XenMobile FullVPN on Android may have SSL errors if kerberos policy is enabled

I’ve come across an interesting type of issue over the last few months.

We have discovered intermittent SSL handshake failures when wrapped Android applications use the FullVPN tunnel to reach internal HTTPS resources.

The handshake failures occur inside the VPN tunnel, on the SSL session between the device and the end resource.

This was observed on XenMobile 9 and NetScaler 10.5.57.7.

We have narrowed this down to the following policies being bound:

add vpn trafficAction trafficAction_noproxy http -SSO ON -kcdAccount impersonation-account -proxy noproxy
add vpn trafficPolicy trafficpol_sso ns_true trafficAct_SSO

Because the SSL conversation takes place inside the VPN tunnel, end to end between the device and the resource, NetScaler should not be able to inspect that traffic or see the Kerberos challenge.

However, it seems that this policy somehow gets triggered anyway, and it is the cause of the intermittent SSL handshake failures.

We have found that unbinding this policy, or narrowing its rule so that it does not apply to FullVPN traffic, resolves the connectivity issues.
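As an added illustration (not configuration from the original post), the two remediations above written as NetScaler CLI commands: the first unbinds the SSO traffic policy from the Gateway vserver, the second keeps KCD SSO but replaces the catch-all ns_true rule with a classic expression that only matches requests whose Host header names the Kerberos-protected application. The vserver name, the backend hostname and the use of trafficAction_noproxy as the policy's action are assumptions.

```text
# Option 1: stop the SSO traffic policy from applying at all
# (vpn_vs_xenmobile is an assumed vserver name)
unbind vpn vserver vpn_vs_xenmobile -policy trafficpol_sso

# Option 2: keep KCD SSO, but only for the backend that needs it.
# ns_true matched every request, tunneled HTTPS included; the Host-header
# rule below only fires for the named application (hostname is assumed).
set vpn trafficPolicy trafficpol_sso -rule "REQ.HTTP.HEADER Host CONTAINS kcd-app.example.com" -action trafficAction_noproxy
```

After either change, verify with "show vpn vserver vpn_vs_xenmobile" that the policy binding reflects what you intended before retesting the wrapped apps.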