This article provides example Kerberos scripts for both Microsoft® Windows® and Apple® macOS™ devices.
Kerberos authentication scripts provide a single sign-on solution for Windows and macOS devices which are members of an Active Directory® domain. The scripts are also compatible with applications which do not support an explicit proxy, or inline redirects.
You must amend the attached scripts to suit your organizational needs. Where text is in courier and italic
, replace those fields with the network appropriate host names, domain names, and so on.
Note: At the time of writing, error handling is not included in the scripts. Any errors will be ignored.
Prerequisites
- The Smoothwall Filter Guardian module must be installed and licensed.
- A Web proxy authentication policy must be in place.
- Both transparent and non-transparent policies are allowed.
- You can use any authentication method from the Web proxy > Authentication > Policy wizard that has "redirect" in the name, such as, Negotiate Kerberos/NTLM (via redirect).
- An SSL login redirect authentication policy can be used.
- Core authentication policies are also compatible.
For a detailed description of setting up Web proxy authentication policies, refer to our help topic, Creating Authentication Policies.
- A Smoothwall access rule must exist allowing access to the Kerberos Login (814) service: Adding new Smoothwall Access Rules.
- Windows 8.1 and above have a default delay of five minutes before running any logon scripts. It is recommended you change this to no more than ten seconds, otherwise users may be able to browse to the Internet unauthenticated.
- The Smoothwall appliance must use a fully qualified host name.
Considerations
- Client devices cannot be multi-homed, that is, connected to multiple LANs simultaneously, such as wired and wireless.
- Client devices cannot be dual-stacked, that is, have both IPv4 and IPv6 addresses in use
Note: The above two restrictions actually apply to all transparent authentication methods currently supported by Smoothwall.
- Smoothwalls located in a cluster need a different type of Kerberos script. For more information, contact Smoothwall Support.
For Windows Devices Deployments
- You must set
background_logon.vbs
as a logon script in a Group Policy Object (GPO), asbackground_logon.vbs
callslogon_loop.vbs
- Both scripts must be installed into the domain's NETLOGON share via the GPO Manager
- This share is replicated between all domain controllers, ensuring the scripts are always available
Download a copy of the Windows scripts
For macOS Devices Deployment
- If required, you can rename the
com.smoothwall.kerberoslogin.plist
script, replacingsmoothwall.kerberoslogin
with your own- For example,
com.mydomain.kerberosscript.plist
- If you do decide to rename the file, ensure you use the correct filename in the
mac-client
script
- For example,
- Both scripts must be installed on the client device as follows:
- Install the
mac-client
script to/usr/local/bin
- For client devices running an OS X version earlier than 10.11 or a macOS version earlier than 10.12, install the
com.smoothwall.kerberoslogin.plist
script to any permanent location that the logged in user can access - For client devices running OS X 10.11 or higher, or macOS 10.12 or higher, install the
com.smoothwall.kerberoslogin.plist
script to/Library/LaunchAgents
- Install the
This is due to Apple's Rootless or System Integrity Protection Feature. See their guidance here: About System Integrity Protection on your Mac
Due to a newer change of Apple the following is also required:
Mac OS X
Due to Apple’s System Integrity Protection, (SIP) edit permission to file.
Two files in the zip com.smoothwall.kerberoslogin.plist and mac-client.
Edit com.smoothwall.kerberoslogin.plist:
<array>
<string>/library/mac-client</string>
<string>http://smoothwall:814/</string>
</array>
Move plist file into a folder like /Library/LaunchAgents.
It needs the following permissions rw_-r_-r_ root wheel.
Move macclient file into /Library/ folder.
It needs the following permissions rw_-r_x-r_x root wheel.
Changing the permissions:
- Terminal login as su (requires root pw for the mac).
- sudo chown root:wheel Library/LaunchAgents/com.smoothwall.kerberoslogin.plist.
- sudo chmod 644 /Library/LaunchAgents/com.smoothwall.kerberoslogin.plist.
- sudo chown root:wheel /Library/mac-client.
- sudo chmod 755 /Library/mac-client.
Reboot the Mac and login as a domain user to test.
Test permissions:
- Terminal login as su.
- ls -al /Library/mac-client.
- ls -al /Library/LaunchAgents/com.smoothwall.kerberoslogin.
- We recommend distributing the scripts via your Mobile Device Management (MDM) system, or as part of the users' profiles.