Article adapted from Jeff Geerling (

Kerberos authentication allows your computer to log into certain services automatically without you having to enter (and re-enter) your password (it is an SSO, or single sign-on, service). Kerberos v5 is baked into Windows and Internet Explorer and works great with many LDAP-enabled services (for example, Drupal’s LDAP module includes a submodule for SSO support).

So, using Jeff’s article, which I’ve modified slightly for use in my environment, I created a script, uploaded it to the JSS and assigned it to all machines at login:

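```bash
#!/bin/bash
# Look up the user logged in at the console (empty while the login window is showing).
loggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
echo "$loggedInUser"
# Nobody is logged in: there is no user preference domain to write to.
[ -n "$loggedInUser" ] || exit 0
# Write both allow-lists into that user's Chrome preferences (com.google.Chrome).
sudo -u "$loggedInUser" defaults write com.google.Chrome AuthServerWhitelist "YOUR ADFS URL HERE"
sudo -u "$loggedInUser" defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "YOUR ADFS URL HERE"
echo "$(date)"
exit 0
```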


Just copy and paste the above script and replace “YOUR ADFS URL HERE” with your ADFS URL.
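The two values decide which servers Chrome will answer with, and delegate, the user's Kerberos credentials, so the value is worth checking before it goes into the script. The following is an added example, not part of the original article or of Jeff Geerling's: a lint function for a comma-separated allow-list. The `lint_allowlist` name, the example.com hosts and the rule that a wildcard must sit in front of at least two labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint a Chrome auth allow-list value before it is deployed.
# Values are comma-separated server names; "*" wildcards are accepted by Chrome.
# Requiring two labels after a leading "*." is this example's policy (assumption).

# lint_allowlist VALUE: prints one line per problem, returns 1 if any was found.
# The body runs in a subshell so the IFS and globbing changes do not leak out.
lint_allowlist() (
    [ -n "$1" ] || { echo 'allow-list is empty'; exit 1; }
    bad=0
    IFS=','
    set -f                        # keep the shell from expanding a literal "*"
    for entry in $1; do
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        case $entry in
            '')        msg='empty entry' ;;
            \*)        msg='bare wildcard matches every server' ;;
            *\**\**)   msg='more than one wildcard' ;;
            \*.?*.?*)  msg='' ;;  # *.example.com: wildcard under a named domain
            \*.*)      msg='wildcard spans a whole top-level domain' ;;
            *\**)      msg='wildcard is not a leading "*." label' ;;
            *)         msg='' ;;  # exact host name
        esac
        if [ -n "$msg" ]; then
            printf '%s: %s\n' "${entry:-<empty>}" "$msg"
            bad=1
        fi
    done
    exit "$bad"
)

# Constructed sample values (example.com is a reserved documentation domain).
for sample in 'adfs.example.com' '*.example.com, adfs.example.com' '*' '*.com'; do
    if findings=$(lint_allowlist "$sample"); then
        echo "ok      $sample"
    else
        echo "reject  $sample -> $findings"
    fi
done
```

In the login script the function would run on the value first, with the two `defaults write` lines executed only when it returns 0.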

To confirm it worked, log into a machine, open Chrome and type chrome://policy. You’ll now see your two configured entries in your policy list: