
Using the Kerberos SSO extension with macOS
Overview
On macOS, the Kerberos SSO extension proactively acquires a Kerberos ticket-granting ticket (TGT) whenever the network state changes, so that the user already holds a valid credential by the time an app or website asks for Kerberos authentication. The extension also helps users manage their Active Directory accounts: it lets them change their Active Directory password, notifies them when that password is close to expiring, and can change the local account password to match the Active Directory password.
The Kerberos SSO extension is intended for use with an on-premises Active Directory domain; Azure Active Directory isn’t supported. Devices don’t need to be bound to the Active Directory domain, and users don’t need to log in to their Mac with an Active Directory or mobile account. Apple recommends using local accounts instead.
Account use
The Kerberos SSO extension doesn’t require that your Mac be bound to Active Directory or that the user be logged in to the Mac with a mobile account. Apple recommends using the Kerberos SSO extension with a local account; the extension was specifically created to improve Active Directory integration from a local account. If you choose to keep using mobile accounts, the Kerberos SSO extension still works, with two limitations:
Password sync won’t work. If you use the Kerberos SSO extension to change your Active Directory password while logged in to the Mac with the same user account you use with the extension, the password change behaves as it does from the Users & Groups preference pane. But after an external password change (you change your password on a website, or your help desk resets it), the Kerberos SSO extension can’t bring your mobile account password back into sync with your Active Directory password.
Using a password change URL with the Kerberos SSO extension is unsupported.
User sign-in methods and options
Users must authenticate to the Kerberos SSO extension. They can begin this process in any of several ways:
If the Mac is connected to the network where your Active Directory domain is available, the user is prompted to authenticate immediately after the Extensible SSO configuration profile is installed.
Whenever the Mac is connected to a network where your Active Directory domain is available, the user is immediately prompted to authenticate.
If Safari or any other app is used to access a website that accepts or requires Kerberos authentication, the user is prompted to authenticate.
The user can select the Kerberos SSO extension menu extra, then click Sign In.
If the user chose to sign in to the Kerberos SSO extension automatically, they’re no longer prompted for credentials until they change their password. If they didn’t choose automatic sign-in, they’re prompted for credentials when their Kerberos credential expires, which is usually after 10 hours (the default ticket lifetime in Active Directory).
If the user enabled the password sync feature, they’re asked for their current Active Directory password and their local account password. After they enter both and click OK, the local account password is changed to match the Active Directory password.
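The behaviour described in the two sections above (the automatic sign-in and password sync options, and the two features that don’t work with mobile accounts) is controlled by the Extensible SSO configuration profile an MDM installs. The following Python script is an added example, not Apple’s code or code from this page: it builds that profile with plistlib and refuses the combinations the page says are unsupported with mobile accounts. The extension identifier, team identifier, payload type, Realm, Hosts and the ExtensionData keys allowAutomaticLogin, syncLocalPassword, pwNotificationDays and pwChangeURL are Apple’s documented keys; the example realm, hosts, payload identifiers, the account_type switch and the two helper functions are this example’s own assumptions.

```python
import plistlib
import uuid

# Apple's identifiers for the built-in Kerberos SSO extension (from the
# Extensible Single Sign-on payload documentation).
KERBEROS_EXTENSION_ID = "com.apple.AppSSOKerberos.KerberosExtension"
KERBEROS_TEAM_ID = "apple"


def build_kerberos_sso_payload(realm, hosts, account_type="local",
                               allow_automatic_login=True,
                               sync_local_password=True,
                               pw_notification_days=15,
                               pw_change_url=None):
    """Return the Extensible SSO payload dict for the Kerberos extension.

    account_type is an assumption of this example: "local" (Apple's
    recommendation) or "mobile". With mobile accounts the page says password
    sync doesn't work and a password change URL is unsupported, so those
    combinations are rejected instead of silently producing a profile that
    won't behave as expected.
    """
    if account_type not in ("local", "mobile"):
        raise ValueError("account_type must be 'local' or 'mobile'")
    if not realm or realm != realm.upper():
        raise ValueError("Kerberos realm must be non-empty and upper-case, e.g. EXAMPLE.COM")
    if not hosts:
        raise ValueError("at least one host or domain suffix (e.g. '.example.com') is required")

    if account_type == "mobile":
        if pw_change_url is not None:
            raise ValueError("a password change URL is unsupported with mobile accounts")
        if sync_local_password:
            raise ValueError("password sync does not work with mobile accounts; "
                             "pass sync_local_password=False explicitly")

    extension_data = {
        "allowAutomaticLogin": bool(allow_automatic_login),  # lets the user skip re-prompts
        "syncLocalPassword": bool(sync_local_password),      # local password follows AD password
        "pwNotificationDays": int(pw_notification_days),     # warn before AD password expiry
    }
    if pw_change_url:
        extension_data["pwChangeURL"] = pw_change_url

    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kerberos-sso",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Kerberos SSO extension",
        "ExtensionIdentifier": KERBEROS_EXTENSION_ID,
        "TeamIdentifier": KERBEROS_TEAM_ID,
        "Type": "Credential",
        "Realm": realm,
        "Hosts": list(hosts),
        "ExtensionData": extension_data,
    }


def build_profile(payloads):
    """Wrap payloads in a top-level profile and serialise it as an XML plist (.mobileconfig)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.kerberos-sso.profile",  # assumed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Kerberos SSO",
        "PayloadScope": "System",  # assumed: the extension is deployed device-wide via MDM
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def kerberos_settings(profile_bytes):
    """Parse a serialised profile and return (realm, hosts, extension_data) of its Kerberos payload."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        if payload.get("ExtensionIdentifier") == KERBEROS_EXTENSION_ID:
            return payload["Realm"], payload["Hosts"], payload["ExtensionData"]
    raise ValueError("no Kerberos SSO payload in profile")


if __name__ == "__main__":
    # Constructed sample: a local-account deployment for the assumed realm EXAMPLE.COM.
    payload = build_kerberos_sso_payload("EXAMPLE.COM", [".example.com", "EXAMPLE.COM"])
    print(build_profile([payload]).decode())
```

Hosts should list the domain suffixes (leading dot) and realm the extension may release a ticket to; the automatic sign-in and password sync switches map directly to the user-facing options the page describes, and the script's refusal of pwChangeURL or sync with mobile accounts encodes the two caveats from the Account use section.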