Mac OS X 10.5: About Kerberos in Mac OS X 10.5 clients

This article has been archived and is no longer updated by Apple.

Mac OS X 10.5 Leopard utilizes Kerberos to make it easier to share services with other Macs.

Kerberos is a "single sign on" technology. When you connect to a Mac that supports Kerberos, just like any Mac OS X 10.5 Mac, you are granted a "ticket" that permits you to continue to use services on that machine, without re-authenticating, until your ticket expires.

For example, consider two Mac OS X 10.5-based Macs, named "laptop" and "family". "Family" has screen sharing and file sharing turned on. If "laptop" connects to one of the shared folders on "family", "laptop" can subsequently connect to screen sharing on "family" without having to supply login credentials again.

Between 10.5 clients, this Kerberos exchange is only attempted if you connect using Bonjour. For example, if you navigate to the Mac in Finder, or use Finder's Go menu to connect to server "my-machine.local".

Normally, once your computer has gained a Kerberos ticket in this manner, you should keep that Kerberos ticket until it expires.

If you want to manually remove your Kerberos ticket, you can do so using the Kerberos utility in Mac OS X 10.5:

  1. Open Keychain Access (in /Applications/Utilities).
  2. From the Keychain Access menu, choose Kerberos Ticket Viewer.
  3. In the Kerberos application's Ticket Cache window, find the key that looks like "yourusername@LKDC:SHA1..." followed by a long string of alphanumeric characters.
  4. Click "Destroy" to delete that key.


Published Date: Feb 20, 2012