XenMobile, Re-enrolment, SSL Offload and session reuse


#1

We’ve discovered an issue where the MDM profile on iOS devices will fail to install with the following error message

“Profile Installation Failed”

Looking at the Xcode logs you can see the profile will fail to install due to one of the following reasons.

HTTP 401

Desc   : A connection to the server could not be established.
US Desc: A connection to the server could not be established.
Domain : MCHTTPTransactionErrorDomain
Code   : 23001
Type   : MCFatalError
Params : (
    "https://servername:443/zdm/ios/mdm/checkin",
    401

HTTP 412

	Desc   : A connection to the server could not be established.
US Desc: A connection to the server could not be established.
Domain : MCHTTPTransactionErrorDomain
Code   : 23001
Type   : MCFatalError
Params : (
    "https://servername:443/zdm/ios/mdm/checkin",
    412

Below is an exaple for HTTP 401 in the XMS logs

2017-01-19T14:36:37.261+1300 |   | DEBUG | http-nio-18443-exec-3 | com.citrix.xdm.util.net.UnifiedSslEndpoint | Found NS offloaded certificate in request from NETSCALER_SNIP to /zdm/ios/mdm/checkin; subject=SERIALNUMBER=DEVICE_SERIAL_NUMBER + OU=XenMobile MDM, serial=23256
2017-01-19T14:36:37.264+1300 |   |  INFO | http-nio-18443-exec-3 | com.sparus.nps.ios.push.security.IOsMdmAuthenticator | Rejecting unrecognised identity: SERIALNUMBER=DEVICE_SERIAL_NUMBER + OU=XenMobile MDM, serial=23256
2017-01-19T14:36:37.264+1300 |   | DEBUG | http-nio-18443-exec-3 | com.sparus.nps.ios.push.MdmCheckInServlet | SecurityValve processed: success=FAILURE, reason=Unrecognised identity: SERIALNUMBER=DEVICE_SERIAL_NUMBER + OU=XenMobile MDM, identity=null, enrollment=null
2017-01-19T14:36:37.264+1300 |   |  WARN | http-nio-18443-exec-3 | com.sparus.nps.ios.push.MdmCheckInServlet | Authentication failed check-in request (cause: FAILURE, msg: Unrecognised identity: SERIALNUMBER=DEVICE_SERIAL_NUMBER + OU=XenMobile MDM). Refusing access with 401.

Both of these issues are due to the netscaler presenting a revoked clietn certificate to the XMS node.

Scenario:

  • XenMobile environment is fronted by a netscaler
  • SSL offloading is configured on netscaler for port 443

What happens:

  • XenMobile relies on client certificate authentication for connections coming in on port 443
  • Client certificate authention only happens during the initial SSL/TLS session negotiation
  • There is no mechanism to update client certificate part way through SSL/TLS session

Steps the device follows

  1. Device is already enrolled and has a client certificate
  2. When you un-enrol the device the client certificate gets revoked
  3. When you re-enrol a new client certificate is issued
  4. When the device attempts to reconect due to session reuse the device resumes the previous SSL/TLS session that still has the client certificate from previous enrolment
  5. XenMobile does not recognise this certificate and rejects the profile installation

Resolution:

  • Tweak the session reuse timer for the 443 MDM VIP to a smaller number
  • Disable session reuse
  • Wait for a longer period of time before re-enrolling the device

More information on Netscaler session reuse is available here: https://support.citrix.com/article/CTX121925