{"id":147181,"date":"2023-08-17T15:55:20","date_gmt":"2023-08-17T19:55:20","guid":{"rendered":"http:\/\/www.bu.edu\/tech\/?page_id=147181"},"modified":"2025-09-30T15:06:18","modified_gmt":"2025-09-30T19:06:18","slug":"macos-kerberos-single-sign-on-extension","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/tech\/services\/cccs\/desktop\/macos-kerberos-single-sign-on-extension\/","title":{"rendered":"macOS Kerberos Single Sign-on Extension"},"content":{"rendered":"<p>The Kerberos Single Sign-on Extension (SSO) facilitates password syncing and access to University systems. The extension works whenever the University&#8217;s directory is reachable, meaning password syncing can be accomplished from off-campus using the <a href=\"https:\/\/www.bu.edu\/tech\/services\/cccs\/remote\/vpn\/\">VPN<\/a>. FileVault and Keychain credential syncing is also more reliable than it was in the past.<\/p>\n<h2>Requirements<\/h2>\n<ul>\n<li>Your Mac must be enrolled in a Mobile Device Management (MDM) solution, such as Kandji, Jamf, or Intune.<\/li>\n<li>Password syncing requires you to be using a local account. Your local IT support can help determine if your account needs to be converted from a mobile account to a local one.<\/li>\n<\/ul>\n<h2>Getting Started<\/h2>\n<p>Initial setup of the Kerberos SSO Extension requires you to be connected to the BU network. When on campus, this means being connected to <a href=\"https:\/\/www.bu.edu\/tech\/services\/infrastructure\/networks\/wireless\/eduroam\/\">eduroam<\/a> with your BU login or the wired network. When off campus, you&#8217;ll need to use Cisco Secure Client to <a href=\"https:\/\/www.bu.edu\/tech\/services\/cccs\/remote\/vpn\/use\/\">connect to the BU VPN<\/a>. This should already be installed in your Mac&#8217;s Applications folder.<\/p>\n<h3>First Setup<\/h3>\n<p>When the extension detects that the BU network is available, a sign-in window should appear automatically. If not, you can click the key-shaped menu icon at the top right of your Apple menu bar and click &#8220;Sign In&#8221; to start the process.<\/p>\n<p><img loading=\"lazy\" src=\"\/tech\/files\/2023\/08\/kerb-sso-signin.png\" alt=\"Screenshot of the macOS Kerberos SSO extension menu item. The Sign In option is highlighted.\" width=\"173\" height=\"134\" class=\"wp-image-147183 aligncenter\" \/><\/p>\n<p>Enter your BU login name and Kerberos password in the prompt that appears, then click &#8220;Sign In.&#8221;<\/p>\n<p><img loading=\"lazy\" src=\"\/tech\/files\/2023\/08\/kerb-sso-user_pass-622x636.png\" alt=\"Screenshot of the extension's username and password prompt.\" width=\"332\" height=\"340\" class=\"wp-image-147184 aligncenter\" srcset=\"https:\/\/www.bu.edu\/tech\/files\/2023\/08\/kerb-sso-user_pass-622x636.png 622w, https:\/\/www.bu.edu\/tech\/files\/2023\/08\/kerb-sso-user_pass-768x785.png 768w, https:\/\/www.bu.edu\/tech\/files\/2023\/08\/kerb-sso-user_pass.png 908w\" sizes=\"(max-width: 332px) 100vw, 332px\" \/><\/p>\n<p>A Password Synchronization prompt will now appear. Enter your BU Kerberos password in the &#8220;Active Directory password&#8221; field, then your current Mac password. Once entered, click &#8220;Sync Password.&#8221;<\/p>\n<p><img loading=\"lazy\" src=\"\/tech\/files\/2023\/08\/kerb-sso-pass_sync-533x636.png\" alt=\"Screenshot of the extension's password synchronization prompt.\" width=\"338\" height=\"403\" class=\"wp-image-147185 aligncenter\" srcset=\"https:\/\/www.bu.edu\/tech\/files\/2023\/08\/kerb-sso-pass_sync-533x636.png 533w, https:\/\/www.bu.edu\/tech\/files\/2023\/08\/kerb-sso-pass_sync.png 748w\" sizes=\"(max-width: 338px) 100vw, 338px\" \/><\/p>\n<p>If there was a problem with one of the passwords you entered, the extension will tell you which one needs to be changed. Once successful, you&#8217;ll see a prompt confirming that your Mac and BU Kerberos password is now in sync.