EducationSoftwareStrategy.com
StrategyCommunity

Knowledge Base

Product

Community

Knowledge Base

TopicsBrowse ArticlesDeveloper Zone

Product

Download SoftwareProduct DocumentationSecurity Hub

Education

Tutorial VideosSolution GalleryEducation courses

Community

GuidelinesGrandmastersEvents
x_social-icon_white.svglinkedin_social-icon_white.svg
Strategy logoCommunity

© Strategy Inc. All Rights Reserved.

LegalTerms of UsePrivacy Policy
  1. Home
  3. Topics

KB319268: How to configure iOS device for Kerberos authentication using MicroStrategy Mobile 10.x

Community Admin

• Strategy

This document discusses about the steps to configure iOS device for Kerberos authentication.

SUMMARY
With iOS 7.x, Apple introduced Single Sign On Kerberos Integrated authentication support using iPad / iPhone devices. In order to allow devices to authenticate against a Kerberos Integrated authentication enabled Strategy Mobile server environment, the following steps outlined in this technical note required.
 
Note: This technical note requires a correctly configured Kerberos enabled Strategy Mobile and Intelligence Server environment. Refer to Strategy System Administration guide for steps on how to enable Strategy for Kerberos Integrated authentication.
Note: Starting with iOS 10, Apple only allows Kerberos Constraint Delegation. Ensure that Strategy Mobile and Intelligence Server have been configured for Kerberos Constrained Delegation as per KB440503: New in MicroStrategy 10.11: Kerberos Constrained Delegation . Strategy 10.11 or above is required to enable Kerberos Constraint Delegation.
1) The device must be configured using a mobile configuration (.mobileconfig) file which allows iOS to perform Kerberos authentication for the indicated URLs. The file (any_name.mobileconfig) should look like the following example:
 
 


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.sso</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.Strategy.sso</string>
<key>PayloadUUID</key>
<string>8E9B011B-D2E9-48A9-8984-8264C20F840E</string>
<key>PayloadDisplayName</key>
<string>SSO profile for Strategy</string>
<key>PayloadDescription</key>
<string>Configures Kerberos Single Sign On.</string>
<key>PayloadOrganization</key>
<string>Strategy</string>
<key>Name</key>
<string>MSTR Kerberos Config</string>
<key>Kerberos</key>
<dict>
<key>Realm</key>
<string>YOUR_REALM</string>
<key>URLPrefixMatches</key>
<array>
<string>http://YOUR_MOBILE_SERVER.DOMAIN.COM:PORT/StrategyMobile/</string> 
</array>
<key>AppIdentifierMatches</key>
<array>
<string>com.apple.mobilesafari</string>
<string>com.Strategy.*</string>
</array>
</dict> 
</dict>
</array>
<key>PayloadDescription</key>
<string>Sets up Safari to use Kerberos SSO for certain URLs</string>
<key>PayloadDisplayName</key>
<string>KerberosConfigProfile</string>
<key>PayloadIdentifier</key>
<string>com.Strategy.ssoconfig</string>
<key>PayloadOrganization</key>
<string>Strategy</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C2F9AEF2-3F73-4A4B-9D02-12AAF158D914</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

 
To install the .mobileconfig file, send it by e-mail to the device and open to install.
 
2) Create a mobile configuration that uses Integrated Authentication as the Strategy Mobile login mode and load it to the device. Make sure the URL contains the name used in the SPN for both the Intelligence Server and the Mobile server. 
 

319268 KB319268

Comment

0 comments

Details

Knowledge Article

Published:

April 25, 2017

Last Updated:

December 29, 2018