makes sense now. I suggested to VMware that they add it to the documentation. Thank you!