Skip to main content
Question

Kerberos authentication for system wide proxy

  • October 30, 2012
  • 6 replies
  • 53 views
J
Forum|alt.badge.img+3

I have a proxy script that will populate the appropriate fields for web proxy and secure web proxy. The only thing that is not populated is username and password as well as a way to check the box that the "proxy server requires a password".
We are on Mountain Lion and our users are on Active Directory. We are not using config profiles/APN as of yet.
Is there any way or anything that can be added to the script that might take the user's kerberos credentials and allow them to access the proxy? I would guess in this manner it would either fill the appropriate fields or just give the user access to use the proxy. I do have pam.d authorization set up in a manner that is passing a Kerberos ticket at login.

Any help or a point in the right direction is greatly appreciated!

    6 replies

    M
    Forum|alt.badge.img+9
    • myronjoffe
    • Valued Contributor
    • October 30, 2012

    I would also be interested to see if this is possible...

    S
    Forum|alt.badge.img+16

    I too would be interested in this.

    T
    Forum|alt.badge.img+21
    • tkimpton
    • Honored Contributor
    • January 23, 2013

    You need to use a proxy PAC file instead

    seabash
    Forum|alt.badge.img+7
    • seabash
    • New Contributor
    • February 15, 2013
    Posted 1/23/13 at 2:05 PM by tkimpton You need to use a proxy PAC file instead

    Proxy PAC file is no silver bullet, as each proxy product may/not support Mac-friendly Kerberos creds—and certainly depends on whether said features are enabled.

    This is a huge PITA in our environment, which is a CIsco IronPort gateway server (v.7.6?), and Macs using mobile AD accounts. Cisco only supports NTLM_v2 and/or NTLM_SSP (or such); no actual mention of "Kerberos support" as it pertains to Macs, at least. Cisco's latest version is supposed to acknowledge Mac's Kerb tgt (via a very kludgey CDA process), but it's not working for us.

    As it is, Mac users are prompted for un/pw upon first login (for 80/443), as additional port calls are made and after each AD pw expiry. The all-too-familiar Keychain entry version control ensues (per Mac I've ever connected to).

    Anyways, I digress... "Proxy" is a four-letter word for Mac users in my environment :(

    J
    Forum|alt.badge.img+5

    IronPort...yep they are a pain. Same here, have been advised that some kind of sso/ pass thru authentication for these that is mac friendly is coming in a couple of software releases time.

    J
    Forum|alt.badge.img+4
    • jonohayes
    • Contributor
    • November 12, 2017

    Is there anything special you have to add to the PAC file for macOS to use Kerberos over NTLM?

    We are using Microsoft TMG and all devices are prompted for username and password and don't use Kerberos...

    Terms & ConditionsCookie settingsAccessibility statement