Kerberos Single Sign-on extension with Apple devices
The Kerberos Single Sign-on (Kerberos SSO) extension simplifies the process of acquiring a Kerberos ticket-granting ticket (TGT) from your organization’s on-premise Active Directory or other identity provider domain, allowing users to seamlessly authenticate to resources like websites, apps, and file servers.
Requirements for using the Kerberos SSO extension
To use the Kerberos SSO extension, you must have:
Devices managed with a mobile device management (MDM) solution with support for the Extensible Single Sign-on (SSO) configuration profile payload.
Access to the network where the on-premise Active Directory domain is hosted. This network access can be through Wi-Fi, Ethernet, or VPN.
An Active Directory domain using Windows Server 2008 or later. The Kerberos SSO extension isn’t intended for use with Microsoft Entra ID, which requires a traditional on-premise Active Directory domain.
The extension in iOS, iPadOS, and visionOS 1.1
In iOS, iPadOS, and visionOS 1.1, the Kerberos SSO extension is activated only after receiving an HTTP 401 Negotiate challenge. To save battery life, this extension doesn’t request Active Directory site codes or refresh a Kerberos TGT until challenged.
The Kerberos SSO extension features for iOS, iPadOS, and visionOS 1.1 include the following:
Authentication methods: Adds support for multiple different authentication methods including passwords and certificate identities (PKINIT). The certificate identity can be on a CryptoTokenKit smart card, an MDM-supplied identity, or the local keychain. The extension also supports changing the Active Directory password when the authentication dialog is showing or using a URL to a separate website.
Password expiration: Requests password expiration information from the domain immediately after authenticating, after password changes, and periodically during the day. This information is used to provide password expiration notifications and request new credentials if the user has changed their password on another device.
VPN support: Supports many different network configurations including various VPN technologies such as per-app VPN. If per-app VPN is used, the Kerberos SSO extension uses the per-app VPN only when the requesting app or website is configured to use it.
Domain reachability: Use an LDAP ping to the domain to request and then cache Active Directory site codes for the current network connection to the domain. It shares the site code with Kerberos requests for other processes and does this to preserve battery life. For more information, see the Microsoft documentation 6.3.3 LDAP Ping.
Negotiation challenges: Handles HTTP 401 Negotiate challenges for websites, NSURLSession requests, and background NSURLSession tasks.
The extension in macOS
In macOS, the Kerberos SSO extension proactively acquires a Kerberos TGT upon network state changes to ensure that the user is ready to authenticate when needed. The Kerberos SSO extension also helps your users manage their Active Directory accounts. Additionally, it allows users to change their Active Directory passwords and notifies them when a password is close to expiring. Users can also change their local account passwords to match their Active Directory passwords.
The Kerberos SSO extension should be used with an on-premise Active Directory domain. Devices don’t need to be joined to an Active Directory domain to use the Kerberos SSO extension. Additionally, users don’t need to log in to their Mac computers with Active Directory or mobile accounts; instead, Apple recommends using local accounts.
Users must authenticate to the Kerberos SSO extension. They can begin this process in any of several ways:
If the Mac is connected to the network where the Active Directory domain is available, the user is prompted to authenticate immediately after the Extensible SSO configuration profile is installed.
If the profile is already installed, whenever the Mac is connected to a network where the Active Directory domain is available, the user is immediately prompted to authenticate.
If Safari or any other app is used to access a website that accepts or requires Kerberos authentication, the user is prompted to authenticate.
The user can select the Kerberos SSO extension menu extra, then click Sign In.
The Kerberos SSO extension features for macOS include the following:
Authentication methods: The extension supports multiple different authentication methods including passwords and certificate identities (PKINIT). The certificate identity can be on a CryptoTokenKit smart card, an MDM-supplied identity, or the local keychain. The extension also supports changing the AD password when the authentication dialog is showing or using a URL to a separate website.
Password expiration: The extension requests password expiration information from the domain immediately after authenticating, after password changes, and periodically during the day. This information is used to provide password expiration notifications and request new credentials if the user has changed their password on another device.
VPN support: The extension supports many different network configurations, including VPN services, such as per-app VPN. If the VPN is a Network Extension VPN, it automatically triggers a connection when authenticating or changing passwords. In contrast, if the connection is a per-app VPN, the Kerberos SSO extension menu extra always shows that the network is available. That’s because it uses an LDAP ping to determine corporate network availability. When the per-app VPN disconnects, the LDAP ping reconnects it, resulting in what appears to be a continuous per-app VPN connection. In actuality, the Kerberos SSO extension has been triggered for Kerberos traffic on demand.
Add the following entries to your App to App Layer VPN Mapping to use the Kerberos SSO extension with per-app VPN:
com.apple.KerberosExtension using designated requirement identifier com.apple.KerberosExtension and anchor apple
com.apple.AppSSOAgent using designated requirement identifier com.apple.AppSSOAgent and anchor apple
com.apple.KerberosMenuExtra using designated requirement: identifier com.apple.KerberosMenuExtra and anchor apple
Domain reachability: The extension uses an LDAP ping to the domain to request, and then cache, AD Site codes for the current network connection to the domain. It does this to preserve battery life. It also shares the site code with Kerberos requests for other processes. For more information, see the Microsoft documentation 6.3.3 LDAP Ping.
Kerberos TGT refresh: The extension attempts to always keep your Kerberos TGT fresh. It does this by monitoring network connections and the Kerberos cache changes. When your corporate network is available and a new ticket is needed, it proactively requests a new one. If the user elects to sign in automatically, the extension seamlessly requests a new ticket until the user’s password expires. If the user doesn’t choose to sign in automatically, the user is prompted for credentials when their Kerberos credential expires—usually in 10 hours.
Password sync: The extension syncs the local account password with the Active Directory password. After the initial sync, it monitors the local and Active Directory account password change dates to determine if the account passwords are still in sync. It uses the dates instead of attempting a login to prevent locking out the local or AD account because of too many failed attempts.
Run scripts: The extension posts notifications when various events occur. These notifications can trigger scripts to execute to support extending the functionality. Notifications are sent instead of directly executing scripts because the Kerberos extension processes are sandboxed and the sandbox would help prevent the scripts from running. There is also a command line tool,
app-sso, that allows scripts to read the state of the extension and request common actions such as sign in.Menu extra: The extension includes a menu extra to allow the user to sign in, reconnect, change the password, sign out, and to view the connection status. The reconnect option always retrieves a new TGT and refreshes the password expiration information from the domain.
Account use
The Kerberos SSO extension doesn’t require that your Mac be bound to Active Directory or that the user be logged in to the Mac with a mobile account. Apple suggests you use the Kerberos SSO extension with a local account. The Kerberos SSO extension was specifically created to enhance Active Directory integration from a local account. However, should you choose to continue using mobile accounts, you can still use the Kerberos SSO extension. When used with mobile accounts:
Password sync won’t work. If you use the Kerberos SSO extension to change your Active Directory password and you’re logged in to your Mac with the same user account you’re using with the Kerberos SSO extension, password changes function as they do from the Users & Groups preference pane. But if you perform an external password change—meaning you change your password on a website, or your help desk resets it—the Kerberos SSO extension can’t bring your mobile account password back in sync with your Active Directory password.
Using a password change URL with the Kerberos extension is unsupported.