Posted on 10-30-2012 07:56 AM
I have a proxy script that will populate the appropriate fields for web proxy and secure web proxy. The only thing that is not populated is the username and password, as well as a way to check the "proxy server requires a password" box.
We are on Mountain Lion and our users are on Active Directory. We are not using config profiles/APN as of yet.
Is there any way or anything that can be added to the script that might take the user's Kerberos credentials and allow them to access the proxy? I would guess in this manner it would either fill the appropriate fields or just give the user access to use the proxy. I do have pam.d authorization set up in a manner that is passing a Kerberos ticket at login.
Any help or a point in the right direction is greatly appreciated!
Posted on 10-30-2012 09:26 AM
I would also be interested to see if this is possible...
Posted on 01-23-2013 11:47 AM
I too would be interested in this.
Posted on 01-23-2013 12:05 PM
You need to use a proxy PAC file instead.
Posted on 02-15-2013 09:37 AM
Posted 1/23/13 at 2:05 PM by tkimpton: "You need to use a proxy PAC file instead"
Proxy PAC file is no silver bullet, as each proxy product may or may not support Mac-friendly Kerberos creds—and certainly depends on whether said features are enabled.
This is a huge PITA in our environment, which is a Cisco IronPort gateway server (v.7.6?), and Macs using mobile AD accounts. Cisco only supports NTLM_v2 and/or NTLM_SSP (or such); no actual mention of "Kerberos support" as it pertains to Macs, at least. Cisco's latest version is supposed to acknowledge Mac's Kerb TGT (via a very kludgey CDA process), but it's not working for us.
As it is, Mac users are prompted for un/pw upon first login (for 80/443), as additional port calls are made and after each AD pw expiry. The all-too-familiar Keychain entry version control ensues (per Mac I've ever connected to).
Anyways, I digress... "Proxy" is a four-letter word for Mac users in my environment :(
Posted on 07-17-2013 10:50 AM
IronPort... yep, they are a pain. Same here, have been advised that some kind of SSO/pass-through authentication for these that is Mac-friendly is coming in a couple of software releases' time.
Posted on 11-11-2017 11:18 PM
Is there anything special you have to add to the PAC file for macOS to use Kerberos over NTLM?
We are using Microsoft TMG and all devices are prompted for username and password and don't use Kerberos...