Kerberos Authentication Scripts

Article #: KB-36

Product: All

Version: All

Summary:

This article provides example Kerberos scripts for both Microsoft® Windows® and Apple® macOS™ devices.

Kerberos authentication scripts provide a single sign-on solution for Windows and macOS devices that are members of an Active Directory® domain. Because the script authenticates the device to the Smoothwall independently of the browser, it also covers applications that do not support an explicit proxy or cannot follow inline redirects.

You must amend the attached scripts to suit your organization. Where text is shown in courier italics, replace those placeholder fields with the hostnames, domain names, and so on appropriate to your network.

Note: At the time of writing, the scripts contain no error handling; any error is ignored, so a failed login leaves the device unauthenticated without any warning to the user.

Solution:

Prerequisites

  • Guardian must be installed.
  • A Web proxy authentication policy must be in place.
    • Both transparent and non-transparent policies are allowed.
    • You can use any authentication method from the Web proxy > Authentication > Policy wizard that has "redirect" in its name, such as Negotiate Kerberos/NTLM (via redirect).
    • An SSL login redirect authentication policy can be used.
    • Core authentication policies are also compatible.

For a detailed description of setting up Web proxy authentication policies, refer to our help topic, Creating Authentication Policies.

  • A firewall rule must exist allowing client devices to reach the Kerberos Login (814) service on the Smoothwall.
  • Windows 8.1 and later delay logon scripts by five minutes by default. Reduce this to no more than ten seconds (Group Policy: Computer Configuration > Administrative Templates > System > Group Policy > Configure Logon Script Delay; the setting counts whole minutes, so enable it with a delay of 0 to run scripts immediately). Until the script runs the device is unauthenticated, and depending on the policy users may be able to browse the Internet unauthenticated.
  • The Smoothwall appliance must use a fully qualified hostname, because clients request a Kerberos service ticket for the appliance by that name.

Considerations

  • Client devices cannot be multi-homed, that is, connected to multiple LANs simultaneously, such as wired and wireless.
  • Client devices cannot be dual-stacked, that is, have both IPv4 and IPv6 addresses in use.

Note: These two restrictions apply to every transparent authentication method Smoothwall currently supports: a transparent session is bound to the single client IP address that authenticated, so traffic arriving from a second address (including the IPv6 address of a dual-stacked host) is treated as unauthenticated.

  • Smoothwalls located in a cluster need a different type of Kerberos script. For more information, contact your Smoothwall representative.

For Windows Devices Deployments

  • You must set background_logon.vbs as the logon script in a Group Policy Object (GPO), because background_logon.vbs calls logon_loop.vbs.
  • Both scripts must be placed in the domain's NETLOGON share via the GPO Manager.
    • This share is replicated between all domain controllers, ensuring the scripts are always available.

Download a copy of the Windows scripts

For macOS Devices Deployment

  • If required, you can rename the com.smoothwall.kerberoslogin.plist file, replacing smoothwall.kerberoslogin with your own label.
    • For example, com.mydomain.kerberosscript.plist
    • If you do rename the file, ensure you use the correct filename in the mac-client script.
  • Both scripts must be installed on the client device as follows:
    • Install the mac-client script to /usr/local/bin.
    • For client devices running an OS X version earlier than 10.11 or a macOS version earlier than 10.12, install the com.smoothwall.kerberoslogin.plist file in any permanent location that the logged-in user can access.
    • For client devices running OS X 10.11 or later, or macOS 10.12 or later, install the com.smoothwall.kerberoslogin.plist file in /Library/LaunchAgents.

This is because of Apple's System Integrity Protection ("rootless") feature, described in Apple's knowledge base article HT204899.

  • We recommend distributing the scripts via your Mobile Device Management (MDM) system, or as part of the users' profiles.

Download a copy of the macOS scripts
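The following is an added illustration of the macOS deployment described above and of the error-handling note earlier in this article; it is not Smoothwall's mac-client script or its plist. It shows a LaunchAgent plist of the kind installed in /Library/LaunchAgents, a single Kerberos login attempt that reports failure instead of ignoring it, and the re-authentication loop launchd keeps running. It assumes (the page does not say) that the Kerberos Login (814) service answers HTTPS with Negotiate at https://<fqdn>:814/; the hostname, label and interval are placeholders to replace with your own values, and the URL should match whatever the attached mac-client script actually uses.

```shell
#!/bin/sh
# Added example, not Smoothwall's mac-client: launchd-driven Kerberos login loop.
# Assumption: the Kerberos Login service (TCP 814) answers HTTPS with Negotiate
# at https://<fqdn>:814/. All values below are placeholders.

SMOOTHWALL_FQDN="${SMOOTHWALL_FQDN:-proxy.example.internal}"   # placeholder FQDN
LOGIN_URL="https://${SMOOTHWALL_FQDN}:814/"                     # assumed endpoint
AGENT_LABEL="${AGENT_LABEL:-com.smoothwall.kerberoslogin}"      # rename if you wish
CLIENT_PATH="/usr/local/bin/mac-client"                        # per the article
INTERVAL="${INTERVAL:-300}"                                    # seconds between logins

# Emit a LaunchAgent plist that starts the client at login and restarts it if
# it exits. Install it as /Library/LaunchAgents/<label>.plist on 10.11+/10.12+.
gen_launchagent_plist() {
  label="$1"; program="$2"
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>${label}</string>
  <key>ProgramArguments</key>
  <array><string>${program}</string><string>--run</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
EOF
}

# One login attempt. Returns 0 only on an HTTP 2xx, 2 when the user holds no
# valid TGT, 1 on any other failure; every failure is logged rather than ignored.
kerberos_login_once() {
  url="$1"
  # klist -s is silent and exits non-zero when the credential cache holds no
  # valid ticket (local account, KDC unreachable at logon, expired TGT).
  if ! klist -s 2>/dev/null; then
    echo "no valid Kerberos TGT in the credential cache" >&2
    return 2
  fi
  # --negotiate with an empty -u : makes curl do SPNEGO using the cached TGT.
  # No --insecure: the appliance certificate must be trusted by the client.
  code=$(curl --negotiate -u : --silent --show-error --max-time 15 \
              --output /dev/null --write-out '%{http_code}' "$url") || code=000
  case "$code" in
    2*) return 0 ;;
    *)  echo "login to ${url} failed (HTTP ${code})" >&2; return 1 ;;
  esac
}

# Re-authenticate periodically so the proxy session does not lapse; launchd
# restarts the loop (KeepAlive) if the process dies.
run_loop() {
  while :; do
    kerberos_login_once "$LOGIN_URL" || true
    sleep "$INTERVAL"
  done
}

case "${1:-}" in
  --run)   run_loop ;;
  --plist) gen_launchagent_plist "$AGENT_LABEL" "$CLIENT_PATH" ;;
esac
```

Install the script as /usr/local/bin/mac-client with mode 0755, then write the plist with `mac-client --plist > /Library/LaunchAgents/com.smoothwall.kerberoslogin.plist`, owned by root:wheel with mode 0644 (launchd ignores agent plists that are writable by other users). launchd loads it at the next login; the filename and the Label key must agree if you rename it.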

Attribution:

Last updated: 13th April 2017

Author: Samantha Nair

Contributions by:


Copyright © 2000-2016 Smoothwall All rights reserved.