Jamf Connect 2.14 Kerberos Issues

rbahena
New Contributor II

Hello,

We are seeing an issue where if the network on the mac changes Kerberos tickets disappear. I have to go to Jamf Connect and hit 'Connect'. I know this is a known issue but we are seeing it WAAAAAAY more now.

This is the PI: [PI009997] When integrated with a Kerberos realm, Jamf Connect does not consistently obtain Kerberos tickets when a network change occurs.

All my users are noticing it now even though we always keep Jamf Connect up to date with the latest version.

If my mac goes to sleep and I wake it up the Kerberos tickets get flushed. If I connect to a docking station with ethernet it gets flushed. If I connect to VPN it gets flushed. If I switch Wifi networks it gets flushed.

Anyone else seeing this?

9 REPLIES 9

DBrowning
Valued Contributor II

Maybe take a look at this preference key

dvasquez
Valued Contributor

Thank you for that info.

Our realm is set correctly.

But does the renew ticket preference need to be set (false) and is the default function to renew? 

 

dvasquez
Valued Contributor

@DBrowning apologies the question did not relate to the one being asked and the preference key being targeted. 

DBrowning
Valued Contributor II

Cache Tickets On Network Change

Determines whether a user's Kerberos tickets are cached or destroyed when a network status changes on computers. When enabled (set to true), computers will cache Kerberos tickets when a network change occurs. By default, this setting is disabled (set to false) and Kerberos tickets are destroyed during a network change.

<key>CacheTicketsOnNetworkChange</key>
<false/> 

rbahena
New Contributor II

@DBrowning This looks exactly like what I need! I am going to give this a try. It is interesting that this issue came up with Jamf Connect 2.14 though.

rbahena
New Contributor II

@DBrowning So far this seems to have resolved my issues except in 1 scenario. If I reboot my mac and try to go to a website that needs Kerberos i get the HTTP 401 error. I have to go to Jamf Connect Menu Bar and hit 'Connect' and then I can go to the site. Do you know if this is normal or not?

Thanks so much!

JoergR
New Contributor II

same issue here, all clients with 2.14 do not get a Kerberos ticket until "Connect" is manually triggered, then the behavior is normal. have been writing to support about this for over two weeks, so far no solution.
clients with 2.13 behave normally, we have stopped the distribution of the update.

rbahena
New Contributor II

Are you seeing this after a reboot only? The clients with 2.13 when you run command 'klist' in terminal do you see kerberos tickets? How about after a reboot?

dvasquez
Valued Contributor

The one thing I am seeing, in relation, is the timer out of sync for password changes. Some see a negative and some see a timer of 2 to 3 days till expiration after successfully changing the password. I have verified my Realm and all looks good. In prod, we are using 2.12 and in test dev, I am using 2.14 and I am ready to deploy soon and upgrade our env. Thoughts on going to 2.14?