User profile for user: David Lee
David Lee Author
User level: Level 2
431 points

Proxy server and Kerberos

Dear all,

Does anyone know if Mac OS X's proxy authentication is able to use Kerberos?

Thanks,

David Lee

All Apple Macs, Mac OS X (10.5.6)

Posted on Aug 11, 2010 7:24 AM

Reply
4 replies
User profile for user: Antonio Rocco
Antonio Rocco
User level: Level 6
12,404 points

Aug 11, 2010 7:55 AM in response to David Lee

Hi

That all depends on which Proxy Server is providing the authentication and how it's integrated into an SSO environment. Most Proxy Servers of my experience will be part of a Windows Active Directory Environment. I've yet to see one that allows SSO access that works on the mac. On a PC it appears to work as expected whenever I've looked. In other words the user does not have to re-authenticate when launching a browser. Same user on a mac does unless they've ticked the appropriate box in either the Proxy Tab or used Keychain Manager.

Tony
Reply
User profile for user: David Lee
David Lee Author
User level: Level 2
431 points

Aug 11, 2010 7:47 AM in response to Antonio Rocco

Thanks for the quick response.

Well it will be clearswift proxy server which is capable of being kerberised and currently work using NTLM and AD on pcs.

Before I bother someone to go and do the kerberos work I wanted to check that the mac proxy client (if there is such a thing) is cabable of authenticating through kerberos. The Macs are already using kerberos for other services (cifs, extensis font server, exchange) providing sso.

Do you know if the Network prefs and Safari are able to take kerberos?

Thanks,

David Lee
Reply
User profile for user: Antonio Rocco
Antonio Rocco
User level: Level 6
12,404 points

Aug 11, 2010 9:36 AM in response to David Lee

Hi

+"Do you know if the Network prefs and Safari are able to take kerberos?"+

AFAIK - No to both. As added extras Bonjour and SMB/CIFS can't be made Principals on the client OS either. For OSX Server the built in Samba Service can be made a Principal if OSX Server is 'bound' or 'Connected to a Directory System. The 'bind' or Directory System in this case being Active Directory. SMB/CIFS on OSX Server is basically equivalent to NT SP4.

It may be possible to 'hack' the OS and possibly Safari to support SSO? If there is a way I don't know of one. If you do find a way you potentially have problems with future OS updates as these would/could possibly undo the hack?

Tony
Reply
User profile for user: David Lee
David Lee Author
User level: Level 2
431 points

Aug 11, 2010 10:23 AM in response to Antonio Rocco

Ok thanks,

I didn't think I was going to get the proxy to single sign on.

This 'added extras' SMB stuff is a bit of a tangent to the original question and somewhat confusing.

Just in case anyone stumbles across this:

- A Mac OS X client can connect to an SMB/CIFS share with kerberos SSO.
- The SMB/CIFS Share can be on Windows Server or Mac OS X Server but the Mac OS X Server can require extra configuration. Windows ought to work out of the box. Even following the Small Bus Server wizards you will get this working.

Anyway, back to the original question.

I agree that a hack is not ideal but I wonder if there is any reputable middleware that can handle this. Something like Authoxy where I can configure the middleware to SSO and the configure the mac os proxy settings to talk to the middleware.

Any ideas anyone?

Thanks,

David Lee
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Proxy server and Kerberos

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up