Using Kerberos on Mac OS X

Using Kerberos on Mac OS X is quite simple although the tool is quite well hidden in the standard installation ( /System/Library/CoreServices/ or /System/Library/CoreServices/Ticket on 10.6) and the Kerberos tools itself has a few quirks (won't work properly until you create a certain file). Luckily MIT have created a package that solves these two problems - Mac OS X Kerberos Extras.

You should download Mac OS X Kerberos Extras and install.

Once installed the Kerberos tool will be available as a symbolic link to the actual location as /Applications/Utilities/ (pre 10.6) or /Applications/Utilities/Ticket (10.6). There will also be an example configuration file for Kerberos in /Library/Preferences/ is optionally installed by the installer but you don't need it - either deselect the checkbox that installs it, or delete after installation if it causes problems.

Using Kerberos on Mac OS X with DICE

Once you have installed Mac OS X Kerberos Extras start up the Kerberos tool (either or Ticket depending on system version (see above)). A window will pop up showing the Kerberos tickets you have (probably none at this point).

Simply click the New Icon ( Add Identity when using Ticket Viewer on 10.6) to bring up the login window then enter the following details:

Your DICE Username.
Your DICE password.

Then click Ok. On MacOS10 .6, you will only be asked only for your identity and password, for your identity you need to enter:


The ticket window will now list your active Informatics Kerberos ticket.

If you get a dialog box to the effect that "realm INF.ED.AC.UK is unknown", it may be because the MIT config file /Library/Preferences/ is blocking self-configuration. To fix this, try just deleting the MIT config file.

Once you have this ticket you can connect to Kerberised Informatics services such as SSH and IMAP without having to re-enter your username and password. Note that Kerberos tickets expire after a finite length of time (usually about 18 hours). Further details on the Informatics Kerberos service can be found in the Informatics Support Pages.

For Users That Have Entered Realm Details

The previous version of the Mac OS X Kerberos documentation instructed users to use the Edit -> Edit Realms... option to enter details of the Informatics Kerberos Realm this is not required and should be avoided. It is better to simply ensure that the Configure additional realms automatically using DNS option in this configuration dialog is enabled and allow the kerberos libraries to use DNS to automatically discover the required settings.

If you have already entered INF.ED.AC.UK Realm details simply delete them and follow the new instructions above.

Now you are Kerberised...

Why not add Cosign Single-signon capability to your browsers?

You can now also take advantage of OpenAFS : see AFSMacOSX for configuration details.

-- TobyBlake - 05 Oct 2010
-- GrahamDutton - 27 Jan 2010

Edit | Attach | Print version | History: r17 | r15 < r14 < r13 < r12 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r13 - 27 Aug 2011 - 20:58:23 - JamesCheney
SelfManaged.MacOSXKerberos moved from DatabaseGroup.MacOSXKerberos on 21 Sep 2005 - 01:15 by CarwynEdwards - put it back
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback
This Wiki uses Cookies