VMware Workspace ONE Community
EMMJunkie
Enthusiast

MobileSSO - iOS - On-premise ADCS

I am in the process of troubleshooting a MobileSSO workflow for iOS, using an on-premise ADCS:

Windows Server 2016 - ADCS

Kerberos Client Certificate Template configured

Workspace ONE UEM Certificate Services configured

Workspace ONE UEM Certificate (User + KDC) deployment + Single Sign-On payloads configured

Workspace ONE Access Connector v19.03 installed and Active Directory Account used to complete setup

Workspace ONE Access MobileSSO Authentication Mechanism enabled - REALM matches REALM in Workspace ONE UEM Single Sign-On configuration

Workspace ONE Access policies configured - default access policy for iOS to leverage Mobile SSO and a fallback of Password (cloud deployment)

When enrolling an iOS device through the ABM (DEP) workflow, I get the Intelligent Hub application. When opening the Intelligent Hub, I first get a message to enter a password, which looks like it is coming from my Access tenant, but the password is for my username@vidmpreview.com. At this point no password is accepted, and then it fails with the following error message: Access Denied - Kerberos NEGOTIATE failed or was canceled by the user

Any ideas or pointers on how to get this workflow working would be handy.
