Jamf Nation Community

rabbitt · ‎08-26-2024

Configure Kerberos SSO for Microsoft Entra Platform Single Sign-On

Reference: https://learn.microsoft.com/en-us/entra/identity/devices/device-join-macos-platform-single-sign-on-k...

The native Kerberos Single Sign-On (Kerberos SSO) extension can work in conjunction with the Microsoft Entra Platform Single Sign-On (PSSO) extension to obtain user Kerberos certificates without binding the Mac to an on-premises domain controller.

The Kerberos SSO payload can either be deployed as a separate configuration profile or added to an existing configuration profile with a payload to deploy PSSO.

Single Sign On-Extension payload settings

If the Setting is not listed below, the setting should not be included in your payload and left blank.

Payload Type: Kerberos
Realm: The name of your Kerberos realm which must be properly capitalized (e.g. EXAMPLE.COM)
Hosts: Add all of the following hosts. Substitute example.com with the fully qualified Kerberos realm for your directory. Follow all capitalization exactly.

Your Kerberos realm (e.g.
```
example.com
```
)
Your Kerberos realm with the preface of . (e.g.
```
*.example.com
```
)
windows.net
*.windows.net
KERBEROS.MICROSOFTONLINE.COM
MICROSOFTONLINE.COM
*.MICROSOFTONLINE.COM

Use Platform SSO TGT: Enforce
Platform SSO manual sign-on: Allow

This setting permits users to manually enter an on-premises user name to obtain tickets should a UPN user name used by Entra not match the desired user name on-premises.

Kerberos requests only: Enforce
Password change: Allow
Passwords to meet Active Directory’s definition of complexity: Require
Local password sync: Enable
Preferred KDCs: Modify the following to substitute example.com with your fully qualified Kerberos domain name

kkdcp://login.microsoftonline.com/example.com/kerberos

Set Scope to devices that also have the Platform Single Sign-On profile deployed.

Verify Kerberos SSO works as expected

Deploy the configuration profile to a non-production test device. Register the device with Platform Single Sign-On when prompted by macOS. Open Terminal and run the command app-sso platform -s and look for the section named User Configuration:. Observe that the kerberosStatus section successfully obtained a ticket as in this example:

User Configuration:
{
"_credential" : "OiMGvp/SXAg1pbiSl+i2MIOa3+CC2mQtTWMR+4UDb10=",
"created" : "2024-08-21T22:49:15Z",
"kerberosStatus" : [
{
"cacheName" : "CF6E8641-C7B3-4C88-8CD5-C6869AF9FB37",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "edith.mackenzie\\@example.com@KERBEROS.MICROSOFTONLINE.COM"
}
],

Use the klist command to verify a Kerberos ticket was obtained:

Credentials cache: API:CF6E8641-C7B3-4C88-8CD5-C6869AF9FB37
        Principal: edith.mackenzie\@example.com@KERBEROS.MICROSOFTONLINE.COM
  Issued                Expires               Principal
Aug 21 15:46:39 2024  Aug 22 01:46:39 2024  krbtgt/KERBEROS.MICROSOFTONLINE.COM@KERBEROS.MICROSOFTONLINE.COM

The device still requires a direct line of sight to a domain controller and key distribution server (KDS) to obtain a ticket. If the device is not on-premises, use a VPN solution like Jamf Connect ZTNA to connect to the on-premises network.

If you have enabled cloud Kerberos trust (Reference: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hyb... ), you may see two Kerberos tickets in the status:

User Configuration:
{
"_sepKeyData" : "d1lWYliNCcHGsUGlC4qtWmTqEX54gI9onPWY7j7p90s=",
"created" : "2024-08-29T15:37:51Z",
"kerberosStatus" : [
{
"cacheName" : "234C022D-BA26-4A3C-8003-72D18083C66E",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "EXAMPLE.COM",
"ticketKeyPath" : "tgt_ad",
"upn" : "tjones@EXAMPLE.COM"
},
{
"cacheName" : "DA6418E8-1C24-4391-ACA0-CE6C4FC47E34",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "tjones\\@example.com@KERBEROS.MICROSOFTONLINE.COM"
}
],

The results with klist will vary slightly as well with the principal appearing like the format `EXAMPLE.COM@EXAMPLE.COM`

Example screen shot of payload:

Example .mobileconfig of payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>ExtensionData</key>
<dict>
<key>allowPasswordChange</key>
<true/>
<key>allowPlatformSSOAuthFallback</key>
<true/>
<key>performKerberosOnly</key>
<true/>
<key>preferredKDCs</key>
<array>
<string>kkdcp://login.microsoftonline.com/example.com/kerberos</string>
</array>
<key>pwReqComplexity</key>
<true/>
<key>syncLocalPassword</key>
<true/>
<key>usePlatformSSOTGT</key>
<true/>
</dict>
<key>ExtensionIdentifier</key>
<string>com.apple.AppSSOKerberos.KerberosExtension</string>
<key>Hosts</key>
<array>
<string>example.com</string>
<string>*.example.com</string>
<string>windows.net</string>
<string>*.windows.net</string>
<string>KERBEROS.MICROSOFTONLINE.COM</string>
<string>MICROSOFTONLINE.COM</string>
<string>*.MICROSOFTONLINE.COM</string>
</array>
<key>PayloadDisplayName</key>
<string>Single Sign-On Extensions Payload</string>
<key>PayloadIdentifier</key>
<string>6189731E-7372-4403-9E67-77D9C4C41C18</string>
<key>PayloadOrganization</key>
<string>JAMF Software</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>6189731E-7372-4403-9E67-77D9C4C41C18</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Realm</key>
<string>EXAMPLE.COM</string>
<key>TeamIdentifier</key>
<string>apple</string>
<key>Type</key>
<string>Credential</string>
<key>URLs</key>
<array/>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Microsoft Platform Single Sign-On (PSSOe) - Kerberos Settings for on-premises resources</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>31D2B4FD-0A8A-433A-9CFA-52ACE618F684</string>
<key>PayloadOrganization</key>
<string>Your Organization Name Here</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>31D2B4FD-0A8A-433A-9CFA-52ACE618F684</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

