Channel: All Centrify Express posts

Kerberos / admin accounts / O365


Hello

(This is not a Centrify-specific issue, but I hope you may be able to point me in the right direction).

We bind our Macs to AD using the Apple AD plugin, and all our staff and students log in using their AD accounts. We give admin rights to some users by using their AD account and mapping it to the OS X local admin group. We also subscribe to Office 365, and users are authenticated using PingFederate, from a cloud-based service. Therefore, we use SSO to allow access to 365 without requiring an additional login.

 

We have discovered a curious potential security hole. The scenario is as follows:

- Student Jane is logged in (AD user)

- Staff member Bob is helping her install some software, and enters his AD username/password in the Apple OS X dialog box that appears when dragging an application to /Applications.

- Student Jane opens her browser and goes to https://outlook.office365.com.

- Staff member Bob's email appears, not Jane's.

 

Looking in Ticket Viewer, Bob is listed as having a Kerberos ticket, but only after entering his username and password.

We have replicated this issue on 10.10.5 and 10.11.5.

 

So, my questions are:

a) Is there any way to not generate a Kerberos ticket in this scenario?

b) If we used Centrify to bind to AD, would the same issue arise?

c) If we used local admin user accounts, rather than AD accounts for administrative elevation, can we restrict these users from logging in, but still allow the account to be used when dialog boxes appear?

 

Many thanks, Rob
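A quick check for the situation described in this post, added here as an example and not part of the original post or of any Centrify or Apple tooling: it takes the text of a `klist`-style credential-cache listing plus the console user's short name, and reports every principal in the cache that does not belong to that user. The sample listing is constructed and only loosely modelled on Heimdal `klist` output on OS X; the real format on a given system may differ, so the `Principal:` pattern is an assumption to adjust. The principal names, realm and cache identifiers are made up.

```shell
#!/bin/sh
# Added example (not from the original post): flag Kerberos principals in the
# credential cache that do not belong to the user at the console.

# Constructed sample, loosely modelled on Heimdal `klist` output on OS X.
# Two caches: Jane's (console user) and Bob's (left behind by an auth dialog).
SAMPLE_KLIST='Credentials cache: API:1A2B3C4D
        Principal: jane@EXAMPLE.COM

  Issued                Expires               Principal
Jun 20 09:00:00 2016  Jun 20 19:00:00 2016  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Credentials cache: API:5E6F7A8B
        Principal: bob@EXAMPLE.COM

  Issued                Expires               Principal
Jun 20 10:15:00 2016  Jun 20 20:15:00 2016  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# foreign_principals <console_user> <klist_output>
# Prints one principal per line for every cache owned by someone other than
# <console_user>. Only "Principal: user@REALM" lines are considered, so the
# "Issued / Expires / Principal" column header and ticket rows are skipped.
foreign_principals() {
    _user="$1"
    printf '%s\n' "$2" \
      | sed -n 's/^[[:space:]]*Principal:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
      | while IFS= read -r princ; do
            case "$princ" in
                "$_user@"*) ;;                 # console user's own TGT: fine
                *) printf '%s\n' "$princ" ;;   # someone else's TGT: report it
            esac
        done
}

# foreign_count <console_user> <klist_output>
# Number of caches belonging to other users; non-zero means a second
# person's ticket is live and browser SSO may pick it up.
foreign_count() {
    foreign_principals "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
foreign_principals jane "$SAMPLE_KLIST"
```

On a real machine you would feed it the console user (the usual `stat -f%Su /dev/console` idiom on OS X) and the live `klist` output for all caches, and treat a non-zero `foreign_count` as the signal to run `kdestroy` on the stray cache or to alert. This only detects the condition after the fact; it does not stop the authorization dialog from acquiring the ticket in the first place.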

 

