Kerberos Extensible Single Sign-on (iOS)
Kerberos Extensible Single Sign-on (SSO) allows users to authenticate once and access multiple resources without having to re-enter their credentials.
Kerberos Extensible SSO authentication features include mutual authentication, ticket-based authentication, and encryption of authentication messages. These features help mitigate security threats and protect against credential theft and related attacks.
Do this when:
Details

| Setting | Description |
| --- | --- |
| Realm | The IP address or hostname of the domain or administrative network partition that shares a common security policy and authentication database. |
| Add Host Names | Select Add to identify each host or domain name the app extension can authenticate through. |
Extension Data

| Setting | Description |
| --- | --- |
| Principal Name | The principal username. Do not include the realm. |
| Site Code | The URL of the Active Directory site used by the Kerberos extension. |
| Certificate | The Public Key Cryptography for Initial Authentication (PKINIT) certificate for renewing the Kerberos credential. |
| Allow Automatic Login | Turn on to allow automatic logins. When disabled, passwords cannot be saved to the keychain. |
| Is Default Realm | Sets this realm as the default when more than one Kerberos extension is configured. |
| Require User Presence | Turn on to require the user to provide Touch ID, Face ID, or their passcode before a keychain entry can be accessed. |
| Use Site Auto-Discovery | Turn on to allow the Kerberos extension to use LDAP and DNS to determine its AD site name. |
| Add Preferred KDCs | Select Add to identify each Key Distribution Center (KDC) that handles Kerberos traffic. The list is ordered by preference. |
| Add Credential Bundle ID ACL | Identify each bundle ID allowed to access the Ticket Granting Ticket (TGT). You may add them individually or import them from a CSV file. To add bundle IDs individually, select Add and enter each bundle ID. To add multiple bundle IDs from a CSV file, select Import and locate your CSV file; Add Credential Bundle ID ACL then lists the applications from the file. Note: Each line of the CSV file must be in the format "Application Bundle Identifier,Application Name". Important: Validate that all applications are present. Missing applications may indicate a problem with your CSV file. |
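The Credential Bundle ID ACL controls which apps may read the TGT, so a malformed CSV that silently drops an entry is worth catching before the profile ships. The script below is an added example, not part of the original page or the vendor's tooling: it parses a CSV in the "Application Bundle Identifier,Application Name" format described above, reports rows that would not import, and emits the de-duplicated ACL as a plist fragment. The sample CSV is constructed, and the `credentialBundleIdACL` key name and its wrapping dictionary are assumptions about the payload layout.

```python
import csv
import io
import plistlib

# Constructed sample CSV in the page's "Application Bundle Identifier,Application Name"
# format. The blank line, the row with no identifier and the duplicate are deliberate,
# to show what the validation step reports.
SAMPLE_CSV = """\
com.example.mail,Example Mail
com.example.files,Example Files

,Broken Row Without Identifier
com.example.mail,Duplicate Of Mail
"""


def parse_bundle_id_csv(text):
    """Return (accepted_bundle_ids, rejected_rows).

    Accepted IDs are de-duplicated in first-seen order. Rejected rows carry their
    1-based line number so a missing application can be traced back to the CSV,
    which is the check the page asks for after import.
    """
    accepted, rejected, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue  # blank line: nothing to import
        bundle_id = row[0].strip()
        # Bundle IDs are reverse-DNS style: at least one dot and no whitespace.
        if not bundle_id or " " in bundle_id or "." not in bundle_id:
            rejected.append((lineno, "missing or malformed bundle identifier"))
            continue
        if bundle_id in seen:
            rejected.append((lineno, "duplicate of an earlier row"))
            continue
        seen.add(bundle_id)
        accepted.append(bundle_id)
    return accepted, rejected


def build_acl_plist(bundle_ids):
    """Serialise the ACL as the Extension Data fragment (key name assumed)."""
    return plistlib.dumps({"credentialBundleIdACL": list(bundle_ids)})


if __name__ == "__main__":
    ids, problems = parse_bundle_id_csv(SAMPLE_CSV)
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
    print(build_acl_plist(ids).decode())
```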