Error: "Intermediate CA or Root CA Certificate Signature Verification Failed" on NetScaler Gateway

Article ID: CTX204139

Description

  • Enrollment and authentication work with the LDAP policy; however, devices cannot be enrolled using client certificate authentication (CBA).
  • Authentication is denied at NetScaler Gateway. With authentication disabled on NetScaler Gateway, the client certificate can be pushed to the device by a device credentials policy from XenMobile Server.
The following error logs are from the ns.log file:
SSLLOG SSL_HANDSHAKE_FAILURE 9998 0 :  SPCBId 7109 - ClientIP <Device IP> - ClientPort 63163 - VserverServiceIP 10.x.x.x - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "DES-CBC3-SHA SSLv2 Non-Export 168-bit" - CLIENT_AUTHENTICATION_FAILED - SerialNumber "160000000ED1FD5FCA6CECC91400000000000E" - Reason "Intermediate CA or Root CA Certficate Signature Verification Failed"
SSLLOG SSL_HANDSHAKE_FAILURE 10001 0 :  SPCBId 7109 - ClientIP 185.25.64.249 - ClientPort 63163 - VserverServiceIP 10.x.x.x - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "DES-CBC3-SHA SSLv2 Non-Export 168-bit" - Reason "Handshake failure-Internal Error"

Error in Secure Hub logs while trying to enroll a device:
"2015-12-11T16:14:06.534+0000","Secure Hub","WARNING   ( 3)","Cert:Failed to load AG client cert chain. /data/data/com.zenprise/ag.p12: open failed: ENOENT (No such file or directory)",8381,9938,Secure Hub,  ,  ,0

The root CA certificate was signed with the RSASSA-PSS signature algorithm, while the client certificates issued from it used sha256.

Resolution

Renewing the root CA certificate with the sha256 signature algorithm fixes the issue.
Note: According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1.


Problem Cause

  • The root CA certificate was signed with the RSASSA-PSS signature algorithm, while the client certificates issued from it used sha256.
  • The SSL handshake with NetScaler failed because of that signature algorithm.
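
To confirm this cause before renewing the CA, the signature algorithm of every certificate in the chain can be inspected. The following script is an added example written for this article, not a Citrix or NetScaler tool: it walks the outer Certificate SEQUENCE of each PEM certificate with a minimal DER reader (standard library only), decodes the signatureAlgorithm OID (RFC 5280 section 4.1) and flags RSASSA-PSS (OID 1.2.840.113549.1.1.10). The OID-to-name table is taken from RFC 3279, RFC 4055 and RFC 5758; the `fake_cert_pem` helper builds a constructed, structurally valid stand-in that is not a real certificate, so the example runs offline. In practice you would point it at the exported CA chain file instead.

```python
"""Report the signature algorithm of each PEM certificate in a chain and flag
RSASSA-PSS, the algorithm this article identifies as the cause of
"Intermediate CA or Root CA Certificate Signature Verification Failed".
Added example; standard library only.
"""
import base64
import re
import sys

# Assumed OID-to-name table (RFC 3279 / RFC 4055 / RFC 5758); names as OpenSSL prints them.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.10": "rsassaPss",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
RSASSA_PSS_OID = "1.2.840.113549.1.1.10"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn OID content octets into dotted-decimal form (base-128 arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                               # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (oid, name) of the outer signatureAlgorithm field of a DER certificate."""
    tag, cert, _ = read_tlv(der, 0)                    # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)                      # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, pos)               # signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_bytes, _ = read_tlv(alg_id, 0)            # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier missing OID")
    oid = decode_oid(oid_bytes)
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def check_chain(pem_text):
    """For each certificate: (index, oid, name, flagged); flagged is True for RSASSA-PSS."""
    results = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        der = base64.b64decode("".join(b64.split()))
        oid, name = signature_algorithm(der)
        results.append((i, oid, name, oid == RSASSA_PSS_OID))
    return results


# Constructed sample input: DER-encoded OIDs for the two algorithms in the article.
OID_RSASSA_PSS_DER = bytes.fromhex("06092a864886f70d01010a")
OID_SHA256_RSA_DER = bytes.fromhex("06092a864886f70d01010b")


def _tlv(tag, content):
    """Encode one short-form DER TLV (enough for the constructed sample)."""
    return bytes([tag, len(content)]) + content


def fake_cert_pem(oid_der):
    """Constructed stand-in: has the Certificate SEQUENCE shape but is NOT a real certificate."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))              # placeholder tbsCertificate
    alg = _tlv(0x30, oid_der + _tlv(0x30, b""))        # AlgorithmIdentifier with empty params
    sig = _tlv(0x03, b"\x00" * 17)                     # placeholder BIT STRING signature
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python check_chain.py chain.pem   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else (
        fake_cert_pem(OID_SHA256_RSA_DER) + fake_cert_pem(OID_RSASSA_PSS_DER))
    for idx, oid, name, flagged in check_chain(text):
        print(f"cert[{idx}] {name} ({oid}){'  <-- RSASSA-PSS, renew with sha256' if flagged else ''}")
```

The same field is what `openssl x509 -in ca.pem -noout -text` prints as "Signature Algorithm:", so the script and OpenSSL should agree; a CA certificate reported as rsassaPss is the one to renew with a sha256 (sha256WithRSAEncryption) signature before retrying client certificate enrollment.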

Issue/Introduction

Enrollment and authentication work with the LDAP policy; however, devices cannot be enrolled using client certificate authentication.