Kerberos Integration

You can configure Jamf Connect to use Kerberos authentication to complete password changes directly to Active Directory rather than a cloud identity provider (IdP).

Jamf Connect can also get Kerberos tickets for authentication to an Active Directory domain, if the user's network password matches their Active Directory password. To determine the username, Jamf Connect uses the characters preceding the “@“ character of the user’s sign-in name and adds the Kerberos realm suffix.

When configured, Jamf Connect interacts with the Active Directory domain in the following ways:

  • Jamf Connect is site-aware. It uses an LDAP ping methodology to determine the best site to use. Jamf Connect continues to use that site until it can no longer reach a domain controller or the network changes, which reinitiates the site lookup process.

  • Jamf Connect uses the system Kerberos and LDAP libraries to ensure they are updated when macOS is updated.

  • Jamf Connect can detect password expiration policies and uses them when displaying a password expiration notice.

  • Jamf Connect re-evaluates the connection to the domain during startup and network changes. If configured, you can also specify an interval, in minutes.

Certificates with Jamf Connect

Jamf Connect can also get certificates from an Active Directory Web Certificate Authority (CA) using Kerberos authentication. If configured, Jamf Connect creates a certificate signing request (CSR) and submits it to the URL specified in your Jamf Connect configuration profile using the certificate template supplied there. If successful, Jamf Connect places the signed certificate into the user’s keychain.


To get certificates, users must trust the CA’s SSL certificate.

By default, Jamf Connect creates a key-value pair for the CSR and marks it as non-exportable from the user’s keychain. This can be turned off in the preference file. Jamf Connect automatically renews the certificate, if the most recent certificate for that user has less than 30 days of validity left.


Because the user is usually not connected to the Active Directory domain when signing in with an IdP, Jamf Connect waits for the domain to be reachable before attempting to sign in as the user. Jamf Connect does not cache the user password but rather relies on the user’s keychain for storage.