Kerberos Integration
You can configure Jamf Connect to use Kerberos authentication to complete password changes directly to Active Directory rather than a cloud identity provider (IdP).
Jamf Connect can also get Kerberos tickets for authentication to an Active Directory domain, if the user's network password matches their Active Directory password. To determine the username, Jamf Connect uses the characters preceding the “@“ character of the user’s sign-in name and adds the Kerberos realm suffix.
When configured, Jamf Connect interacts with the Active Directory domain in the following ways:
-
Jamf Connect is site-aware. It uses an LDAP ping methodology to determine the best site to use. Jamf Connect continues to use that site until it can no longer reach a domain controller or the network changes, which reinitiates the site lookup process.
-
Jamf Connect uses the system Kerberos and LDAP libraries to ensure they are updated when macOS is updated.
-
Jamf Connect can detect password expiration policies and uses them when displaying a password expiration notice.
-
Jamf Connect re-evaluates the connection to the domain during startup and network changes. If configured, you can also specify an interval, in minutes.
Kerberos Settings
Domain: com.jamf.connect
Dictionary: Kerberos
Description: Used to integrate Jamf Connect with a Kerberos realm for password syncing
|
Key |
Description |
Example |
|
Realm |
Kerberos Realm Specifies the Kerberos realm used to get Kerberos tickets. Your Kerberos realm should be written in all caps. |
<key>Realm</key> <string>YOURCOMPANY.NET</string> |
|
AutoRenewTickets |
Renew Kerberos Tickets Determines if the Kerberos tickets should be renewed |
<key>AutoRenewTickets</key> <false/> |
|
ShortName |
A custom short name to use to obtain Kerberos tickets. |
<key>ShortName</key> <string>Joel</string> |
|
ShortNameAttribute |
Short Name Attribute The Active Directory LDAP attribute to use as a short name. If unspecified, the user's sign-in name is used. |
<key>ShortNameAttribute</key> <string>attribute</string> |
|
AskForShortName |
Ask for Short Name Determines if the user is asked to enter their Kerberos short name on first sign in |
<key>AskForShortName</key> <false/> |
|
AskForShortNameMessage |
Ask for Short Name Message The message displayed to users when requesting their Kerberos short name |
<key>AskForShortNameMessage</key> <string>Enter your Active Directory username.</string> |
Certificates
Jamf Connect can also get certificates from an Active Directory Web Certificate Authority (CA) using Kerberos authentication. If configured, Jamf Connect creates a certificate signing request (CSR) and submits it to the URL specified in your Jamf Connect configuration profile using the certificate template supplied there. If successful, Jamf Connect places the signed certificate into the user’s keychain.
Note: To get certificates, users must trust the CA’s SSL certificate.
By default, Jamf Connect creates a key-value pair for the CSR and marks it as non-exportable from the user’s keychain. This can be turned off in the preference file. Jamf Connect automatically renews the certificate, if the most recent certificate for that user has less than 30 days of validity left.
Note: Because the user is usually not connected to the Active Directory domain when signing in with an IdP, Jamf Connect waits for the domain to be reachable before attempting to sign in as the user. Jamf Connect does not cache the user password but rather relies on the user’s keychain for storage.
Certificate Settings
Domain: com.jamf.connect
Dictionary: Certificate
Description: Used to configure Windows web CA settings
|
Key |
Description |
Example |
|
WindowsCA |
X.509 Certificate Authority Specifies the URL of the Windows web certificate authority (CA) for Jamf Connect to use for certificates |
<key>WindowsCA</key> <string>dc1.jamfconnect.test</string> |
|
CertificateTemplate |
Certificate Template Certificate template from a Windows web CA |
<key>CertificateTemplate</key> <string>User Auth</string> |
|
GetCertificateAutomatically |
Get Certificates Automatically Enables Jamf Connect to get a certificate from a Windows web CA automatically on sign-in |
<key>GetCertificateAutomatically</key> <false/> |
|
SecureNetworks |
Associated Wi-Fi Networks A list of secure wireless networks to associate with the certificate Jamf Connect created |
<key>SecureNetworks</key> <array> <string>SSID1</string> <string>SSID2</string> </array |
|
ExportableCertificateKey |
Allow Private Key Exports Allow the private key of the user certificate to be exported |
<key>ExportableCertificateKey</key> <false/> |
Related Information
For related information, see the following: