Kerberos Integration

You can configure Jamf Connect to use Kerberos authentication to complete password changes directly against Active Directory rather than a cloud identity provider (IdP).

Jamf Connect can also get Kerberos tickets for authentication to an Active Directory domain if the user's network password matches their Active Directory password. To determine the Kerberos username, Jamf Connect takes the characters preceding the "@" character in the user's sign-in name and appends the Kerberos realm as the suffix.

When configured, Jamf Connect interacts with the Active Directory domain in the following ways:

  • Jamf Connect is site-aware. It uses an LDAP ping to determine the best site to use, and it continues to use that site until it can no longer reach a domain controller or the network changes, either of which restarts the site lookup.

  • Jamf Connect uses the system Kerberos and LDAP libraries to ensure they are updated when macOS is updated.

  • Jamf Connect can detect password expiration policies and uses them when displaying a password expiration notice.

  • Jamf Connect re-evaluates the connection to the domain at startup and on network changes. You can also configure a re-evaluation interval, in minutes.

Kerberos Settings

Domain: com.jamf.connect

Dictionary: Kerberos

Description: Used to integrate Jamf Connect with a Kerberos realm for password syncing

Each key is listed with its display name, its description, and an example plist fragment.

Realm (Kerberos Realm)

  Specifies the Kerberos realm used to get Kerberos tickets. Your Kerberos realm should be written in all caps.

    <key>Realm</key>
    <string>YOURCOMPANY.NET</string>

AutoRenewTickets (Renew Kerberos Tickets)

  Determines if the Kerberos tickets should be renewed.

    <key>AutoRenewTickets</key>
    <false/>

ShortName

  A custom short name to use to obtain Kerberos tickets.

    <key>ShortName</key>
    <string>Joel</string>

ShortNameAttribute (Short Name Attribute)

  The ID token attribute to use as the short name. If unspecified, the ShortName value is used. If no value is found for ShortNameAttribute or ShortName and the AskForShortName key is set to true, the end user is prompted to enter their short name.

  Notes:

    • ShortNameAttribute cannot be used to specify the short name if MFA is enabled.

    • If Okta is your IdP, you must also have the Client ID (ROPGID) and Tenant ID (TenantID) preference keys configured for Jamf Connect to use the short name specified by ShortNameAttribute.

    <key>ShortNameAttribute</key>
    <string>attribute</string>

AskForShortName (Ask for Short Name)

  Determines if the user is asked to enter their Kerberos short name on first sign-in.

    <key>AskForShortName</key>
    <false/>

AskForShortNameMessage (Ask for Short Name Message)

  The message displayed to users when requesting their Kerberos short name.

    <key>AskForShortNameMessage</key>
    <string>Enter your Active Directory username.</string>
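The username derivation described at the top of this page and the ShortNameAttribute / ShortName / AskForShortName precedence above, worked through in Python as an added example (not Jamf's code). The plist is a constructed sample of the Kerberos dictionary, "ad_username" is a hypothetical ID token claim, and the fallback order is this editor's reading of the page, not Jamf's implementation.

```python
import plistlib

# Constructed sample of the Kerberos dictionary in com.jamf.connect (not a real profile);
# "ad_username" is a hypothetical ID token claim name.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Kerberos</key>
  <dict>
    <key>Realm</key>
    <string>YOURCOMPANY.NET</string>
    <key>ShortNameAttribute</key>
    <string>ad_username</string>
    <key>AskForShortName</key>
    <true/>
  </dict>
</dict>
</plist>
"""


def load_config(data):
    """Parse a com.jamf.connect plist (bytes) into a dict."""
    return plistlib.loads(data)


def kerberos_principal(config, sign_in_name, id_token_claims=None, mfa_enabled=False):
    """Return (principal, prompt_user) using the precedence the page describes:
    ShortNameAttribute (not usable when MFA is enabled) -> ShortName ->
    AskForShortName prompt -> the characters before "@" in the sign-in name.
    The realm is checked to be upper case, as the page requires."""
    krb = config["Kerberos"]
    realm = krb["Realm"]
    if realm != realm.upper():
        raise ValueError("Kerberos realm should be written in all caps: %r" % realm)
    claims = id_token_claims or {}
    short = None
    attr = krb.get("ShortNameAttribute")
    if attr and not mfa_enabled:  # attribute cannot be used when MFA is enabled
        short = claims.get(attr)
    if not short:
        short = krb.get("ShortName")
    if not short and krb.get("AskForShortName", False):
        return None, True  # Jamf Connect would show AskForShortNameMessage here
    if not short:
        short = sign_in_name.split("@", 1)[0]  # default: characters before "@"
    return "%s@%s" % (short, realm), False
```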

Certificates

Jamf Connect can also get certificates from an Active Directory Web Certificate Authority (CA) using Kerberos authentication. If configured, Jamf Connect creates a certificate signing request (CSR) and submits it to the URL specified in your Jamf Connect configuration profile using the certificate template supplied there. If successful, Jamf Connect places the signed certificate into the user’s keychain.

Note: To get certificates, users must trust the CA’s SSL certificate.

By default, Jamf Connect creates a key pair for the CSR and marks the private key as non-exportable from the user's keychain. This can be turned off in the preference file (see ExportableCertificateKey below). Jamf Connect automatically renews the certificate if the most recent certificate for that user has less than 30 days of validity left.

Note: Because the user is usually not connected to the Active Directory domain when signing in with an IdP, Jamf Connect waits for the domain to be reachable before attempting to sign in as the user. Jamf Connect does not cache the user password but rather relies on the user’s keychain for storage.

Certificate Settings

Domain: com.jamf.connect

Dictionary: Certificates

Description: Used to configure Windows web CA settings

Each key is listed with its display name, its description, and an example plist fragment.

WindowsCA (X.509 Certificate Authority)

  Specifies the URL of the Windows web certificate authority (CA) that Jamf Connect uses to request certificates.

    <key>WindowsCA</key>
    <string>dc1.jamfconnect.test</string>

CertificateTemplate (Certificate Template)

  The certificate template to request from the Windows web CA.

    <key>CertificateTemplate</key>
    <string>User Auth</string>

GetCertificateAutomatically (Get Certificates Automatically)

  Enables Jamf Connect to get a certificate from the Windows web CA automatically on sign-in.

    <key>GetCertificateAutomatically</key>
    <false/>

SecureNetworks (Associated Wi-Fi Networks)

  A list of secure wireless networks to associate with the certificate Jamf Connect created.

    <key>SecureNetworks</key>
    <array>
      <string>SSID1</string>
      <string>SSID2</string>
    </array>

ExportableCertificateKey (Allow Private Key Exports)

  Allows the private key of the user certificate to be exported from the keychain.

    <key>ExportableCertificateKey</key>
    <false/>
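A small lint for the Certificates dictionary above plus the 30-day renewal rule from the Certificates section, as an added example (not Jamf's code). The plist is a constructed sample; the checks (required keys when automatic enrollment is on, flagging an exportable private key, the renewal window) are this editor's, and the host name and SSIDs are placeholders.

```python
import plistlib
from datetime import datetime, timedelta

# Constructed sample of the Certificates dictionary in com.jamf.connect (not a real profile).
SAMPLE_CERT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Certificates</key>
  <dict>
    <key>WindowsCA</key>
    <string>dc1.jamfconnect.test</string>
    <key>CertificateTemplate</key>
    <string>User Auth</string>
    <key>GetCertificateAutomatically</key>
    <true/>
    <key>SecureNetworks</key>
    <array>
      <string>SSID1</string>
      <string>SSID2</string>
    </array>
    <key>ExportableCertificateKey</key>
    <false/>
  </dict>
</dict>
</plist>
"""
SAMPLE_CONFIG = plistlib.loads(SAMPLE_CERT_PLIST)

RENEWAL_WINDOW = timedelta(days=30)  # page: renew when under 30 days of validity remain


def validate_certificates(config):
    """Return a list of problems in the Certificates dictionary (empty list means OK)."""
    certs = config.get("Certificates", {})
    problems = []
    if certs.get("GetCertificateAutomatically", False):
        # Automatic enrollment needs somewhere to send the CSR and a template to request.
        for required in ("WindowsCA", "CertificateTemplate"):
            if not certs.get(required):
                problems.append("%s is required when GetCertificateAutomatically is true" % required)
    if certs.get("ExportableCertificateKey", False):
        problems.append("ExportableCertificateKey is true: the private key can leave the keychain")
    nets = certs.get("SecureNetworks", [])
    if not isinstance(nets, list) or not all(isinstance(n, str) for n in nets):
        problems.append("SecureNetworks must be an array of SSID strings")
    return problems


def needs_renewal(not_after_iso, now_iso):
    """True when the user's newest certificate (notAfter, ISO 8601) has under 30 days left."""
    return datetime.fromisoformat(not_after_iso) - datetime.fromisoformat(now_iso) < RENEWAL_WINDOW
```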

© copyright 2002-2020 Jamf. All rights reserved.