Main tasks for configuring single sign-on with Kerberos (Ivanti EPMM or Ivanti Neurons for MDM)

Following are the main steps for configuring single sign-on with Kerberos:

  1. Configuring SRV (Ivanti EPMM or Ivanti Neurons for MDM)
  2. Configuring single sign-on (Ivanti EPMM)
    OR
    Configuring single sign-on (Ivanti Neurons for MDM)

Before you begin 

  • Set up per-app VPN with Tunnel as described in Setting up Ivanti Tunnel. Apply the Tunnel VPN setting to the managed apps that will use single sign-on with Kerberos authentication. The managed app must support Kerberos.
  • If you want an app to use a certificate to authenticate the device user to a backend resource when the Kerberos ticket has expired, create a certificate enrollment setting. You will reference the certificate in the single sign-on setting.
  • If you do not provide an identity certificate, the device user is prompted for a user ID and password when the Kerberos ticket has expired.
  • Ensure that devices can reach a Kerberos Key Distribution Center (KDC) and the backend resources that you specify in the single sign-on setting.

Configuring SRV (Ivanti EPMM or Ivanti Neurons for MDM)

Configuring SRV is not required if you configure the packet tunnel provider type in the Ivanti Tunnel VPN configuration.

The SRV feature resolves the Kerberos DNS SRV queries that devices send in environments where the internal and public DNS domains of the Kerberos Key Distribution Center (KDC) differ. To answer the SRV query and determine which KDC handles the authentication requests for the backend server, you configure key-value pairs in the Tunnel VPN configuration for iOS. This replaces the need to create an SRV record in your DNS.

If you are configuring split tunneling in Access, ensure that the domain name in the split tunneling configuration exactly matches the SRV record in the Tunnel for iOS configuration.

Procedure

  1. In your Unified Endpoint Management (UEM) platform, select the Ivanti Tunnel configuration for iOS to edit.
    • In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
    • In Ivanti Neurons for MDM, go to Configurations.
  2. In Custom Data, add the following key-value pair:
    • Key: SRV_kerberos._tcp.DnsDomainName
    • Value: SRV Priority Weight Port Target

    To configure multiple values for the same domain name, add a new row for each value. Use the same key with a trailing #n, where n is an integer, and add a trailing #n to the first record as well. Ensure that there is no space between the key and #n. If there are multiple entries, a KDC is contacted based on priority and weight.

    Example

    Key                                 Value
    SRV_kerberos._tcp.example.com#1     SRV 0 100 88 kdc.example.com
    SRV_kerberos._tcp.example.com#2     SRV 0 100 88 kdc2.example.com

  3. In Safari Domains, add the root domain.

    Configuring the root domain allows all traffic, including Kerberos traffic, to go through Tunnel.

    Example : example.com

    Alternatively, if you do not want to add the root domain, add the following to Safari Domains:

    • the backend resource being accessed.
    • _kerberos._tcp.DnsDomainName: configured in Custom Data.
      The realm name in the Kerberos DNS query is case sensitive. Therefore, the DnsDomainName must be in upper case.
    • Target: configured in Custom Data.

    Configuring the domains ensures that traffic required to resolve the Kerberos DNS request goes through Tunnel.

    Example  

    • sharepoint.example.com
    • _kerberos._tcp.EXAMPLE.COM
    • kdc.example.com
  4. Click Save.
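    The rules in steps 2 and 3 are easy to get subtly wrong (a space before #n, a missing #n on the first row, a lower-case realm in the _kerberos._tcp entry), and Tunnel gives no feedback until a Kerberos request fails on a device. The following Python script is an added example written for this page, not Ivanti code: it parses Custom Data rows in the format above, enforces the #n rule, derives the Safari Domains list for the non-root-domain option, and shows the order in which KDCs would be tried. The page states only that priority and weight are used; the weighted ordering of DNS SRV records (RFC 2782) is this example's assumption about how Tunnel chooses. The function names are the example's own, and the sample rows (the two from the table above plus a standby KDC) are constructed.

```python
"""Check Ivanti Tunnel Kerberos SRV Custom Data rows and derive Safari Domains.

Added example for this page, not Ivanti code. The key/value format and the
Safari Domains rule come from the procedure above; the helper names, the
validation rules and the priority/weight ordering are this example's own.
"""
import random
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Key: SRV_kerberos._tcp.<DnsDomainName>, optionally followed by #n with no
# space in between (required on every row when one domain has several rows).
KEY_RE = re.compile(r"^SRV_kerberos\._tcp\.(?P<domain>[A-Za-z0-9.-]+)(?:#(?P<n>\d+))?$")


@dataclass(frozen=True)
class KdcRecord:
    domain: str        # DnsDomainName as typed in the key
    n: Optional[int]   # trailing #n, None when the key has no suffix
    priority: int      # lower is tried first, as for a DNS SRV record
    weight: int        # relative share among records of equal priority
    port: int          # 88 for Kerberos
    target: str        # KDC host name


def parse_custom_data(pairs):
    """Turn (key, value) rows into KdcRecords; raise ValueError on a malformed
    key or value, or on a missing/duplicate #n suffix."""
    records = []
    for key, value in pairs:
        m = KEY_RE.match(key)
        if m is None:
            raise ValueError(f"bad key {key!r}: expected SRV_kerberos._tcp.<DnsDomainName>[#n]")
        fields = value.split()
        if len(fields) != 5 or fields[0] != "SRV":
            raise ValueError(f"bad value {value!r}: expected 'SRV Priority Weight Port Target'")
        priority, weight, port = (int(f) for f in fields[1:4])
        if not (0 <= priority <= 65535 and 0 <= weight <= 65535 and 1 <= port <= 65535):
            raise ValueError(f"number out of range in {value!r}")
        n = int(m.group("n")) if m.group("n") is not None else None
        records.append(KdcRecord(m.group("domain"), n, priority, weight, port, fields[4]))

    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec.domain].append(rec)
    for domain, recs in by_domain.items():
        ns = [rec.n for rec in recs]
        # Several KDCs for one domain: every row, the first included, needs a distinct #n.
        if len(recs) > 1 and (None in ns or len(set(ns)) != len(ns)):
            raise ValueError(f"{domain}: each row needs a unique #n suffix, got {ns}")
    return records


def is_valid(pairs):
    """True when parse_custom_data accepts the rows."""
    try:
        parse_custom_data(pairs)
    except ValueError:
        return False
    return True


def safari_domains(records, backend_hosts):
    """Safari Domains entries for the non-root-domain option: each backend host,
    _kerberos._tcp.<REALM> in upper case (the query is case sensitive), and
    every KDC target."""
    entries = list(backend_hosts)
    entries += [f"_kerberos._tcp.{d.upper()}" for d in sorted({r.domain for r in records})]
    entries += sorted({r.target for r in records})
    return entries


def kdc_order(records, seed=None):
    """Order in which the KDCs would be contacted: ascending priority, and within
    one priority a weighted random order (RFC 2782 rule, assumed here)."""
    rng = random.Random(seed)
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec.priority].append(rec)
    ordered = []
    for priority in sorted(by_priority):
        pool = list(by_priority[priority])
        while pool:
            pool.sort(key=lambda r: r.weight != 0)  # weight-0 rows first, per RFC 2782
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


# Constructed sample: the two rows from the table above plus a standby KDC at a
# lower priority; the backend host is the SharePoint example from step 3.
CUSTOM_DATA = [
    ("SRV_kerberos._tcp.example.com#1", "SRV 0 100 88 kdc.example.com"),
    ("SRV_kerberos._tcp.example.com#2", "SRV 0 100 88 kdc2.example.com"),
    ("SRV_kerberos._tcp.example.com#3", "SRV 10 0 88 kdc-dr.example.com"),
]
BACKEND_HOSTS = ["sharepoint.example.com"]

if __name__ == "__main__":
    recs = parse_custom_data(CUSTOM_DATA)
    print("Safari Domains:", ", ".join(safari_domains(recs, BACKEND_HOSTS)))
    print("KDC order:", [r.target for r in kdc_order(recs, seed=1)])
```

    Run the script against the rows you intend to paste into Custom Data before saving the configuration; a rejected row means the key or value would not match the format the procedure describes. The Safari Domains list it prints is the set to enter when you do not add the root domain, with the realm already upper-cased.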

Next steps

Continue with Configuring single sign-on (Ivanti EPMM) or Configuring single sign-on (Ivanti Neurons for MDM), depending on your UEM platform.

Configuring single sign-on (Ivanti EPMM)

Specify the URLs or resources that the device user can access using single sign-on (SSO).

  • For Realm, enter $REALM$.
  • Create a separate Single sign-on configuration for each realm.

Procedure

  1. In the Admin Portal, go to Policies & Configs > Configurations.
  2. From the Add New drop-down menu, go to iOS and OS X > Single Sign-On Account.
    The New Single Sign-On (SSO) Configuration screen displays.
  3. Complete the form.
  4. Click Save.
  5. In the Configurations page, select the configuration.
  6. Click More Actions > Apply To Label.
  7. Select a label to apply, and click Apply.

Configuring single sign-on (Ivanti Neurons for MDM)

Specify the URLs or resources that the device user can access using SSO.

Create a separate Single sign-on configuration for each realm.

Procedure 

  1. In Ivanti Neurons for MDM, go to Configurations > +Add.
  2. Search for single sign-on.
  3. Click the Single Sign-On Account configuration.
    The Create Single Sign-On Account Configuration page displays.
  4. Add the necessary configurations and click Next.
  5. Choose a distribution option for the configuration and click Done.
    The configuration is distributed to the devices covered by the selected distribution option. Select the same distribution option that you selected for the Ivanti Tunnel for iOS app.