iPhones stop authenticating with TLS 1.1/1.2 enabled

We have a publishing rule on our TMGs for managing mobile devices. We have a mixture of iPhones and Android phones that are connecting to Airwatch.

We recently enabled TLS 1.1 and 1.2 on our TMG servers. After we enabled these new protocols, all of our iPhones could no longer connect to our Airwatch server. Our Android phones continued working. 

After some troubleshooting through the TMG, we see that with TLS 1.1/1.2 enabled, the iPhones no longer authenticate. The 'client username' shows anonymous. When we disable TLS 1.1/1.2, it authenticates with its AD credentials.

I have pasted the log entry showing an iPhone that could not connect. I sanitized the IPs, TMG name and Rule name.

Has anyone else seen anything similar?

Our TMGs are 2010, Service Pack 2 Rollup 3

The OS is Win2008 R2, SP1 Datacenter

Client Agent,Authenticated Client,Service,Referring Server,Destination Host Name,Transport,HTTP Method,Filter Information,MIME Type,Object Source,Cache Information,Error Information,Source Port,Session Type,Bidirectional,Network Interface,Raw IP Header,Raw Payload,Processing Time,Bytes Sent,Bytes Received,Original Client IP,GMT Log Time,Authentication Server,UAG Array Id,UAG Version,UAG Module Id,UAG Id,UAG Severity,UAG Type,UAG Event Name,UAG Session Id,UAG Trunk Name,UAG Service Name,UAG Error Code,Internal Service Info Log Field,Client Application SHA1 Hash,Client Application Trust State,Client Application Internal Name,Client Application Product Name,Client Application Product Version,Client Application File Version,Client Application Original File Name,Client FQDN,URL Categorization Reason,Forefront TMG Client Version,URL Destination Host Name,Log Time,Client IP,Destination IP,Destination Port,Protocol,Action,Overridden Rule,Server Name,NIS Scan Result,NIS Signature,NIS Application Protocol,Rule,Result Code,HTTP Status Code,Client Username,Source Network,Destination Network,URL,URL Category,Log Record Type,Malware Inspection Action,Malware Inspection Result,Threat Name,Threat Level,Content Delivery Method,Malware Inspection Duration (msec),NAT Address,Client Application Path
Apple-iPhone6C1/1201.405,Yes,Reverse Proxy,,,TCP,POST,Req ID: 0c7096ea ,,,0x0,0x203,23391,Web Proxy,,-,-,-,0,0,375,-,10/15/2014 19:27,,,0,,0,,,,,,,0,0,-,,-,-,-,-,-,-,,-,,10/15/2014 15:27,11.22.33.44,55.66.77.88,443,,Failed Connection Attempt,,TMG-server1,Inspected,,,RuleforAirwatch,,0x80090326 ,anonymous,,,,-,Web Proxy Filter,,,,,,0,-,-



  • Edited by BrianinNC Wednesday, October 15, 2014 9:14 PM
October 15th, 2014 9:13pm

Hi,

Since the Android phones work fine, I assume the configuration on the TMG server would be correct. You can check if the iOS version of the iPhone supports TLS 1.1/1.2.

In addition, the error code 0x80090326 means that the message received was unexpected or badly formatted. To better analyze the issue, you can also use Network Monitor to capture packets.

Best regards,

Susie


October 17th, 2014 4:23am
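
An added example (not part of the original posts): one way to tally failed TLS handshakes per client agent from a TMG web proxy log export like the one in the question, so the affected device types can be compared side by side. The sample rows are constructed and use a reduced subset of the post's columns; the function names are hypothetical.

```python
import csv
import io
from collections import Counter

# SSPI/Schannel status codes from winerror.h that indicate a failed handshake.
SCHANNEL_ERRORS = {
    0x80090326: "SEC_E_ILLEGAL_MESSAGE",     # the code in the post's log entry
    0x80090331: "SEC_E_ALGORITHM_MISMATCH",
}

def parse_code(value):
    """Return the integer for a '0x...' field, tolerating padding; else None."""
    value = (value or "").strip()
    if not value.lower().startswith("0x"):
        return None
    try:
        return int(value, 16)
    except ValueError:
        return None

def handshake_failures(log_text):
    """Count failed connection attempts per (client agent, Schannel error)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if (row.get("Action") or "").strip() != "Failed Connection Attempt":
            continue
        # In the post's export the code appears under "HTTP Status Code" with
        # a trailing space, so both columns are checked and values stripped.
        for column in ("Result Code", "HTTP Status Code"):
            code = parse_code(row.get(column))
            if code in SCHANNEL_ERRORS:
                agent = (row.get("Client Agent") or "").split("/")[0] or "(none)"
                counts[(agent, SCHANNEL_ERRORS[code])] += 1
                break
    return counts

# Constructed sample: column subset and values modelled on the post's entry.
SAMPLE = """Client Agent,Log Time,Client IP,Action,Rule,Result Code,HTTP Status Code,Client Username
Apple-iPhone6C1/1201.405,10/15/2014 15:27,11.22.33.44,Failed Connection Attempt,RuleforAirwatch,,0x80090326 ,anonymous
Apple-iPhone6C1/1201.405,10/15/2014 15:28,11.22.33.44,Failed Connection Attempt,RuleforAirwatch,,0x80090326 ,anonymous
ExampleAndroidAgent/1.0,10/15/2014 15:28,11.22.33.45,Allowed Connection,RuleforAirwatch,,200,user1@example.test
"""

if __name__ == "__main__":
    for (agent, error), n in handshake_failures(SAMPLE).items():
        print(f"{agent}: {error} x{n}")
```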