<\/p>\n<p><img loading=\"lazy\" src=\"\/tech\/files\/2023\/08\/kerb-sso-confirmation-533x636.png\" alt=\"Screenshot of a successful password sync, telling the user that they should use their Active Directory password to log into their mac moving forward.\" width=\"341\" height=\"407\" class=\" wp-image-147186 aligncenter\" srcset=\"https:\/\/www.bu.edu\/tech\/files\/2023\/08\/kerb-sso-confirmation-533x636.png 533w, https:\/\/www.bu.edu\/tech\/files\/2023\/08\/kerb-sso-confirmation.png 748w\" sizes=\"(max-width: 341px) 100vw, 341px\" \/><\/p>\n<p>So long as the BU network is reachable, the extension should remain active. If you are on the BU network but the extension isn&#8217;t working, you can return to the key-shaped menu icon and click &#8220;Reconnect.&#8221;<\/p>\n<p><img loading=\"lazy\" src=\"\/tech\/files\/2023\/08\/kerb-sso-reconnect.png\" alt=\"Screenshot of the Kerberos SSO Extension menu with the Reconnect option highlighted.\" width=\"243\" height=\"191\" class=\"wp-image-147187 aligncenter\" \/><\/p>\n<h2>Password Changes<\/h2>\n<p>The Kerberos SSO Extension will check for password changes in BU&#8217;s directory and on your Mac when it connects to the BU network. If it determines that your passwords are not in sync, you will be prompted to provide your Active Directory and Mac passwords again as you did during first setup.<\/p>\n<p>You can change your BU Kerberos password by clicking the key-shaped menu and selecting &#8220;Change Password\u2026.&#8221; You&#8217;ll be taken to <a href=\"https:\/\/www.bu.edu\/tech\/services\/security\/iam\/authentication\/kerberos\/kerberos\/reset\/\">our page on how to change your password<\/a> for further instructions.<\/p>\n<p><img loading=\"lazy\" src=\"\/tech\/files\/2023\/08\/kerb-sso-changepw.png\" alt=\"Screenshot of the Kerberos SSO Extension with Change Password option highlighted.\" width=\"233\" height=\"185\" class=\"wp-image-147188 aligncenter\" \/><\/p>\n<p>If the Kerberos SSO Extension has not prompted you for your updated password, you can force an update by clicking the key-shaped menu icon and clicking &#8220;Reconnect.&#8221;<\/p>\n<h3>Password Expiration<\/h3>\n<p>While the Kerberos SSO Extension shows that your password doesn&#8217;t expire, your password may expire based on information stored in systems that the Extension cannot access. If your password is expiring, you should receive additional information from IS&amp;T ahead of its expiration.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Kerberos Single Sign-on Extension (SSO) facilitates password syncing and access to University systems. The extension works whenever the University&#8217;s directory is reachable, meaning password syncing can be accomplished from off-campus using the VPN. FileVault and Keychain credential syncing is also more reliable than it was in the past. Requirements Your Mac must be enrolled&#8230;<\/p>\n","protected":false},"author":6864,"featured_media":0,"parent":12745,"menu_order":5,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/147181"}],"collection":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/users\/6864"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/comments?post=147181"}],"version-history":[{"count":4,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/147181\/revisions"}],"predecessor-version":[{"id":159879,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/147181\/revisions\/159879"}],"up":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/12745"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/media?parent=147181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}