Command line support—macOS
Administrators can use a command line tool called app-sso to control the Kerberos SSO extension and
access useful information. For example, they can use the tool to initiate sign-in, password changes, and
sign-out. It can also print useful information, such as the currently signed-in user, the computer's current
Active Directory site, the user's network home share, when the user's password expires, and a variety
of other useful information, in property list or JSON format. This information can be parsed and uploaded
to a Mac management solution for inventory and other purposes.
For more information on using app-sso, run "app-sso -h" in the Terminal app.
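The following is an added example, not part of the Apple documentation, of how the JSON that app-sso prints could be turned into an inventory record for a management solution. The flags used to call the tool (-j for JSON output, -i for information about a realm) and the key names in the sample JSON are assumptions for this example; confirm both against "app-sso -h" on a Mac, since the exact output depends on the macOS version.

```python
import json
import subprocess
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of the kind of JSON app-sso can print for the signed-in
# user. The key names are assumptions for this example, not a documented
# schema; adjust them to match what your version of app-sso emits.
SAMPLE_APP_SSO_JSON = """
{
  "user_name": "jappleseed",
  "realm": "AD.PRETENDCO.COM",
  "site_name": "Cupertino",
  "network_home": "smb://fileserver.ad.pretendco.com/home/jappleseed",
  "password_expires_date": "2024-06-30T09:00:00Z"
}
"""


def run_app_sso_info(realm: str) -> str:
    """Call app-sso on a Mac and return its JSON output as text.

    Assumed flags: -i <realm> prints the state for that realm, -j selects
    JSON output. Check `app-sso -h` before relying on them.
    """
    result = subprocess.run(
        ["/usr/bin/app-sso", "-j", "-i", realm],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def _parse_iso_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing Z is treated as UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_app_sso_info(json_text: str, now: Optional[str] = None) -> dict:
    """Turn app-sso JSON into a flat inventory record.

    Returns the fields a management solution would typically index plus
    `password_days_left`, computed from the expiry timestamp relative to
    `now` (ISO 8601 string; defaults to the current UTC time). Missing keys
    are tolerated and reported as None, because the output varies by version.
    """
    data = json.loads(json_text)
    now_dt = _parse_iso_utc(now) if now else datetime.now(timezone.utc)
    record = {
        "user": data.get("user_name"),
        "realm": data.get("realm"),
        "ad_site": data.get("site_name"),
        "home_share": data.get("network_home"),
        "password_days_left": None,
    }
    expires = data.get("password_expires_date")
    if expires:
        record["password_days_left"] = (_parse_iso_utc(expires) - now_dt).days
    return record


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a Mac you would
    # feed run_app_sso_info("AD.PRETENDCO.COM") into parse_app_sso_info.
    print(parse_app_sso_info(SAMPLE_APP_SSO_JSON))
```

A management agent would run this at inventory time and report the record; the password_days_left field is the one most often used to warn users before an expiry locks them out of network resources.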
Mobile accounts—macOS
The Kerberos SSO extension doesn't require that your Mac be bound to Active Directory or that the user
be logged in to the Mac with a mobile account. Apple suggests you use the Kerberos SSO extension
with a local account. Local accounts work best with the recommended deployment model for macOS
and are the best choice for today's Mac users, who may intermittently connect to your organization's
network. The Kerberos SSO extension was specifically created to enhance Active Directory integration
from a local account.
However, should you choose to continue using mobile accounts, you can still use the Kerberos SSO
extension. This feature has the following requirements:
• Password sync doesn't work with mobile accounts. If you use the Kerberos SSO extension to change
your Active Directory password and you're logged in to your Mac with the same user account you're
using with the Kerberos SSO extension, password changes function as they do from the Users & Groups
preference pane. But if you perform an external password change, meaning you change your password
on a website or your help desk resets it, the Kerberos SSO extension can't bring your mobile account
password back in sync with your Active Directory password.
• Using a password change URL with the Kerberos extension and a mobile account is unsupported.
Domain-realm mapping
An administrator may need to define a custom domain-realm mapping for Kerberos. For example, an
organization may have a Kerberos realm named "ad.pretendco.com," but may need to use Kerberos
authentication for resources in the "fakecompany.com" domain.
Note: The Kerberos implementation on Apple operating systems can automatically determine
domain-realm mapping in almost all situations. It is very rare for an administrator to customize these settings.
Domain-realm mapping can be configured for the Kerberos SSO extension by following these steps:
1. In the Custom Configuration section of the Extensible SSO profile, add an object called
domainRealmMapping. The object type should be Dictionary.
2. Set the key of this dictionary to the name of your realm in caps.
3. Set the value of this dictionary to be of type Array. The first value should be the name of your
Kerberos realm in lowercase, beginning with a period. The second value should be the name of the
domain needing to authenticate against this realm, again starting with a period. Add arrays as needed.
For further information, refer to the Kerberos documentation.
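As an added example, not part of the Apple documentation, the script below builds the domainRealmMapping dictionary exactly as the three steps describe (realm key in uppercase; array whose first entry is the realm in lowercase with a leading period, followed by each domain with a leading period), checks a candidate mapping against those rules so a typo does not silently disable Kerberos for a domain, and serializes it with plistlib in the form that would be pasted into the Custom Configuration section of the Extensible SSO profile. Placing extra domains as further entries of the same array is this example's reading of "Add arrays as needed".

```python
import plistlib


def _dotted_lower(name: str) -> str:
    """Lowercase a DNS name and ensure it begins with a period."""
    name = name.strip().lower()
    return name if name.startswith(".") else "." + name


def build_domain_realm_mapping(realm: str, domains) -> dict:
    """Build the domainRealmMapping dictionary for one realm.

    realm:   Kerberos realm, e.g. "ad.pretendco.com" (any case accepted).
    domains: DNS domains that must authenticate against that realm,
             e.g. ["fakecompany.com"].
    """
    key = realm.strip().lstrip(".").upper()
    entries = [_dotted_lower(realm)] + [_dotted_lower(d) for d in domains]
    return {key: entries}


def validate_domain_realm_mapping(mapping: dict) -> None:
    """Raise ValueError if the mapping breaks the format the steps describe."""
    if not isinstance(mapping, dict) or not mapping:
        raise ValueError("domainRealmMapping must be a non-empty dictionary")
    for realm, entries in mapping.items():
        if realm != realm.upper() or realm.startswith("."):
            raise ValueError(f"realm key must be uppercase with no leading period: {realm!r}")
        if not isinstance(entries, list) or not entries:
            raise ValueError(f"value for {realm} must be a non-empty array")
        expected_first = "." + realm.lower()
        if entries[0] != expected_first:
            raise ValueError(f"first entry for {realm} must be {expected_first!r}")
        for entry in entries:
            if len(entry) < 2 or not entry.startswith(".") or entry != entry.lower():
                raise ValueError(f"bad entry {entry!r}: lowercase with a leading period")


def is_valid_domain_realm_mapping(mapping: dict) -> bool:
    """Boolean form of the validator, convenient for scripted checks."""
    try:
        validate_domain_realm_mapping(mapping)
        return True
    except ValueError:
        return False


def custom_configuration_plist(mapping: dict) -> bytes:
    """Serialize a validated mapping as the Custom Configuration dictionary."""
    validate_domain_realm_mapping(mapping)
    return plistlib.dumps({"domainRealmMapping": mapping})


def mapping_from_plist(data: bytes) -> dict:
    """Read the mapping back out of a serialized Custom Configuration plist."""
    return plistlib.loads(data)["domainRealmMapping"]


if __name__ == "__main__":
    # Reproduces the page's example: realm ad.pretendco.com also serving
    # resources in fakecompany.com.
    mapping = build_domain_realm_mapping("ad.pretendco.com", ["fakecompany.com"])
    print(custom_configuration_plist(mapping).decode())
```

The validator is deliberately strict about case and the leading period: a key in the wrong case or an entry without the period is exactly the kind of mistake that is hard to spot in a profile and that leaves Kerberos falling back to automatic mapping for the affected domain.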