How to enable Integrated Authentication on macOS and Linux using Kerberos
To use Integrated Authentication (aka Windows Authentication) on macOS or Linux, you need to set up a Kerberos ticket linking your current user to a Windows domain account. A summary of the key steps is included below.

Setup Kerberos on Mac
Requirements
Access to a Windows domain-joined machine in order to query your Kerberos Domain Controller
Run on: Windows command line
Action: nltest /dsgetdc:DOMAIN.COMPANY.COM (where “DOMAIN.COMPANY.COM” maps to your domain’s name)
Sample Output:
    DC: \\dc-33.domain.company.com
    Address: \\2111:4444:2111:33:1111:ecff:ffff:3333
    ...
    The command completed successfully
Information to extract: The DC name, in this case dc-33.domain.company.com
Run on: Mac
Action: Edit /etc/krb5.conf in an editor of your choice. Configure the following keys:

    [libdefaults]
      default_realm = DOMAIN.COMPANY.COM

    [realms]
    DOMAIN.COMPANY.COM = {
      kdc = dc-33.domain.company.com
    }

Then save the krb5.conf file and exit.
Note: Domain must be in ALL CAPS.
Run on: Mac
Action: Use the command kinit username@DOMAIN.COMPANY.COM to get a TGT from the KDC. You will be prompted for your domain password. Use klist to see the available tickets. If the kinit was successful, you should see a ticket from krbtgt/DOMAIN.COMPANY.COM@DOMAIN.COMPANY.COM.
Create a new connection profile.
Choose Integrated as the authentication type.
If all goes well and the steps above worked, you should be able to connect successfully!

Setup Kerberos on Linux
Step 0: Install krb5-user package
Run on: Linux
Action: sudo apt-get install krb5-user
Run on: Windows command line
Action: nltest /dsgetdc:DOMAIN.COMPANY.COM (where “DOMAIN.COMPANY.COM” maps to your domain’s name)
Sample Output:
    DC: \\dc-33.domain.company.com
    Address: \\2111:4444:2111:33:1111:ecff:ffff:3333
    ...
    The command completed successfully
Information to extract: The DC name, in this case dc-33.domain.company.com

Step 2: Configuring KDC in krb5.conf
Run on: Linux
Action: Edit /etc/krb5.conf in an editor of your choice. Configure the following keys:

    [libdefaults]
      default_realm = DOMAIN.COMPANY.COM

    [realms]
    DOMAIN.COMPANY.COM = {
      kdc = dc-33.domain.company.com
    }

Then save the krb5.conf file and exit.
Note: Domain must be in ALL CAPS.
Run on: Linux
Action: Use the command kinit username@DOMAIN.COMPANY.COM to get a TGT from the KDC. You will be prompted for your domain password. Use klist to see the available tickets. If the kinit was successful, you should see a ticket from krbtgt/DOMAIN.COMPANY.COM@DOMAIN.COMPANY.COM.

Step 4: Connect in VSCode
Create a new connection profile.
Choose Integrated as the authentication type.
If all goes well and the steps above worked, you should be able to connect successfully!
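
The krb5.conf and klist checks from the macOS and Linux steps above, as an added example that is not part of the original wiki page: shell functions (hypothetical names) that confirm default_realm is upper case, that the realm has a kdc entry, and that klist output contains the expected krbtgt ticket. It assumes `key = value` spacing in krb5.conf; the sample file is constructed from the values used above.

```shell
# Added example (not from the extension's docs); function names are hypothetical.

# Print default_realm from the [libdefaults] section of krb5.conf file $1.
krb5_default_realm() {
  awk '/^[ \t]*\[/ { sec = $1 }
       sec == "[libdefaults]" && $1 == "default_realm" { print $3; exit }' "$1"
}

# Print every kdc host configured for realm $2 in the [realms] section of $1.
krb5_kdcs() {
  awk -v realm="$2" '
    /^[ \t]*\[/ { sec = $1; inrealm = 0 }
    sec == "[realms]" && $1 == realm && $2 == "=" { inrealm = 1 }
    inrealm { for (i = 1; i <= NF - 2; i++)
                if ($i == "kdc" && $(i + 1) == "=") print $(i + 2) }
    inrealm && index($0, "}") { inrealm = 0 }' "$1"
}

# Return 0 if $1 is usable; 1 = no default realm, 2 = realm not upper case,
# 3 = no kdc entry for the default realm.
krb5_check() {
  _realm=$(krb5_default_realm "$1")
  [ -n "$_realm" ] || { echo "no default_realm in [libdefaults]"; return 1; }
  case "$_realm" in
    *[[:lower:]]*) echo "realm '$_realm' must be ALL CAPS"; return 2 ;;
  esac
  _kdcs=$(krb5_kdcs "$1" "$_realm")
  [ -n "$_kdcs" ] || { echo "no kdc for $_realm in [realms]"; return 3; }
  echo "ok: $_realm -> $_kdcs"
}

# Read klist output on stdin; succeed if it lists a TGT for realm $1.
has_tgt() {
  grep -qF "krbtgt/$1@$1"
}

# Constructed sample matching the configuration in the steps above.
sample=$(mktemp)
printf '%s\n' '[libdefaults]' '    default_realm = DOMAIN.COMPANY.COM' \
  '[realms]' '    DOMAIN.COMPANY.COM = {' \
  '        kdc = dc-33.domain.company.com' '    }' > "$sample"
krb5_check "$sample"
```

On a real machine, run `krb5_check /etc/krb5.conf` before kinit and `klist | has_tgt DOMAIN.COMPANY.COM` after it.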