user-zwVXoRajVX · ‎08-28-2024

Hi, i am getting exchange required value true in Terminal, what may be the mistake?

rabbitt · ‎08-28-2024

I'm afraid I do not understand the question. Could you perhaps screen shot or copy / paste what you are typing in Terminal? Just as an FYI: Jamf support will not be able to help you with Kerberos SSO issues; we're just pushing the payload for your servers to the device. You may need to reach out to AppleCare and Microsoft Support for additional help.

user-zwVXoRajVX · ‎08-28-2024

User Configuration:
{
"_sepKeyData" : "5JNzOkLWbDRdsaUP+uY7cs7CKGv+gpQodSyQkszfabo=",
"created" : "2024-08-28T16:11:56Z",
"kerberosStatus" : [
{
"cacheName" : "9D98E79A-7AE0-4674-9D6B-D3A68FEAC477",
"exchangeRequired" : true,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "WB.AD.EXAMPLE.ORG",
"ticketKeyPath" : "tgt_ad",
"upn" : "wb573798@WB.AD.EXAMPLE.ORG"
},
{
"cacheName" : "EF9B1C8B-2F3B-485D-8754-6253CA6ABA36",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "jsampathexample\\@example.org@KERBEROS.MICROSOFTONLINE.COM"
}
],
"lastLoginDate" : "2024-08-28T12:30:54Z",
"loginType" : "POLoginTypeUserSecureEnclaveKey (2)",
"state" : "POUserStateNormal (0)",
"uniqueIdentifier" : "434FE9F2-EF2B-4E67-86F0-FAFC1F2BC073",
"userLoginConfiguration" : {
"created" : "2024-08-28T16:11:56Z",
"loginUserName" : "j***a@example.org"
},
"version" : 1
}

SSO Tokens:
Received:
2024-08-28T12:30:54Z
Expiration:
2024-09-11T12:30:53Z (Not Expired)

rabbitt · ‎08-28-2024

That appears to be a valid Kerberos status according to the Microsoft documentation found at https://learn.microsoft.com/en-us/entra/identity/devices/device-join-macos-platform-single-sign-on-k...

user-zwVXoRajVX · ‎08-29-2024

Hi Rabbit,
Can you please confirm, how to edit and remove contact info

rabbitt · ‎08-29-2024

Log in.
Find the post.
Click the down arrow in the upper right corner of the reply you posted with the Kerb ticket. Hit "Edit Reply".
Remove any personally identifiable information and hit "Reply" at the bottom to save.

user-zwVXoRajVX · ‎08-29-2024

Sorry I am not getting edit option

rabbitt · ‎08-29-2024

Our friends on the Jamf Nation admin team took care of it for you.

user-zwVXoRajVX · ‎08-28-2024

I typed app-sso platform -s in terminal

user-zwVXoRajVX · ‎08-28-2024

Also user certificate is removed automatically in keychange after kerberos config pushed with this payload

user-zwVXoRajVX · ‎10-03-2024

User configuration i am getting like below, but i am getting "exchangeRequired" : true, but you sample result shows "exchangeRequired" : false

User Configuration:
{
"_sepKeyData" : "5JNzOkLWbDRdsaUP+uY7cs7CKGv+gpQodSyQkszfabo=",
"created" : "2024-08-28T16:11:56Z",
"kerberosStatus" : [
{
"cacheName" : "9D98E79A-7AE0-4674-9D6B-D3A68FEAC477",
"exchangeRequired" : true,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "WB.AD.EXAMPLE.ORG",
"ticketKeyPath" : "tgt_ad",
"upn" : "wb573798@WB.AD.EXAMPLE.ORG"

rabbitt · ‎10-08-2024

I'm afraid this one I don't have an answer for. AppleCare / Microsoft support case will need to tell you the answer to what that key specifically means. I know that in my sampleI did NOT have cloud kerberos tickets enabled in Entra yet which is why you see a kerb ticket with the realm of

KERBEROS.MICROSOFTONLINE.COM

and not the expected realm of JAMFSE.IO. Once we turned on the cloud kerberos feature of Entra, we're getting two tickets as expected. Microsoft has updated their documentation as well to say that you should turn on the cloud kerb feature.

user-zwVXoRajVX · ‎10-03-2024

@rabbitt

i cannot able to edit my above comment, please remove my contact info from above , by mistake i entered.