MS Outlook 2016 Kerberos Scripting Issue

cdinges
New Contributor II

In the environment that I work in, Kerberos was just enabled over the weekend on the Exchange servers. I currently have 250+ existing Mac Users with Outlook that currently are set to just use the User Name and Password. I would like to get these existing users flipped to Kerberos.

It is a simple change to make but I am looking to automate just changing that one item. I am not that experienced in scripting but I would like to deploy this change via JAMF / JSS.

Talking Moose's Outlook 2016 script is great for new users that are just logging onto a machine for the first time but when I run this on an existing user, it creates a second mailbox.

I appreciate any guidance anyone can provide.

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

You'd need to get the following script to run on each Mac, but while Outlook is open. Maybe make it into a Self Service policy that can launch Outlook and then run this as the current user.

tell application "Microsoft Outlook"
    tell exchange account 1
        set use kerberos authentication to true
    end tell
end tell

This is an AppleScript, not a shell script, so it can't be just pushed as is from the JSS, since it's expecting to be run by the logged in user. It will also launch Outlook if it's not currently running. Also, in my experience, it may pop up a prompt to the user to create a Kerberos identity or use an existing one. I'm not sure how it will actually respond on your Macs, so you definitely will want to run this through some tests to be sure you understand the user experience.

Anyway, test the above out on your own system while Outlook is open and you'll see it switch from Username/Password authentication to Kerberos as the Method.

cdinges
New Contributor II

Works like a charm! Thank you for the help! I am copying the script down to a machine then kicking it off via the JSS & Execute command option.

Thanks again!

avail
New Contributor III

That AppleScript does work a treat for selecting Kerberos from the authentication method, thanks!

Is there any way to script picking the Kerberos ID? At the moment, when the script changes it, the ID is left blank and you need to go in and select the ID.

talkingmoose
Moderator

@avail, try using this:

set principalName to do shell script "klist | grep \"Principal:\" | awk -F \": \" '{ print $2 }'"

tell application "Microsoft Outlook"
    set use kerberos authentication of exchange account 1 to true
    set principal of exchange account 1 to principalName
end tell

avail
New Contributor III

Thanks @talkingmoose - that works! Oddly it works fine in Self Service, but won't work as part of a policy.
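
Added example, not code from any poster in this thread: a shell wrapper that runs talkingmoose's AppleScript in the logged-in user's session, following mm2270's note that it expects to be run by that user. It assumes the management tool starts the script as root and that the user already holds a Kerberos ticket; the helper names `parse_principal`, `valid_principal` and `as_user` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: started as root by the management tool.

# Print the principal from `klist` output read on stdin (the "Principal:" line).
parse_principal() {
    awk -F': ' '/Principal:/ { print $2; exit }'
}

# Accept only name@REALM made of characters that are safe inside an AppleScript string.
valid_principal() {
    case "$1" in
        ''|*[!A-Za-z0-9._@/-]*) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a command as the console user, inside that user's login session.
as_user() {
    launchctl asuser "$console_uid" sudo -u "$console_user" "$@"
}

main() {
    console_user=$(stat -f%Su /dev/console)
    case "$console_user" in
        root|loginwindow|_mbsetupuser) echo "no user logged in" >&2; return 1 ;;
    esac
    console_uid=$(id -u "$console_user")

    # The ticket cache belongs to the user's session, so klist runs as the user too.
    principal=$(as_user klist 2>/dev/null | parse_principal)
    if ! valid_principal "$principal"; then
        echo "no usable Kerberos ticket for $console_user" >&2
        return 1
    fi

    as_user osascript <<EOF
tell application "Microsoft Outlook"
    set use kerberos authentication of exchange account 1 to true
    set principal of exchange account 1 to "$principal"
end tell
EOF
}

# Act only on macOS as root; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then main; fi
```

The principal is validated before it is interpolated into the AppleScript so that unexpected `klist` output cannot alter the script that runs in the user's session.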

RemiB
New Contributor

Thanks @talkingmoose

What is the solution if several accounts are using the same Kerberos ticket?

Some users have 1 account but others have 2 or 3 accounts, completely random...

What do you suggest?

Kind regards

talkingmoose
Moderator

@RemiB, not quite sure what you mean, but I'll take a stab.

Do you mean to say a single user has connected to multiple Exchange accounts with the same credentials? If so, that's when he or she should be connecting as a delegated user under the primary account and not connecting to each mailbox individually.

Add a delegated account in the primary user's Exchange account settings. Authenticating to this one account will automatically connect the delegated accounts.

However, I don't see why multiple accounts couldn't use the same Kerberos authentication.