I found that the issue was with how I was handling URLSession:didReceiveChallenge. I was only calling continueWithoutCredentialForAuthenticationChallenge. What I did to get it to work was to call the completionHandler with a credential:

SecTrustRef serverTrust = [[challenge protectionSpace] serverTrust]; ASSERT(nil != serverTrust); NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust]; completionHandler(NSURLSessionAuthChallengeUseCredential, credential);

You need to understand what your ATS settings are allowing your app to do.

NSAllowsArbitraryLoads being set to true allows you connect to any server over HTTP. So feel free to attempt to load data from any URL with the http scheme.

Your exception domain setting (assuming that your "mydomain.net" is a placeholder for the actual value) will allow you to connect to any subdomain (because NSIncludesSubdomains is true) of "mydomain.net" using:

1. HTTP (because you have NSTemporaryExceptionAllowsInsecureHTTPLoads set to true)
   • or -
2. An HTTPS connection that supports all the requirements of ATS except forward secrecy (because you have only set NSThirdPartyExceptionRequiresForwardSecrecy to true)

First, verify you can connect to the URL you are attempting to connect to from Safari on the device in question (in this case, the simulator). Safari does not enforce ATS requirements, so you can see if it is ATS related. If you cannot access the URL, it is related to the connection. This could be server being unreachable, or it could be a problem with the certificate for a secure connection. If this is the problem, you can probably get rid of any ATS exceptions you added trying to resolve the issue.

If you can connect to the resource, try to verify what ATS requirements are not being met so you can add the appropriate exceptions. In the Terminal on your Mac, run the following to get a report on the server's compliance with ATS rules:

nscurl --ats-diagnostics <url>   

This will tell you if the server doesn't support forward secrecy, or if the TLS version is too low. Then you can add the specific ATS exceptions for that domain.

I still believe that there is another problem, as ATS errors in the log are usually very clear. Your error seems like a general connectivity problem. You mention having your Mac connected to a VPN. Does your VPN require you to use an HTTP/HTTPS proxy? If so, I have had problems with the simulator trying to use the mac's proxy when the proxy requires certain types of authentication. If your http proxy requires authentication, you might try standing up something like Charles Proxy as an intermediary. i.e. setup Charles Proxy to authenticate to your company's proxy, then point the Mac / simulator to use the local Charles proxy which should be configured to not need authentication.