Solved

Kerberos SSO Extension

  • April 26, 2021
  • 10 replies
  • 75 views


Good morning,

I've been looking into ways to get away from AD binding and have had some mild success in testing the SSO extension with Kerberos. I've found that i'm successfully getting a ticket and the majority of functionality is working as intended.

However, I for the life of me have been unable to get it to prompt me to sync my local password with my AD password. I've created a brand new local account, and signed in via my AD account to the Kerberos app. I've tried this in Catalina and Big Sur to no avail. I've never been able to get that dialog to appear.

Anyone run into this and have any ideas on how to resolve?

Best answer by user-cCnXnCpGDx

So I after some painstaking, step by step work I was able to get it working. I'm really not sure if it was a conflicting setting or just a bad profile in general. I did indeed have the "Local Password Sync" option checked even in the very beginning.

I basically step by step, rebuilt the profile and tested each feature until it worked. Once I did that, I finally got the prompt to work. This was all using the built in Kerberos payload, not SSO with the identifiers and such. I really don't know what fixed it unfortunately.

10 replies

mm2270
  • Legendary Contributor
  • 7886 replies
  • April 26, 2021

You have the Local Password Sync option enabled in the Configuration Profile?


  • Valued Contributor
  • 148 replies
  • April 26, 2021

In the Guide it says:
"The Kerberos SSO extension can set the local account password to match a user’s Active Directory password. Enable this feature by setting “syncLocalPassword” to TRUE in the Custom Configuration section of your Kerberos SSO extension configuration profile."

so guessing you need to add a custom plist to the profile:

com.apple.AppSSOKerberos.KerberosExtension


  • Contributor
  • 636 replies
  • April 26, 2021

@SCCM The payload is available in the JP gui so no custom plist should be needed.


  • Author
  • New Contributor
  • 2 replies
  • Answer
  • April 26, 2021

So I after some painstaking, step by step work I was able to get it working. I'm really not sure if it was a conflicting setting or just a bad profile in general. I did indeed have the "Local Password Sync" option checked even in the very beginning.

I basically step by step, rebuilt the profile and tested each feature until it worked. Once I did that, I finally got the prompt to work. This was all using the built in Kerberos payload, not SSO with the identifiers and such. I really don't know what fixed it unfortunately.


  • Contributor
  • 15 replies
  • June 21, 2021

Hi @user-cCnXnCpGDx, I am working on setting up a configuration for Kerberos authentication. If possible, can you please share your configuration profile (screenshots)?

thanks


  • Contributor
  • 14 replies
  • September 21, 2021


Hi @user-cCnXnCpGDx, I'm trying to configure SSO Kerberos with a CAC card. Would you please provide me the steps on how to configure it?


  • Contributor
  • 14 replies
  • October 20, 2021


Hi @user-cCnXnCpGDx, I am getting the Extension Identifier error. Can you tell me what you typed here?

  • Author
  • New Contributor
  • 2 replies
  • October 20, 2021


I used the Kerberos function; I did not set up an extension identifier. I've since moved to Jamf Connect though.


  • Valued Contributor
  • 114 replies
  • February 10, 2023


Curious how you like Jamf Connect? We are getting ready to trial it and I'm going back and forth on Jamf Connect vs the Kerberos SSO extension.


  • Contributor
  • 636 replies
  • February 13, 2023


It all depends on your needs, but the two really don't serve the same purpose. Kerberos SSO is mainly used for AD or LDAP on-premises directory services and can only service already created local accounts. Jamf Connect is meant for those with an IdP like Okta, Azure, Google, etc. and can create a local account using that modern auth, plus some other features.

If your workforce is mobile or WFH, then Jamf Connect may be a good idea. If not, then, as above, use your own judgement if both types of services are available to you and pick what meets your needs the best.