08-26-2024 08:49 AM - edited 08-29-2024 08:56 AM
example.com
*.example.com
kkdcp://login.microsoftonline.com/example.com/kerberos
User Configuration:
{
"_credential" : "OiMGvp/SXAg1pbiSl+i2MIOa3+CC2mQtTWMR+4UDb10=",
"created" : "2024-08-21T22:49:15Z",
"kerberosStatus" : [
{
"cacheName" : "CF6E8641-C7B3-4C88-8CD5-C6869AF9FB37",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "edith.mackenzie\\@example.com@KERBEROS.MICROSOFTONLINE.COM"
}
],
Credentials cache: API:CF6E8641-C7B3-4C88-8CD5-C6869AF9FB37
Principal: edith.mackenzie\@example.com@KERBEROS.MICROSOFTONLINE.COM
Issued Expires Principal
Aug 21 15:46:39 2024 Aug 22 01:46:39 2024 krbtgt/KERBEROS.MICROSOFTONLINE.COM@KERBEROS.MICROSOFTONLINE.COM
User Configuration:
{
"_sepKeyData" : "d1lWYliNCcHGsUGlC4qtWmTqEX54gI9onPWY7j7p90s=",
"created" : "2024-08-29T15:37:51Z",
"kerberosStatus" : [
{
"cacheName" : "234C022D-BA26-4A3C-8003-72D18083C66E",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "EXAMPLE.COM",
"ticketKeyPath" : "tgt_ad",
"upn" : "tjones@EXAMPLE.COM"
},
{
"cacheName" : "DA6418E8-1C24-4391-ACA0-CE6C4FC47E34",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "tjones\\@example.com@KERBEROS.MICROSOFTONLINE.COM"
}
],
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>ExtensionData</key>
<dict>
<key>allowPasswordChange</key>
<true/>
<key>allowPlatformSSOAuthFallback</key>
<true/>
<key>performKerberosOnly</key>
<true/>
<key>preferredKDCs</key>
<array>
<string>kkdcp://login.microsoftonline.com/example.com/kerberos</string>
</array>
<key>pwReqComplexity</key>
<true/>
<key>syncLocalPassword</key>
<true/>
<key>usePlatformSSOTGT</key>
<true/>
</dict>
<key>ExtensionIdentifier</key>
<string>com.apple.AppSSOKerberos.KerberosExtension</string>
<key>Hosts</key>
<array>
<string>example.com</string>
<string>*.example.com</string>
<string>windows.net</string>
<string>*.windows.net</string>
<string>KERBEROS.MICROSOFTONLINE.COM</string>
<string>MICROSOFTONLINE.COM</string>
<string>*.MICROSOFTONLINE.COM</string>
</array>
<key>PayloadDisplayName</key>
<string>Single Sign-On Extensions Payload</string>
<key>PayloadIdentifier</key>
<string>6189731E-7372-4403-9E67-77D9C4C41C18</string>
<key>PayloadOrganization</key>
<string>JAMF Software</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>6189731E-7372-4403-9E67-77D9C4C41C18</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Realm</key>
<string>EXAMPLE.COM</string>
<key>TeamIdentifier</key>
<string>apple</string>
<key>Type</key>
<string>Credential</string>
<key>URLs</key>
<array/>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Microsoft Platform Single Sign-On (PSSOe) - Kerberos Settings for on-premises resources</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>31D2B4FD-0A8A-433A-9CFA-52ACE618F684</string>
<key>PayloadOrganization</key>
<string>Your Organization Name Here</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>31D2B4FD-0A8A-433A-9CFA-52ACE618F684</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Posted on 08-28-2024 05:34 AM
Hi, I am getting the exchangeRequired value true in Terminal; what may be the mistake?
Posted on 08-28-2024 09:08 AM
I'm afraid I do not understand the question. Could you perhaps screen shot or copy / paste what you are typing in Terminal? Just as an FYI: Jamf support will not be able to help you with Kerberos SSO issues; we're just pushing the payload for your servers to the device. You may need to reach out to AppleCare and Microsoft Support for additional help.
Posted on 08-28-2024 09:18 AM - last edited on 10-07-2024 06:29 AM by talkingmoose
User Configuration:
{
"_sepKeyData" : "5JNzOkLWbDRdsaUP+uY7cs7CKGv+gpQodSyQkszfabo=",
"created" : "2024-08-28T16:11:56Z",
"kerberosStatus" : [
{
"cacheName" : "9D98E79A-7AE0-4674-9D6B-D3A68FEAC477",
"exchangeRequired" : true,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "WB.AD.EXAMPLE.ORG",
"ticketKeyPath" : "tgt_ad",
"upn" : "wb573798@WB.AD.EXAMPLE.ORG"
},
{
"cacheName" : "EF9B1C8B-2F3B-485D-8754-6253CA6ABA36",
"exchangeRequired" : false,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "KERBEROS.MICROSOFTONLINE.COM",
"ticketKeyPath" : "tgt_cloud",
"upn" : "jsampathexample\\@example.org@KERBEROS.MICROSOFTONLINE.COM"
}
],
"lastLoginDate" : "2024-08-28T12:30:54Z",
"loginType" : "POLoginTypeUserSecureEnclaveKey (2)",
"state" : "POUserStateNormal (0)",
"uniqueIdentifier" : "434FE9F2-EF2B-4E67-86F0-FAFC1F2BC073",
"userLoginConfiguration" : {
"created" : "2024-08-28T16:11:56Z",
"loginUserName" : "j***a@example.org"
},
"version" : 1
}
SSO Tokens:
Received:
2024-08-28T12:30:54Z
Expiration:
2024-09-11T12:30:53Z (Not Expired)
08-28-2024 09:22 AM - edited 08-29-2024 12:18 PM
That appears to be a valid Kerberos status according to the Microsoft documentation found at https://learn.microsoft.com/en-us/entra/identity/devices/device-join-macos-platform-single-sign-on-k...
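The check below is an added example and is not code from this thread, from Jamf or from Microsoft. It parses the "User Configuration:" block of `app-sso platform -s` output (the command posted later in the thread), reads the kerberosStatus array, flags any entry with exchangeRequired or failedToConnect set to true or importSuccessful set to false so it can be compared against a known-good device, and reports whether both a tgt_ad and a tgt_cloud entry are present (the "two tickets" the thread describes once cloud Kerberos is enabled in Entra). It does not claim to know what exchangeRequired means; the thread leaves that to Apple and Microsoft support. The sample output embedded in the script is a constructed, anonymised copy of the status blocks posted above, and the --live switch that runs the real command is this script's own convention, not an app-sso option.

```python
"""Summarise the kerberosStatus section of `app-sso platform -s` output.

Added example; not from the thread, Jamf or Microsoft. It assumes only what the
posted output shows: a "User Configuration:" header followed by a JSON object
whose "kerberosStatus" array holds one entry per ticket (tgt_ad, tgt_cloud).
"""
import json
import subprocess
import sys

# Constructed sample modelled on the output posted in the thread (values anonymised).
SAMPLE_OUTPUT = r"""User Configuration:
{
  "_sepKeyData" : "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
  "created" : "2024-08-28T16:11:56Z",
  "kerberosStatus" : [
    {
      "cacheName" : "9D98E79A-7AE0-4674-9D6B-D3A68FEAC477",
      "exchangeRequired" : true,
      "failedToConnect" : false,
      "importSuccessful" : true,
      "realm" : "WB.AD.EXAMPLE.ORG",
      "ticketKeyPath" : "tgt_ad",
      "upn" : "user1@WB.AD.EXAMPLE.ORG"
    },
    {
      "cacheName" : "EF9B1C8B-2F3B-485D-8754-6253CA6ABA36",
      "exchangeRequired" : false,
      "failedToConnect" : false,
      "importSuccessful" : true,
      "realm" : "KERBEROS.MICROSOFTONLINE.COM",
      "ticketKeyPath" : "tgt_cloud",
      "upn" : "user1\\@example.org@KERBEROS.MICROSOFTONLINE.COM"
    }
  ],
  "loginType" : "POLoginTypeUserSecureEnclaveKey (2)",
  "state" : "POUserStateNormal (0)",
  "version" : 1
}
SSO Tokens:
Received:
2024-08-28T12:30:54Z
"""


def extract_json_block(text, header):
    """Return the JSON object that follows `header` (e.g. 'User Configuration:').

    The status output is plain text with several sections, so locate the header,
    then take the balanced {...} after it. String literals are tracked so braces
    or escaped characters inside values (the UPN contains a backslash) do not
    confuse the brace count.
    """
    start = text.find(header)
    if start < 0:
        raise ValueError(f"section {header!r} not found")
    i = text.find("{", start)
    if i < 0:
        raise ValueError(f"no JSON object after {header!r}")
    depth = 0
    in_string = False
    escaped = False
    for j in range(i, len(text)):
        ch = text[j]
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return json.loads(text[i:j + 1])
    raise ValueError("unterminated JSON object")


def summarize_kerberos(user_config):
    """Return (findings, entries): per-ticket summaries plus anything to follow up on."""
    entries = []
    findings = []
    for ks in user_config.get("kerberosStatus", []):
        entry = {
            "realm": ks.get("realm"),
            "ticket": ks.get("ticketKeyPath"),
            "upn": ks.get("upn"),
            "exchangeRequired": bool(ks.get("exchangeRequired", False)),
            "failedToConnect": bool(ks.get("failedToConnect", False)),
            "importSuccessful": bool(ks.get("importSuccessful", False)),
        }
        entries.append(entry)
        if entry["failedToConnect"]:
            findings.append(f"{entry['realm']}: failedToConnect is true")
        if not entry["importSuccessful"]:
            findings.append(f"{entry['realm']}: importSuccessful is false")
        if entry["exchangeRequired"]:
            # The thread does not say what this flag means; surface it for comparison.
            findings.append(f"{entry['realm']}: exchangeRequired is true (compare with a known-good device)")
    present = {e["ticket"] for e in entries}
    for expected in ("tgt_ad", "tgt_cloud"):
        if expected not in present:
            findings.append(f"no {expected} entry in kerberosStatus")
    return findings, entries


def check_status(output_text):
    """Parse the user configuration section and summarise its Kerberos tickets."""
    return summarize_kerberos(extract_json_block(output_text, "User Configuration:"))


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Assumption: run as the logged-in user on the Mac being checked.
        text = subprocess.run(["app-sso", "platform", "-s"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_OUTPUT
    findings, entries = check_status(text)
    for e in entries:
        print(f"{e['ticket']:<10} {e['realm']:<32} {e['upn']}")
    for f in findings:
        print(f"FOLLOW UP: {f}")
```

Run with no arguments to see the constructed sample parsed; run with --live on a Mac enrolled with the profile to parse the real output. On the sample, the tgt_ad entry is reported for exchangeRequired and both ticket kinds are present.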
Posted on 08-29-2024 02:50 AM
Posted on 08-29-2024 08:52 AM
Log in.
Find the post.
Click the down arrow in the upper right corner of the reply you posted with the Kerb ticket. Hit "Edit Reply".
Remove any personally identifiable information and hit "Reply" at the bottom to save.
Posted on 08-29-2024 09:03 AM - last edited on 08-29-2024 10:33 AM by Mitchell_Gordon
Sorry, I am not getting an edit option.
Posted on 08-29-2024 12:18 PM
Our friends on the Jamf Nation admin team took care of it for you.
Posted on 08-28-2024 09:19 AM
I typed app-sso platform -s in Terminal.
Posted on 08-28-2024 05:36 AM
Also, the user certificate is removed automatically in Keychain after the Kerberos config is pushed with this payload.
Posted on 10-03-2024 09:44 PM - last edited on 10-07-2024 06:32 AM by talkingmoose
I am getting the user configuration like below, but I am getting "exchangeRequired" : true, while your sample result shows "exchangeRequired" : false.
User Configuration:
{
"_sepKeyData" : "5JNzOkLWbDRdsaUP+uY7cs7CKGv+gpQodSyQkszfabo=",
"created" : "2024-08-28T16:11:56Z",
"kerberosStatus" : [
{
"cacheName" : "9D98E79A-7AE0-4674-9D6B-D3A68FEAC477",
"exchangeRequired" : true,
"failedToConnect" : false,
"importSuccessful" : true,
"realm" : "WB.AD.EXAMPLE.ORG",
"ticketKeyPath" : "tgt_ad",
"upn" : "wb573798@WB.AD.EXAMPLE.ORG"
a month ago
I'm afraid this one I don't have an answer for. An AppleCare / Microsoft support case will need to tell you the answer to what that key specifically means. I know that in my sample I did NOT have cloud Kerberos tickets enabled in Entra yet, which is why you see a kerb ticket with the realm of KERBEROS.MICROSOFTONLINE.COM and not the expected realm of JAMFSE.IO. Once we turned on the cloud Kerberos feature of Entra, we're getting two tickets as expected. Microsoft has updated their documentation as well to say that you should turn on the cloud Kerberos feature.
Posted on 10-03-2024 09:53 PM
I am not able to edit my above comment. Please remove my contact info from above; I entered it by mistake.