macOS Big Sur and Kerberos SSO via Per-App Tunnel


It works!

If you’ve read my blogs about macOS Catalina Kerberos SSO over Per-App Tunnel and the followup, you’ll know that this has been a use-case I’m interested in solving. I put a great deal of effort into filing feedback with Apple and providing steps to replicate the issue. I was quite excited when I saw the per-app Tunnel improvements specifically mentioned in the WWDC videos, and hoped perhaps some changes were made to enable this functionality.

Remembering the Use-Cases

I sat down and re-hashed all the old use-cases I drew up for making this work:

  1. What if the new Kerberos SSO Extension in macOS BigSur was just another one of those applications that you redirected over a Tunnel?
  2. Could you, in theory, get Kerberos Tickets to an unbound (non-AD joined) Mac to use for authenticating internal websites over Per-App Tunnel?
  3. Could you use the Kerberos SSO Extension to sync your local (non-mobile) macOS User’s password with the on-prem AD password over Per-App Tunnel?
  4. Could you change your on-prem AD password remotely over Per-App Tunnel when it neared the expiration date?

Beta Testing Results

I ran through the same validation tests again and here’s what happened:

Testing ItemPer-App Tunnel
Kerberos Ticket Obtained over TunnelYes!
Password Expiration Date CorrectYes!
Extension Detects local PW different from ADYes!
User Change AD Password via Extension over TunnelYes!

Applicability to Workspace ONE

Internally, we had some discussion on why to use the SSO Extension instead of Cert-Based Auth with Workspace ONE Access (and Device Compliance). Honestly, I think these two solutions target drastically different use cases. First, the SSO Extension directly addresses password sync between a local (to macOS) user account and identity in Active Directory. Second, I see the SSO Extension as an easy way to enable SSO for internal web apps (such as those hosted on a Windows server in IIS). Since the authentication can be done by IIS, you can provide a single sign-on experience to those apps without needing to build-in SAML support (and subsequently Workspace ONE Access integration). With macOS leveraging the Unified Access Gateway for per-app tunnel, you can leverage compliance in Workspace ONE to remove the per-app VPN profile.

Next Steps

I’ll be continuing to test this and working with our internal Tunnel team. In the mean time, I’ve written up the steps in Deploying Workspace ONE Tunnel for macOS [TechZone]. I invite anyone beta testing Big Sur to try it out and send me feedback as to your experience!


See also