Kerberos SSO Not Syncing Password after Change

thatsadingo
New Contributor

Hello everyone. We recently set up Kerberos SSO and are having some issues with it syncing passwords after a password change. Upon initial setup it works as intended. The user logs in with their AD credentials, it asks for their AD password and their Mac password, and it then syncs the Mac password to match the AD password. However, when a user changes their password, they are able to log into SSO with their new password, but it never prompts to sync the mismatched passwords, so their computer still uses their old password.

Has anyone run into this issue? 

Password sync is enabled and the system currently running into this issue is running 10.15.2


sdagley
Esteemed Contributor II

@thatsadingo I'm reading your question as when a user's AD password is changed external to the Mac it's not detecting that the Mac's password needs to be synchronized with their new AD password. If that's correct does having the user change their AD password on the Mac using the Kerberos SSO tool work?

thatsadingo
New Contributor

You are reading it correctly. Unfortunately, the only way for our users to change their account is through our website. So, I wouldn't be able to test through the SSO tool.

sdagley
Esteemed Contributor II

@thatsadingo Is the web site for password change the same for your Windows users, or just for your Mac users? You might want to revisit that once you have Kerberos SSO working.

And can you post an image of your Kerberos SSO configuration (obscure your Realm and Hosts settings, please)?

@AJPinto The Jamf GUI for configuring Kerberos SSO clearly states local password sync doesn't work for mobile accounts so that shouldn't surprise anyone.

AJPinto
Esteemed Contributor

@AJPinto The Jamf GUI for configuring Kerberos SSO clearly states local password sync doesn't work for mobile accounts so that shouldn't surprise anyone.

Fair, but I have learned to not assume people actually read. Reddit has killed my faith in humanity :).

Here are our settings. The website is the same for everyone.

[image: keberos_settings.jpg]

sdagley
Esteemed Contributor II

Try setting the following:

"Request credential on the next matching Kerberos challenge or network state change" - Enforced

"Automatically use LDAP and DNS to determine the Kerberos extension's AD site name." - Enforced

"Passwords to meet Active Directory's definition of complexity" - Required (Since you have the Password change option set to Allowed)

Thanks for the suggestions. I've enabled those settings and will see what happens. I initially had "Passwords to meet AD complexity" set to Enabled, but since clicking Change Password just takes the user to our site, I turned it off to see if it would potentially do anything.

AJPinto
Esteemed Contributor

Is local password sync Enabled? Also just to ask, the user(s) does not have a mobile account, right?

Local password sync is enabled, and they are local accounts not mobile.