We activated that, but it only works when the user has logged in themselves at least once via their AD-stored password. We want to build a little self-service around it for our helpdesk, but not all of them know their AD password due to two-factor authentication.
Which, by my understanding, means that they have to log in one time so Foreman can grab their hash out of LDAP and prove against it, and trusting Apache with its keytab that the user reported by the browser is mapped to the user stored in the DB linked to LDAP then makes the SSO.