Your certificate authority template must be properly configured for Kerberos certificate distribution. In the Active Directory Certificate Services (AD CS), you can duplicate the existing Kerberos Authentication template to configure a new certificate authority template for the iOS Kerberos authentication.
When you duplicate the Kerberos Authentication template from AD CS, you must configure the following information in the Properties of New Template dialog box.
General tab. Enter the Template display name and the Template name. For example iOSKerberos. This is the display name that is shown in the Certificate Templates snap-in, Certificates snap-in, and Certification Authority snap-in.
Subject Name tab. Select Supply in the request radio button. The subject name is supplied by AirWatch when AirWatch requests the certificate.
Extensions tab. Define the application policies.
Select Applications Policies and click Edit to add a new application policy. Name this policy Kerberos Client Authentication.
Add the object identifier (OID) as follows: 18.104.22.168.22.214.171.124. Do not change.
In the Description of Application Policies list delete all policies listed except for the Kerberos Client Authentication policy and the Smart Card Authentication policy.
Security tab. Add the AirWatch account to the list of users that can use the certificate. Set the permissions for the account. Set Full Control to allow the security principal to modify all attributes of a certificate template, including the permissions for the certificate template. Otherwise, set the permissions according to your organization's requirements.
Save the changes. Add the template to the list of templates used by the Active Directory Certificate Authority.
In AirWatch configure the Certificate Authority and add the Certificate Template.