ExtremeZ-IP: Kerberos Single Sign-on

  • Version: 4.0-Current


ExtremeZ-IP’s support of Kerberos provides “single sign-on” authentication between Mac OS X clients and all ExtremeZ-IP File Servers within Active Directory. This means that users only enter their username and password one time in order to access all ExtremeZ-IP file servers and other network resources that use Kerberos for authentication.


Server Configuration
By default, the ExtremeZ-IP service allows Kerberos authentication, so setting up Kerberos logins requires only Mac client-side configuration. If Kerberos authentication has been turned off, you can enable it by checking the “Allow Kerberos Logins” check box in the Security tab of the ExtremeZ-IP Administrator.

Client Configuration
To set up a Mac client to use Kerberos (if you are using Active Directory based Kerberos servers), bind the client computer to the Active Directory domain using the Directory Setup application and the steps below:

  1. Go to Applications > Utilities > Directory Setup Application
  2. Enable Active Directory and click Configure (you may need to authenticate to unlock it)
  3. Fill in your Forest and Domain, choose a unique name for the computer, and select any of the other options under advanced options that you want to use
  4. Click the Bind button
  5. Enter a username and password to complete the binding. Make sure you use an account that is allowed to add computers to the Domain, or the binding will fail.
  6. Click OK
  7. On some versions of Mac OS X, after the computer is bound to Active Directory you may need to click the Authentication tab to enable logging in with an Active Directory account:
       • Select Custom path
       • Add the Active Directory entry
       • Click Apply and close Directory Access

After a Macintosh user logs into Mac OS X using an Active Directory account, they will be able to connect to ExtremeZ-IP file servers without having to type a user name and password. If a local account on the Mac is used instead of an Active Directory logon, users will be prompted once for a username and password in order to be issued a Kerberos ticket.


  • The Mac client must be running Mac OS X 10.3.9 or higher.
  • Beginning with ExtremeZ-IP 5.0, users can log into Mac OS X using their Active Directory account’s short or long name. For example, Bob Jones might have a short account name of “bjones” and a long account name of “Bob Jones”. Kerberos tickets are only granted when logging in using the short name. They are not granted when logging in using a long name or a “domain\username”.

If you are not using Active Directory based Kerberos servers, you will need to manually configure Kerberos settings in the /Library/Preferences/edu.mit.Kerberos file. Instructions for doing so can be found at the link referenced at the end of this document.

Clock Skew Errors
The Kerberos authentication mechanism requires that the clock times on the server and clients be within a prescribed number of minutes of each other (usually 5). If the client clock time differs from the server time by too much, the attempt to authenticate with ExtremeZ-IP will fail. Unfortunately, the client is not given a specific reason for this logon failure. However, in ExtremeZ-IP 5.0 and later, an error message is placed in the Windows Event Log on the ExtremeZ-IP server when a client fails to authenticate because of a clock skew issue:

Error <error number> occurred during Kerberos login – this may indicate that the clock skew between the ExtremeZ-IP server and domain controller is too great.
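
Because the client sees no reason for the failure, it helps to measure the clock offset directly on the machine in question. The script below is an added example, not part of ExtremeZ-IP or of the original article: it sends one SNTP request and compares the offset with the usual 5-minute tolerance. All function names are hypothetical, and it assumes the time source (for example a domain controller) answers SNTP on UDP port 123.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MAX_SKEW_SECONDS = 5 * 60     # assumed tolerance: the usual 5 minutes cited above


def to_ntp(unix_time):
    """Encode Unix time as a 64-bit NTP timestamp (32.32 fixed point)."""
    ntp = unix_time + NTP_EPOCH_DELTA
    return struct.pack("!II", int(ntp), int((ntp % 1) * 2**32))


def from_ntp(data):
    """Decode a 64-bit NTP timestamp into Unix time."""
    seconds, fraction = struct.unpack("!II", data)
    return seconds + fraction / 2**32 - NTP_EPOCH_DELTA


def clock_offset(reply, t_sent, t_received):
    """Seconds the server clock is ahead of the local clock (negative: behind)."""
    if len(reply) < 48 or reply[0] & 0x07 != 4 or reply[1] == 0:
        raise ValueError("not a usable NTP server reply")
    # Bytes 32-39: server receive time; bytes 40-47: server transmit time.
    return (from_ntp(reply[32:40]) - t_sent + from_ntp(reply[40:48]) - t_received) / 2


def within_kerberos_tolerance(offset, max_skew=MAX_SKEW_SECONDS):
    return abs(offset) <= max_skew


def query_offset(server, timeout=3.0):
    """Send one SNTP client request (version 3, mode 3) and return the offset."""
    t_sent = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(b"\x1b" + bytes(39) + to_ntp(t_sent), (server, 123))
        reply = sock.recvfrom(512)[0]
    return clock_offset(reply, t_sent, time.time())


if __name__ == "__main__":
    now = time.time()
    if len(sys.argv) > 1:  # live check against a time source, e.g. a domain controller
        offset = query_offset(sys.argv[1])
    else:  # constructed reply: server clock 400 s ahead, no network delay
        offset = clock_offset(b"\x1c\x02" + bytes(30) + 2 * to_ntp(now + 400), now, now)
    print(f"offset {offset:+.1f} s, within tolerance: {within_kerberos_tolerance(offset)}")
```

SNTP replies are unauthenticated, so treat the result as a diagnostic reading rather than a trusted measurement.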

Related Article: