yesterday
Hello everyone. We recently set up Kerberos SSO and are having some issues with it syncing passwords after a password change. Upon initial setup it works as intended. User logs in with their AD credentials, it asks for their AD password and their Mac password, it then syncs the password to match the AD password. However, when a user changes their password, they are able to log into SSO with their new password, but it never prompts to sync the mismatched passwords, so their computer still uses their old password.
Has anyone run into this issue?
Password sync is enabled and the system currently running into this issue is running 10.15.2.
yesterday
@thatsadingo I'm reading your question as when a user's AD password is changed external to the Mac, it's not detecting that the Mac's password needs to be synchronized with their new AD password. If that's correct, does having the user change their AD password on the Mac using the Kerberos SSO tool work?
yesterday
You are reading it correctly. Unfortunately, the only way for our users to change their account is through our website. So, I wouldn't be able to test through the SSO tool.
yesterday
@thatsadingo Is the web site for password change the same for your Windows users, or just for your Mac users? You might want to revisit that once you have Kerberos SSO working.
And can you post an image of your Kerberos SSO configuration (obscure your Realm and Hosts settings please)?
@AJPinto The Jamf GUI for configuring Kerberos SSO clearly states local password sync doesn't work for mobile accounts so that shouldn't surprise anyone.
yesterday
@AJPinto The Jamf GUI for configuring Kerberos SSO clearly states local password sync doesn't work for mobile accounts so that shouldn't surprise anyone.
Fair, but I have learned to not assume people actually read. Reddit has killed my faith in humanity :).
yesterday
Is local password sync Enabled? Also just to ask, the user(s) does not have a mobile account, right?