Configuring Single Sign-On for Mac Clients
After successfully binding the Mac server to the Active Directory domain (see the section “Binding Your Server to Active Directory,” earlier in this chapter), another step to consider is to implement Kerberos on the server. Both Active Directory and Open Directory use Kerberos for authentication across various applications so that after a user logs in to the network, the user can access all network assets, such as file servers, for which he or she has permission without the need for further authentication. Doing away with the need for multiple passwords and authentications is called single sign-on.
Single sign-on in Active Directory works by AD’s issuing a ticket when a user logs in to the domain. The ticket represents everything that the user can do. After a user logs in initially, the ticket handles all other authentication activities automatically.
To implement Kerberos and SSO for Mac clients in an Active Directory domain, you need to type a command in the Terminal application (in the /Applications/Utilities folder). Type this:
sudo dsconfigad -enablesso