macOS Catalina Kerberos SSO over VPN Followup


I've been going back and forth with Apple about some of the issues I previously found using the macOS Catalina Kerberos SSO over Per-App VPN. As it turns out, they acknowledged some of the issues I was seeing and are supposedly working on a fix. I've been watching the past few beta releases for macOS, and I've not yet seen anything in the release notes to indicate they've implemented any fixes.

Partial Workaround

In the meantime, they did offer up a partial workaround. It would seem some of the functionality in the Kerberos SSO extension in macOS Catalina is based on the MIT library built-in to macOS. If you remember from the last post, one of the problems that I saw was an inability to change the user's AD password over per-App VPN. Doing so gave me a warning “Password Change Failed. Configuration file does not specify default realm”. This didn't really make sense as you're required to specify the realm in the Kerberos SSO extension MDM payload, and I could confirm that the parameter was being included in the XML for the payload.

Apple offered up that to get around that issue, we had to create an /etc/krb5.conf file and add the following two lines in it:

2 default_realm = EXAMPLE.ORG 

I was also instructed to run pkill -9 KerberosExtension to kill the Kerberos Extension to ensure it reloaded the configuration and read the krb5.conf file.

Results Post-Workaround

I ran through the same validation tests again and here's what happened:

Testing Item Per-App VPN (Tunnel) GlobalProtect (VPN)
Kerberos Ticket Obtained over VPN Yes! Yes!
Password Expiration Date Correct No! No!
Extension Detects local PW different from AD No! Yes!
User Change AD Password via Extension over VPN Yes! Yes!

Apple also instructed me to continue testing and capture logs using the following procedure:

  1. Enable the necessary debug modes by running:
1$ sudo log config --mode "level:debug,persist:debug" --subsystem
2$ sudo log config --mode "level:debug,persist:debug" --subsystem
3$ sudo log config --mode "level:debug,persist:debug" --subsystem org.h5l.gss
  1. run pkill -9 KerberosExtension AppSSOAgent KerberosMenuExtra
1$ pkill -9 KerberosExtension AppSSOAgent KerberosMenuExtra
  1. Reproduce the issue.
  2. Gather and send us a sysdiagnose (sudo sysdiagnose).
  3. Please also note the timestamps.
  4. To reset the logs run:
1$ sudo log config --subsystem --reset
2$ sudo log config --subsystem --reset
3$ sudo log config --subsystem org.h5l.gss --reset

Next Steps

I'll be continuing to test this and working with our internal Tunnel team. I'm hoping to get Apple additional information so they can see what is causing the remaining issues. I'm excited to get this working and having the ability to leverage this Extension while off-network. Feel free to leave comments below!