Configure Kerberos SSO for Microsoft Entra Platform Single Sign-On

rabbitt
Contributor II

 
The native Kerberos Single Sign-On (Kerberos SSO) extension can work in conjunction with the Microsoft Entra Platform Single Sign-On (PSSO) extension to obtain Kerberos tickets for the user without binding the Mac to an on-premises domain controller.
 
The Kerberos SSO payload can either be deployed as a separate configuration profile or added to an existing configuration profile with a payload to deploy PSSO.

Single Sign-On Extension payload settings

If a setting is not listed below, leave it blank; it should not be included in your payload.
 
  • Payload Type: Kerberos
  • Realm: The name of your Kerberos realm, which must be properly capitalized (e.g. EXAMPLE.COM)
  • Hosts: Add all of the following hosts. Substitute example.com with the fully qualified Kerberos realm for your directory. Follow all capitalization exactly.
    • Your Kerberos realm (e.g. example.com)
    • Your Kerberos realm prefixed with the wildcard *. (e.g. *.example.com)
    • windows.net
    • *.windows.net
    • KERBEROS.MICROSOFTONLINE.COM
    • MICROSOFTONLINE.COM
    • *.MICROSOFTONLINE.COM
  • Use Platform SSO TGT: Enforce
  • Platform SSO manual sign-on: Allow
    • This setting permits users to manually enter an on-premises user name to obtain tickets should the UPN used by Entra not match the desired on-premises user name.
  • Kerberos requests only: Enforce
  • Password change: Allow
  • Passwords to meet Active Directory's definition of complexity: Require
  • Local password sync: Enable
  • Preferred KDCs: Modify the following to substitute example.com with your fully qualified Kerberos domain name
    • kkdcp://login.microsoftonline.com/example.com/kerberos
 
Set Scope to devices that also have the Platform Single Sign-On profile deployed.

Verify Kerberos SSO works as expected

Deploy the configuration profile to a non-production test device. Register the device with Platform Single Sign-On when prompted by macOS. Open Terminal, run app-sso platform -s, and look for the section named User Configuration:. Observe that the kerberosStatus section shows a successfully obtained ticket, as in this example:
 
User Configuration:
{
"_credential" : "OiMGvp/SXAg1pbiSl+i2MIOa3+CC2mQtTWMR+4UDb10=",
"created" : "2024-08-21T22:49:15Z",
"kerberosStatus" : [
{
"cacheName" : "CF6E8641-C7B3-4C88-8CD5-C6869AF9FB37",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "edith.mackenzie\\@example.com@KERBEROS.MICROSOFTONLINE.COM"
}
],
 
Use the klist command to verify a Kerberos ticket was obtained:
Credentials cache: API:CF6E8641-C7B3-4C88-8CD5-C6869AF9FB37
        Principal: edith.mackenzie\@example.com@KERBEROS.MICROSOFTONLINE.COM
  Issued                Expires               Principal
Aug 21 15:46:39 2024  Aug 22 01:46:39 2024  krbtgt/KERBEROS.MICROSOFTONLINE.COM@KERBEROS.MICROSOFTONLINE.COM
 
The device still requires a direct line of sight to a domain controller and key distribution center (KDC) to obtain a ticket. If the device is not on-premises, use a VPN solution like Jamf Connect ZTNA to connect to the on-premises network.
 
If you have enabled cloud Kerberos trust (Reference: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hyb... ), you may see two Kerberos tickets in the status:
User Configuration:
{
"_sepKeyData" : "d1lWYliNCcHGsUGlC4qtWmTqEX54gI9onPWY7j7p90s=",
"created" : "2024-08-29T15:37:51Z",
"kerberosStatus" : [
{
"cacheName" : "234C022D-BA26-4A3C-8003-72D18083C66E",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "EXAMPLE.COM",
"ticketKeyPath" : "tgt_ad",
"upn" : "tjones@EXAMPLE.COM"
},
{
"cacheName" : "DA6418E8-1C24-4391-ACA0-CE6C4FC47E34",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "tjones\\@example.com@KERBEROS.MICROSOFTONLINE.COM"
}
],
The klist output will also vary slightly, with the principal appearing in the format `EXAMPLE.COM@EXAMPLE.COM`.
 

Example screenshot of the payload (image not reproduced here).
 

Example .mobileconfig of payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>ExtensionData</key>
<dict>
<key>allowPasswordChange</key>
<true/>
<key>allowPlatformSSOAuthFallback</key>
<true/>
<key>performKerberosOnly</key>
<true/>
<key>preferredKDCs</key>
<array>
<string>kkdcp://login.microsoftonline.com/example.com/kerberos</string>
</array>
<key>pwReqComplexity</key>
<true/>
<key>syncLocalPassword</key>
<true/>
<key>usePlatformSSOTGT</key>
<true/>
</dict>
<key>ExtensionIdentifier</key>
<string>com.apple.AppSSOKerberos.KerberosExtension</string>
<key>Hosts</key>
<array>
<string>example.com</string>
<string>*.example.com</string>
<string>windows.net</string>
<string>*.windows.net</string>
<string>KERBEROS.MICROSOFTONLINE.COM</string>
<string>MICROSOFTONLINE.COM</string>
<string>*.MICROSOFTONLINE.COM</string>
</array>
<key>PayloadDisplayName</key>
<string>Single Sign-On Extensions Payload</string>
<key>PayloadIdentifier</key>
<string>6189731E-7372-4403-9E67-77D9C4C41C18</string>
<key>PayloadOrganization</key>
<string>JAMF Software</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>6189731E-7372-4403-9E67-77D9C4C41C18</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Realm</key>
<string>EXAMPLE.COM</string>
<key>TeamIdentifier</key>
<string>apple</string>
<key>Type</key>
<string>Credential</string>
<key>URLs</key>
<array/>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Microsoft Platform Single Sign-On (PSSOe) - Kerberos Settings for on-premises resources</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>31D2B4FD-0A8A-433A-9CFA-52ACE618F684</string>
<key>PayloadOrganization</key>
<string>Your Organization Name Here</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>31D2B4FD-0A8A-433A-9CFA-52ACE618F684</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
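As an added check (not part of the original post), the following Python reads a .mobileconfig like the one above and compares its Kerberos payload against the settings listed earlier: realm capitalization, every ExtensionData toggle, the Hosts list and the kkdcp preferred KDC. The names check_kerberos_payload and sample_profile are this example's own, and the sample profile it builds is constructed to mirror the keys shown above.

```python
import plistlib

KERBEROS_EXTENSION = "com.apple.AppSSOKerberos.KerberosExtension"
# Settings the post recommends, as they appear under ExtensionData.
EXPECTED_EXTENSION_DATA = {
    "usePlatformSSOTGT": True, "allowPlatformSSOAuthFallback": True,
    "performKerberosOnly": True, "allowPasswordChange": True,
    "pwReqComplexity": True, "syncLocalPassword": True,
}
MICROSOFT_HOSTS = {"windows.net", "*.windows.net", "KERBEROS.MICROSOFTONLINE.COM",
                   "MICROSOFTONLINE.COM", "*.MICROSOFTONLINE.COM"}

def find_kerberos_payload(profile):
    """Locate the extensible SSO payload that targets the Kerberos extension."""
    for p in profile.get("PayloadContent", []):
        if (p.get("PayloadType") == "com.apple.extensiblesso"
                and p.get("ExtensionIdentifier") == KERBEROS_EXTENSION):
            return p
    return None

def check_kerberos_payload(profile_bytes):
    """Return a list of findings; an empty list means the payload matches the post's settings."""
    payload = find_kerberos_payload(plistlib.loads(profile_bytes))
    if payload is None:
        return ["no Kerberos extensible SSO payload found"]
    findings = []
    realm = payload.get("Realm", "")
    if not realm or realm != realm.upper():
        findings.append(f"Realm must be upper-case: {realm!r}")
    data = payload.get("ExtensionData", {})
    for key, want in EXPECTED_EXTENSION_DATA.items():
        if data.get(key) is not want:
            findings.append(f"ExtensionData.{key} should be {want}, got {data.get(key)!r}")
    # Hosts must cover the realm itself, its wildcard form, and the Microsoft endpoints.
    wanted_hosts = MICROSOFT_HOSTS | {realm.lower(), "*." + realm.lower()}
    for h in sorted(wanted_hosts - set(payload.get("Hosts", []))):
        findings.append(f"Hosts is missing {h}")
    want_kdc = f"kkdcp://login.microsoftonline.com/{realm.lower()}/kerberos"
    if want_kdc not in data.get("preferredKDCs", []):
        findings.append(f"preferredKDCs should contain {want_kdc}")
    return findings

def sample_profile(**overrides):
    """Constructed profile mirroring the post's .mobileconfig; overrides patch ExtensionData."""
    data = dict(EXPECTED_EXTENSION_DATA, preferredKDCs=["kkdcp://login.microsoftonline.com/example.com/kerberos"])
    data.update(overrides)
    return plistlib.dumps({"PayloadContent": [{
        "PayloadType": "com.apple.extensiblesso", "ExtensionIdentifier": KERBEROS_EXTENSION,
        "Realm": "EXAMPLE.COM", "Hosts": ["example.com", "*.example.com", *sorted(MICROSOFT_HOSTS)],
        "ExtensionData": data}]})
```

To check a real profile, pass the bytes of the exported .mobileconfig to check_kerberos_payload instead of sample_profile().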

 
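Added example, not from the original post: a Python helper that parses the app-sso platform -s output shown under "Verify Kerberos SSO works as expected" and reports, per ticket (tgt_ad for on-premises, tgt_cloud for Entra), whether importSuccessful and failedToConnect indicate a usable ticket. The sample output is constructed from the two-ticket example above; on a test Mac, feed it the real command's stdout.

```python
import json

# Constructed sample of `app-sso platform -s` output (two-ticket case from the post, not a real capture).
SAMPLE_OUTPUT = r"""User Configuration:
{
"kerberosStatus" : [
{ "cacheName" : "234C022D-BA26-4A3C-8003-72D18083C66E", "exchangeRequired" : false,
  "failedToConnect" : false, "importSuccessful" : true, "realm" : "EXAMPLE.COM",
  "ticketKeyPath" : "tgt_ad", "upn" : "tjones@EXAMPLE.COM" },
{ "cacheName" : "DA6418E8-1C24-4391-ACA0-CE6C4FC47E34", "exchangeRequired" : false,
  "failedToConnect" : false, "importSuccessful" : true,
  "realm" : "KERBEROS.MICROSOFTONLINE.COM", "ticketKeyPath" : "tgt_cloud",
  "upn" : "tjones\\@example.com@KERBEROS.MICROSOFTONLINE.COM" }
]
}
SSO Tokens:
Received:
2024-08-29T15:37:51Z
"""

def extract_user_configuration(text):
    """Return the JSON object printed under 'User Configuration:' (None if absent); raw_decode reads one value, so later sections are ignored."""
    start = text.find("User Configuration:")
    brace = text.find("{", start) if start >= 0 else -1
    if brace < 0:
        return None
    try:
        obj, _end = json.JSONDecoder().raw_decode(text, brace)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None

def summarize_kerberos(config):
    """One verdict per ticket, keyed by ticketKeyPath (tgt_ad = on-prem, tgt_cloud = Entra)."""
    out = {}
    for e in config.get("kerberosStatus", []):
        out[e.get("ticketKeyPath", "?")] = {
            "realm": e.get("realm"),
            # a ticket counts as obtained only when the import succeeded and the KDC was reachable
            "ticket_ok": e.get("importSuccessful") is True and e.get("failedToConnect") is False,
            # reported, not failed on: the thread notes Microsoft treats true as a valid status
            "exchangeRequired": e.get("exchangeRequired"),
        }
    return out

def all_tickets_ok(text):
    """True when at least one ticket is listed and every listed ticket is usable."""
    summary = summarize_kerberos(extract_user_configuration(text) or {})
    return bool(summary) and all(v["ticket_ok"] for v in summary.values())
```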


user-zwVXoRajVX
New Contributor II

Hi, I am getting the exchange required value true in Terminal. What may be the mistake?

I'm afraid I do not understand the question. Could you perhaps screenshot or copy/paste what you are typing in Terminal? Just as an FYI: Jamf support will not be able to help you with Kerberos SSO issues; we're just pushing the payload for your servers to the device. You may need to reach out to AppleCare and Microsoft Support for additional help.

User Configuration:
{
"_sepKeyData" : "5JNzOkLWbDRdsaUP+uY7cs7CKGv+gpQodSyQkszfabo=",
"created" : "2024-08-28T16:11:56Z",
"kerberosStatus" : [
{
"cacheName" : "9D98E79A-7AE0-4674-9D6B-D3A68FEAC477",
"exchangeRequired" : true,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "WB.AD.EXAMPLE.ORG",
"ticketKeyPath" : "tgt_ad",
"upn" : "wb573798@WB.AD.EXAMPLE.ORG"
},
{
"cacheName" : "EF9B1C8B-2F3B-485D-8754-6253CA6ABA36",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "jsampathexample\\@example.org@KERBEROS.MICROSOFTONLINE.COM"
}
],
"lastLoginDate" : "2024-08-28T12:30:54Z",
"loginType" : "POLoginTypeUserSecureEnclaveKey (2)",
"state" : "POUserStateNormal (0)",
"uniqueIdentifier" : "434FE9F2-EF2B-4E67-86F0-FAFC1F2BC073",
"userLoginConfiguration" : {
"created" : "2024-08-28T16:11:56Z",
"loginUserName" : "j***a@example.org"
},
"version" : 1
}

SSO Tokens:
Received:
2024-08-28T12:30:54Z
Expiration:
2024-09-11T12:30:53Z (Not Expired)

That appears to be a valid Kerberos status according to the Microsoft documentation found at https://learn.microsoft.com/en-us/entra/identity/devices/device-join-macos-platform-single-sign-on-k...

Hi Rabbit,
Can you please confirm how to edit and remove contact info?

Log in.
Find the post.
Click the down arrow in the upper right corner of the reply you posted with the Kerb ticket. Hit "Edit Reply".
Remove any personally identifiable information and hit "Reply" at the bottom to save.

Sorry, I am not getting the edit option.

Our friends on the Jamf Nation admin team took care of it for you.

I typed app-sso platform -s in Terminal.

user-zwVXoRajVX
New Contributor II

Also, the user certificate is removed automatically in Keychain after the Kerberos config is pushed with this payload.

user-zwVXoRajVX
New Contributor II

I am getting the User Configuration below, but I am getting "exchangeRequired" : true, while your sample result shows "exchangeRequired" : false.

User Configuration:
{
"_sepKeyData" : "5JNzOkLWbDRdsaUP+uY7cs7CKGv+gpQodSyQkszfabo=",
"created" : "2024-08-28T16:11:56Z",
"kerberosStatus" : [
{
"cacheName" : "9D98E79A-7AE0-4674-9D6B-D3A68FEAC477",
"exchangeRequired" : true,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "WB.AD.EXAMPLE.ORG",
"ticketKeyPath" : "tgt_ad",
"upn" : "wb573798@WB.AD.EXAMPLE.ORG"

I'm afraid this one I don't have an answer for. An AppleCare / Microsoft support case will need to tell you what that key specifically means. I know that in my sample I did NOT have cloud Kerberos tickets enabled in Entra yet, which is why you see a Kerb ticket with the realm of KERBEROS.MICROSOFTONLINE.COM and not the expected realm of JAMFSE.IO. Once we turned on the cloud Kerberos feature of Entra, we're getting two tickets as expected. Microsoft has updated their documentation as well to say that you should turn on the cloud Kerb feature.

user-zwVXoRajVX
New Contributor II

@rabbitt

I am not able to edit my above comment. Please remove my contact info from above; I entered it by mistake.