Posted on 03-21-2017 12:31 PM
In the environment that I work in, Kerberos was just enabled over the weekend on the Exchange servers. I currently have 250+ existing Mac Users with Outlook that currently are set to just use the User Name and Password. I would like to get these existing users flipped to Kerberos.
It is a simple change to make but I am looking to automate just changing that one item. I am not that experienced in scripting but I would like to deploy this change via JAMF / JSS.
Talking Moose's Outlook 2016 script is great for new users that are just logging onto a machine for the first time but when I run this on an existing user, it creates a second mailbox.
I appreciate any guidance anyone can provide.
Posted on 03-21-2017 01:01 PM
You'd need to get the following script to run on each Mac, but while Outlook is open. Maybe make it into a Self Service policy that can launch Outlook and then run this as the current user.
    tell application "Microsoft Outlook"
        tell exchange account 1
            set use kerberos authentication to true
        end tell
    end tell
This is an AppleScript, not a shell script, so it can't be just pushed as is from the JSS, since it's expecting to be run by the logged in user. It will also launch Outlook if it's not currently running. Also, in my experience, it may pop up a prompt to the user to create a Kerberos identity or use an existing one. I'm not sure how it will actually respond on your Macs, so you definitely will want to run this through some tests to be sure you understand the user experience.
Anyway, test the above out on your own system while Outlook is open and you'll see it switch from Username/Password authentication to Kerberos as the Method.
Posted on 03-22-2017 07:19 AM
Works like a charm! Thank you for the help! I am copying the script down to a machine then kicking it off via the JSS & Execute command option.
Thanks again!
Posted on 11-03-2017 08:36 AM
That AppleScript does work a treat for selecting Kerberos from the authentication method, thanks!
Is there any way to script picking the Kerberos ID? At the moment, when the script changes it, the ID is left blank and you need to go in and select the ID.
Posted on 11-03-2017 05:56 PM
@avail, try using this:
    -- Read the principal from the current user's Kerberos ticket cache
    set principalName to do shell script "klist | grep \"Principal:\" | awk -F \": \" '{ print $2 }'"
    tell application "Microsoft Outlook"
        set use kerberos authentication of exchange account 1 to true
        set principal of exchange account 1 to principalName
    end tell
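The first reply in this thread notes that the AppleScript has to run as the logged-in user, while a Jamf policy script runs as root. The following is an added example, not part of the original posts: a policy script that runs the thread's AppleScript in the console user's session and refuses to write a blank or malformed principal. The function names and the accepted principal character set are assumptions.

```shell
#!/bin/bash
# Added example: set Outlook's Kerberos principal from a root-run policy script.

# Read `klist` output on stdin; print the principal (same match as the thread).
parse_principal() {
    awk -F': ' '/Principal:/ { print $2; exit }'
}

# Accept only user@REALM made of safe characters (assumed character set), so
# a quote or space can never break out of the AppleScript string literal.
valid_principal() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*|*@*@*|@*|*@) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the thread's AppleScript with the principal filled in.
build_applescript() {
    cat <<EOF
tell application "Microsoft Outlook"
    set use kerberos authentication of exchange account 1 to true
    set principal of exchange account 1 to "$1"
end tell
EOF
}

# Run a command inside the console user's session instead of as root.
run_as_console_user() {
    console_user=$(stat -f%Su /dev/console)
    [ -n "$console_user" ] && [ "$console_user" != "root" ] || return 1
    console_uid=$(id -u "$console_user")
    launchctl asuser "$console_uid" sudo -u "$console_user" "$@"
}

main() {
    principal=$(run_as_console_user klist 2>/dev/null | parse_principal)
    if ! valid_principal "$principal"; then
        echo "No usable Kerberos ticket for console user; Outlook left unchanged" >&2
        return 1
    fi
    build_applescript "$principal" | run_as_console_user osascript
}

# The macOS-only commands above run only on macOS.
if [ "$(uname -s)" = "Darwin" ]; then main; fi
```

When nobody is logged in or the user has no ticket, the script exits non-zero without touching Outlook, so the policy log shows the failure instead of leaving the Kerberos ID blank.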
Posted on 11-06-2017 08:29 AM
Thanks @talkingmoose - that works! Oddly it works fine in Self Service, but won't work as part of a policy.
Posted on 02-13-2018 03:10 PM
Thanks @talkingmoose
What is the solution if several accounts use the same Kerberos ticket?
Some users have 1 account but others have 2 or 3 accounts, completely random...
What do you suggest?
Kind regards
Posted on 02-13-2018 04:24 PM
@RemiB, not quite sure what you mean, but I'll take a stab.
Do you mean to say a single user has connected to multiple Exchange accounts with the same credentials? If so, that's when he or she should be connecting as a delegated user under the primary account and not connecting to each mailbox individually.
Add a delegated account in the primary user's Exchange account settings. Authenticating to this one account will automatically connect the delegated accounts.
However, I don't see why multiple accounts couldn't use the same Kerberos authentication.