ADmit Mac is this a good product?

NealIV
Contributor

Hey everyone, I am getting to the point where our CTO wants things such as Citrix Receiver, Outlook, File Shares, Safari, etc. to use single sign-on/Kerberos, and even though some of these are configured to generate a ticket, others are not. Someone introduced me to the ADmitMac website and I have been reading up on it. Do you still use it in your environment? Should I just see if the application owners from my job make Kerberos available on their application?

Thanks

1 ACCEPTED SOLUTION

alexjdale
Valued Contributor III

I don't know how you could make that work if the applications themselves are not kerberized. I hope your CTO is not pushing an infrastructure problem onto the client team to resolve.

Regarding Outlook, if you make it available over the general Internet, Kerberos won't work in those scenarios. We didn't even bother with Kerberos on Outlook/Lync for that reason. We do use it for Safari, Chrome, and Firefox (where the app supports Kerberos) as well as file shares.

I recommend looking into an SSO solution like Ping. We leverage it for SSO via the Kerberos tickets that our Mac users get natively through the OS X AD plugin. It also allows your app owners to support SSO much more easily.


5 REPLIES

franton
Valued Contributor III

I can't vouch for how good it is, but I can vouch for HOW FREAKIN EXPENSIVE it is ...

I mean, even with edu discount it's like ... wow!

RobertHammen
Valued Contributor II

^^Spot on^^ (making an infrastructure issue into a client issue).

I've used products like DAVE and ADmit Mac in the 10.6.8 and earlier days. They worked OK, but the advent of better AD binding, better SMB (i.e. DFS support) and tools like Casper has pretty much precluded it, and most orgs that I know that were using these tools no longer are.

Yes, you most definitely want to make sure your applications are Kerberized appropriately (i.e. Outlook over Internet example above). Changing binding or clients isn't going to help this.

bentoms
Release Candidate Programs Tester

@NealIV, I've never used ADmitMac etc., always the built-in AD bind.

As you mentioned in your post, some services are not offering a Kerberos ticket. Get that fixed, and with the Macs on the same domain and a domain user logged in, it should work.

I've had a few similar challenges with things like SharePoint or Project Server. Kerberizing both of them and then connecting to them with a Mac bound to the same domain with a domain user has worked.

However, as @alexjdale mentions, some services which can be kerberized might not work well in some use cases.

joshuasee
Contributor III

We used it, but it was a major headache, to the point where student workers were refusing to install it on new computers since they knew it was likely to produce an "I can't login" call. It was abandoned when I found an obscure firewall setting for the domain controller that allowed the native AD client to work.