Kerberos SSO Extension

user-cCnXnCpGDx
New Contributor

Good morning,

I've been looking into ways to get away from AD binding and have had some mild success in testing the SSO extension with Kerberos. I've found that I'm successfully getting a ticket and the majority of functionality is working as intended.

However, I for the life of me have been unable to get it to prompt me to sync my local password with my AD password. I've created a brand new local account, and signed in via my AD account to the Kerberos app. I've tried this in Catalina and Big Sur to no avail. I've never been able to get that dialog to appear.

Anyone run into this and have any ideas on how to resolve?

1 ACCEPTED SOLUTION

user-cCnXnCpGDx
New Contributor

So after some painstaking, step-by-step work I was able to get it working. I'm really not sure if it was a conflicting setting or just a bad profile in general. I did indeed have the "Local Password Sync" option checked even in the very beginning.

I basically, step by step, rebuilt the profile and tested each feature until it worked. Once I did that, I finally got the prompt to work. This was all using the built-in Kerberos payload, not SSO with the identifiers and such. I really don't know what fixed it, unfortunately.


6 REPLIES

mm2270
Legendary Contributor II

You have the Local Password Sync option enabled in the Configuration Profile?

SCCM
New Contributor III

In the Guide it says:
"The Kerberos SSO extension can set the local account password to match a user’s Active Directory password. Enable this feature by setting “syncLocalPassword” to TRUE in the Custom Configuration section of your Kerberos SSO extension configuration profile."

So guessing you need to add a custom plist to the profile:

com.apple.AppSSOKerberos.KerberosExtension
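Added example, not part of any post in this thread: a Python check that reads an unsigned `.mobileconfig` and reports whether the Kerberos SSO extension payload actually carries `syncLocalPassword` as a boolean TRUE, which helps rule out a bad profile. It assumes the key sits in the payload's `ExtensionData` dictionary; the sample profile, realm and host are constructed placeholders.

```python
import plistlib

EXT_ID = "com.apple.AppSSOKerberos.KerberosExtension"

# Constructed sample profile; realm and host are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.extensiblesso</string>
    <key>ExtensionIdentifier</key><string>com.apple.AppSSOKerberos.KerberosExtension</string>
    <key>Type</key><string>Credential</string>
    <key>Realm</key><string>EXAMPLE.COM</string>
    <key>Hosts</key><array><string>.example.com</string></array>
    <key>ExtensionData</key><dict>
      <key>syncLocalPassword</key><true/>
    </dict>
  </dict></array>
</dict></plist>"""


def check_password_sync(profile_bytes):
    """Return one finding per Kerberos SSO extension payload in the profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        # Only the Extensible SSO payload bound to the Kerberos extension matters.
        if payload.get("PayloadType") != "com.apple.extensiblesso":
            continue
        if payload.get("ExtensionIdentifier") != EXT_ID:
            continue
        value = payload.get("ExtensionData", {}).get("syncLocalPassword")
        if value is True:
            findings.append("ok: syncLocalPassword is TRUE")
        elif value is None:
            findings.append("missing: syncLocalPassword not set")
        else:
            # A string such as "TRUE" is not the boolean the setting expects.
            findings.append(f"wrong: syncLocalPassword is {value!r}, expected boolean TRUE")
    return findings or ["no Kerberos SSO extension payload found"]


if __name__ == "__main__":
    for line in check_password_sync(SAMPLE_PROFILE):
        print(line)
```

A profile signed by the MDM server is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can parse it.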

mainelysteve
Valued Contributor

@SCCM The payload is available in the JP GUI, so no custom plist should be needed.


Hi @user-cCnXnCpGDx, I'm trying to configure the SSO Kerberos with a CAC card. Would you please provide me the steps on how to configure it?

Santosh
New Contributor III

Hi @user-cCnXnCpGDx, I am working on setting up a configuration for Kerberos authentication. If possible, can you please share your configuration profile (screenshots)?

Thanks