After successfully binding the Lion server to the Active Directory domain, consider implementing Kerberos on the server to provide single sign-on capability to your users. Doing away with the need for multiple passwords and authentications is called single sign-on. Kerberos is used by both Active Directory and Open Directory for authentication across various applications so that after a user logs in to the network, the user can access all network assets, such as file servers, for which she has permission without the need for further authentication. Single sign-on in Active Directory works by AD issuing a ticket when a user logs in to the domain. The ticket represents everything that the user can do. After you log in initially, all other authentication activities are handled automatically by the ticket.
Of course, for single sign-on to work for Mac clients on an Active Directory network, single sign-on must first be implemented in Active Directory. To implement Kerberos and SSO for Mac clients in an Active Directory domain, follow these steps:

1. Open Server Admin.
2. If necessary, connect to your Mac OS X Server by choosing Server→Connect and entering your server administrator username and password.
3. Click the triangle next to the server name and then select Open Directory.
4. Click the Settings icon in the toolbar.
5. Click the Kerberize button. The Kerberize the Open Directory Master dialog opens and requests authentication. The credential you enter must have administrator rights over the Kerberos domain. Contact your Active Directory administrator to gain the necessary rights.
6. Test that single sign-on is working properly by logging in as a user and attempting to access a resource to which the user has permission that’s managed by Active Directory. In a working deployment, access is granted without the need to reauthenticate.
How to login to kerberos from Mac OS X 10.4

Last revision July 11, 2013

You need to log in to kerberos first with your SUNet ID and password before you can connect from Mac OS X 10.4 to the, sesfs.stanford.edu.

System Requirements

Instructions on this page are only for Mac OS X version 10.4.11. They were last tested in 2010 and are not guaranteed to work! These instructions may work for versions of 10.4 prior to 10.4.11. Another page gives instructions for kerberos logins from. You must install the Kerberos for Macintosh Configuration Tool software package from the web site to make the correct kerberos settings on your computer. If you want to use the GUI interface to log in to kerberos, you must also install the Stanford Desktop Tools software package from the web site to get the Stanford Kerberos Login application.
If you can't find Stanford Kerberos Login on your computer or get it to work, you can run a command from the built-in Terminal application. That option will be described.

Login using Stanford Kerberos Login

Other programs on your computer, such as your email client, may also be configured to use kerberos authentication.
If you have already entered your SUNet ID and password today in the Authenticate to Kerberos window, your authentication should be good for at least 24 hours and you can skip this step. In that case, for connecting to file shares on sesfs.stanford.edu. Find Stanford Kerberos Login and open it.
It is typically located in the Applications folder. Stanford Kerberos Login will put up a login prompt window. If this window appears, but the Name:, Realm:, and Password: fields are not visible, click anywhere in the window and they will be revealed. Make sure the Realm: field says stanford.edu. The Name: field will be pre-filled with your account name from the Mac. Change it if necessary to be your SUNet ID name, and then type your SUNet ID password in the Password: field. Click on the OK button to submit your login. If you typed your name or password incorrectly, you will get a 'Kerberos Login Failed' message.
If you log in correctly the login window will simply disappear with no further messages. If you logged into kerberos successfully, for connecting to file shares on sesfs.stanford.edu.
If not, try the instructions below for kerberos login using the Terminal application.

Login using Terminal

This method uses the kerberos programs that are built-in to Mac OS X 10.3 and later versions. However, your computer must have the correct kerberos configuration. That is accomplished by installing the Kerberos for Macintosh Configuration Tool software package from the web site.
1. Open the Terminal application. It is usually found in the Utilities sub-folder of the Applications folder.
2. In the Terminal window that opens, type the command kinit followed by a space and your SUNet ID name with the @stanford.edu suffix. You must use your original SUNet ID, not one of your email aliases.
3. Press the Return key to run the command. It will then prompt you for your SUNet ID password.
4. Type your SUNet ID password and press the Return key.
If you typed your password incorrectly, you will get a 'Kerberos Login Failed' message and another prompt to try again. Remember that passwords are case-sensitive. Make sure that the Caps Lock key is not pressed down.
There is no further response if you log in correctly. Close the Terminal window when you are done, or if you give up because you can't remember your password! If you logged into kerberos successfully, for connecting to file shares on sesfs.stanford.edu.
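
Added example, not part of the original instructions: a shell check for the same Terminal that reads klist output and reports whether a ticket-granting ticket for the stanford.edu realm is already cached, so kinit is run only when needed. The sample listing is constructed in the MIT klist layout (an assumption about the output format), jdoe is a hypothetical SUNet ID, and the Expires column is not evaluated.

```sh
#!/bin/sh
# Added example: decide from `klist` output whether a kerberos login is needed.

EXPECTED_REALM="stanford.edu"   # realm named on this page

# Constructed sample in MIT-style klist layout; "jdoe" is a hypothetical SUNet ID.
sample_klist() {
cat <<'EOF'
Ticket cache: API:Initial default ccache
Default principal: jdoe@stanford.edu

Valid starting     Expires            Service principal
07/11/13 09:00:00  07/12/13 10:00:00  krbtgt/stanford.edu@stanford.edu
EOF
}

# Print the default principal found in the klist output on stdin.
default_principal() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# Succeed only if the listing on stdin has a default principal in realm $1
# and a ticket-granting ticket (krbtgt) for that realm.
# Realm names are case-sensitive, so the comparison is exact.
has_tgt_for_realm() {
    realm=$1
    listing=$(cat)
    principal=$(printf '%s\n' "$listing" | default_principal)
    case $principal in
        *@"$realm") ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$listing" |
        awk -v t="krbtgt/$realm@$realm" '$NF == t { found = 1 } END { exit !found }'
}

# Report the next step for SUNet ID $1, based on the klist output on stdin.
next_step() {
    if has_tgt_for_realm "$EXPECTED_REALM"; then
        echo "ticket present: skip kinit"
    else
        echo "no ticket: run kinit $1@$EXPECTED_REALM"
    fi
}

# Live use would be: klist 2>/dev/null | next_step yourid
sample_klist | next_step jdoe
```

Because expiry is not checked, a listed ticket that has already expired still needs a fresh kinit.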