SSOs Kerberos Apple/Microsoft

GabeShack
Valued Contributor III

Hi all,

Im starting to play with the SSO for Microsoft and the Kerberos Apple pieces.  Since we are trying to move away from binding, I'm love to find a solution that allows the user to login using their AD credentials (or office 365 credentials which then just adds our domain name to the end of their login) and then keeps them signed into to anything that can use those credentials.  We cant afford Jamf Connect, so thats out...but noMad or something else that isnt expensive would work.  

Since we use federated and managed Apple IDs, I found I could tie into the Microsoft SSO during the user sign into to their iCloud accounts on the computer, which then gets them pre-logged into our Zoom accounts and the microsoft office online logins.  The Microsoft apps are still currently requesting that they type their user name(email address) into the app, and then it lists their account to click on and doesnt require their password, but I'd love to get it to already be pre-logged into the office apps as well and bypass the need to even type the user name.

 

I originally misunderstood the Appel Kerberos plug in to assume it could work in place of a bind, but seems like I do need something more like a NoMad to make it work properly.  I don't have much experience with NoMAD so hoping its still supported and easy to figure out (but nothing with active directory seems to be easy).

 

Anyone have any hints to share if they are doing similar setups?

 

Gabe Shackney
Princeton Public Schools
3 ACCEPTED SOLUTIONS

merps
Contributor III

you should be able to do it with the "single sign-on extensions" payload.

First, make a krb5.conf file as shown here: krb5.conf 

"You have to create a file called krb5.conf and place it in /etc. The content of the file should look like this:
[libdefaults]
default_realm=YOUR.REALM.NAME

Package that up in Composer and deploy to your machines that have the kerberos extension enabled."

here's a screenshot of our SSO config

Screen Shot 2021-07-22 at 10.12.36 AM.png

View solution in original post

vinu_thankachan
Contributor

Configuring SSO won't update krb5.conf

You need o to create a package to update the realm on /etc/krb5.com

[libdefaults]
default_realm = "DomainName"
kpasswd_server = tcp/DomainName: kpasswd

View solution in original post

GabeShack
Valued Contributor III

Thanks all, 

Looks like I just need to do some more testing in our environment.  I am working on the microsoft sso and looks like i can leverage it for some things mixed with the Apple SSO.

 

Gabe Shackney
Princeton Public Schools

View solution in original post

5 REPLIES 5

merps
Contributor III

you should be able to do it with the "single sign-on extensions" payload.

First, make a krb5.conf file as shown here: krb5.conf 

"You have to create a file called krb5.conf and place it in /etc. The content of the file should look like this:
[libdefaults]
default_realm=YOUR.REALM.NAME

Package that up in Composer and deploy to your machines that have the kerberos extension enabled."

here's a screenshot of our SSO config

Screen Shot 2021-07-22 at 10.12.36 AM.png

GabeShack
Valued Contributor III

@merps I the sso extension profile but didn't do the krb5.conf piece.  Is this just the tie in to the login window allowing the extension to work for first login?

I just tested NoMAD Login and once I intstalled that with an profile , it allowed me to have the local user created and then it looks like the password syncing is through the apple kerberos piece, but would rather the apple extension does both the login and password management if possible.

Gabe Shackney
Princeton Public Schools

The Apple Kerberos extension is just for the logged in user to get a Kerberos ticket. It doesn't play a part in creating the user account.

The local username/password is technically independent, but you can set the extension to keep the passwords in sync.

vinu_thankachan
Contributor

Configuring SSO won't update krb5.conf

You need o to create a package to update the realm on /etc/krb5.com

[libdefaults]
default_realm = "DomainName"
kpasswd_server = tcp/DomainName: kpasswd

GabeShack
Valued Contributor III

Thanks all, 

Looks like I just need to do some more testing in our environment.  I am working on the microsoft sso and looks like i can leverage it for some things mixed with the Apple SSO.

 

Gabe Shackney
Princeton Public Schools