Configuring Kerberos Extensible Single Sign-On (iOS/ Shared iPad User)

Before you begin

You must have:
  • Manage Profile permissions. See General Permissions.
  • Target devices running iOS 13.0 or later.
    Restriction: This feature is incompatible with Shared iPads.

About this task

The Kerberos Extensible Single Sign-On (SSO) configuration deploys Apple's built-in Kerberos SSO extension to the device. After the user authenticates to the Kerberos realm once, the extension holds the ticket-granting ticket (TGT) and obtains service tickets for permitted apps on the user's behalf, so the user is not asked for credentials again and individual apps never handle the password themselves. Because Kerberos authenticates both the client and the service and exchanges encrypted tickets rather than passwords, this reduces the exposure of user credentials to each service.

Procedure

  1. Create or edit a Reactive iOS/ Shared iPad User profile. See Creating a Profile and Editing a Profile.
  2. Add the Kerberos Extensible SSO configuration from the Security & Restrictions configurations list.
    Tip: For Shared iPad users, select Kerberos Extensible Single Sign On.
    Selecting the Kerberos SSO profile configuration in a Reactive iOS profile.
  3. In the Realm field, enter the Kerberos realm name (for example, EXAMPLE.COM). The realm is the administrative domain that shares a common security policy and authentication database. It is a realm name, conventionally in upper case, not an IP address or a hostname.
  4. In the Add Host Names section, select (Add) and specify the host or domain names that the app extension is allowed to authenticate against. Only requests to these hosts are handled by the extension.
  5. Enter the Principal Name without the realm suffix (for example, jdoe rather than jdoe@EXAMPLE.COM). The realm configured in step 3 is appended by the extension.
  6. In the Site Code field, enter the name of the Active Directory site that the Kerberos extension should use. This is a site name, not a URL. Leave it empty if you rely on site auto-discovery (step 11).
  7. From the Certificate list, select the certificate that the Kerberos extension uses for Public Key Cryptography for Initial Authentication (PKINIT) to renew the Kerberos credential.
  8. Enable Allow Automatic Login so that the user's password is saved to the keychain and the Kerberos credential can be renewed without prompting the user.
    Note: When disabled, the password is not saved to the keychain, and the user is prompted to re-authenticate whenever the credential needs to be renewed.
  9. Turn on Is Default Realm if this realm should be used as the default when more than one Kerberos extension is configured.
  10. Enable Require User Presence to require Touch ID, Face ID, or passcode confirmation before accessing keychain items.
  11. Enable Use Site Auto-Discovery to allow automatic discovery of the Active Directory site using LDAP and DNS.
  12. In the Add Preferred KDCs section, select (Add) to specify the Key Distribution Centers (KDCs) that the extension should use for Kerberos traffic, for example when the KDCs cannot be discovered through DNS.
    Note: The order in the list determines priority; the first entry is tried first.
  13. In the Add Credential Bundle ID ACL section, select (Add) to list the bundle IDs permitted to access the Ticket Granting Ticket (TGT).
    Tip: To add many bundle IDs at once, select (Import) and upload a CSV file. Each line must follow the format: Application Bundle Identifier, Application Name. After the import, review the list to confirm that every application is present. A missing entry usually means that its line was not formatted correctly, and an app that is missing from this list cannot use the TGT.
  14. Save the configuration and assign the profile to your target devices. See Assigning a Profile.

Results

You have successfully configured Kerberos Extensible SSO for your devices. The profile configuration is now visible in the Profiles view.