Posted on 04-26-2021 07:09 AM
Good morning,
I've been looking into ways to get away from AD binding and have had some mild success in testing the SSO extension with Kerberos. I've found that I'm successfully getting a ticket and the majority of functionality is working as intended.
However, I for the life of me have been unable to get it to prompt me to sync my local password with my AD password. I've created a brand new local account, and signed in via my AD account to the Kerberos app. I've tried this in Catalina and Big Sur to no avail. I've never been able to get that dialog to appear.
Anyone run into this and have any ideas on how to resolve?
Posted on 04-26-2021 07:53 AM
You have the Local Password Sync option enabled in the Configuration Profile?
Posted on 04-26-2021 09:49 AM
In the Guide it says:
"The Kerberos SSO extension can set the local account password to match a user's Active Directory password. Enable this feature by setting "syncLocalPassword" to TRUE in the Custom Configuration section of your Kerberos SSO extension configuration profile."
So guessing you need to add a custom plist to the profile:
com.apple.AppSSOKerberos.KerberosExtension
Posted on 04-26-2021 10:14 AM
@SCCM The payload is available in the JP gui so no custom plist should be needed.
Posted on 04-26-2021 10:18 AM
So after some painstaking, step-by-step work I was able to get it working. I'm really not sure if it was a conflicting setting or just a bad profile in general. I did indeed have the "Local Password Sync" option checked even in the very beginning.
I basically rebuilt the profile step by step and tested each feature until it worked. Once I did that, I finally got the prompt to work. This was all using the built-in Kerberos payload, not SSO with the identifiers and such. I really don't know what fixed it, unfortunately.
Posted on 09-20-2021 07:11 PM
Hi @user-cCnXnCpGDx, I'm trying to configure SSO Kerberos with a CAC card. Would you please provide the steps on how to configure it?
Posted on 10-20-2021 09:27 AM
Hi @user-cCnXnCpGDx, I am having the Extension Identifier error. Can you tell me what you typed here?
Posted on 10-20-2021 12:31 PM
I used the Kerberos function; I did not set up an extension identifier. I've since moved to Jamf Connect though.
Posted on 02-10-2023 01:58 PM
Curious how you like Jamf Connect? We are getting ready to trial it and I'm going back and forth on Jamf Connect vs the Kerberos SSO extension.
Posted on 02-13-2023 05:45 AM
It all depends on your needs, but the two really don't serve the same purpose. Kerberos SSO is mainly used for AD or LDAP on-premises directory services and can only service already created local accounts. Jamf Connect is meant for those with an IdP like Okta, Azure, Google, etc. and can create a local account using that modern auth, plus some other features.
If your workforce is mobile or WFH then Jamf Connect may be a good idea. If not, then, like above, use your own judgement if both types of services are available to you and pick what meets your needs the best.
Posted on 06-21-2021 07:31 AM
Hi @user-cCnXnCpGDx, I am working on setting up a configuration for Kerberos authentication. If possible, can you please share your configuration profile (screenshots)?
Thanks