About single sign-on

A network user can use single sign-on authentication to gain access to services on OS X Server. With single sign-on, a user enters a name and password only once, then has access to services associated with single sign-on for 8 to 10 hours. After that, the user must enter his or her user name and password again to continue.

For example, single sign-on is like getting a press pass to a jazz festival held at multiple nightclubs over a three-day weekend. You prove your identity once to get the pass. Until the pass expires, you can show it at any nightclub to get a ticket for a performance. All participating nightclubs accept your pass without seeing your proof of identity again.

When you use single sign-on, passwords are transmitted over the network less often, so there’s less chance for malicious hackers to intercept passwords sent over your network.

OS X Server uses Kerberos to provide single sign-on authentication. For information about Kerberos, see www.learn-networking.com.

Users’ apps don’t take advantage of single sign-on by default; users must change account settings in apps such as Mail, Calendar, and Messages to use Kerberos authentication.

You can also use the dsconfigad command to kerberize a service. For information, see Kerberize services with an Active Directory server.