I hate to ask what is probably a very novice question, but well... I'm a novice in this realm.
I'm currently attempting to modernize our Mac environment (or at the very least solidify it). We're having an issue hitting a particular internal website that simply throws an error and remains inaccessible if the Kerberos ticket is expired (rather than any kind of manual authentication or requesting a renewal). I can correct the issue with a kinit or by simply logging off and logging back in, but I'm looking for better solutions.
Right now, the users accessing this site all have Macs with the fingerprint login. I'm finding that if a user logs into/unlocks the Mac too quickly, there's no renewal on the ticket. This is leading to a lot of expired certificates among these users.
Currently, we manually join each Mac to AD before distributing. So my first question is, from a top-down perspective, is this currently the best practice? Is there another method that would maybe lead to more consistent Kerberos lifetimes?
My second question is, is there a widely used method to keep tickets consistently 'alive'? I've found KerbMinder and SleepWatcher out there that might help, but they're not what leadership here would consider an 'enterprise solution'. Personally, I feel like there must be a better method out there somewhere.
My third question is, how is JAMF at handling this? What exactly is its method of joining? I'm still rooting around for this information, and it may tie into my eventual goal of modernizing our management for our OS X environment. I've heard about some cloud services to bridge the device with AD (JumpCloud comes to mind), but don't have a high understanding of how they work, or if they're really 'best practice'. Most of the info I see on that comes from the vendor itself.
Thanks for any info!
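One way to check the problem the post describes (a TGT that silently lapses after a fast unlock) and renew it before the site starts failing, as an added example that is not part of the original post and not from any of the tools it names. It assumes the Heimdal `klist`/`kinit` that ship with macOS, whose `klist` output lists an "Issued / Expires / Principal" table and marks a lapsed ticket with `>>>Expired<<<`; the sample output embedded below is constructed for illustration. The script only attempts `kinit --renew`, which works while the ticket is still inside its renewable lifetime; once that window has passed, a full `kinit` with credentials is needed and the script reports it rather than prompting.

```python
"""Check the Kerberos TGT lifetime reported by Heimdal klist and renew it
before it lapses.  Added example; assumes the macOS Heimdal output format."""
import re
import subprocess
import sys
from datetime import datetime, timedelta

# Heimdal prints dates like "Jan 10 18:00:00 2024" (day may be space padded).
DATE = r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4}"
# Match the krbtgt row: <issued> <expires or >>>Expired<<<> krbtgt/REALM@REALM
TGT_LINE = re.compile(
    rf"^\s*({DATE})\s+({DATE}|>>>Expired<<<)\s+krbtgt/\S+", re.MULTILINE
)

# Constructed sample of what `klist` prints for a live ticket (not real data).
SAMPLE_KLIST = """Credentials cache: API:12345678-ABCD-4321-9876-ABCDEF012345
        Principal: jdoe@EXAMPLE.COM

  Issued                Expires               Principal
Jan 10 08:00:00 2024  Jan 10 18:00:00 2024  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Jan 10 08:01:12 2024  Jan 10 18:00:00 2024  HTTP/intranet.example.com@EXAMPLE.COM
"""


def parse_tgt_expiry(klist_output: str):
    """Return the TGT expiry as a datetime, or None when there is no usable TGT
    (empty cache, no krbtgt row, or a row already marked expired)."""
    m = TGT_LINE.search(klist_output)
    if m is None or m.group(2).startswith(">>>"):
        return None
    # Collapse padding so "Jan  5" and "Jan 5" parse the same way.
    stamp = re.sub(r"\s+", " ", m.group(2))
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")


def needs_renewal(klist_output: str, now: datetime,
                  threshold: timedelta = timedelta(minutes=15)) -> bool:
    """True when the TGT is missing, expired, or within `threshold` of expiring."""
    expiry = parse_tgt_expiry(klist_output)
    return expiry is None or (expiry - now) <= threshold


def main() -> int:
    """Run klist, and if the ticket is about to lapse try a Heimdal renewal.
    Returns 0 when a valid ticket exists afterwards, 1 when a fresh kinit
    (with credentials) is required, 2 when the Kerberos tools are missing."""
    try:
        # A missing cache makes klist exit non-zero with empty stdout, which
        # needs_renewal treats as "no ticket", so the return code is not needed.
        out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        print("klist not found; is this a Kerberos-enabled Mac?", file=sys.stderr)
        return 2
    if not needs_renewal(out, datetime.now()):
        return 0
    # --renew only succeeds inside the ticket's renewable lifetime.
    renew = subprocess.run(["kinit", "--renew"], capture_output=True, text=True)
    if renew.returncode == 0:
        return 0
    print("TGT could not be renewed; a fresh kinit is required", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Running this from a per-user LaunchAgent on a short StartInterval gives the "keep it alive" behaviour the post asks about without a third-party daemon; the exit code 1 path is the case the renewal loop cannot cover, where the user has to authenticate again.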
