The Kerberos Single Sign-on Extension (SSO) facilitates password syncing and access to University systems. The extension works whenever the University’s directory is reachable, meaning password syncing can be accomplished from off-campus using the VPN. FileVault and Keychain credential syncing is also more reliable than it was in the past.

Requirements

  • Your Mac must be enrolled in a Mobile Device Management (MDM) solution, such as Kandji, Jamf, or InTune.
  • Password syncing requires you to be using a local account. Your local IT support can help determine if your account needs to be converted from a mobile account to a local one.

Getting Started

Initial setup of the Kerberos SSO Extension requires you to be connected to the BU network. When on campus, this means being connected to eduroam with your BU login or the wired network. When off campus, you’ll need to use Cisco Secure Client to connect to the BU VPN. This should already be installed in your Mac’s Applications folder.

First Setup

When the extension detects that the BU network is available, a sign-in window should appear automatically. If not, you can click the key-shaped menu icon at the top right of your Apple menu bar and click “Sign In” to start the process.

Screenshot of the macOS Kerberos SSO extension menu item. The Sign In option is highlighted.

Enter your BU login name and Kerberos password in the prompt that appears, then click “Sign In.”

Screenshot of the extension's username and password prompt.

A Password Synchronization prompt will now appear. Enter your BU Kerberos password in the “Active Directory password” field, then your current Mac password. Once entered, click “Sync Password.”

Screenshot of the extension's password synchronization prompt.

If there was a problem with one of the passwords you entered, the extension will tell you which one needs to be changed. Once successful, you’ll see a prompt confirming that your Mac and BU Kerberos password is now in sync.

Screenshot of a successful password sync, telling the user that they should use their Active Directory password to log into their mac moving forward.

So long as the BU network is reachable, the extension should remain active. If you are on the BU network but the extension isn’t working, you can return to the key-shaped menu icon and click “Reconnect.”

Screenshot of the Kerberos SSO Extension menu with the Reconnect option highlighted.

Password Changes

The Kerberos SSO Extension will check for password changes in BU’s directory and on your Mac when it connects to the BU network. If it determines that your passwords are not in sync, you will be prompted to provide your Active Directory and Mac passwords again as you did during first setup.

You can change your BU Kerberos password by clicking the key-shaped menu and selecting “Change Password….” You’ll be taken to our page on how to change your password for further instructions.

Screenshot of the Kerberos SSO Extension with Change Password option highlighted.

If the Kerberos SSO Extension has not prompted you for your updated password, you can force an update by clicking the key-shaped menu icon and clicking “Reconnect.”

Password Expiration

While the Kerberos SSO Extension shows that your password doesn’t expire, your password may expire based on information stored in systems that the Extension cannot access. If your password is expiring, you should receive additional information from IS&T ahead of its expiration.