You can configure Self Service+ (formerly the Jamf Connect menu bar app) to use Kerberos authentication to complete password changes directly to Active Directory rather than a cloud identity provider (IdP).
Self Service+ can obtain Kerberos tickets for authentication to an Active Directory domain, provided the user's network password matches their Active Directory password. To determine the Kerberos principal, Self Service+ takes the characters preceding the “@” character of the user’s sign-in name and appends the configured Kerberos realm as the suffix.
Self Service+ can also obtain a Kerberos ticket before network authentication with an IdP. To have Self Service+ authenticate with Kerberos first, set the Password Change Workflow (PasswordChangeWorkflow) setting to Kerberos. Optionally, set the Kerberos Timeout (Timeout) setting to delay network authentication by 1 to 60 seconds. For more information about the available Kerberos settings in Self Service+, see Kerberos Settings.
Self Service+ rate limits Kerberos requests so that configurations that monitor network changes cannot trigger them excessively. The limiter allows one request per step, with steps of 30 seconds, 1 minute, 5 minutes, 10 minutes, and 30 minutes. After 10 minutes with no requests, the limiter resets to the first step. The step durations are set by Jamf and cannot be modified by administrators.
When configured, Self Service+ interacts with the Active Directory domain in the following ways:
Self Service+ is site-aware. It uses an LDAP ping to determine the best Active Directory site and continues to use that site until it can no longer reach a domain controller or the network changes, either of which restarts the site lookup.
Self Service+ uses the system Kerberos and LDAP libraries, so they are updated whenever macOS is updated.
Self Service+ can detect password expiration policies and uses them when displaying a password expiration notice.
Self Service+ re-evaluates the connection to the domain at startup and on network changes. You can also configure a re-evaluation interval, in minutes.