Kerberos Integration

You can configure Jamf Connect to use Kerberos authentication to complete password changes directly to Active Directory rather than a cloud identity provider (IdP).

Jamf Connect can also get Kerberos tickets for authentication to an Active Directory domain, if the user's network password matches their Active Directory password. To determine the username, Jamf Connect uses the characters preceding the “@“ character of the user’s sign-in name and adds the Kerberos realm suffix.

When configured, Jamf Connect interacts with the Active Directory domain in the following ways:

  • Jamf Connect is site-aware. It uses an LDAP ping methodology to determine the best site to use. Jamf Connect continues to use that site until it can no longer reach a domain controller or the network changes, which reinitiates the site lookup process.

  • Jamf Connect uses the system Kerberos and LDAP libraries to ensure they are updated when macOS is updated.

  • Jamf Connect can detect password expiration policies and uses them when displaying a password expiration notice.

  • Jamf Connect re-evaluates the connection to the domain during startup and network changes. If configured, you can also specify an interval, in minutes.

Kerberos Settings

Domain: com.jamf.connect

Dictionary: Kerberos

Description: Used to integrate Jamf Connect with a Kerberos realm for password syncing





Kerberos Realm

Specifies the Kerberos realm used to get Kerberos tickets. Your Kerberos realm should be written in all caps.




Renew Kerberos Tickets

Determines if the Kerberos tickets should be renewed




A custom short name to use to obtain Kerberos tickets.




Short Name Attribute

The Active Directory LDAP attribute to use as a short name. If unspecified, the user's sign-in name is used.




Ask for Short Name

Determines if the user is asked to enter their Kerberos short name on first sign in




Ask for Short Name Message

The message displayed to users when requesting their Kerberos short name


<string>Enter your Active Directory username.</string>


Jamf Connect can also get certificates from an Active Directory Web Certificate Authority (CA) using Kerberos authentication. If configured, Jamf Connect creates a certificate signing request (CSR) and submits it to the URL specified in your Jamf Connect configuration profile using the certificate template supplied there. If successful, Jamf Connect places the signed certificate into the user’s keychain.

Note: To get certificates, users must trust the CA’s SSL certificate.

By default, Jamf Connect creates a key-value pair for the CSR and marks it as non-exportable from the user’s keychain. This can be turned off in the preference file. Jamf Connect automatically renews the certificate, if the most recent certificate for that user has less than 30 days of validity left.

Note: Because the user is usually not connected to the Active Directory domain when signing in with an IdP, Jamf Connect waits for the domain to be reachable before attempting to sign in as the user. Jamf Connect does not cache the user password but rather relies on the user’s keychain for storage.

Certificate Settings

Domain: com.jamf.connect

Dictionary: Certificate

Description: Used to configure Windows web CA settings





X.509 Certificate Authority

Specifies the URL of the Windows web certificate authority (CA) for Jamf Connect to use for certificates




Certificate Template

Certificate template from a Windows web CA


<string>User Auth</string>


Get Certificates Automatically

Enables Jamf Connect to get a certificate from a Windows web CA automatically on sign-in




Associated Wi-Fi Networks

A list of secure wireless networks to associate with the certificate Jamf Connect created







Allow Private Key Exports

Allow the private key of the user certificate to be exported



Related Information

For related information, see the following:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.