rterakedis / rterakedis.github.io

Personal blog and website for https://github.com/rterakedis
https://blog.euc-rt.me

post/macos-bigsur-kerberos-sso-over-vpn/ #6

Closed utterances-bot closed 6 months ago

utterances-bot commented 3 years ago

macOS Big Sur and Kerberos SSO via Per-App Tunnel - Robert Terakedis

It works!

https://blog.euc-rt.me/post/macos-bigsur-kerberos-sso-over-vpn/

Jeyper commented 3 years ago

Hello Robert, congrats on your blog! Great help for macOS management!

I had a problem with Kerberos SSO. On most enterprise networks and VPN clients it works fine, but with the VPN (WatchGuard) of a specific company I can't get it to work.

I opened all ports to the KDC (DCs) in the firewall. I can create a Kerberos token (with kinit on the console), I can add macOS to the domain, all OK... but when I try MDM Kerberos SSO, when logging in, after entering credentials nothing happens. No error message, only the SSO window closes. Off the VPN, on the company network, I can log in from the MDM Kerberos SSO window, so it is not a bad AD or profile config, it is a firewall problem.

I tried to get logs to see something, but it's insane! Do you know in which file of the sysdiagnose the AppSSO traces appear?

Best Regards

rterakedis commented 3 years ago

Hello @Jeyper!

If you're troubleshooting using a sysdiagnose, you want to keep the following in mind:

In other words, something along these lines:

log show --archive system_logs.logarchive --start "2020-10-06 00:47:00" --end "2020-10-06 00:48:49" --debug --predicate '(subsystem == "com.apple.Heimdal") OR (subsystem == "com.apple.AppSSO") OR (subsystem == "org.h5l.gss") OR (subsystem == "com.apple.network")'