How to Configure Single Sign-On for Mac Clients in Lion Server - dummies

How to Configure Single Sign-On for Mac Clients in Lion Server

By John Rizzo

After successfully binding the Lion server to the Active Directory domain, consider implementing Kerberos on the server to provide single sign-on capability to your users. Doing away with the need for multiple passwords and authentications is called single sign-on.

Kerberos is used by both Active Directory and Open Directory for authentication across various applications so that after a user logs in to the network, the user can access all network assets, such as file servers, for which she has permission without the need for further authentication.

Single sign-on in Active Directory works by AD’s issuing a Kerberos ticket (a ticket-granting ticket) when a user logs in to the domain. The ticket stands in for the user’s proof of identity for everything that the user is permitted to do. After the initial login, all other authentication activities are handled automatically on the strength of that ticket.

Of course, for single sign-on to work for Mac clients on an Active Directory network, single sign-on must first be implemented in Active Directory.

To implement Kerberos and SSO for Mac clients in an Active Directory domain, follow these steps:

  1. Open Server Admin.

  2. If necessary, connect to your Mac OS X Server by choosing Server→Connect and entering your server administrator username and password.

  3. Click the triangle next to the server name and then select Open Directory.

  4. Click the Settings icon in the toolbar.

  5. Click the Kerberize button.

    The Kerberize the Open Directory Master dialog opens and requests authentication. The credential you enter must have administrator rights over the Kerberos domain. Contact your Active Directory administrator to gain the necessary rights.

    That’s it!


Test that single sign-on is working properly by logging in as a user and attempting to access an Active Directory–managed resource to which that user has permission. In a working deployment, access is granted without the need to reauthenticate.
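The manual test above can be made more precise from the Mac client’s Terminal: after the user logs in, the Kerberos credential cache should hold a ticket-granting ticket for the AD realm, and after the user opens a file server it should also hold a service ticket for that server. The script below is an added example, not from the book or from Apple; it reads the cache listing in the format printed by the Mac OS X klist command (falling back to a constructed sample listing when klist is not available) and reports which of those two tickets are present. The realm EXAMPLE.COM, the user alice and the server name fileserver.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example: judge the state of single sign-on from a Kerberos credential
# cache listing. Realm, user and server names are constructed placeholders.

# Constructed sample of what klist prints after a successful AD login and one
# visit to an SMB file server. Not captured from a real system.
SAMPLE_KLIST='Credentials cache: API:501:1
        Principal: alice@EXAMPLE.COM

  Issued                Expires               Principal
Mar  1 09:00:00 2012  Mar  1 19:00:00 2012  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Mar  1 09:05:12 2012  Mar  1 19:00:00 2012  cifs/fileserver.example.com@EXAMPLE.COM'

# has_tgt LISTING REALM: exit 0 if LISTING holds a ticket-granting ticket for
# REALM, which is what the initial domain login leaves behind.
has_tgt() {
    printf '%s\n' "$1" | grep -q "krbtgt/$2@$2"
}

# has_service_ticket LISTING SERVICE: exit 0 if a ticket for SERVICE (for
# example cifs/fileserver.example.com) is present, which is what a
# re-prompt-free resource access leaves behind.
has_service_ticket() {
    printf '%s\n' "$1" | grep -q " $2@"
}

# sso_status LISTING REALM SERVICE: print one word summarising the state.
#   no-tgt   - no initial Kerberos login happened; SSO is not in play
#   tgt-only - logged in, but the resource has not yet been reached via Kerberos
#   working  - both tickets present: the access was authenticated silently
sso_status() {
    if ! has_tgt "$1" "$2"; then
        echo "no-tgt"
    elif ! has_service_ticket "$1" "$3"; then
        echo "tgt-only"
    else
        echo "working"
    fi
}

# Stand-alone use: prefer the live cache when klist exists, else the sample.
if command -v klist >/dev/null 2>&1; then
    LISTING="$(klist 2>/dev/null || true)"
else
    LISTING="$SAMPLE_KLIST"
fi
sso_status "$LISTING" EXAMPLE.COM cifs/fileserver.example.com
```

A result of no-tgt right after login points at the Kerberize step or the AD binding rather than at the file server, while tgt-only after a password prompt from the server means the client fell back to a non-Kerberos authentication for that service.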