
How to enable Integrated Authentication on macOS and Linux using Kerberos

Arvind Ranasaria edited this page Sep 10, 2019 · 11 revisions

To use Integrated Authentication (aka Windows Authentication) on macOS or Linux, you need to set up a Kerberos ticket linking your current user to a Windows domain account. A summary of the key steps is included below.

Prerequisite: get the Kerberos Key Distribution Center (KDC) config

Find the Kerberos KDC (Key Distribution Center) configuration value.

Run on: a Windows PC that is joined to your Active Directory domain.

Start cmd.exe and run nltest.

nltest /dsgetdc:DOMAIN.COMPANY.COM (where “DOMAIN.COMPANY.COM” maps to your domain’s name)

Sample Output
DC: \\dc-33.domain.company.com
Address: \\2111:4444:2111:33:1111:ecff:ffff:3333
...
The command completed successfully

Copy the DC name, which is the required KDC configuration value; in this case, dc-33.domain.company.com.

Setup Kerberos on Mac

Step 1: Configuring KDC in krb5.conf

Action: Edit /etc/krb5.conf in an editor of your choice. Configure the following keys:

sudo vi /etc/krb5.conf

[libdefaults]
  default_realm = DOMAIN.COMPANY.COM
 
[realms]
DOMAIN.COMPANY.COM = {
   kdc = dc-33.domain.company.com
}

Then save the krb5.conf file and exit.

Note: The domain must be in ALL CAPS.

Step 2: Testing the Ticket Granting Ticket retrieval

Action:

  • Use the command kinit username@DOMAIN.COMPANY.COM to get a TGT from the KDC. You will be prompted for your domain password.
kinit username@DOMAIN.COMPANY.COM
  • Use klist to see the available tickets. If the kinit was successful, you should see a ticket from krbtgt/DOMAIN.COMPANY.COM@DOMAIN.COMPANY.COM.
klist

Step 3: Connect in VSCode

  • Create a new connection profile

  • Choose Integrated as the authentication type

If all goes well and the steps above worked, you should be able to connect successfully!

Setup Kerberos on Linux

Step 1: Install krb5-user package

Action: Install the krb5-user package with apt-get.

sudo apt-get install krb5-user

Step 2: Configuring KDC in krb5.conf

Action: Edit /etc/krb5.conf in an editor of your choice. Configure the following keys:

sudo vi /etc/krb5.conf

[libdefaults]
  default_realm = DOMAIN.COMPANY.COM
 
[realms]
DOMAIN.COMPANY.COM = {
   kdc = dc-33.domain.company.com
}

Then save the krb5.conf file and exit.

Note: The domain must be in ALL CAPS.
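The krb5.conf edits in the macOS and Linux sections can be checked before running kinit: default_realm must be upper case and must name a [realms] block that contains a kdc line. The script below is an added example, not part of the original wiki page; check_krb5_conf is a hypothetical helper name, and the sample files are constructed from the values shown above.

```shell
#!/usr/bin/env bash
# Added example. check_krb5_conf is a hypothetical helper, not part of any Kerberos package.

check_krb5_conf() {
  # $1: file to check (defaults to /etc/krb5.conf). Prints one line per problem
  # and returns non-zero if any problem was found.
  awk '
    /^[ \t]*[#;]/ || /^[ \t\r]*$/ { next }          # skip comments and blank lines
    { gsub(/^[ \t]+|[ \t\r]+$/, "") }               # trim surrounding whitespace
    /^\[.*\]$/ { section = substr($0, 2, length($0) - 2); realm = ""; next }
    section == "libdefaults" && /^default_realm[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); def = $0; next
    }
    section == "realms" && /=[ \t]*[{]$/ {          # "REALM = {" opens a realm block
      sub(/[ \t]*=.*$/, ""); realm = $0; seen[realm] = 1; next
    }
    section == "realms" && $0 == "}" { realm = ""; next }
    section == "realms" && realm != "" && /^kdc[ \t]*=/ { kdcs[realm]++ }
    END {
      if (def == "") { print "default_realm is not set"; bad++ }
      else {
        if (def != toupper(def)) { print "default_realm " def " is not upper case"; bad++ }
        if (!(def in seen)) { print "no [realms] entry named " def; bad++ }
        else if (!kdcs[def]) { print "realm " def " has no kdc line"; bad++ }
      }
      exit (bad > 0)
    }
  ' "${1:-/etc/krb5.conf}"
}

# Constructed sample files, built from the values shown on this page.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/good.conf" <<'EOF'
[libdefaults]
  default_realm = DOMAIN.COMPANY.COM

[realms]
DOMAIN.COMPANY.COM = {
   kdc = dc-33.domain.company.com
}
EOF
# Same file with only default_realm lower-cased: fails the case check and the realm lookup.
sed '/default_realm/s/DOMAIN.COMPANY.COM/domain.company.com/' "$demo_dir/good.conf" > "$demo_dir/bad.conf"

check_krb5_conf "$demo_dir/good.conf" && echo "good.conf: OK"
check_krb5_conf "$demo_dir/bad.conf" || echo "bad.conf: rejected"
```

Called with no argument, check_krb5_conf reads /etc/krb5.conf.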

Step 3: Testing the Ticket Granting Ticket retrieval

Action:

  • Use the command kinit username@DOMAIN.COMPANY.COM to get a TGT from the KDC. You will be prompted for your domain password.
kinit username@DOMAIN.COMPANY.COM
  • Use klist to see the available tickets. If the kinit was successful, you should see a ticket from krbtgt/DOMAIN.COMPANY.COM@DOMAIN.COMPANY.COM.
klist

Step 4: Connect in VSCode

  • Create a new connection profile

  • Choose Integrated as the authentication type

If all goes well and the steps above worked, you should be able to connect successfully!