3 weeks ago - last edited 3 weeks ago
example.com
*.example.com
kkdcp://login.microsoftonline.com/example.com/kerberos
User Configuration:
{
"_credential" : "OiMGvp/SXAg1pbiSl+i2MIOa3+CC2mQtTWMR+4UDb10=",
"created" : "2024-08-21T22:49:15Z",
"kerberosStatus" : [
{
"cacheName" : "CF6E8641-C7B3-4C88-8CD5-C6869AF9FB37",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "edith.mackenzie\\@example.com@KERBEROS.MICROSOFTONLINE.COM"
}
],
Credentials cache: API:CF6E8641-C7B3-4C88-8CD5-C6869AF9FB37
Principal: edith.mackenzie\@example.com@KERBEROS.MICROSOFTONLINE.COM
Issued Expires Principal
Aug 21 15:46:39 2024 Aug 22 01:46:39 2024 krbtgt/KERBEROS.MICROSOFTONLINE.COM@KERBEROS.MICROSOFTONLINE.COM
User Configuration:
{
"_sepKeyData" : "d1lWYliNCcHGsUGlC4qtWmTqEX54gI9onPWY7j7p90s=",
"created" : "2024-08-29T15:37:51Z",
"kerberosStatus" : [
{
"cacheName" : "234C022D-BA26-4A3C-8003-72D18083C66E",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "EXAMPLE.COM",
"ticketKeyPath" : "tgt_ad",
"upn" : "tjones@EXAMPLE.COM"
},
{
"cacheName" : "DA6418E8-1C24-4391-ACA0-CE6C4FC47E34",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "tjones\\@example.com@KERBEROS.MICROSOFTONLINE.COM"
}
],
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>ExtensionData</key>
<dict>
<key>allowPasswordChange</key>
<true/>
<key>allowPlatformSSOAuthFallback</key>
<true/>
<key>performKerberosOnly</key>
<true/>
<key>preferredKDCs</key>
<array>
<string>kkdcp://login.microsoftonline.com/example.com/kerberos</string>
</array>
<key>pwReqComplexity</key>
<true/>
<key>syncLocalPassword</key>
<true/>
<key>usePlatformSSOTGT</key>
<true/>
</dict>
<key>ExtensionIdentifier</key>
<string>com.apple.AppSSOKerberos.KerberosExtension</string>
<key>Hosts</key>
<array>
<string>example.com</string>
<string>*.example.com</string>
<string>windows.net</string>
<string>*.windows.net</string>
<string>KERBEROS.MICROSOFTONLINE.COM</string>
<string>MICROSOFTONLINE.COM</string>
<string>*.MICROSOFTONLINE.COM</string>
</array>
<key>PayloadDisplayName</key>
<string>Single Sign-On Extensions Payload</string>
<key>PayloadIdentifier</key>
<string>6189731E-7372-4403-9E67-77D9C4C41C18</string>
<key>PayloadOrganization</key>
<string>JAMF Software</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>6189731E-7372-4403-9E67-77D9C4C41C18</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Realm</key>
<string>EXAMPLE.COM</string>
<key>TeamIdentifier</key>
<string>apple</string>
<key>Type</key>
<string>Credential</string>
<key>URLs</key>
<array/>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Microsoft Platform Single Sign-On (PSSOe) - Kerberos Settings for on-premises resources</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>31D2B4FD-0A8A-433A-9CFA-52ACE618F684</string>
<key>PayloadOrganization</key>
<string>Your Organization Name Here</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>31D2B4FD-0A8A-433A-9CFA-52ACE618F684</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
3 weeks ago
Hi, I am getting exchange required value true in Terminal. What may be the mistake?
3 weeks ago
I'm afraid I do not understand the question. Could you perhaps screenshot or copy / paste what you are typing in Terminal? Just as an FYI: Jamf support will not be able to help you with Kerberos SSO issues; we're just pushing the payload for your servers to the device. You may need to reach out to AppleCare and Microsoft Support for additional help.
3 weeks ago - last edited 3 weeks ago by Mitchell_Gordon
User Configuration:
{
"_sepKeyData" : "5JNzOkLWbDRdsaUP+uY7cs7CKGv+gpQodSyQkszfabo=",
"created" : "2024-08-28T16:11:56Z",
"kerberosStatus" : [
{
"cacheName" : "9D98E79A-7AE0-4674-9D6B-D3A68FEAC477",
"exchangeRequired" : true,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "WB.AD.WORLDBANK.ORG",
"ticketKeyPath" : "tgt_ad",
"upn" : "wb573798@WB.AD.WORLDBANK.ORG"
},
{
"cacheName" : "EF9B1C8B-2F3B-485D-8754-6253CA6ABA36",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "jsampathjeyakuma\\@worldbankgroup.org@KERBEROS.MICROSOFTONLINE.COM"
}
],
"lastLoginDate" : "2024-08-28T12:30:54Z",
"loginType" : "POLoginTypeUserSecureEnclaveKey (2)",
"state" : "POUserStateNormal (0)",
"uniqueIdentifier" : "434FE9F2-EF2B-4E67-86F0-FAFC1F2BC073",
"userLoginConfiguration" : {
"created" : "2024-08-28T16:11:56Z",
"loginUserName" : "j***a@worldbankgroup.org"
},
"version" : 1
}
SSO Tokens:
Received:
2024-08-28T12:30:54Z
Expiration:
2024-09-11T12:30:53Z (Not Expired)
3 weeks ago - last edited 3 weeks ago
That appears to be a valid Kerberos status according to the Microsoft documentation found at https://learn.microsoft.com/en-us/entra/identity/devices/device-join-macos-platform-single-sign-on-k...
3 weeks ago
Log in.
Find the post.
Click the down arrow in the upper right corner of the reply you posted with the Kerb ticket. Hit "Edit Reply".
Remove any personally identifiable information and hit "Reply" at the bottom to save.
3 weeks ago - last edited 3 weeks ago by Mitchell_Gordon
Sorry, I am not getting the edit option.
3 weeks ago
Our friends on the Jamf Nation admin team took care of it for you.
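Before `app-sso platform -s` output is pasted into a public thread like this one, the identifying values can be scrubbed while the status flags stay readable. The script below is an added example, not code from any poster or from Jamf, Apple or Microsoft; the set of keys it scrubs and the sample text are assumptions modelled on the output shown above.

```python
import json

# Keys whose values identify a user, tenant, device or key. The key names come
# from the output on this page; which ones to scrub is this example's assumption.
SENSITIVE = {"upn", "realm", "loginUserName", "uniqueIdentifier",
             "cacheName", "_sepKeyData", "_credential"}
LABEL = "User Configuration:"

# Constructed sample modelled on the output above (not a real device).
SAMPLE = r"""User Configuration:
{
  "_sepKeyData" : "Q09OU1RSVUNURUQ=",
  "kerberosStatus" : [
    { "exchangeRequired" : true, "failedToConnect" : false,
      "importSuccessful" : true, "realm" : "EXAMPLE.COM",
      "ticketKeyPath" : "tgt_ad", "upn" : "tjones@EXAMPLE.COM" },
    { "exchangeRequired" : false, "failedToConnect" : false,
      "importSuccessful" : true, "realm" : "KERBEROS.MICROSOFTONLINE.COM",
      "ticketKeyPath" : "tgt_cloud",
      "upn" : "tjones\\@example.com@KERBEROS.MICROSOFTONLINE.COM" }
  ],
  "userLoginConfiguration" : { "loginUserName" : "tjones@example.com" }
}
SSO Tokens:
Received:
2024-08-28T12:30:54Z
"""


def redact_user_configuration(text):
    """Return (redacted_text, kerberosStatus entries) for app-sso style output."""
    seen = {}  # (key, original value) -> placeholder, so repeated values stay linked

    def placeholder(key, value):
        if (key, value) not in seen:
            n = 1 + sum(1 for k, _ in seen if k == key)
            seen[(key, value)] = f"<{key.lstrip('_')}-{n}>"
        return seen[(key, value)]

    def scrub(node, key=None):
        if isinstance(node, dict):
            return {k: scrub(v, k) for k, v in node.items()}
        if isinstance(node, list):
            return [scrub(item, key) for item in node]
        return placeholder(key, node) if key in SENSITIVE and isinstance(node, str) else node

    # Decode only the JSON object that follows the label; the rest is kept verbatim.
    start = text.index("{", text.index(LABEL))
    config, end = json.JSONDecoder().raw_decode(text, start)
    clean = scrub(config)
    return text[:start] + json.dumps(clean, indent=2) + text[end:], clean.get("kerberosStatus", [])
```

Output that was cut off before its closing brace, as in some of the pastes above, raises `json.JSONDecodeError` instead of being passed through unredacted.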
3 weeks ago
I typed app-sso platform -s in terminal
3 weeks ago
Also, the user certificate is removed automatically in Keychain after the Kerberos config is pushed with this payload.