vscode-mssql/KERBEROS_HELP.md


To use Integrated Authentication (aka Windows Authentication) on macOS or Linux, you need to set up a Kerberos ticket linking your current user to a Windows domain account. A summary of the key steps is included below.
# Setup Kerberos on Mac
## Requirements
Access to a Windows domain-joined machine in order to query your Kerberos Domain Controller
## Steps to set up Integrated Authentication
### Step 1: Find Kerberos KDC (Key Distribution Center)
- **Run on**: Windows, Windows command line
- **Action**: `nltest /dsgetdc:DOMAIN.COMPANY.COM` (where “DOMAIN.COMPANY.COM” maps to your domain's name)
- **Sample Output**
```
DC: \\dc-33.domain.company.com
Address: \\2111:4444:2111:33:1111:ecff:ffff:3333
...
The command completed successfully
```
- **Information to extract**
The DC name, in this case `dc-33.domain.company.com`
### Step 2: Configuring KDC in krb5.conf
- **Run on**: Mac
- **Action**: Edit `/etc/krb5.conf` in an editor of your choice. Configure the following keys:
```
[libdefaults]
default_realm = DOMAIN.COMPANY.COM
 
[realms]
DOMAIN.COMPANY.COM = {
kdc = dc-33.domain.company.com
}
```
Then save the krb5.conf file and exit.

**Note**: The domain must be in ALL CAPS.
### Step 3: Testing the Ticket Granting Ticket retrieval
- **Run on**: Mac
- **Action**:
- Use the command `kinit username@DOMAIN.COMPANY.COM` to get a TGT from the KDC. You will be prompted for your domain password.
- Use `klist` to see the available tickets. If `kinit` was successful, you should see a ticket from `krbtgt/DOMAIN.COMPANY.COM@DOMAIN.COMPANY.COM`.
### Step 4: Connect in VSCode
- Create a new connection profile
- Choose `Integrated` as the authentication type
- If all goes well and the steps above worked, you should be able to connect successfully!
# Setup Kerberos on Linux
### Step 0: Install krb5-user package
- **Run on**: Linux
- **Action**: `sudo apt-get install krb5-user`
### Step 1: Find Kerberos KDC (Key Distribution Center)
- **Run on**: Windows command line
- **Action**: `nltest /dsgetdc:DOMAIN.COMPANY.COM` (where “DOMAIN.COMPANY.COM” maps to your domain's name)
- **Sample Output**
```
DC: \\dc-33.domain.company.com
Address: \\2111:4444:2111:33:1111:ecff:ffff:3333
...
The command completed successfully
```
- **Information to extract**
The DC name, in this case `dc-33.domain.company.com`
### Step 2: Configuring KDC in krb5.conf
- **Run on**: Linux
- **Action**: Edit `/etc/krb5.conf` in an editor of your choice. Configure the following keys:
```
[libdefaults]
default_realm = DOMAIN.COMPANY.COM
 
[realms]
DOMAIN.COMPANY.COM = {
kdc = dc-33.domain.company.com
}
```
Then save the krb5.conf file and exit.

**Note**: The domain must be in ALL CAPS.
### Step 3: Testing the Ticket Granting Ticket retrieval
- **Run on**: Linux
- **Action**:
- Use the command `kinit username@DOMAIN.COMPANY.COM` to get a TGT from the KDC. You will be prompted for your domain password.
- Use `klist` to see the available tickets. If `kinit` was successful, you should see a ticket from `krbtgt/DOMAIN.COMPANY.COM@DOMAIN.COMPANY.COM`.
### Step 4: Connect in VSCode
- Create a new connection profile
- Choose `Integrated` as the authentication type
- If all goes well and the steps above worked, you should be able to connect successfully!
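
A preflight check for the krb5.conf written in Step 2 (Mac and Linux), to run before `kinit` in Step 3. This is an added example, not part of the original document or the vscode-mssql project; the function name `check_krb5_conf` and its return codes are hypothetical, and it assumes the multi-line `REALM = { ... }` layout shown above.

```shell
#!/bin/sh
# Added example (not from the project): preflight check for the krb5.conf
# edited in Step 2. The function name and return codes are hypothetical.
#   0 = OK, 1 = no default_realm, 2 = realm not ALL CAPS,
#   3 = no kdc entry for that realm under [realms]
# Usage: check_krb5_conf /etc/krb5.conf
check_krb5_conf() {
    conf=$1

    # Pull default_realm out of the [libdefaults] section only.
    realm=$(awk '
        /^[ \t]*\[libdefaults\]/ { in_lib = 1; next }
        /^[ \t]*\[/              { in_lib = 0; next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]*$/, ""); print; exit
        }' "$conf")
    if [ -z "$realm" ]; then
        echo "default_realm is not set in [libdefaults]" >&2
        return 1
    fi

    # Realm names are case-sensitive; the page requires ALL CAPS.
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" != "$upper" ]; then
        echo "default_realm '$realm' must be '$upper'" >&2
        return 2
    fi

    # Require a kdc line inside the block named exactly like default_realm.
    if ! awk -v realm="$realm" '
        /^[ \t]*\[realms\]/ { in_realms = 1; next }
        /^[ \t]*\[/         { in_realms = 0; in_block = 0; next }
        in_realms && /[{]/  {
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]*/, "", name)
            in_block = (name == realm); next
        }
        /[}]/               { in_block = 0 }
        in_block && /^[ \t]*kdc[ \t]*=/ { found = 1 }
        END { exit(found ? 0 : 1) }' "$conf"
    then
        echo "no kdc configured for $realm under [realms]" >&2
        return 3
    fi
    echo "krb5.conf OK: $realm"
}
```

A return code of 3 with an upper-case `default_realm` usually means the block name under `[realms]` differs in case or spelling from `default_realm`.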