Kerberos authentication is a common method of providing Single Sign On with on-premise Microsoft Active Directory. This kind of authentication is also referred to as Integrated Windows Authentication (IWA) or SPNEGO.
Android Enterprise lacks native Kerberos support, but with a 3rd party solution, in this case Hypergate, it’s possible to fill the native gap. This guide will describe how you can configure MobileIron Core to enable Android Enterprise to simulate Smart Card logons and leverage Kerberos Authentication to extend Single Sign On for corporate services to Android Enterprise devices.
Hypergate is not a free solution, however is priced competitively and sold through a network of partners. More information can be found here.
For context, the environment utilised for this guide is as follows:
In MobileIron Core head to Apps > App Catalog > Add+ > Google Play and search for Google Chrome.
Select the correct App, add it to the Category you want then make sure you tick the box Install this app for Android Enterprise.
After ticking the box to enable AE, scroll down to the managed configuration section. The Kerberos relevant configurations are:
Following this, set the Find Accounts On The Device runtime permission to Always Accept:
Head to Apps > App Catalog > Add+ > Google Play and tick Skip this step and manually provide Bundle ID and all app details > Next. You will be prompted with a form in which you need to enter the package name provided by the Hypergate team. This is because Hypergate is not visible publicly on Google Play currently.
Optional: For easier application list management (distinguish apps easier) you can also set the Hypergate logo in the next form by hitting “Replace Icon” and using this logo:
Click Install this app for Android Enterprise.
Scroll down to the managed configuration section. The relevant configurations are:
The tick boxes control the menu displayed in the app, for production usage they should be all unticked (user only sees the ticket status), for troubleshooting/setup they can all be ticked (all menus/logging is shown).
When finished, click Save/Finish.
As a reminder, MobileIron Tunnel should be configured correctly and able to reach internal hosts (Chrome needs to reach intranet sites and Hypergate needs to communicate with the KDC). If using the configurations AllowedAppList and DisallowedAppList please ensure they’re configured correctly to allow Chrome and Hypergate to reach their targets.
If not already assigned to a label, please do so now for Tunnel, Chrome and Hypergate. A test label is highly recommended prior to production rollout!
Hypergate is now ready to be tested.
Assigned devices should now have Chrome, Tunnel and Hypergate installed and configured. To validate if Hypergate works correctly, simply open the app and tap “Login”, this should directly show the UPN/Username of the assigned user and current status.
If the login does not work immediately, please check the logging section of Hypergate so troubleshoot (there are also network troubleshooting tools integrated in the “Ping KDC” menu).
Hypergate is only being opened manually to test the functionality. In future, Chrome will launch Hypergate and attempt to authenticate automatically
Within Chrome simply navigate to a website that requires authentication. Login should initiate automatically, immediately.
The first time Hypergate needs to fetch a Ticket Granting Ticket (TGT) there will be a non-intrusive short Hypergate prompt, every subsequent request will pass through without showing anything to the user.
At this point Hypergate should be set up correctly and Kerberos authentication will in future work correctly with Android Enterprise.
With this setup it’s equally possible to enable Kerberos SSO for all apps that use Custom Chrome Tabs for authentication (e.g. Slack, Evernote,…).
Other Apps like Microsoft Edge Browser or Brave Browser will require configuration similar to that of Chrome.
For any additional information about Hypergate or its capabilities, please contact email@example.com directly.