# Remote Desktop Manager macOS – Enable integrated authentication with Kerberos

To use Integrated Authentication (Windows Authentication) on macOS, you need to set up a ***Kerberos ticket*** linking your current user to a Windows domain account. A summary of the key steps is included below.

{% hint style="danger" %}
This experimental feature has worked in our internal tests and is a workaround to the integrated security feature which does not work on macOS with SQL Server.

That being said, the initial implementation of Kerberos was meant to help our community with using this authentication method. However, multiple changes have been made on the Kerberos side since the implementation, so it is possible that this method is now outdated.
{% endhint %}

### Pre-requisite: get the Kerberos Domain Controller (KDC) config

We offer two methods: manual discovery or a PowerShell script.

Run either one on a Windows PC that is joined to your Active Directory domain. Note that any production-grade domain will have more than one domain controller, so either method could answer with a different server depending on a multitude of factors. Be prepared to run this discovery again if the designated server becomes unavailable.

#### Manual discovery

{% hint style="info" %}
**nltest.exe** is a console utility that you can run using the basic command interpreter or PowerShell.
{% endhint %}

Run nltest in the command shell of your choice.

```powershell
# PowerShell form; in cmd.exe use: nltest /dsgetdc:%USERDNSDOMAIN%
nltest /dsgetdc:$env:USERDNSDOMAIN

# Sample output:
#   DC: \\dc-33.domain.company.com
#   Address: \\2111:4444:2111:33:1111:ecff:ffff:3333
#
#   The command completed successfully
```

Copy the DC name, which is the required KDC configuration value. In this case it is `dc-33.domain.company.com`.

#### PowerShell script

Run the following in a PowerShell window (remember that the PC must be joined to the target domain):

```powershell
# Get-ADDomainController comes from the ActiveDirectory module (RSAT).
$dcinfo = Get-ADDomainController -Discover
Write-Output "Domain name $($dcinfo.Domain)"
Write-Output "Domain Controller $($dcinfo.HostName)"
Write-Output "`nSuggested krb5.conf content`n-----------------------------------------"
Write-Output "[libdefaults]"
# The realm name must be upper case in krb5.conf.
Write-Output "default_realm = $($dcinfo.Domain.ToUpper())"
Write-Output ""
Write-Output "[realms]`n$($dcinfo.Domain.ToUpper()) = {"
# The krb5.conf key for the domain controller is "kdc".
Write-Output "kdc = $($dcinfo.HostName)"
Write-Output "}"
```

### Setup Kerberos on macOS

#### Step 1: Configuring KDC in krb5.conf

Edit `/etc/krb5.conf` in an editor of your choice. Note that you need to elevate your privileges (sudo or other) to do so. If you have the output of the PowerShell script, simply copy the appropriate lines. If you used the manual discovery, follow the steps below.

{% hint style="warning" %}
The domain must be in ALL CAPS.
{% endhint %}

Configure the following settings:

```ini
[libdefaults]
 default_realm = DOMAIN.COMPANY.COM

[realms]
DOMAIN.COMPANY.COM = {
 kdc = dc-33.domain.company.com
}
```

Then save the krb5.conf file and exit.
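
Before requesting a ticket, the saved file can be checked for the two mistakes this step is prone to: a realm that is not upper case, and a realm block with a missing or misspelled `kdc` key. The script below is an added example, not part of the original documentation; `check_krb5_conf` is a hypothetical helper name, and the parser assumes the simple one-setting-per-line layout shown above.

```sh
#!/bin/sh
# Added example: check_krb5_conf is a hypothetical helper, not a Kerberos tool.
# Prints the KDC configured for default_realm and returns 0, or returns
# 1 = no default_realm, 2 = realm not ALL CAPS, 3 = no kdc for that realm.
check_krb5_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                  # comments, blank lines
    /^[ \t]*\[/ { sect = trim($0); block = ""; next }     # [section] header
    index($0, "}") { block = ""; next }                   # end of a realm block
    {   # split "key = value" on the first "="
        eq = index($0, "=")
        key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
    }
    sect == "[libdefaults]" && key == "default_realm" { realm = val }
    sect == "[realms]" && substr(val, 1, 1) == "{" { block = key; next }
    sect == "[realms]" && key == "kdc" && block != "" && !(block in kdc) {
        kdc[block] = val                                  # first kdc listed wins
    }
    END {
        err = "/dev/stderr"
        if (realm == "") { print "no default_realm in [libdefaults]" > err; exit 1 }
        if (realm != toupper(realm)) { print "realm " realm " is not ALL CAPS" > err; exit 2 }
        if (!(realm in kdc)) { print "no kdc entry for " realm " in [realms]" > err; exit 3 }
        print kdc[realm]
    }' "$1"
}

# Stand-alone use: sh check_krb5.sh /etc/krb5.conf
if [ "$#" -gt 0 ]; then check_krb5_conf "$1"; fi
```
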

#### Step 2: Testing the ticket granting ticket retrieval

Use the command `kinit username@DOMAIN.COMPANY.COM` to get a ticket-granting ticket (TGT) from the KDC. You will be prompted for your domain password.

`kinit username@DOMAIN.COMPANY.COM`

Use `klist` to see the available tickets. If the `kinit` was successful, you should see a ticket.

```
klist

krbtgt/DOMAIN.COMPANY.COM@DOMAIN.COMPANY.COM
```

#### Step 3: Connect in Remote Desktop Manager

1. Create a new SQL Server workspace.
2. Fill in the workspace information (Name and Host).
3. Select the “***Integrated Security (Active Directory)*** – ***Experimental***” mode.
4. Select the database.
5. Save the workspace.

<figure><img src="https://cdnweb.devolutions.net/docs/docs_en_kb_KB4792.png" alt=""><figcaption></figcaption></figure>

If you have followed all the steps above, you should be able to connect successfully to the workspace.
