Anyone deploying Outlook 2011 using Kerberos auth?

Mbentley777
Contributor

Is anyone out there using Kerberos authentication in order to setup Outlook 2011?

11 REPLIES

Yoshimi
New Contributor II

We are testing this. Kerberization seems to work OK, we have other issues in our environment preventing us from going to Outlook 2011.

Mbentley777
Contributor

We've tried to use it in our environment - but have run into issues, and aren't really sure how to proceed with getting support from MS to run through a configuration verification.

We're using Centrify for our AD plugin - but login and connection to File Shares seems to work as expected.

As far as testing the Outlook client, we're not really sure what direction to go in...

bentoms
Release Candidate Programs Tester

Works fine for me.

Exchange 2010, Outlook 2011, 10.6.x/10.7.x & native ad plugin.

Nothing special needed to setup. Macs are joined to AD, all servers are a part of the same Kerberos realm & all clients point to the same NTP.

Does Autodiscover work correctly for you guys?

FWIW though, we do not use this as most macs are MacBooks & as such we have a lot of out of office workers. So all use the owa address & can connect off the LAN without VPN.

ericbenfer
Contributor III

According to Microsoft AutoDiscover and Kerberos do not work properly together.
When I asked about it I found out that even in their tech support environment, MS does not use kerberos for Mac Outlook.

talkingmoose
Moderator

Kerberos won't work externally to a network but in a closed lab situation I've been able to make it work with Autodiscover. Unfortunately, real world network environments are often far from lab settings and I'm in the camp where we can't use Kerberos either. That's not because of Microsoft issues but rather our own network support staff.

I have no idea whether Microsoft uses Kerberos in its environment but I'd be curious to know where you heard it doesn't work with Autodiscover.

FDA
New Contributor

Is there a way to script the selection of the sole Kerberos identity in order to automate adding an exchange account for smart card users?

talkingmoose
Moderator

Only via AppleScript:

tell application "Microsoft Outlook"
    set use kerberos authentication of exchange account 1 to true
    set principal of exchange account 1 to "marty@talkingmoose.pvt"
end tell

FDA
New Contributor

Thanks,

Can that be combined with your Office 2011 setup script to read the kerberos identity from the username and kerberos realm so it will work for all AD users?

talkingmoose
Moderator

I've got a Kerberos section in the script already but it pieces together the principal name from different components. A better way, which I'll add to my next script update would be to get it directly from Active Directory itself via dscl:

dscl "/Active Directory/DOMAIN/All Domains" -read /Users/marty dsAttrTypeNative:userPrincipalName | awk '{print $2}'

My suggestion for now is to add this line to the "Begin email address properties" section of the script:

if getEMailAddressUsingDSCL is true and systemVersion < "10.7" then

    -- DSCL lookups for Mac OS X 10.6 and earlier (the inner quotes are escaped for do shell script)
    set emailAddress to do shell script "dscl \"/Active Directory/All Domains/\" -read /Users/" & shortName & " EMailAddress | awk '{print $2}'"
    set firstName to do shell script "dscl \"/Active Directory/All Domains/\" -read /Users/" & shortName & " FirstName | awk '{print $2}'"
    set lastName to do shell script "dscl \"/Active Directory/All Domains/\" -read /Users/" & shortName & " LastName | awk '{print $2}'"
    -- added line: read the Kerberos principal straight from the AD userPrincipalName attribute
    set principalName to do shell script "dscl \"/Active Directory/All Domains/\" -read /Users/" & shortName & " dsAttrTypeNative:userPrincipalName | awk '{print $2}'"

    -- DSCL lookups for Mac OS X 10.7 and higher

else if getEMailAddressUsingDSCL is true and systemVersion ≥ "10.7" then

    -- get the domain's primary NetBIOS domain name

    set netbiosDomain to do shell script "dscl \"/Active Directory/\" -read / SubNodes | awk '{print $2}'"

    set emailAddress to do shell script "dscl \"/Active Directory/" & netbiosDomain & "/All Domains/\" -read /Users/" & shortName & " EMailAddress | awk '{print $2}'"
    set firstName to do shell script "dscl \"/Active Directory/" & netbiosDomain & "/All Domains/\" -read /Users/" & shortName & " FirstName | awk '{print $2}'"
    set lastName to do shell script "dscl \"/Active Directory/" & netbiosDomain & "/All Domains/\" -read /Users/" & shortName & " LastName | awk '{print $2}'"
    -- added line: read the Kerberos principal straight from the AD userPrincipalName attribute
    set principalName to do shell script "dscl \"/Active Directory/" & netbiosDomain & "/All Domains/\" -read /Users/" & shortName & " dsAttrTypeNative:userPrincipalName | awk '{print $2}'"

And then change this part later in the script:

if useKerberos is true then
    set use kerberos authentication of newExchangeAccount to useKerberos
    -- changed line: use the principal read from AD instead of one pieced together from components
    set principal of newExchangeAccount to principalName
end if

Take that for a spin and see if it works as you expect. Be sure to set the Kerberos property at the top of the script to "true". I tested the additions individually but not in the overall context of the script.

FDA
New Contributor

I'm having some issues with just selecting the only Kerberos identity available. When it puts the name together using the script, it does not work even though the only difference is lowercase letters. I'm prompted for a Kerberos password which doesn't exist due to users logging in with smart cards.

Oh and no dscl in my environment
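Editor's added example, not code from the thread or from talkingmoose's setup script: a small shell function that derives the value for Outlook's principal field from the AD userPrincipalName (the dscl lookup above) and from the realm of the ticket the user already holds, for the two situations raised in the thread, a principal built from components that differs from the ticket only in case, and an environment with no dscl at all. Kerberos principal names are case-sensitive, and the realm of an AD ticket is written in uppercase in the ticket cache, so a lowercase UPN suffix and the ticket realm are not the same principal; the function therefore prefers the realm from the existing ticket (which a smart-card logon also produces) and only falls back to uppercasing the UPN suffix when there is no ticket yet. The dscl and klist commands in the comments, the NetBIOS name DOMAIN and the user marty are assumptions; the inputs at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread). Derive user@REALM for the
# Outlook "principal" property. Live inputs would come from, assumed here:
#   upn=$(dscl "/Active Directory/DOMAIN/All Domains" -read "/Users/$USER" \
#           dsAttrTypeNative:userPrincipalName | awk '{print $2}')
#   tgt=$(klist 2>/dev/null | awk '/Principal:/ {print $NF}')
# DOMAIN is the NetBIOS domain name; klist is assumed to print a
# "Principal: user@REALM" line for the cached TGT, as Heimdal's does.

# Uppercase a string. Realm names are case-sensitive and AD realms are
# uppercase in the ticket cache, so case is normalised deliberately.
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# kerberos_principal SHORTNAME UPN TGT_PRINCIPAL
# Prints user@REALM and returns 0; returns 1 when neither a UPN suffix nor a
# ticket realm is available. Warns on stderr when the UPN suffix is not the
# ticket realm (an alternate UPN suffix), because a principal assembled from
# the UPN alone would then never match the ticket.
kerberos_principal() {
  short="$1"; upn="$2"; tgt="$3"

  case "$upn" in
    *@*) user="${upn%%@*}"; upn_suffix="${upn#*@}" ;;
    *)   user="$short";     upn_suffix="" ;;
  esac

  case "$tgt" in
    *@*) realm="${tgt#*@}" ;;
    *)   realm="" ;;
  esac

  # No ticket yet: fall back to the UPN suffix in uppercase.
  if [ -z "$realm" ]; then
    realm="$(upper "$upn_suffix")"
  fi
  if [ -z "$realm" ]; then
    echo "kerberos_principal: no UPN suffix and no ticket realm for $short" >&2
    return 1
  fi

  if [ -n "$upn_suffix" ] && [ "$(upper "$upn_suffix")" != "$realm" ]; then
    echo "warning: UPN suffix $upn_suffix differs from ticket realm $realm; using the realm" >&2
  fi

  printf '%s@%s\n' "$user" "$realm"
}

# Constructed inputs standing in for the dscl and klist output above.
# 1. UPN from dscl and a ticket from a smart-card logon, differing only in case.
kerberos_principal marty marty@talkingmoose.pvt marty@TALKINGMOOSE.PVT
# 2. No dscl available: the ticket alone is enough.
kerberos_principal marty "" marty@TALKINGMOOSE.PVT
# 3. No ticket yet: uppercase the UPN suffix.
kerberos_principal marty marty@talkingmoose.pvt ""
```

The value this prints is the one to compare against what the AppleScript pieces together; if the two differ only in the case of the realm, that alone explains the password prompt, since the ticket in the cache belongs to the uppercase principal.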

alexjdale
Valued Contributor III

Like others have mentioned, we don't use Kerberos for Exchange or Lync because those services are available externally while Kerberos is not.