Kerberos SSO Extension

user-cCnXnCpGDx
New Contributor II

Good morning,

I've been looking into ways to get away from AD binding and have had some mild success in testing the SSO extension with Kerberos. I've found that I'm successfully getting a ticket and the majority of functionality is working as intended.

However, I for the life of me have been unable to get it to prompt me to sync my local password with my AD password. I've created a brand new local account, and signed in via my AD account to the Kerberos app. I've tried this in Catalina and Big Sur to no avail. I've never been able to get that dialog to appear.

Anyone run into this and have any ideas on how to resolve?

1 ACCEPTED SOLUTION

user-cCnXnCpGDx
New Contributor II

So after some painstaking, step-by-step work I was able to get it working. I'm really not sure if it was a conflicting setting or just a bad profile in general. I did indeed have the "Local Password Sync" option checked even in the very beginning.

I basically rebuilt the profile step by step and tested each feature until it worked. Once I did that, I finally got the prompt to work. This was all using the built-in Kerberos payload, not SSO with the identifiers and such. I really don't know what fixed it, unfortunately.


10 REPLIES

mm2270
Legendary Contributor III

You have the Local Password Sync option enabled in the Configuration Profile?

SCCM
Contributor III

In the Guide it says:
"The Kerberos SSO extension can set the local account password to match a user’s Active Directory password. Enable this feature by setting “syncLocalPassword” to TRUE in the Custom Configuration section of your Kerberos SSO extension configuration profile."

So I'm guessing you need to add a custom plist to the profile:

com.apple.AppSSOKerberos.KerberosExtension

mainelysteve
Valued Contributor II

@SCCM The payload is available in the JP gui so no custom plist should be needed.



Hi @user-cCnXnCpGDx, I'm trying to configure SSO Kerberos with a CAC card; would you please provide me the steps on how to configure it?

Hi @user-cCnXnCpGDx, I am getting the Extension Identifier error; can you tell me what you typed here?

I used the Kerberos function; I did not set up an extension identifier. I've since moved to Jamf Connect though.

Curious how you like Jamf Connect? We are getting ready to trial it and I'm going back and forth on Jamf Connect vs the Kerberos SSO extension.

mainelysteve
Valued Contributor II

It all depends on your needs, but the two really don't serve the same purpose. Kerberos SSO is mainly used for AD or LDAP on-premises directory services and can only service already-created local accounts. Jamf Connect is meant for those with an IdP like Okta, Azure, Google, etc. and can create a local account using that modern auth, plus some other features.

If your workforce is mobile or WFH then Jamf Connect may be a good idea. If not, then as above, use your own judgement if both types of services are available to you and pick what meets your needs the best.

Santosh
New Contributor III

Hi @user-cCnXnCpGDx, I am working on setting up a configuration for Kerberos authentication. If possible, can you please share your configuration profile (screenshots)?

Thanks