When admins try to provision the Mobile SSO profile with the AirWatch Provisioning app, they receive an error that the PrincipalName contains an invalid value.


You see the following error codes.


The Workspace ONE UEM account might be configured to use an email address as the User Name attribute value.

When the Mobile SSO certificate payload is created, the payload uses the user name attribute value as the principal name on the certificate. You cannot use the @ character in the principle name.

Two ways to resolve this issue are described.


  1. In the User Provisioning page of the AirWatch Provisioning app, select another attribute that does not include the @ sign to represent the user name. You might need to edit the value that is imported into . Make sure that the user name and the prefix of the UPN remain the same.
  2. Configure a custom lookup field in the Workspace ONE UEM console to parse the prefix of the email address. Use that custom setting in the certificate payload.
    1. In the Workspace ONE UEM console, go to Group & Settings > All Settings > Devices & Users > General > Lookup Fields.
    2. Select Add Custom Field.
    3. Create a name. For example, EmailNickName and create a regex such as ".+?(?=@)".
  3. You can then use the name you created in the Certificate Payload.