How to enable Integrated Authentication on macOS and Linux using Kerberos
To use Integrated Authentication (aka Windows Authentication) on macOS or Linux, you need to set up a Kerberos ticket linking your current user to a Windows domain account. A summary of the key steps is included below.
Find Kerberos KDC (Key Distribution Center) configuration value.
Run on: Windows PC that is joined to your Active Directory Domain.
Start cmd.exe and run nltest.
nltest /dsgetdc:DOMAIN.COMPANY.COM (where “DOMAIN.COMPANY.COM” maps to your domain’s name)
Sample Output
DC: \\dc-33.domain.company.com
Address: \\2111:4444:2111:33:1111:ecff:ffff:3333
...
The command completed successfully
Copy the DC name which is the required KDC configuration value, in this case dc-33.domain.company.com
Action: Edit the /etc/krb5.conf in an editor of your choice. Configure the following keys:
sudo vi /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.COMPANY.COM
[realms]
DOMAIN.COMPANY.COM = {
kdc = dc-33.domain.company.com
}
Then save the krb5.conf file and exit
Note: Domain must be in ALL CAPS
Action:
- Use the command kinit username@DOMAIN.COMPANY.COM to get a TGT from KDC. You will be prompted for your domain password.
kinit username@DOMAIN.COMPANY.COM
- Use klist to see the available tickets. If the kinit was successful, you should see a ticket.
klist
krbtgt/DOMAIN.COMPANY.COM@DOMAIN.COMPANY.COM
- Create a new connection profile
- Choose Integrated as the authentication type
If all goes well and the steps above worked, you should be able to connect successfully!
Action: sudo apt-get install krb5-user
sudo apt-get install krb5-user
PS: you may need to run the following command first:
sudo apt update
Action: Edit the /etc/krb5.conf in an editor of your choice. Configure the following keys:
sudo vi /etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.COMPANY.COM
[realms]
DOMAIN.COMPANY.COM = {
kdc = dc-33.domain.company.com
}
Then save the krb5.conf file and exit
Note: Domain must be in ALL CAPS
Action:
- Use the command kinit username@DOMAIN.COMPANY.COM to get a TGT from KDC. You will be prompted for your domain password.
kinit username@DOMAIN.COMPANY.COM
- Use klist to see the available tickets. If the kinit was successful, you should see a ticket from krbtgt/DOMAIN.COMPANY.COM@DOMAIN.COMPANY.COM.
klist
- Create a new connection profile
- Choose Integrated as the authentication type
If all goes well and the steps above worked, you should be able to connect successfully!
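The checks implied by the steps above (realm in ALL CAPS, a kdc entry for that realm under [realms], a krbtgt ticket in the klist output) can be scripted before opening a connection profile. This is an added example, not part of the extension or its documentation; the function names default_realm, check_krb5_conf and has_tgt are hypothetical.

```shell
#!/bin/sh
# Added example: checks for the krb5.conf and klist steps described above.
# Function names are hypothetical; nothing here is part of the MSSQL extension.

# Print the default_realm value from a krb5.conf-style file.
default_realm() {
  awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Return 0 only if default_realm is set, is in ALL CAPS, and has a kdc
# entry in its block under [realms]. Return codes 1-3 name the failed check.
check_krb5_conf() {
  conf=$1
  realm=$(default_realm "$conf")
  [ -n "$realm" ] || { echo "no default_realm in $conf" >&2; return 1; }
  if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
    echo "realm '$realm' must be in ALL CAPS" >&2
    return 2
  fi
  awk -v realm="$realm" '
    /^[ \t]*\[/                                 { in_realms = ($0 ~ /\[realms\]/); in_block = 0; next }
    in_realms && $1 == realm && /=[ \t]*[{]/    { in_block = 1; next }
    in_block && /[}]/                           { in_block = 0 }
    in_block && /^[ \t]*kdc[ \t]*=[ \t]*[^ \t]/ { found = 1 }
    END { exit (found ? 0 : 1) }' "$conf" ||
    { echo "no kdc for $realm under [realms]" >&2; return 3; }
}

# Read klist output on stdin; succeed if it lists a TGT for realm $1.
has_tgt() {
  grep -Fq "krbtgt/$1@$1"
}

# After kinit, on the machine being configured:
#   check_krb5_conf /etc/krb5.conf && klist | has_tgt "$(default_realm /etc/krb5.conf)"
```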