Integrating Kerberos with Jamf Connect Sync

Jamf Connect can get Kerberos tickets for authentication to an Active Directory domain, if the user's Okta password matches their Active Directory password. To determine the username, Jamf Connect uses the characters preceding the “@“ character of the user’s sign-in name and adds the Kerberos realm suffix.

You can can also get certificates from an Active Directory Web Certificate Authority (CA) using Kerberos authentication.

Configuring Kerberos

You must complete the following steps before enabling Kerberos in Jamf Connect:

  1. Ensure the user stores their password in their Keychain—Because the user is usually not connected to the Active Directory domain when signing in to Okta, Jamf Connect waits for the domain to be reachable before attempting to sign in as the user. Jamf Connect does not cache the user password but rather relies on the user’s keychain for storage.

  2. Define the Kerberos Realm—The all-caps version of your Active Directory domain is usually used. Jamf Connect Sync uses the Kerberos Realm to build the user’s Kerberos principal and to determine if the user can reach the domain.

  3. Enable Kerberos Tickets in Jamf Connect—Users can select Get Kerberos Tickets in the Jamf Connect Preferences menu to enable Kerberos. Alternatively, you can set the TicketsOnSignIn key to true in a configuration profile scoped to the computer.

Active Directory Operation

Jamf Connect Sync interacts with the Active Directory domain in the following ways:

  • Jamf Connect Sync is site-aware. It uses an LDAP Ping methodology to determine the best site to use. Jamf Connect continues to use that site until it can no longer reach a domain controller or the network changes, which reinitiates the site lookup process.

  • Jamf Connect Sync uses the system Kerberos and LDAP libraries to ensure they are updated when macOS is updated.

  • The application supports functional levels of Windows 2000 through Windows 2016.

  • Jamf Connect can detect password expiration policies and uses them when displaying a password expiration time.

  • Jamf Connect re-evaluates the connection to the domain during startup and network changes. If configured, you can also specify an interval, in minutes.


Jamf Connect Sync can get certificates from an Active Directory Web Certificate Authority (CA) using Kerberos authentication. If configured, Jamf Connect creates a certificate signing request (CSR) and submits it to the URL specified in Preferences using the certificate template supplied there. If successful, Jamf Connect places the signed certificate into the user’s keychain.

Note: To allow Jamf Connect Sync to do this, the user must trust the CA’s SSL certificate.

By default, Jamf Connect creates a key-value pair for the CSR and marks it as non-exportable from the user’s keychain. This can be turned off in the preference file.

Jamf Connect automatically renews the certificate if the most recent certificate for that user has less than 30 days of validity left.

Related Information

See the following sections of this guide for more information:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.