Enable Kerberos SSO to on-premises Active Directory and Microsoft Entra ID Kerberos resources in Platform SSO
Mac users can join their new device to Microsoft Entra ID during the first-run out-of-box experience (OOBE). Platform single sign-on (PSSO) is a macOS capability that is enabled through the Microsoft Enterprise Single Sign-on Extension. PSSO lets users sign in to a Mac with a hardware-bound key, a smart card, or their Microsoft Entra ID password.
This tutorial shows you how to configure Platform SSO to support Kerberos-based SSO to on-premises and cloud resources, in addition to SSO to Microsoft Entra ID. Kerberos SSO is an optional capability within Platform SSO, but it's recommended if users still need to access on-premises Active Directory resources that use Kerberos for authentication.
Prerequisites
- macOS 14.6 Sonoma or later.
- Microsoft Intune Company Portal version 5.2408.0 or later
- A Mac device enrolled in mobile device management (MDM).
- A configured SSO extension MDM payload with Platform SSO settings by an administrator, already deployed to the device. Refer to the Platform SSO documentation or Intune deployment guide if Intune is your MDM.
- Deploy Microsoft Entra Kerberos, which is required for some Kerberos capabilities in on-premises Active Directory. Refer to the Cloud Kerberos trust deployment guide for Windows Hello for Business for more details or refer directly to the Cloud Kerberos trust configuration instructions to begin the setup. If you have already deployed Windows Hello for Business with Cloud Kerberos trust or passwordless security key sign-in for Windows, then this step has already been completed.
Set up your macOS device
Refer to the Microsoft Entra ID macOS Platform SSO documentation to learn how to configure and deploy Platform SSO. Platform SSO should be deployed on Enterprise-managed Macs regardless of whether you choose to deploy Kerberos SSO using this guide.
Kerberos SSO MDM profile configuration
You must configure a Kerberos SSO MDM profile. Use the following settings, replacing every reference to contoso.com and Contoso with the proper values for your environment. Leave the remaining values (the windows.net and MICROSOFTONLINE.COM host entries, the Realm, and the ExtensionIdentifier) exactly as they appear in the template that follows the table:
Configuration Key | Recommended Value | Note |
---|---|---|
preferredKDCs | <string>kkdcp://login.microsoftonline.com/contoso.com/kerberos</string> | Replace contoso.com with one of your tenant's verified domains or your tenant's GUID |
Hosts | <string>contoso.com</string> | Replace contoso.com with your on-premises domain/forest name |
Hosts | <string>*.contoso.com</string> | Replace contoso.com with your on-premises domain/forest name. Keep the leading *. before your domain/forest name |
PayloadOrganization | <string>Contoso</string> | Replace Contoso with the name of your organization |
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>ExtensionData</key>
<dict>
<key>allowPasswordChange</key>
<true/>
<key>allowPlatformSSOAuthFallback</key>
<true/>
<key>performKerberosOnly</key>
<true/>
<key>pwReqComplexity</key>
<true/>
<key>syncLocalPassword</key>
<true/>
<key>usePlatformSSOTGT</key>
<true/>
<key>preferredKDCs</key>
<array>
<string>kkdcp://login.microsoftonline.com/contoso.com/kerberos</string>
</array>
</dict>
<key>ExtensionIdentifier</key>
<string>com.apple.AppSSOKerberos.KerberosExtension</string>
<key>Hosts</key>
<array>
<string>contoso.com</string>
<string>*.contoso.com</string>
<string>windows.net</string>
<string>*.windows.net</string>
<string>KERBEROS.MICROSOFTONLINE.COM</string>
<string>MICROSOFTONLINE.COM</string>
<string>*.MICROSOFTONLINE.COM</string>
</array>
<key>PayloadDisplayName</key>
<string>Single Sign-On Extensions Payload</string>
<key>PayloadIdentifier</key>
<string>1aaaaaa1-2bb2-3cc3-4dd4-5eeeeeeeeee5C</string>
<key>PayloadType</key>
<string>com.apple.extensiblesso</string>
<key>PayloadUUID</key>
<string>1aaaaaa1-2bb2-3cc3-4dd4-5eeeeeeeeee5</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Realm</key>
<string>KERBEROS.MICROSOFTONLINE.COM</string>
<key>TeamIdentifier</key>
<string>apple</string>
<key>Type</key>
<string>Credential</string>
<key>URLs</key>
<array/>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>Kerberos SSO Extension for macOS</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>2bbbbbb2-3cc3-4dd4-5ee5-6ffffffffff6</string>
<key>PayloadOrganization</key>
<string>Contoso</string>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2bbbbbb2-3cc3-4dd4-5ee5-6ffffffffff6</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
After you have updated the template with the proper values for your environment, save it from a text editor with the .mobileconfig file extension (for example, kerberos.mobileconfig).
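The template is easy to get subtly wrong by hand (a leftover contoso.com, a dropped wildcard host, a profile scoped to the user instead of the device). The following script is an added example, not Microsoft's or Apple's code: it generates the profile above with your values substituted and lints the result before you upload it to your MDM. The fabrikam.example and corp.fabrikam.example names are constructed placeholders, and the UUIDs are generated per run.

```python
"""Build and lint a Kerberos SSO mobileconfig for Platform SSO.

Added example (not Microsoft's or Apple's code). Mirrors the template above;
the fabrikam.example names used in main are constructed placeholders.
"""
import plistlib
import uuid

KERBEROS_EXTENSION_ID = "com.apple.AppSSOKerberos.KerberosExtension"
CLOUD_REALM = "KERBEROS.MICROSOFTONLINE.COM"
# Fixed host entries from the template; they must survive customization.
CLOUD_HOSTS = ["windows.net", "*.windows.net", CLOUD_REALM,
               "MICROSOFTONLINE.COM", "*.MICROSOFTONLINE.COM"]


def build_kerberos_mobileconfig(tenant: str, ad_domain: str, org: str) -> bytes:
    """XML plist bytes with tenant (domain or GUID), AD domain and org substituted."""
    payload_uuid, profile_uuid = (str(uuid.uuid4()).upper() for _ in range(2))
    sso_payload = {
        "ExtensionData": {
            "allowPasswordChange": True,
            "allowPlatformSSOAuthFallback": True,
            "performKerberosOnly": True,
            "pwReqComplexity": True,
            "syncLocalPassword": True,
            "usePlatformSSOTGT": True,
            "preferredKDCs": [f"kkdcp://login.microsoftonline.com/{tenant}/kerberos"],
        },
        "ExtensionIdentifier": KERBEROS_EXTENSION_ID,
        "Hosts": [ad_domain, f"*.{ad_domain}"] + CLOUD_HOSTS,
        "PayloadDisplayName": "Single Sign-On Extensions Payload",
        "PayloadIdentifier": payload_uuid,
        "PayloadType": "com.apple.extensiblesso",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "Realm": CLOUD_REALM,
        "TeamIdentifier": "apple",
        "Type": "Credential",
        "URLs": [],
    }
    profile = {
        "PayloadContent": [sso_payload],
        "PayloadDescription": "",
        "PayloadDisplayName": "Kerberos SSO Extension for macOS",
        "PayloadEnabled": True,
        "PayloadIdentifier": profile_uuid,
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def lint_kerberos_mobileconfig(data: bytes) -> list:
    """Return a list of problems found; an empty list means the checks pass."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    problems = []
    if b"contoso" in data.lower():
        problems.append("placeholder 'contoso' is still present; substitute your values")
    if profile.get("PayloadScope") != "System":
        problems.append("PayloadScope must be System (device-level profile)")
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.extensiblesso"]
    if len(payloads) != 1:
        return problems + ["expected exactly one com.apple.extensiblesso payload"]
    p = payloads[0]
    if p.get("ExtensionIdentifier") != KERBEROS_EXTENSION_ID or p.get("TeamIdentifier") != "apple":
        problems.append("payload must target Apple's Kerberos extension (TeamIdentifier apple)")
    if p.get("Type") != "Credential" or p.get("Realm") != CLOUD_REALM:
        problems.append(f"Type must be Credential and Realm must be {CLOUD_REALM}")
    ext = p.get("ExtensionData", {})
    if not any(k.startswith("kkdcp://login.microsoftonline.com/") and k.endswith("/kerberos")
               for k in ext.get("preferredKDCs", [])):
        problems.append("preferredKDCs lacks the login.microsoftonline.com KKDCP URL")
    for key in ("usePlatformSSOTGT", "performKerberosOnly"):
        if ext.get(key) is not True:
            problems.append(f"ExtensionData.{key} should be true")
    hosts = p.get("Hosts", [])
    ad_hosts = [h for h in hosts if h not in CLOUD_HOSTS]
    if {h.startswith("*.") for h in ad_hosts} != {True, False}:
        problems.append("Hosts needs both the bare AD domain and its *. wildcard")
    missing = [h for h in CLOUD_HOSTS if h not in hosts]
    if missing:
        problems.append(f"Hosts is missing required cloud entries: {missing}")
    return problems


if __name__ == "__main__":
    data = build_kerberos_mobileconfig("fabrikam.example", "corp.fabrikam.example", "Fabrikam")
    with open("kerberos.mobileconfig", "wb") as f:
        f.write(data)
    print("\n".join(lint_kerberos_mobileconfig(data)) or "kerberos.mobileconfig passes lint")
```

Run it once with your own tenant domain (or tenant GUID), AD forest name and organization name; the linter can also be pointed at a hand-edited kerberos.mobileconfig by reading the file into bytes and calling lint_kerberos_mobileconfig on it. The checks are intentionally narrow: they confirm the keys the article says matter, and do not validate that the KKDCP endpoint or your domain controllers are reachable.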
Intune configuration steps
If you use Intune as your MDM, you can perform the following steps to deploy the profile. Make sure you follow the previous instructions about replacing contoso.com values with the proper values for your organization.
- Sign in to the Microsoft Intune admin center.
- Select Devices > Configuration > Create > New policy.
- Enter the following properties:
- Platform: Select macOS.
- Profile type: Select Templates.
- Choose the Custom template and select Create.
- In Basics, enter the following properties:
- Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, name the policy macOS - Platform SSO Kerberos.
- Description: Enter a description for the policy. This setting is optional, but recommended.
- Select Next.
- Enter a name in the Custom configuration profile name box.
- Choose a Deployment channel. Device channel is recommended.
- Click the folder icon to upload your Configuration profile file. Choose the kerberos.mobileconfig file you saved previously after customizing the template.
- Select Next.
- In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. Select Next.
- For more information about scope tags, see Use RBAC roles and scope tags for distributed IT.
- In Assignments, select the users or user groups that will receive your profile. Platform SSO policies are user-based policies. Don't assign the platform SSO policy to devices.
- For more information on assigning profiles, see Assign user and device profiles.
- Select Next.
- In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
The next time the device checks for configuration updates, the settings you configured are applied.
Testing Kerberos SSO
Once the profile has been assigned to the device, you can check that your device has Kerberos tickets by running the following command in the Terminal app:
app-sso platform -s
The output should list two Kerberos tickets: one for your on-premises AD with a ticketKeyPath value of tgt_ad, and one for your Microsoft Entra ID tenant with a ticketKeyPath value of tgt_cloud. The output should resemble the following:
Validate your configuration is working by testing with appropriate Kerberos-capable resources:
- Test on-premises Active Directory functionality by accessing an AD-integrated file server using Finder or an AD-integrated web application using Safari. The user should be able to reach the resource without being challenged for interactive credentials.
- Test Microsoft Entra Kerberos functionality by accessing an Azure Files share enabled for Microsoft Entra Kerberos authentication. The user should be able to access the file share without being challenged for interactive credentials. Refer to this guide if you need to configure a cloud file share in Azure Files.
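To turn the app-sso platform -s check above into something you can run across a fleet rather than eyeball once, the following script is an added example (not Apple's or Microsoft's tooling). It assumes only what the article states, that each ticket carries a ticketKeyPath value of tgt_ad or tgt_cloud, and matches that field however the command renders it; the SAMPLE text is constructed for the self-test and is not real app-sso output.

```python
"""Check `app-sso platform -s` output for the two Platform SSO Kerberos TGTs.

Added example, not Apple's or Microsoft's tooling. Assumes only that each
ticket carries a ticketKeyPath of tgt_ad (on-premises AD) or tgt_cloud
(Microsoft Entra ID). SAMPLE is constructed for the self-test, not real output.
"""
import re
import subprocess
import sys

EXPECTED_TGTS = {"tgt_ad": "on-premises Active Directory",
                 "tgt_cloud": "Microsoft Entra ID"}
# Tolerant of JSON ("ticketKeyPath" : "tgt_ad"), plist-style (ticketKeyPath = tgt_ad;)
# or key: value rendering of the field.
_TICKET_RE = re.compile(r"ticketKeyPath\W+(tgt_[A-Za-z0-9_]+)")

SAMPLE = """
  ticketKeyPath = tgt_ad;
  ticketKeyPath = tgt_cloud;
"""


def find_tgts(output: str) -> set:
    """Set of ticketKeyPath values found in app-sso output."""
    return set(_TICKET_RE.findall(output))


def missing_tgts(output: str) -> list:
    """One line per expected TGT that is absent from the output."""
    present = find_tgts(output)
    return [f"missing {path} ({realm} TGT)"
            for path, realm in EXPECTED_TGTS.items() if path not in present]


def check_device() -> int:
    """Run app-sso on this Mac; return 0 only if both TGTs are present."""
    try:
        result = subprocess.run(["app-sso", "platform", "-s"],
                                capture_output=True, text=True, check=False)
    except FileNotFoundError:
        print("app-sso not found; run this on the enrolled Mac", file=sys.stderr)
        return 2
    problems = missing_tgts(result.stdout + result.stderr)
    for line in problems:
        print(line, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(check_device())
```

A non-zero exit code distinguishes the two failure modes a helpdesk cares about: only tgt_cloud present usually means the on-premises Hosts or preferredKDCs entries are wrong or the domain controllers are unreachable, while only tgt_ad present points at Microsoft Entra Kerberos not being deployed or the KKDCP URL carrying the wrong tenant.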