
Active Directory Authentication Failing w/new ML Install

33038 Views 50 Replies Latest reply: Jan 15, 2014 6:03 PM by methodologist
justinhamlin Level 1 (0 points)
Jul 25, 2012 1:22 PM

Upgraded to Mountain Lion today, everything works flawlessly, except anything that requires Active Directory authentication:

 

  • Outlook 2011 connection to Exchange will not connect
  • Mail.app will not connect to Exchange
  • Contacts.app will not connect to Exchange
  • Calendar.app will not connect to Exchange
  • Microsoft Remote Desktop Connection will not authenticate against any server
  • Cannot add computer to the Domain after specifying Directory Server (authentication failure)
  • Cannot connect/authenticate to any Windows Server file share

 

I am an admin of my network, I have a 2nd Windows computer sitting here and can do all of these things just fine, so my credentials are correct.  Mountain Lion is the culprit, just need to figure out the solution.

 

Why will Mountain Lion not pass authentication credentials correctly?  This is a MAJOR issue to anyone looking to use Mountain Lion in the enterprise.

MacBook Air, OS X Mountain Lion
  • iamtheadman

    I'm having a huge problem with Active Directory too. Our AD server is set to lock an account after three failed login attempts.

     

    It appears that for some reason when logging in to the network from the login page, you get two tries before being locked out instead of three. Also, when logged in, then logging out and then trying to log back in again, you get one try.

     

    There also appears to be a random, system-wide, issue when authenticating using Active Directory credentials, particularly with modal boxes asking for authentication. Sometimes it will work, other times it will lock the account on the first try EVEN WITH THE CORRECT INFORMATION.

     

    I've been calling IT all day having them reset my password. They'll never let Mountain Lion in the building if this continues.

  • iamtheadman Level 1 (5 points)

    Thanks Justin.

     

    It's terrible. I logged a bug report with them too but just under feedback.

     

    It seems to now be randomly locking my account even when I haven't done anything. I've been on the phone with my IT buddy and he'll watch it be unlocked, I'll logout of my account, and it will lock.

     

    Active Directory has been a nightmare since they launched Lion. With every "fix" came another problem. It seems this lack of caring or testing or whatever it is, has persisted into Mountain Lion.

     

    Thanks again.

    Adam

  • Waverider020

    Sorry Justin,

    I have to say this makes no difference to me!

  • iamtheadman Level 1 (5 points)

    Thanks for the efforts Justin but no dice here either.

     

    Here's what it's come down to for me. I've been working from the local admin account all morning. I logged out of Administrator and went to login to my Active Directory account. I absolutely made sure I typed everything perfectly, hit enter and it instantly locked my AD account.

     

    Seriously, does Apple test this stuff AT ALL?

  • iamtheadman Level 1 (5 points)

    Hey Justin, when you created your user account, did you also have it create a mobile account?

  • iamtheadman Level 1 (5 points)

    Hey Justin.

     

    Well, I figured out what is causing my problem. It's Mobile accounts. I started fresh with a new install and a standard Active Directory account (not Mobile). I authenticated 20+ times. Rebooted at least 10 times. Everything worked great. Then I decided to create the Mobile account. That's when everything broke again. My Active Directory account was getting locked after one accurate attempt to authenticate. When IT unlocked it I could go one step further but then it would lock me out the next time I tried to authenticate.

     

    So for me, it's clearly a Mobile account problem. Which is bad because half of the Macs under my care are notebooks.

     

    Please let me know what you find out on your end.

     

    Thanks,

    Adam

  • Andrew Cunningham

    We are also seeing an issue in ML where some AD users cannot log in. The common factor is that they all have a PrimaryGroupID value of '-2'. Here are the relevant logs:

    2012-07-30 10:17:39.630098 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - found result - 'CN=tjohnsto,CN=Users,DC=butler,DC=edu'

    2012-07-30 10:17:39.630216 EDT - 4202.17304.17306.17310.17312, Node: /Active Directory/BUTLER/Global Catalog, Module: ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods

    2012-07-30 10:17:39.649537 EDT - 4202.17304, Module: SystemCache - Ignoring entry (tjohnsto@/Active Directory/BUTLER/butler.edu) missing critical identifier dsAttrTypeStandard:PrimaryGroupID

    As you can see, the PrimaryGroupID cannot be handled by opendirectory, and the user is denied access.

    What we cannot determine is why some users are interpreted as having a GID of -2, despite the fact that their primary group in AD is the same (Domain Users).

    Any ideas??

  • iamtheadman Level 1 (5 points)

    Andrew, are they not able to log in period but their A/D account is showing unlocked or is their A/D account showing locked?

  • SSSnet Tech

    We are having exactly the same issue.  All accounts work fine using machines bound to AD using 10.6 or 10.7.  Some  accounts using 10.8 will work, others not.  Fresh install or upgrade, same result.

     

    Filed Bug Track last week. 

    Problem ID: 11956556   

     

    Quick test = at the terminal window type "id account" on bound 10.8 machine, if AD groups come back, that account will work.  If "no such user" is returned, it won't work.
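
Added example, not part of any post in this thread: a shell sketch that pulls the accounts the SystemCache module ignored out of an Open Directory debug log, using the line format shown in Andrew Cunningham's post, and wraps the "id account" quick test from the post above. The function names, the sample accounts and the EXAMPLE domain are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the same format as the log excerpt quoted in the thread.
sample_log() {
cat <<'EOF'
2012-07-30 10:17:39.630098 EDT - 4202.1.2, Node: /Active Directory/EXAMPLE/Global Catalog, Module: ldap - found result - 'CN=auser,CN=Users,DC=example,DC=test'
2012-07-30 10:17:39.630216 EDT - 4202.1.2, Node: /Active Directory/EXAMPLE/Global Catalog, Module: ldap - translation routine callback failed to translate 'dsAttrTypeStandard:PrimaryGroupID', falling through to other methods
2012-07-30 10:17:39.649537 EDT - 4202.1, Module: SystemCache - Ignoring entry (auser@/Active Directory/EXAMPLE/example.test) missing critical identifier dsAttrTypeStandard:PrimaryGroupID
2012-07-30 10:19:02.114201 EDT - 4202.7, Module: SystemCache - Ignoring entry (auser@/Active Directory/EXAMPLE/example.test) missing critical identifier dsAttrTypeStandard:PrimaryGroupID
2012-07-30 10:21:45.500310 EDT - 4202.9, Module: SystemCache - Ignoring entry (buser@/Active Directory/EXAMPLE/example.test) missing critical identifier dsAttrTypeStandard:PrimaryGroupID
EOF
}

# Print one "user<TAB>node<TAB>missing attribute" line per distinct ignored entry.
# Reads the files given as arguments, or stdin when none are given.
rejected_entries() {
    awk '
    /Module: SystemCache - Ignoring entry \(/ && /missing critical identifier/ {
        entry = $0
        sub(/^.*Ignoring entry \(/, "", entry)             # drop everything up to "("
        sub(/\) missing critical identifier.*$/, "", entry) # drop ")" and the tail
        attr = $0
        sub(/^.*missing critical identifier /, "", attr)
        at = index(entry, "@")
        if (at == 0) next                                   # not user@node, skip
        key = substr(entry, 1, at - 1) "\t" substr(entry, at + 1) "\t" attr
        if (!(key in seen)) { seen[key] = 1; print key }    # de-duplicate repeats
    }' "$@"
}

# The quick test from the thread: does the directory resolve this account name?
quick_test() {
    if id "$1" >/dev/null 2>&1; then echo "resolves"; else echo "no such user"; fi
}

# Stand-alone run: list each ignored account with its quick-test result.
sample_log | rejected_entries | while IFS="$(printf '\t')" read -r user node attr; do
    printf '%s (%s): missing %s, id says: %s\n' "$user" "$node" "$attr" "$(quick_test "$user")"
done
```

On a bound machine, pass the real debug log file to rejected_entries instead of piping sample_log into it.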

  • iamtheadman Level 1 (5 points)

    Also Andrew and Justin, did you create mobile accounts for the accounts that are having problems?

  • iamtheadman Level 1 (5 points)

    Just checked both my test machines--both with mobile accounts, both having the A/D problem--and both returned "no such user" in terminal. Reformatting/reinstalling on one of them and will try A/D account without mobile account and see what terminal returns. Stay tuned.
