Your certificate authority template must be properly configured for Kerberos certificate distribution. You can duplicate the existing Kerberos Authentication template in Active Directory Certificate Services (AD CS) to configure a new certificate authority template for iOS Kerberos authentication.

Figure 1. Active Directory Certificate Services Properties of New Template Dialog Box

When you duplicate the Kerberos Authentication template from AD CS, you must configure the following information in the Properties of New Template dialog box.

  • General tab. Enter the Template display name and the Template name, for example, iOSKerberos. The template display name is the name shown in the Certificate Templates snap-in, Certificates snap-in, and Certification Authority snap-in.
  • Request Handling tab. Enable Allow private key to be exported.
  • Subject Name tab. Select the Supply in the request radio button. Workspace ONE UEM supplies the subject name when the certificate is requested.
  • Extensions tab. Define the application policies.
    • Select Application Policies and click Edit to add a new application policy. Name this policy Kerberos Client Authentication.
    • Add the object identifier (OID) as follows: 1.3.6.1.5.2.3.4. Do not change this value.
    • In the Description of Application Policies list, delete all policies listed except for the Kerberos Client Authentication policy and the Smart Card Authentication policy.
  • Security tab. Add the Workspace ONE UEM account to the list of users that can use the certificate. Set the permissions for the account. Set Full Control to allow the security principal to modify all attributes of a certificate template, including the permissions for the certificate template. Otherwise, set the permissions according to your organization's requirements.

Save the changes. Add the template to the list of templates used by the Active Directory Certificate Authority.
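
The following PowerShell check is an added example (not VMware or Microsoft code) that reads the saved template back from Active Directory and reports the settings from the steps above, plus every principal that holds Full Control or Enroll on it. It assumes the ActiveDirectory RSAT module, the example template name iOSKerberos, and a placeholder service account name `EXAMPLE\svc-ws1uem`. Because the subject name is supplied in the request, compare the rights list against the accounts you intend to allow.

```powershell
# Added example: audit the duplicated template against the steps on this page.
Import-Module ActiveDirectory

$TemplateName = 'iOSKerberos'          # example Template name from the General tab step
$UemAccount   = 'EXAMPLE\svc-ws1uem'   # placeholder: your Workspace ONE UEM account

# Flag values and GUID from the Microsoft certificate template schema
$EnrolleeSuppliesSubject = 0x00000001  # bit in msPKI-Certificate-Name-Flag
$ExportableKey           = 0x00000010  # bit in msPKI-Private-Key-Flag
$KerberosClientAuthOid   = '1.3.6.1.5.2.3.4'   # OID from the Extensions tab step
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right
$Rights     = [System.DirectoryServices.ActiveDirectoryRights]

$configNC = (Get-ADRootDSE).configurationNamingContext
$template = Get-ADObject `
    -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -Filter "name -eq '$TemplateName'" `
    -Properties 'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag',
                'pKIExtendedKeyUsage', 'nTSecurityDescriptor'
if (-not $template) { throw "Template '$TemplateName' not found under $configNC" }

# Settings from the Subject Name, Request Handling and Extensions tabs
$ekus = @($template.pKIExtendedKeyUsage)
[pscustomobject]@{
    SubjectSuppliedInRequest = [bool]($template.'msPKI-Certificate-Name-Flag' -band $EnrolleeSuppliesSubject)
    PrivateKeyExportable     = [bool]($template.'msPKI-Private-Key-Flag' -band $ExportableKey)
    HasKerberosClientAuthOid = $ekus -contains $KerberosClientAuthOid
    # Per the steps, only the Smart Card policy should remain here
    OtherPolicyOids          = ($ekus | Where-Object { $_ -ne $KerberosClientAuthOid }) -join ', '
} | Format-List

# Security tab: who is allowed Full Control or Enroll on the template
$template.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            (($_.ActiveDirectoryRights -band $Rights::GenericAll) -eq $Rights::GenericAll) -or
            (($_.ActiveDirectoryRights -band $Rights::ExtendedRight) -and
             ($_.ObjectType -in $EnrollGuid, [guid]::Empty))   # empty GUID = all extended rights
        )
    } |
    Select-Object @{ n = 'Principal';    e = { [string]$_.IdentityReference } },
                  @{ n = 'Rights';       e = { $_.ActiveDirectoryRights } },
                  @{ n = 'IsUemAccount'; e = { [string]$_.IdentityReference -eq $UemAccount } } |
    Sort-Object Principal -Unique |
    Format-Table -AutoSize
```

Rows where IsUemAccount is False are not necessarily wrong (built-in administrative groups normally appear), but each one is a principal that can request or alter certificates from this template and should be accounted for.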

In Workspace ONE UEM, configure the Certificate Authority and add the Certificate Template.