Using kinit on macOS for Integrated Security
Before you begin
- You need a valid Active Directory account.
- Your Mac must be able to resolve and reach your AD domain controllers.
- Your SQL Server must allow Windows/AD authentication.
1. Configure Kerberos on macOS (krb5.conf)
macOS can use Kerberos without a custom config, but many enterprise environments require explicit realm and KDC settings.
Create or update the Kerberos configuration file at /etc/krb5.conf with values provided by your IT team.
Example:
[libdefaults]
    default_realm = YOURDOMAIN.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true
    rdns = false

[realms]
    YOURDOMAIN.COM = {
        kdc = dc1.yourdomain.com
        kdc = dc2.yourdomain.com
        admin_server = dc1.yourdomain.com
    }

[domain_realm]
    .yourdomain.com = YOURDOMAIN.COM
    yourdomain.com = YOURDOMAIN.COM
Save the file, then open a new Terminal session before running kinit.
2. Request a Kerberos ticket
Open Terminal and run:
kinit your_username@YOURDOMAIN.COM
Enter your AD password when prompted. If successful, no error message is shown.
3. Verify your ticket exists
Run:
klist
Confirm you see a valid ticket for your AD principal and that it has not expired.
4. Connect in SQL Studio
- Open or create a server connection.
- Set Hostname and Port (usually 1433).
- Enable Integrated Security.
- Leave username/password blank unless your environment requires a specific format.
- Use encryption settings required by your SQL Server policy.
5. Refresh an expired ticket
If a connection that used to work starts failing, your Kerberos ticket may have expired. Request a new ticket:
kinit your_username@YOURDOMAIN.COM
Common issues
Clock skew
Kerberos is time-sensitive. Ensure your Mac's date and time are correct and synchronized.
Realm mismatch
Use uppercase realm format (for example, YOURDOMAIN.COM) when running kinit.
No ticket found
If klist returns no tickets, rerun kinit and verify credentials.
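The following pre-flight check is an added example, not part of the original page or of SQL Studio: it lints the krb5.conf from step 1 and the principal you intend to pass to kinit for the realm problems described under "Realm mismatch". The function name check_krb5, its messages, and the sample file are constructed for illustration; only true and yes are treated as enabling dns_lookup_kdc.

```sh
#!/bin/sh
# Added example: lint krb5.conf and a principal before running kinit.
# Usage: check_krb5 /etc/krb5.conf your_username@YOURDOMAIN.COM
# Prints one line per finding; returns 0 when nothing was found.
check_krb5() {
    awk -v principal="$2" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function report(msg) { print "krb5 check: " msg; bad = 1 }
    /^[ \t]*([#;]|$)/ { next }                   # skip comments and blank lines
    /^[ \t]*\[/       { section = trim($0); cur = ""; next }
    section == "[libdefaults]" && /=/ {
        split($0, kv, "="); key = trim(kv[1]); val = trim(kv[2])
        if (key == "default_realm")  def = val
        if (key == "dns_lookup_kdc") dns = tolower(val)
        next
    }
    section == "[realms]" && /=[ \t]*[{]/ {      # "REALM = {" opens a stanza
        split($0, kv, "="); cur = trim(kv[1]); next
    }
    section == "[realms]" && /[}]/ { cur = ""; next }
    section == "[realms]" && cur != "" && /^[ \t]*kdc[ \t]*=/ { kdc[cur]++ }
    END {
        n = split(principal, part, "@")
        realm = (n == 2) ? part[2] : ""
        if (realm == "") report("principal must look like user@REALM")
        else if (realm != toupper(realm)) report("realm in principal is not uppercase: " realm)
        if (def == "") report("no default_realm in [libdefaults]")
        else if (def != toupper(def)) report("default_realm is not uppercase: " def)
        if (realm != "" && !(realm in kdc) && dns != "true" && dns != "yes")
            report("no kdc listed for " realm " and dns_lookup_kdc is not enabled")
        exit bad + 0
    }' "$1"
}

# Constructed sample: a static-KDC config checked against a lowercase realm.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[libdefaults]
    default_realm = YOURDOMAIN.COM
    dns_lookup_kdc = false
[realms]
    YOURDOMAIN.COM = {
        kdc = dc1.yourdomain.com
    }
EOF
check_krb5 "$demo_conf" your_username@yourdomain.com ||
    echo "Fix the findings above before running kinit."
rm -f "$demo_conf"
```

Realm names are case-sensitive, so the lowercase realm in the sample fails twice: once for its case and once because it does not match the YOURDOMAIN.COM stanza that lists the KDC.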