Single Sign-On

Not applicable

Around here, we have been talking about getting rid of ADmitMac when we implement Lion, and switching to the built-in AD plugin. But by now, our users expect SSO functionality in many areas of the OS that ADmitMac provided "for free". We're talking about the possibility of implementing these SSO features, but I don't know where or how to start. Can anyone provide some pointers?


Matt
Valued Contributor

Where exactly did you want SSO? Some things can be scripted, like mounting drives.

Janowski
New Contributor II

We've been casually trying to pass over to an SSO environment as well. I can't tell you what has been working -- but I can say that the biggest obstacle we face currently is our company's proxy filter.

It requires authentication and we can't get the login credentials for the Mac to hand off to it. From what we've researched it sounds like a common problem. We might look at running our own proxy for the Mac users (as it's been described in this mailing list before, I believe).

We've been focused on doing it natively as well. What things do you currently employ from ADmitMac that you know you can't live without?

ben janowski
Senior Macintosh Support Technician
Kohl's Mac Support Team
262.703.1396 | benjamin.janowski at kohls.com

bentoms
Release Candidate Programs Tester

We've the same issue re: proxy. Our Websense proxy only allows NTLM, but there is an updated version that supports Kerberos. Just gotta give someone a kick to start testing it.

Regards,

Ben.

Not applicable

Fortunately our proxy does not require authentication; however, our file servers and print servers do. They work perfectly with ADmitMac's SSO, and I doubt our users would be willing to lose that.

rmanly
Contributor III

Generating TGTs at login has been great here.

I implemented this as both a standalone script with policy and also as part of my first_boot script for newly imaged machines. This works with our 2008r2 file & print servers as well as the few "kerberized" things I have running on some Xserves.

#!/bin/bash

# allow creation of Kerberos TGT @ login per http://support.apple.com/kb/HT4100
/usr/libexec/PlistBuddy /etc/authorization -c "Add rights:system.login.console:mechanisms: string builtin:krb5store,privileged"

Ryan M. Manly
Glenbrook High Schools
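
An added example, not part of the original post: PlistBuddy's `Add` on an array appends a new entry on every run, so a script deployed by a recurring policy would stack duplicate `builtin:krb5store,privileged` entries in the login mechanisms. This variant checks first, keeps a backup, and restores it if the edit does not take. The helper names `has_mechanism` and `ensure_mechanism`, the `PLISTBUDDY` and `AUTH_DB` override variables, and the `--apply` switch are assumptions made for the example.

```bash
#!/bin/bash
# Added example: idempotent version of the login-mechanism edit.
# PLISTBUDDY and AUTH_DB can be overridden to try this on a copy of the file.
PLISTBUDDY="${PLISTBUDDY:-/usr/libexec/PlistBuddy}"
AUTH_DB="${AUTH_DB:-/etc/authorization}"
MECH="builtin:krb5store,privileged"
KEY=":rights:system.login.console:mechanisms"

# Returns 0 if the mechanism is already an entry of the array.
# PlistBuddy prints one indented entry per line, so strip the indent
# and require a whole-line match.
has_mechanism() {
    "$PLISTBUDDY" -c "Print $KEY" "$1" 2>/dev/null |
        sed 's/^[[:space:]]*//' | grep -Fxq "$2"
}

# Appends the mechanism only if it is missing. Prints "present" or "added".
# A backup is written next to the file and restored if the edit fails.
ensure_mechanism() {
    file="$1"; mech="$2"
    if has_mechanism "$file" "$mech"; then
        echo present
        return 0
    fi
    cp -p "$file" "$file.bak" || return 1
    if "$PLISTBUDDY" -c "Add $KEY: string $mech" "$file" &&
       has_mechanism "$file" "$mech"; then
        echo added
    else
        cp -p "$file.bak" "$file"
        echo "edit failed, restored $file from backup" >&2
        return 1
    fi
}

# Only touch the real file when explicitly asked (hypothetical switch),
# e.g. from a first-boot script or login policy running as root.
if [ "${1:-}" = "--apply" ]; then
    ensure_mechanism "$AUTH_DB" "$MECH"
fi
```
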