Jamf Connect 2.0.1 password expires count issue

shrisivakumaran
Contributor

We have tested Jamf Connect with Okta for password sync on Mac with the network password. It goes well except for the password expiration count. It does not refresh immediately after the password is changed. It took some time (nearly 45 minutes), or we need to log out of the Mac and log back in (if on the company network) or reconnect the VPN (if outside the company network).

Is there any command to update the count after a password change? We are using Kerberos here.

Shri Sivakumaran
7 REPLIES

kyle_wickert
New Contributor II

I have the same issue, did you find a command that works?

shrisivakumaran
Contributor

Not yet. I believe it is designed that way. To update it, we need to reconnect to the VPN or wait until the Kerberos ticket updates.

Shri Sivakumaran

DBrowning
Valued Contributor II

@kyle.wickert @shrisivakumaran By design, the countdown comes from Kerberos. So after a password change, you'll need to connect on-prem or via VPN to get a new Kerberos ticket. What should work, but I've seen issues with, is that after getting an initial Kerberos ticket and then not connecting to VPN or on-prem, the countdown should still work. But I've seen where it will only update if you do one of the following:
1) Kill the Jamf Connect process and relaunch the app
2) Open the Preferences window and close it
3) Reboot your computer (works sometimes)

kyle_wickert
New Contributor II

@DBrowning Thanks for your response. I have tried all those steps and I am aware of the need to be connected to the VPN. What seems to be the issue with the growing number of systems in my environment is that even if I am connected to the VPN and execute the password change, it will not default to Kerberos because it will not acquire the tickets. This also means that when they change the password using the Okta connector, it will not update the counter. I have tried the command "open jamfconnect://gettickets" and that does not help to get the ticket or update the counter either. I've killed the process, rebooted and reconnected to the VPN with no luck. At this point the Kerberos ticket is not working at all, and it is random which systems it does work for.

DBrowning
Valued Contributor II

@kyle.wickert take a look at your com.apple.Kerberos file as well. We were having an issue where that file was pointing to a DC that no longer existed. You can read the file using defaults read com.apple.Kerberos

kyle_wickert
New Contributor II

@DBrowning I finally found out what was blocking the connection. When running the cmd you provided, there were no realms defined. However, in the Jamf Connect config I was defining it. I also deployed a fix for that a while ago, which was to deploy a script with code like:

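#!/bin/sh

# Write a minimal krb5.conf that sets the default realm (DOMAIN is the realm name).
# tee does the write as root; with "sudo cat > file" the redirect is opened by the
# calling shell, so sudo has no effect on it.
sudo tee /etc/krb5.conf > /dev/null <<- "EOF"
[libdefaults]
default_realm=DOMAIN
EOF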

This fixed the file to have the domain, but it still wouldn't get tickets. I then figured out that there were a bunch of stale tickets blocking new requests. To fix that, I opened Finder -> Go -> Go to Folder, navigated to /System/Library/CoreServices/ and opened the application Ticket Viewer. I removed a bunch of stale identities and made a new ticket request. Once I did that, I was able to see the password expiration count and even retrieve certs.

Thanks - Kyle
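
An added example, not from any poster in this thread and not Jamf's own tooling: a shell check for the two conditions diagnosed above, a krb5.conf with no default realm and the state of the cached tickets. The function names are hypothetical, and `klist -A` is assumed to be on the PATH to list cached tickets from the command line.

```shell
#!/bin/sh
# Added example: report the Kerberos default realm and any cached tickets.

# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
# Returns 1 when the file is unreadable or no realm is defined there.
krb5_default_realm() {
    conf="$1"
    [ -r "$conf" ] || return 1
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header: track scope
            in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/)
            next
        }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")            # drop key and separator
            sub(/[ \t]+$/, "")                  # drop trailing whitespace
            if ($0 != "") { print; found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$conf"
}

# Summarise what the thread troubleshoots: is a realm set, are tickets cached.
kerberos_report() {
    conf="${1:-/etc/krb5.conf}"
    if realm=$(krb5_default_realm "$conf"); then
        echo "default_realm: $realm"
    else
        echo "default_realm: NOT DEFINED in $conf"
    fi
    if command -v klist >/dev/null 2>&1; then
        # Lists every credential cache; stale entries show up here as well.
        klist -A 2>/dev/null || echo "tickets: none cached"
    fi
}

# Usage: sh check.sh [path-to-krb5.conf]
kerberos_report "$@"
```

If the report shows stale tickets, `kdestroy -A` clears all credential caches from the command line so a new ticket request starts clean.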

rpuente
New Contributor

For Ventura, the path to "Ticket Viewer" changed to the following...

/System/Library/CoreServices/Applications/Ticket Viewer.app