
Password Synchronization & ADFS Single Sign-On Issues (Platform SSO + Kerberos SSO Extension)

  • November 5, 2025
  • 3 replies
  • 187 views


Hi everyone,

We’re currently testing Platform SSO (Secure Enclave) in combination with the Kerberos Single Sign-On Extension on our Macs (managed via Jamf Pro).

Since enabling Platform SSO, we’ve encountered issues with password synchronization as well as Single Sign-On authentication for ADFS-based web applications.

 

As soon as Platform SSO is enabled, users receive the following prompt either after some time or following a reboot:

Password Synchronization
Verify your Active Directory and Mac passwords. If they do not match, your Mac password will be synced.

 

The passwords are identical (local macOS login = AD password). However, this prompt appears repeatedly — and only when Platform SSO is active.

 

Additionally, our ADFS-based web applications (intranet portals, internal sites) no longer perform automatic Single Sign-On once Platform SSO is active.

I’ve tested this behavior in multiple browsers (Safari, Chrome, Edge, and Firefox), and in all cases, users are prompted to sign in manually.

When Platform SSO is disabled, Kerberos/ADFS Single Sign-On works perfectly again.

 

Has anyone else experienced the same behavior or found a working solution to run Platform SSO and the Kerberos Single Sign-On Extension together without:

  • macOS repeatedly triggering the password synchronization prompt, and
  • ADFS WebApps losing Kerberos/Single Sign-On functionality?

Any insights, configuration tips, or best practices would be greatly appreciated!

 

Thank you 🙏

3 replies

gmihailo
  • Contributor
  • February 13, 2026

Safari for me works seamlessly. 

Edge is not working with any of our ADFS based apps.

I’ve triple-checked the AuthServerAllowlist and AuthNegotiateDelegateAllowlist in our Edge profile, and they should cover everything (before Platform SSO it just worked).

 

I’ve explored various combinations of keys, as suggested below:

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!-- Extension Data dictionary of the Extensible Single Sign-On payload;
     these keys are read by the Microsoft Enterprise SSO extension -->
<dict>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <!-- bundle-id prefixes that are allowed to use SSO -->
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.edge,com.microsoft.</string>
    <key>Enable_SSO_On_All_ManagedApps</key>
    <string>1</string>
    <key>disable_explicit_app_prompt</key>
    <string>1</string>
</dict>
</plist>


All this to say, Edge is still not working with ADFS-based apps.

I was wondering if you got any further or have any new insights? If anyone has been able to resolve ADFS-related issues with Platform SSO and Edge, please helpppppppppppp :)


  • Author
  • New Contributor
  • February 13, 2026


Try using the key custom_tgt_setting with the value 3. It should work afterward:

  • Key: custom_tgt_setting
  • Type: Integer
  • Value: 3

https://learn.microsoft.com/en-us/entra/identity/devices/device-join-macos-platform-single-sign-on-kerberos-configuration

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<!-- Extension Data dictionary of the Extensible Single Sign-On payload,
     with custom_tgt_setting added (Integer, value 3) -->
<dict>
    <key>browser_sso_interaction_enabled</key>
    <integer>1</integer>
    <key>AppPrefixAllowList</key>
    <string>com.microsoft.edge,com.microsoft.</string>
    <key>Enable_SSO_On_All_ManagedApps</key>
    <string>1</string>
    <key>disable_explicit_app_prompt</key>
    <string>1</string>
    <key>custom_tgt_setting</key>
    <integer>3</integer>
</dict>
</plist>

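Whether the keys shown in this reply and in the earlier one reach the Mac as intended depends on each key being present with the right type, which is easy to get wrong when pasting into a Jamf profile. The following Python script is an added example written for this thread, not code from the posts or from Microsoft or Jamf: it parses an Extension Data plist and flags missing keys, wrong types and malformed AppPrefixAllowList entries; custom_tgt_setting is Integer per the linked article, while the other expected types are an assumption taken from Microsoft's Enterprise SSO plug-in documentation.

```python
import plistlib

# custom_tgt_setting is Integer per the thread and the linked Microsoft article;
# the other types are assumed from Microsoft's Enterprise SSO plug-in docs (verify).
EXPECTED_TYPES = {
    "browser_sso_interaction_enabled": int,
    "disable_explicit_app_prompt": int,
    "Enable_SSO_On_All_ManagedApps": int,
    "AppPrefixAllowList": str,
    "custom_tgt_setting": int,
}

def validate_extension_data(plist_bytes: bytes) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML, wrong root element, etc.
        return [f"plist does not parse: {exc}"]
    if not isinstance(data, dict):
        return ["top-level object is not a <dict>"]
    findings = []
    for key, expected in EXPECTED_TYPES.items():
        if key not in data:
            findings.append(f"{key}: missing")
        elif not isinstance(data[key], expected):
            findings.append(f"{key}: expected {expected.__name__}, "
                            f"got {type(data[key]).__name__} ({data[key]!r})")
    # The prefix list is one comma-separated string; stray whitespace or an
    # empty entry is unlikely to match any bundle identifier, so flag it.
    prefixes = data.get("AppPrefixAllowList")
    if isinstance(prefixes, str):
        for item in prefixes.split(","):
            if not item or item != item.strip():
                findings.append(f"AppPrefixAllowList: malformed entry {item!r}")
    return findings

# Constructed sample: the thread's keys with custom_tgt_setting=3 applied
# and every numeric flag typed as <integer>.
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>browser_sso_interaction_enabled</key><integer>1</integer>
<key>AppPrefixAllowList</key><string>com.microsoft.edge,com.microsoft.</string>
<key>Enable_SSO_On_All_ManagedApps</key><integer>1</integer>
<key>disable_explicit_app_prompt</key><integer>1</integer>
<key>custom_tgt_setting</key><integer>3</integer>
</dict></plist>"""

if __name__ == "__main__":
    print("\n".join(validate_extension_data(SAMPLE_OK) or ["OK: nothing flagged"]))
```

Run it against the Extension Data dictionary exported from the Jamf profile before scoping the profile to users; a finding such as "expected int, got str" points at a value that was pasted as a string.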
 


gmihailo
  • Contributor
  • February 15, 2026


If you disable TGT mapping, though, that means you must still have some on-prem Kerberos tickets being generated, right? So that would mean you are still reliant on passwords to get a TGT on-prem?

For us, unfortunately, this will not be a suitable path, as our goal is a passwordless future and, with some luck, Cloud Kerberos.

 

I am glad this has worked for your scenario however :)