Integrating Kerberos with Jamf Connect Sync

Jamf Connect Sync can get Kerberos tickets for authentication to an Active directory domain, if the user's Okta password matches their Active Directory password. To determine the username, Jamf Connect Sync uses the characters preceding the “@“ character of the user’s sign-in name and adds the Kerberos realm suffix.

You can can also get certificates from an Active Directory Web Certificate Authority (CA) using Kerberos authentication.

Configuring Kerberos

You must complete the following steps before enabling Kerberos in Jamf Connect Sync:

  1. Ensure the user stores their password in their Keychain – Because the user is usually not connected to the Active Directory domain when signing in to Okta, Jamf Connect Sync waits for the domain to be reachable before attempting to sign in as the user. Jamf Connect Sync does not cache the user password but rather relies on the user’s Keychain for storage. If Kerberos authentication fails, Jamf Connect Sync does not retry authentication. Instead, the application removes the password from the Keychain to ensure it is unable to use the password again, and then locks the user out of the computer.

  2. Define the Kerberos Realm – The all-caps version of your Active Directory domain is usually used. Jamf Connect Sync uses the Kerberos Realm to build the user’s Kerberos principal and to determine if the user can reach the domain.

  3. Enable Kerberos Tickets in Jamf Connect Sync – Users can select Get Kerberos Tickets in the Jamf Connect Sync Preferences menu to enable Kerberos. Alternatively, you can set the TicketsOnSignIn key to true in a configuration profile scoped to the computer.

Active Directory Operation

Jamf Connect Sync interacts with the Active Directory domain in the following ways:

  • Jamf Connect Sync is site-aware. It uses an LDAP Ping methodology to determine the best site to use. Jamf Connect Sync continues to use that site until it can no longer reach a domain controller or the network changes, which reinitiates the site lookup process.

  • Jamf Connect Sync uses the system Kerberos and LDAP libraries to ensure they are updated when macOS is updated.

  • The application supports functional levels of Windows 2000 through Windows 2016.

  • Jamf Connect Sync can detect password expiration policies and uses them when displaying a password expiration time.

  • Jamf Connect Sync re-evaluates the connection to the domain during startup and network changes. If configured, you can also specify an interval, in minutes.

Certificates

Jamf Connect Sync can get certificates from an Active Directory Web Certificate Authority (CA) using Kerberos authentication. If configured, Jamf Connect Sync creates a certificate signing request (CSR) and submits it to the URL specified in Preferences using the certificate template supplied there. If successful, Jamf Connect Sync places the signed certificate into the user’s Keychain.

Note: To allow Jamf Connect Sync to do this, the user must trust the CA’s SSL certificate.

By default, Jamf Connect Sync creates a key pair for the CSR and marks it as non-exportable from the user’s Keychain. This can be turned off in the preference file.

Jamf Connect Sync automatically renews the certificate if the most recent certificate for that user has less than 30 days of validity left.

Related Information

See the following sections of this guide for more information:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2019 Jamf. All rights reserved.