How Single Sign-On Authentication Works in Lion Server - dummies

How Single Sign-On Authentication Works in Lion Server

By John Rizzo

Mac OS X Kerberos single sign-on authentication is a secure and painless way to connect to loads of unique, broad ranging Lion services when it’s set up as an Open Directory master.

If a user needs to connect to many unique services, he could send a username and password to each service, opening a path for an evildoer to intercept and crack your password. The more secure alternative is to use Kerberos single sign-on authentication, in which the user enters a password once and gets access to all services.

With Kerberos enabled, the password is never transmitted over the network. Instead, a ticketing system issues encrypted tokens called tickets and authenticates you once (usually from the Mac OS X login window), and subsequent tickets allow access to other shared services.

Think of Kerberos as spending the day visiting a popular amusement park. The first thing you do when you arrive at the park is buy a pass. This pass is your Kerberos ticket granting ticket (TGT), issued by the Kerberos Key Distribution Center (KDC) when you log in to Mac OS X on a shared directory.

At the park, you pay the entry fee and access the grounds all day. Users log in once and get access to the whole park. However, the pass doesn’t automatically mean that you can jump on any ride or that you get hot dogs and popcorn. You still need to queue for each ride and pay for your snacks.

In Kerberos, your TGT is presented when accessing a service, such as file sharing or e-mail. The KDC creates a new service ticket that your client uses to authenticate to the service. But the user isn’t presented with a login screen after that first login.

When the park closes, your pass is not good for the next day. In Kerberos, when you log out, the TGT and service tickets are destroyed. Should anyone have managed to figure out how to break in to the ticket system, TGTs are good for a set period of time only: ten hours after the login to Mac OS X Server. And the Kerberos tickets are stored in RAM, not the hard drive.

Mac OS X Server is easy to set up as a KDC; when you set it up as an Open Directory master, a KDC is set up automatically. Open Directory can also make use of another KDC running on another server, such as an Active Directory domain controller. In Mac OS X, you can view, create, and destroy TGTs by using the Ticket Viewer application found in /System/Library/CoreServices.


View TGTs and service tickets for the current user by typing klist in Terminal and pressing Return. Here’s an example of what you might see:

client:~ lianabare$ klist
Default principal: lianabare@MASTER.EXAMPLE.COM
Valid Starting Expires Service Principal
06/30/11 14:24:40 06/30/11 00:24:40 krbtgt/MASTER.EXAMPLE.COM@MASTER.EXAMPLE.COM
 renew until 06/30/11 14:24:34
06/30/11 14:24:41 06/30/11 00:24:40 afpserver/
 renew until 06/30/11 14:24:34
06/30/11 14:24:59 06/30/11 00:24:40 http/
 renew until 06/30/11 14:24:34
06/30/11 14:26:27 06/30/11 00:24:40 xmpp/
 renew until 06/30/11 14:24:34