Kerberos Authentication for SSO (Alternatives?)

New Contributor

I hate to ask what is probably a very novice question, but well... I'm a novice in this realm.

I'm currently attempting to modernize our Mac environment (or at the very least solidify it). We're having an issue hitting a particular internal website that simply throws an error and remains inaccessible if the kerberos ticket is expired (rather than any kind of manual authentication or requesting a renewal). I can correct the issue with a kinit or by simply logging off and logging back in, but I'm looking for better solutions.

Right now, the users accessing this site all have Macs with the fingerprint log in. I'm finding that if a user logs into/unlocks the Mac too quickly, there's no renewal on the ticket. This is leading to a lot of expired certificates among these users.

Currently, we manually join each Mac to AD before distributing. So my first question is, from a top-down perspective, is this currently the best practice? Is there another method that would maybe lead to more consistent kerberos lifetimes?

My second question is, is there a widely used method to keep tickets consistently 'alive'? I've found KerbMinder and SleepWatcher out there that might help, but they're not what leadership here would consider an 'enterprise solution'. Personally, I feel like there must be a better method out there somewhere.

My third question is, how is JAMF at handling this? What exactly is its method of joining? I'm still rooting around for this information, and it may tie into my eventual goal of modernizing our management for our OS X environment. I've heard about some cloud services to bridge the device with AD (JumpCloud comes to mind), but don't have a high understanding of how they work, or if they're really 'best practice'. Most of the info I see on that comes from the vendor itself.

Thanks for any info!


New Contributor III

There are a few ways you can keep Kerb tickets valid. I have written a script and agent to keep my ticket valid on my Mac using the Network State Change trigger. It is basically what Enterprise Connect does, which leads me to the more "Enterprise" solution. Apple Professional Services has developed a utility called Apple Enterprise Connect. This is something that requires and Apple Professional Services engagement ( a few days onsite to assess your environment and assist with configuration/deployment of the utility) which is roughly $5k. The utility has the ability to keep your keychain password and kerberos tickets in sync amongst other features. I have not gone down this route yet, as our kerberos ticket issue isn't a huge deal. If you can get away with scripting the herb renewal then I would go with that but thats just me. Hope this helps.

Hello Heath, any change you can share the script you mentioned here?

New Contributor

Thanks! I've looked into scripting a solution, but I'm having trouble finding a secure way to do so without prompting for password (which has been put forth as a requirement by the architects here.) This may be a case where leadership is going to need to pay up if they want their ideal solution put in place.

Contributor II

NoMAD might be the solution you’re looking for. Open source, but they offer support plans. Does everything Enterprise Connect does and much more.