Kerberos

Use the Heimdal implementation of Kerberos for secure authentication on Apple devices.

Posts under Kerberos tag

7 Posts

Post | Replies | Boosts | Views | Activity

Kerberos without SSO on iOS
Hello, at our school we are using a Kerberos proxy. Now we will introduce iPads. In my tests I have set this proxy in the Wi-Fi settings. On the next internet connection I was asked for my account credentials. After that I had full access to the internet with ALL apps. Obviously iOS has set up a network relay which handles the Kerberos authentication for the whole device. I have searched for documentation on this topic, but you will find only docs for Kerberos with SSO and per-app tickets. Does someone have hints for this? Especially: where is the password for the Kerberos authentication stored on the iPad? It is not the same as in the Wi-Fi proxy settings! With regards, Helge
Replies: 0 | Boosts: 0 | Views: 501 | Activity: Dec ’24
iMessage content on iPhone displayed in the SSH Bitvise client on a Windows laptop!
If "Send and Receive" in iMessage has my Microsoft work email address, can my iMessage content be synced with Microsoft? Because I recently logged into our big data system through an SSH client using my work email address, and on a console I saw one of my iMessage threads printed. I reached Microsoft and their reply was to get advice by reaching out to Apple Support, as their knowledge of iMessage is limited. Based on general knowledge about data protection, the messages are most likely not synced unless there is a setting that I can allow from my side. PLEASE HELP! This is a mystery!!
Replies: 1 | Boosts: 0 | Views: 785 | Activity: Jun ’24
Unable to use custom PAM with /etc/pam.d/authorization
I created a custom PAM module following this and it works fine with /etc/pam.d/sudo but doesn't work with /etc/pam.d/authorization and /etc/pam.d/login.
sudo:
  # sudo: auth account password session
  auth       include        sudo_local
  auth       sufficient     /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so
  auth       sufficient     pam_smartcard.so
  auth       required       pam_opendirectory.so
  account    required       pam_permit.so
  password   required       pam_deny.so
  session    required       pam_permit.so
authorization:
  # authorization: auth account
  auth       sufficient     /usr/local/Cellar/cpam/1.0.0/lib/security/cpam.so
  auth       optional       pam_krb5.so use_first_pass use_kcminit no_auth_ccache
  auth       optional       pam_ntlm.so use_first_pass
  auth       sufficient     pam_smartcard.so use_first_pass
  account    required       pam_opendirectory.so
Is it even allowed to add a custom PAM to /etc/pam.d/login or /etc/pam.d/authorization? Is it possible to create a mechanism with custom logic and replace it with <string>builtin:authenticate,privileged</string> in the system.login.console authorization right?
Note: I have also tried moving the .so file to /usr/lib/pam but it failed even after disabling SIP.
Replies: 0 | Boosts: 0 | Views: 906 | Activity: May ’24
Headers not found issue when I am building an open source PAM module
I am trying to learn how PAM works in macOS, and in that process I came across one of the Apple open source projects on GitHub. So I downloaded the project and opened it in Xcode. When I tried to build the project initially I got a base SDK error. I resolved that by changing the value to macOS (initially the value for base SDK is macosx.internal). After that most of the dependency errors are resolved, but now I am getting that some of the header files are not found and also some of the '.a' files are missing. I have explored the internet for those files but was unable to get them. I have attached the missing header files and '.a' files below. Can you please help me build this project.
GitHub link: https://github.com/apple-oss-distributions/pam_modules/tree/pam_modules-195
Header files:
  #include <Security/SecKeychainPriv.h>
  #include <OpenDirectory/OpenDirectoryPriv.h>
  #include <Heimdal/krb5.h>
Replies: 1 | Boosts: 0 | Views: 1.4k | Activity: Jul ’23
Manually set Kerberos credential in local key store.
I'm looking for an API to add new Kerberos credentials to the macOS internal ticket store. Basically, I'd like to replace the whole authentication process with a proprietary component and not rely on the OS Kerberos implementation, and get the following items:
  - Client-to-server ticket encrypted using the resource's secret key.
  - A new Authenticator encrypted using the Client/Server Session Key.
I'd like to set these 2 items where the OS keeps these items to be used when communicating with the resource itself. Also, I'd like to keep another Kerberos item retrieved after the first communication with the resource; it's used for SSO to allow additional requests to the resource for a certain period of time. This item is the timestamp found in the client's Authenticator, encrypted using the Client/Server Session Key. Is there an API I can use to inject those items to where the OS keeps the Kerberos items so it can use them when it accesses the resource itself?
Replies: 0 | Boosts: 0 | Views: 996 | Activity: Mar ’23
Does ASWebAuthenticationSession support Kerberos, NTLM, Digest and Basic auth types?
I know that ASWebAuthenticationSession is usually used with OAuth and similar protocols, but now I'm interested: does ASWebAuthenticationSession support other auth types? I've made such tests (iOS 14.5, Xcode 12.5.1):
  - Tested ASWebAuthenticationSession with a Kerberos/Negotiate URL (with callback scheme http): SFSafariViewController loads an error page with a 401 error and no alert for creds; the completion handler of ASWebAuthenticationSession is not called.
  - Tested ASWebAuthenticationSession with NTLM, Digest and Basic URLs (with callback scheme http): SFSafariViewController shows an alert for creds; with correct creds the content is shown; the completion handler of ASWebAuthenticationSession is also not called.
  - Performed the same test with SFSafariViewController: same results.
Do I understand correctly that ASWebAuthenticationSession doesn't support such auth types, but SFSafariViewController supports them? Why doesn't SFSafariViewController show an alert for creds in the case of Kerberos/Negotiate auth?
Replies: 0 | Boosts: 0 | Views: 809 | Activity: Sep ’21
Kerberos updates
Are there any Kerberos feature or behavior changes in macOS 27?
Replies: 2 | Boosts: 1 | Views: 96 | Activity: 2w