
Safeguard Authentication Services 4.1.5 - Mac OS X/macOS Administration Guide


Authentication Services directory utility plugin

You use the Directory Utility application to configure the Directory Service Plugins that provide identity information for authenticating to the machine. When installed, Authentication Services is one of the plugins.

The Authentication Services Directory Utility plugin provides a GUI utility for joining and leaving Active Directory domains, and controlling the local Authentication Services configuration.

On Leopard (10.5), the Authentication Services Directory Utility Plugin is installed at:

/Applications/Utilities/Directory Utility.app/Contents/Plugins/VAS.daplug

On Snow Leopard (10.6) and Lion (10.7) it is installed at:

/System/Library/CoreServices/Directory Utility.app/contents/PlugIns/VAS.daplug

Authentication Services security server plugin

The system Security Server controls all authorization on the Mac OS X system.

To correctly initialize Authentication Services user login sessions, a VASMechanism Security Server plugin is installed and configured in the /etc/authorization file by the Authentication Services join process. This plugin is installed under /System/Library/CoreServices/SecurityAgentPlugins/VASMechanism.bundle. The Authentication Services mechanism initializes a Kerberos ticket cache for each Authentication Services user's login session with the Kerberos tickets obtained during DirectoryService authentication. Note that these ticket caches are fully compatible with the system Kerberos.app utility and the system MIT Kerberos command line utilities, so that the rest of the Mac OS X system components can reuse the Kerberos functionality.
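To audit which Security Server plugins are wired into the login path after a join, the following added example (not part of the original guide or the product's own tooling) parses a property list in the layout of /etc/authorization and lists every mechanism entry by plugin. The sample data is constructed; the entry name `VASMechanism:login,privileged` and its placement in the `system.login.console` right are assumptions for illustration.

```python
import plistlib

# Constructed sample in the layout of /etc/authorization (not a real file).
# "VASMechanism:login,privileged" is an assumed entry name for illustration.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key><dict>
    <key>system.login.console</key><dict>
      <key>class</key><string>evaluate-mechanisms</string>
      <key>mechanisms</key><array>
        <string>builtin:authenticate,privileged</string>
        <string>VASMechanism:login,privileged</string>
        <string>HomeDirMechanism:login,privileged</string>
        <string>loginwindow:done</string>
      </array>
    </dict>
    <key>system.preferences</key><dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
  </dict>
</dict></plist>"""


def mechanisms_by_plugin(plist_bytes):
    """Map plugin name -> [(right, position, mechanism string)]."""
    db = plistlib.loads(plist_bytes)
    found = {}
    for section in ("rights", "rules"):
        for right, entry in db.get(section, {}).items():
            if not isinstance(entry, dict):
                continue
            for pos, mech in enumerate(entry.get("mechanisms", [])):
                # Entries have the form plugin:mechanism[,privileged]
                plugin = mech.split(":", 1)[0]
                found.setdefault(plugin, []).append((right, pos, mech))
    return found


def check_vas_login(plist_bytes, plugin="VASMechanism"):
    """Return the plugin's entries in the console login right, or []."""
    entries = mechanisms_by_plugin(plist_bytes).get(plugin, [])
    return [e for e in entries if e[0] == "system.login.console"]


if __name__ == "__main__":
    for plugin, uses in sorted(mechanisms_by_plugin(SAMPLE).items()):
        print(plugin, uses)
    print("VAS login entries:", check_vas_login(SAMPLE))
```

An empty result from `check_vas_login` on a joined machine means the mechanism is not registered for console login; any plugin name in the listing that you do not recognize is worth reviewing, since these mechanisms run during authorization.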

Configuring the Authentication Services client

Before you can log in with Active Directory users and manage agent settings for users and computers, you must first join your Mac OS X/macOS machine to an Active Directory domain.

NOTE: For earlier versions of Mac OS X (prior to 10.11), use the Directory Utility application as explained in this chapter. For later versions of Mac OS X/macOS (10.11 and higher), use the QAS Join application.

The following section guides you through the steps necessary to launch the Directory Utility application to configure your system for comprehensive Active Directory integration. When using the QAS Join application, you will notice that the screens are a bit different, but the procedure is similar to what is documented here.

Launch the directory utility application

To launch the Mac OS X 10.7 (or higher) Directory Utility Application

  1. Open System Preferences and select the Users & Groups preferences.

  2. Select Login Options on the bottom left side of the view.

  3. Select the Network Account Server Join... button on the bottom right side.

  4. Click the Open Directory Utility button.

Caution: Do not enter the name of your domain and click OK from this dialog. If you do, you will join using the native Apple Active Directory plugin, which has no support for Active Directory group policies. You must open the Directory Utility application to join the domain using Authentication Services.
