Getting a Machine Kerberos Ticket on macOS without binding

The TCS Cert Request tool can be used to request a certificate from an Active Directory Certificate Authority. The normal operation is to request a certificate as either a user or the computer. Both require a valid Kerberos ticket. Getting a Kerberos ticket as a macOS user is easy: you just need the user name, the Kerberos realm (the AD domain name, in upper case) and the password:

kinit Administrator@TWOCANOES.COM
Administrator@TWOCANOES.COM’s password:

However, authenticating as the computer is harder. The computer account is normally created when the Mac is bound with the Active Directory plug-in: the plug-in uses AD administrator credentials to create a computer object in AD, resets the password on that computer account, and saves the new password locally so the Mac can later authenticate as itself.

However, if the Mac is not bound to Active Directory, there is no easy way to learn this password. The simplest way around this is to reset the computer account's password to a value you know. Note that resetting the password will break any Mac that is already bound using this computer account, since that Mac still holds the old password.

Active Directory Users and Computers does not let an administrator set a computer account's password to a chosen value (its Reset Account command only resets it to the default), but the Windows tool ADSIEdit does.

Launch ADSIEdit by searching in the Start menu, navigate to the Computer object (or create one in Active Directory Users and Computers if it doesn't exist), and right click to Reset Password…:

Set the password to a reasonably complex password:

Back on the Mac, get a Kerberos ticket as the computer account by using kinit. In this example, the computer name is machpower$ and the domain is TWOCANOES.COM. Note that the $ must be escaped (machpower\$@TWOCANOES.COM): left unescaped, the shell treats "$@" as the positional parameter list and silently turns the principal into machpowerTWOCANOES.COM:

With the Kerberos ticket in place (klist should show the computer account as the principal), you can now use TCS Cert Request (or the tcscertrequest command line tool in the app bundle) to request a certificate from AD:

If the operation is successful, there will be a new certificate and private key in the keychain:
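The macOS side of the procedure above, as an added shell example that is not from the original post or from the TCS Cert Request project. It assumes the computer account machpower$ and realm TWOCANOES.COM used in the post, and the Heimdal kinit and klist that ship with macOS. The helper functions build the machine principal safely, request the ticket, verify with klist that the credential cache now holds the machine account rather than a previously logged-in user, and show what the unescaped form of the principal actually expands to.

```bash
#!/bin/bash
# Added example; machpower / TWOCANOES.COM are the names from the post, assumed here.

# Build the machine principal from a computer name and realm. A trailing "$" on
# the name is accepted so both "machpower" and "machpower$" work; the realm is
# upper-cased because Kerberos realms are case-sensitive and AD realms are upper case.
machine_principal() {
  local name="${1%\$}"
  local realm
  realm="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
  printf '%s$@%s' "$name" "$realm"
}

# Request a TGT for the machine account (kinit prompts for the password you set
# in ADSIEdit). The principal is passed as a quoted variable, so the "$" survives.
# Typed directly at the prompt the same command must be written as
#   kinit machpower\$@TWOCANOES.COM
get_machine_ticket() {
  kinit "$(machine_principal "$1" "$2")"
}

# Confirm the default credential cache is now for the machine principal and not
# for whatever user was logged in before; returns 0 on success, 1 otherwise.
have_machine_ticket() {
  local principal
  principal="$(machine_principal "$1" "$2")"
  klist 2>/dev/null | grep -qF "Principal: $principal"
}

# Show the escaping problem without touching a KDC: with no positional
# parameters (as at an interactive prompt) "$@" expands to nothing, so the
# unescaped principal loses its "$" and its "@". Returns the mangled string.
unescaped_form() {
  set --
  echo machpower$@TWOCANOES.COM
}

# Stand-alone use: ./machine_ticket.sh --run [computer] [REALM]
if [ "${1:-}" = "--run" ]; then
  name="${2:-machpower}"
  realm="${3:-TWOCANOES.COM}"
  if get_machine_ticket "$name" "$realm" && have_machine_ticket "$name" "$realm"; then
    echo "machine ticket for $(machine_principal "$name" "$realm") acquired; run tcscertrequest next"
  else
    echo "no machine ticket in the credential cache" >&2
    exit 1
  fi
fi
```

Run have_machine_ticket before invoking tcscertrequest: if a user ticket for Administrator@TWOCANOES.COM is still the default principal, the certificate request will be made as that user rather than as the computer.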