Posted on 08-17-2022 08:17 PM
Hello,
We are seeing an issue where, if the network on the Mac changes, Kerberos tickets disappear. I have to go to Jamf Connect and hit 'Connect'. I know this is a known issue but we are seeing it WAAAAAAY more now.
This is the PI: [PI009997] When integrated with a Kerberos realm, Jamf Connect does not consistently obtain Kerberos tickets when a network change occurs.
All my users are noticing it now even though we always keep Jamf Connect up to date with the latest version.
If my Mac goes to sleep and I wake it up, the Kerberos tickets get flushed. If I connect to a docking station with Ethernet, it gets flushed. If I connect to VPN, it gets flushed. If I switch Wi-Fi networks, it gets flushed.
Anyone else seeing this?
Posted on 08-18-2022 05:15 AM
Maybe take a look at this preference key
Posted on 08-18-2022 09:01 AM
Thank you for that info.
Our realm is set correctly.
But does the renew ticket preference need to be set (false) and is the default function to renew?
Posted on 08-18-2022 09:13 AM
@DBrowning apologies, the question did not relate to the one being asked and the preference key being targeted.
Posted on 08-18-2022 09:13 AM
Cache Tickets On Network Change
Determines whether a user's Kerberos tickets are cached or destroyed when a network status changes on computers. When enabled (set to true), computers will cache Kerberos tickets when a network change occurs. By default, this setting is disabled (set to false) and Kerberos tickets are destroyed during a network change.
<key>CacheTicketsOnNetworkChange</key> <false/>
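A way to check which behaviour a given settings payload will produce, following the description of CacheTicketsOnNetworkChange above. This is an added example, not part of the original posts and not Jamf's code; the sample payloads are constructed, and the nesting under a `Kerberos` dictionary and the realm `EXAMPLE.COM` are assumptions.

```python
import plistlib

KEY = "CacheTicketsOnNetworkChange"
KERBEROS_DICT = "Kerberos"  # assumption: the key may be nested in this dictionary


def effective_setting(plist_bytes):
    """Return (behaviour, note) for one settings payload."""
    prefs = plistlib.loads(plist_bytes)
    if not isinstance(prefs, dict):
        raise ValueError("payload root must be a dictionary")
    # Look in the assumed Kerberos dictionary first, then at the top level.
    for scope in (prefs.get(KERBEROS_DICT), prefs):
        if isinstance(scope, dict) and KEY in scope:
            value = scope[KEY]
            if value is True:
                return "cache", "explicitly set to true"
            if value is False:
                return "destroy", "explicitly set to false"
            # e.g. <string>true</string> or <integer>1</integer>: not a boolean
            kind = type(value).__name__
            return "unknown", f"wrong type {kind}; use <true/> or <false/>"
    # Per the description above: disabled by default, tickets are destroyed.
    return "destroy", "key absent; documented default is false"


def _plist(body):
    head = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
    return head + body + b"</dict></plist>"


# Constructed sample payloads (not taken from the thread).
REALM = b"<key>Realm</key><string>EXAMPLE.COM</string>"
SAMPLES = {
    "caching enabled": _plist(
        b"<key>Kerberos</key><dict>" + REALM
        + b"<key>CacheTicketsOnNetworkChange</key><true/></dict>"),
    "key not set": _plist(b"<key>Kerberos</key><dict>" + REALM + b"</dict>"),
    "mistyped value": _plist(
        b"<key>Kerberos</key><dict>"
        b"<key>CacheTicketsOnNetworkChange</key><string>true</string></dict>"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        behaviour, note = effective_setting(payload)
        print(f"{name}: tickets on network change -> {behaviour} ({note})")
```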
Posted on 08-18-2022 11:13 AM
@DBrowning This looks exactly like what I need! I am going to give this a try. It is interesting that this issue came up with Jamf Connect 2.14 though.
Posted on 08-18-2022 11:22 AM
@DBrowning So far this seems to have resolved my issues except in 1 scenario. If I reboot my Mac and try to go to a website that needs Kerberos, I get the HTTP 401 error. I have to go to the Jamf Connect menu bar and hit 'Connect' and then I can go to the site. Do you know if this is normal or not?
Thanks so much!
Posted on 08-22-2022 09:26 AM
Same issue here. All clients with 2.14 do not get a Kerberos ticket until "Connect" is manually triggered; then the behavior is normal. We have been writing to support about this for over two weeks, so far no solution.
Clients with 2.13 behave normally; we have stopped the distribution of the update.
Posted on 08-22-2022 10:19 AM
Are you seeing this after a reboot only? On the clients with 2.13, when you run the command 'klist' in Terminal, do you see Kerberos tickets? How about after a reboot?
Posted on 08-18-2022 08:59 AM
The one thing I am seeing, in relation, is the timer out of sync for password changes. Some see a negative and some see a timer of 2 to 3 days till expiration after successfully changing the password. I have verified my Realm and all looks good. In prod, we are using 2.12 and in test dev, I am using 2.14 and I am ready to deploy soon and upgrade our env. Thoughts on going to 2.14?