An administrator has enabled Kerberos Constrained Delegation (KCD) on the SEG v2.
If the administrator publishes a profile without a certificate payload and the user enters the password, everything works fine.
When the user publishes the same profile with a certificate payload, the system is unable to connect and synchronize emails.
Which two troubleshooting steps need to be taken? (Choose two.)
A. B. C. D. E.
CD.
Reference - https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1907/WS1_KCD_SEGV2_Doc.pdf.
The issue described in the scenario is that when the user publishes a profile with a certificate payload, the system is unable to connect and synchronize emails. To troubleshoot this issue, there are a few steps that can be taken.
Step 1: Verify KCD configuration on SEG v2
Kerberos Constrained Delegation (KCD) is a feature in Workspace ONE UEM that enables secure authentication between the Workspace ONE UEM console and Exchange servers. In this scenario, the administrator has enabled KCD on the SEG v2. However, it is possible that KCD is not configured correctly or is not supported on the SEG v2. Therefore, the first troubleshooting step would be to verify the KCD configuration on the SEG v2.
Answer A suggests that KCD is not supported on SEG v2, which could be the reason why the system is unable to connect and synchronize emails. Therefore, this answer could be a possible troubleshooting step.
Step 2: Verify certificate chain and service account
The second step is to verify that the certificate chain and service account are correctly configured.
Answer C suggests that the Workspace UEM Console certificate is uploaded as a client certificate chain. This means that the certificate chain is used to establish a secure connection between the Workspace ONE UEM console and the Exchange servers. Therefore, if the certificate chain is not correctly configured, it could be the reason why the system is unable to connect and synchronize emails.
Answer E suggests verifying that the service account is set to the service type OW. This means that the service account is configured to use the correct service type for Workspace ONE UEM. If the service account is not configured correctly, it could also be the reason why the system is unable to connect and synchronize emails.
Step 3: Verify IIS user group and port 88
The third step is to verify the IIS user group and port 88.
Answer B suggests verifying if the service account is a member of the IIS user group on each CAS Exchange server. This means that the service account needs to be added to the IIS user group to enable it to access Exchange resources.
Answer D suggests verifying that port 88 is not blocked between the SEG and the Active Directory domain controller(s). This means that if port 88 is blocked, it could prevent the system from establishing a secure connection between the SEG and the Active Directory domain controller(s), which could prevent the system from connecting and synchronizing emails.
In conclusion, the two most relevant troubleshooting steps in this scenario are A (verify KCD support on SEG v2) and C (verify certificate chain and service account). However, it may be useful to verify the IIS user group and port 88 if the first two steps do not resolve the issue.