The native Kerberos Single Sign-On (Kerberos SSO) extension can work in conjunction with the Microsoft Entra Platform Single Sign-On (PSSO) extension to obtain user Kerberos certificates without binding the Mac to an on-premises domain controller.
The Kerberos SSO payload can either be deployed as a separate configuration profile or added to an existing configuration profile with a payload to deploy PSSO.
Single Sign-On Extension payload settings
If a setting is not listed below, it should not be included in your payload and should be left blank.
Payload Type: Kerberos
Realm: The name of your Kerberos realm, which must be properly capitalized (e.g. EXAMPLE.COM)
Hosts: Add all of the following hosts. Substitute example.com with the fully qualified Kerberos realm for your directory. Follow all capitalization exactly.
Your Kerberos realm (e.g. example.com)
Your Kerberos realm prefixed with *. (e.g. *.example.com)
windows.net
*.windows.net
KERBEROS.MICROSOFTONLINE.COM
MICROSOFTONLINE.COM
*.MICROSOFTONLINE.COM
Use Platform SSO TGT: Enforce
Platform SSO manual sign-on: Allow
This setting permits users to manually enter an on-premises user name to obtain tickets should a UPN user name used by Entra not match the desired user name on-premises.
Kerberos requests only: Enforce
Password change: Allow
Passwords to meet Active Directory’s definition of complexity: Require
Local password sync: Enable
Preferred KDCs: Modify the following to substitute example.com with your fully qualified Kerberos domain name
Set Scope to devices that also have the Platform Single Sign-On profile deployed.
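To make the settings above concrete, here is a script that emits a configuration profile carrying the Kerberos SSO extension payload with exactly those values. This is an added example, not the original post's profile or anything exported from Jamf Pro: the mapping of the post's setting labels to Apple's ExtensionData keys is my reading of Apple's payload documentation, the com.example.* identifiers and the UUIDs are placeholders, and the KDC hostnames passed as arguments stand in for the post's "Preferred KDCs" list, which did not survive in the page. The script also enforces the capitalization rule the post stresses for the Realm.

```shell
#!/bin/sh
# Added example (not from the original post): write a com.apple.extensiblesso
# payload for Apple's Kerberos SSO extension with the settings listed above.
# Assumptions (mine): label-to-key mapping, placeholder identifiers and UUIDs.
#
# Usage: kerberos_sso_payload EXAMPLE.COM kdc01.example.com > KerberosSSO.mobileconfig
#        (KDC hostnames are placeholders for the post's Preferred KDCs list)

new_uuid() {
  # macOS ships uuidgen; fall back to the kernel generator on Linux
  uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid
}

kerberos_sso_payload() {
  realm=$1
  shift
  # The post insists on capitalization: the Realm must be upper case
  upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
  if [ "$realm" != "$upper" ]; then
    echo "Realm must be upper case, e.g. EXAMPLE.COM (got $realm)" >&2
    return 1
  fi
  # Lower-case form used for the first two Hosts entries
  host=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
  kdcs=""
  for kdc in "$@"; do
    kdcs="$kdcs          <string>$kdc</string>
"
  done
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Kerberos SSO Extension</string>
  <key>PayloadIdentifier</key><string>com.example.kerberos-sso</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadScope</key><string>System</string>
  <key>PayloadUUID</key><string>$(new_uuid)</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.extensiblesso</string>
      <key>PayloadIdentifier</key><string>com.example.kerberos-sso.extensiblesso</string>
      <key>PayloadUUID</key><string>$(new_uuid)</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ExtensionIdentifier</key><string>com.apple.AppSSOKerberos.KerberosExtension</string>
      <key>TeamIdentifier</key><string>apple</string>
      <key>Type</key><string>Credential</string>
      <key>Realm</key><string>$realm</string>
      <key>Hosts</key>
      <array>
        <string>$host</string>
        <string>*.$host</string>
        <string>windows.net</string>
        <string>*.windows.net</string>
        <string>KERBEROS.MICROSOFTONLINE.COM</string>
        <string>MICROSOFTONLINE.COM</string>
        <string>*.MICROSOFTONLINE.COM</string>
      </array>
      <key>ExtensionData</key>
      <dict>
        <key>usePlatformSSOTGT</key><true/>
        <key>allowPlatformSSOAuthFallback</key><true/>
        <key>performKerberosOnly</key><true/>
        <key>allowPasswordChange</key><true/>
        <key>pwReqComplexity</key><true/>
        <key>syncLocalPassword</key><true/>
        <key>preferredKDCs</key>
        <array>
$kdcs        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}
```

On a Mac you can sanity-check the result with plutil -lint before uploading it to Jamf Pro; scope it, as the post says, only to devices that also receive the Platform SSO profile.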
Verify Kerberos SSO works as expected
Deploy the configuration profile to a non-production test device. Register the device with Platform Single Sign-On when prompted by macOS. Open Terminal, run the command app-sso platform -s and look for the section named User Configuration:. Observe that the kerberosStatus section shows a successfully obtained ticket, as in this example:
Use the klist command to verify a Kerberos ticket was obtained:
Credentials cache: API:CF6E8641-C7B3-4C88-8CD5-C6869AF9FB37
        Principal: edith.mackenzie\@example.com@KERBEROS.MICROSOFTONLINE.COM

  Issued                Expires               Principal
Aug 21 15:46:39 2024  Aug 22 01:46:39 2024  krbtgt/KERBEROS.MICROSOFTONLINE.COM@KERBEROS.MICROSOFTONLINE.COM
The device still requires a direct line of sight to a domain controller and key distribution server (KDS) to obtain a ticket. If the device is not on-premises, use a VPN solution like Jamf Connect ZTNA to connect to the on-premises network.
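For the verification step, here is a small check that can be run over klist output on a test Mac. It is an added example, not part of the original post: it lists the realm of every krbtgt entry and succeeds only if a TGT for the realm you name is present, so a fleet script can tell "no ticket at all" (registration or line-of-sight problem) apart from "ticket only for KERBEROS.MICROSOFTONLINE.COM" (the cloud Kerberos trust not yet enabled, as discussed later in this thread). The embedded sample is constructed from the klist output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): confirm a krbtgt ticket exists
# for the realm you expect. With cloud Kerberos trust enabled you should see
# two TGTs (on-prem realm and KERBEROS.MICROSOFTONLINE.COM); without it, only
# the latter, as in the post's sample.
#
# Usage: klist | check_tgt EXAMPLE.COM

# Constructed sample modelled on the klist output shown above (not a live cache)
SAMPLE_KLIST='Credentials cache: API:CF6E8641-C7B3-4C88-8CD5-C6869AF9FB37
        Principal: edith.mackenzie\@example.com@KERBEROS.MICROSOFTONLINE.COM

  Issued                Expires               Principal
Aug 21 15:46:39 2024  Aug 22 01:46:39 2024  krbtgt/KERBEROS.MICROSOFTONLINE.COM@KERBEROS.MICROSOFTONLINE.COM'

# Print the realm of every krbtgt entry (one per line) from klist output on stdin
tgt_realms() {
  awk '$NF ~ /^krbtgt\// { sub(/.*@/, "", $NF); print $NF }'
}

# Succeed only if a TGT for realm $1 is present in the klist output on stdin
check_tgt() {
  want=$1
  realms=$(tgt_realms)
  if [ -z "$realms" ]; then
    echo "no krbtgt ticket in cache; check app-sso platform -s for the PSSO registration" >&2
    return 1
  fi
  if printf '%s\n' "$realms" | grep -qxF "$want"; then
    echo "TGT for $want present"
    return 0
  fi
  echo "no TGT for $want; realms present: $(printf '%s' "$realms" | tr '\n' ' ')" >&2
  return 1
}
```

Against the post's sample, check_tgt KERBEROS.MICROSOFTONLINE.COM succeeds while check_tgt EXAMPLE.COM fails with the realms actually present, which is the state the post's author describes before enabling the cloud Kerberos feature in Entra.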
Hi, I am getting exchange required value true in Terminal, what may be the mistake?
Also, the user certificate is removed automatically in Keychain after the Kerberos config is pushed with this payload.
I'm afraid I do not understand the question. Could you perhaps screenshot or copy/paste what you are typing in Terminal? Just as an FYI: Jamf support will not be able to help you with Kerberos SSO issues; we're just pushing the payload for your servers to the device. You may need to reach out to AppleCare and Microsoft Support for additional help.
Hi Rabbit, Can you please confirm, how to edit and remove contact info
Log in. Find the post. Click the down arrow in the upper right corner of the reply you posted with the Kerb ticket. Hit "Edit Reply". Remove any personally identifiable information and hit "Reply" at the bottom to save.
Sorry I am not getting edit option
Our friends on the Jamf Nation admin team took care of it for you.
User configuration I am getting like below, but I am getting "exchangeRequired" : true, while your sample result shows "exchangeRequired" : false.
I'm afraid this one I don't have an answer for. An AppleCare / Microsoft support case will need to tell you the answer to what that key specifically means. I know that in my sample I did NOT have cloud Kerberos tickets enabled in Entra yet, which is why you see a kerb ticket with the realm of KERBEROS.MICROSOFTONLINE.COM and not the expected realm of JAMFSE.IO. Once we turned on the cloud Kerberos feature of Entra, we're getting two tickets as expected. Microsoft has updated their documentation as well to say that you should turn on the cloud kerb feature.
I followed these steps and it appears to be working on my test Mac. I can go to internal company sites and I am automatically logged in. I can see a Kerberos ticket in Ticket Viewer, and when I run "klist" in Terminal, I can see the Kerberos ticket. When I run app-sso platform -s I see a null value. I checked my settings in my profile. They are the same as what was described and shown here. Another thing I noticed is that after a reboot or log off and login, my account is not being signed in. What could be causing these issues?
Hi, if you have cloud kerberos enabled, can you set your REALM to KERBEROS.MICROSOFTONLINE.COM?
Or is it better to use the on-prem AD realm?
It doesn't appear that anyone responds on this thread anymore.
>> I followed these steps and it appears to be working on my test Mac. I can go to internal company sites and I am automatically logged in. I can see a Kerberos ticket in Ticket Viewer, and when I run "klist" in Terminal, I can see the Kerberos ticket. When I run app-sso platform -s I see a null value. I checked my settings in my profile. They are the same as what was described and shown here. Another thing I noticed is that after a reboot or log off and login, my account is not being signed in. What could be causing these issues?
Your screenshot shows that the PSSO credentials are completely missing and the device is not registered.
>> Hi, if you have cloud kerberos enabled, can you set your REALM to KERBEROS.MICROSOFTONLINE.COM?
>> Or is it better to use the on-prem AD realm?
You could, I guess? But most likely you want to enable the cloud kerberos connection with microsoft to get a real on-prem ticket which is what all of your on-prem resources like file shares would use.
>> It doesn't appear that anyone responds on this thread anymore.
I'm just this guy, ya know? </hhgttg>
Hi rabbitt, we've been engaged with Apple support for a while now without any luck. We have 2 profiles configured for PSSO and Kerberos SSO; we do get proper tickets at start-up, but after a random amount of time the tickets no longer work and are not refreshed. We went through our config a dozen times and engaged our network team to eliminate network-related issues, but we are still encountering the issue. Also, when we enable the refresh option for the user, a manual refresh causes a Kerberos extension crash.
>> But most likely you want to enable the cloud kerberos connection with microsoft to get a real on-prem ticket
Isn't it what we are doing when we are configuring the Kerberos SSO profile in Jamf using the realm