Posted on 06-30-2016 09:23 AM
Hi there, I'm reaching a roadblock in my project and I am not really sure how to proceed. The Macs in my organization are all AD-bound and require the users to use their AD accounts only, no local accounts. We are using Active Directory 2008 R2 right now.
I'm wondering how you out in the "real world" handle single sign-on or pass-through authentication? Mainly for the purpose of authenticating against intranet sites, wireless authentication, using Microsoft Lync, and mounting Samba shares. I'm all for saying just type your password in, but I'd like to avoid any unnecessary bucking from our more vocal types.
Any ideas would be greatly appreciated.
Posted on 06-30-2016 10:05 AM
The problem is often that there are several AD SSO methods, some of which work better than others... Some of our legacy sites use NTLMv1/2 which is a real pain to get working (often just doesn't work). We have had better luck with ADFS authenticated resources in combination with Apple Enterprise Connect.
Posted on 06-30-2016 10:06 AM
We have the same issue with our Intranet and Wireless Auth.
Kerberos tickets can be passed off to Samba shares and it works fine in our environment. Nothing really to configure. The only problem we have is if the user logs into the computer before the wired network connection is established, it doesn't get the latest Kerberos tickets from the domain controller. But we use ADPassMon, which allows users to quickly and easily retrieve the most up-to-date Kerberos ticket from the domain controller.
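As an added example (not the poster's code, and not part of ADPassMon), here is the kind of small POSIX shell check a Mac admin could run from a login script or a periodic job to catch the failure mode described above: a user who logged in before the network was up and therefore has no usable TGT. It parses the output of the Heimdal `klist` that ships with macOS, reports whether a ticket-granting ticket for the AD realm is present, expired (Heimdal prints `>>>Expired<<<` in the Expires column) or missing, and only calls `kinit` when needed. The realm `EXAMPLE.COM`, the user `jdoe` and the sample `klist` output are constructed placeholders.

```shell
#!/bin/sh
# Added example: detect a missing or expired Kerberos TGT for the AD realm on
# a Mac and refresh it with kinit. Assumes the Heimdal klist/kinit bundled
# with macOS. REALM is a constructed placeholder; override it in the environment.
REALM="${REALM:-EXAMPLE.COM}"

# tgt_state REALM  (klist output on stdin)
# Prints one word:
#   valid    - a krbtgt for REALM is listed and not flagged as expired
#   expired  - the krbtgt line is present but klist marked it >>>Expired<<<
#   missing  - no krbtgt for REALM in the cache (or no cache at all)
tgt_state() {
    realm="$1"
    # -F: the realm contains dots, so match it literally, not as a regex
    line="$(grep -F "krbtgt/${realm}@${realm}" | head -n 1)"
    if [ -z "$line" ]; then
        echo missing
    elif printf '%s' "$line" | grep -q 'Expired'; then
        echo expired
    else
        echo valid
    fi
}

# refresh_if_needed: ask the domain controller for a new TGT only when the
# cache holds nothing usable, so users with a good ticket are never prompted.
refresh_if_needed() {
    state="$(klist 2>/dev/null | tgt_state "$REALM")"
    case "$state" in
        valid) echo "TGT for $REALM is valid; nothing to do" ;;
        *)     echo "TGT is $state; requesting a new one with kinit"
               kinit "$(id -un)@${REALM}" ;;
    esac
}

# Constructed sample klist output (not captured from a real machine), used to
# self-check tgt_state without touching a live credential cache.
SAMPLE_VALID='Credentials cache: API:501:1
        Principal: jdoe@EXAMPLE.COM

  Issued                Expires               Principal
Jun 30 09:23:11 2016  Jun 30 19:23:11 2016  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

SAMPLE_EXPIRED='Credentials cache: API:501:1
        Principal: jdoe@EXAMPLE.COM

  Issued                Expires               Principal
Jun 29 09:23:11 2016  >>>Expired<<<         krbtgt/EXAMPLE.COM@EXAMPLE.COM'

SAMPLE_NONE='klist: No ticket file: /tmp/krb5cc_501'

# Only touch the real credential cache when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    refresh_if_needed
fi
```

Run it as `sh tgt-check.sh --run` on the Mac itself; without `--run` it only defines the functions, which is what makes the constructed samples above usable for checking the parser. In practice `kinit` will prompt for the user's password, which is exactly the one-time prompt the thread is trying to limit to the cases where the ticket really is unusable.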
Posted on 06-30-2016 08:18 PM
Hi @rbingham917
I can't help with the SSO as it is not something I am using, however with regards to the Wi-Fi you can deploy a config profile with a network payload that utilises the option "Use Directory Authentication, Authenticate with the target computer's directory credentials". This will use the AD computer account to connect to the Wi-Fi. It has been working great so far.
Cheers,
Pat
Posted on 07-01-2016 10:01 AM
Thanks Patrick, very helpful information!
Posted on 07-05-2016 07:35 AM
FWIW, we had additional requirements, but went with Centrify here. Not 100% satisfied with it for policy/management, although I think that's more due to infrastructure issues on our end, but for SSO, it has been pretty solid.
Now just waiting for JSS (and admin apps!) to support SSO... getting closer...