Automatic use of Active Directory credentials for Proxy Auth

2666 Views 12 Replies Latest reply: Jul 2, 2013 6:54 PM by antoine44
antoine44
Nov 14, 2012 12:13 AM

Hello,

I am trying to add some MacBook computers to our network and make them follow the same guidelines as the Windows computers, with the same features as well...

Here is the hardware list :

  • MacBooks
  • 1 Mac Mini server with OSX server to apply policies
  • windows computers
  • a Windows Active Directory
  • a Bluecoat proxy

I bound them to the Active Directory to let any user log in on an Apple machine with the same credentials.

This is working.

However, our proxy asks for authentication (security policies) for any user who wants to access the internet.

The proxy is connected to the Active Directory and uses it as the central place for identity.

We are currently using (on Windows computers) an automatic proxy configuration using a URL. This URL redirects the computer to the right proxy depending on its URL.

I would like to do the same with the Apple computers, but when I access the web, in any browser, I get the authentication popup that asks for AD credentials.

The problem is, I do not want users to have to enter their credentials, as they are the same as the ones they already use to log in (AD credentials).

If I leave it like this, then they will store the credentials in the keychain, and as AD asks for a password change every 60 days, the computer would automatically use the old credentials to access the internet (dashboard widgets, notification center...), and then multiple authentications with the wrong password would lock the AD account.

Same problem if I wanted to use the HTTP/HTTPS proxy configuration in the System Preferences instead of the automatic proxy: I would have to save a password which would be wrong after 60 days.

On Windows, computers automatically use the AD credentials for the proxy. There is no need to enter credentials to browse the internet.

I am sure I misconfigured something in the AD binding, or I am missing something in the configuration of the MacBooks.

Does anyone have an idea?

Thanks

MacBook Pro with Retina display, OS X Mountain Lion (10.8.2)
  • John Lockwood

    You can manually enter and store login details for a web-proxy server in System Preferences -> Network -> Ethernet -> Advanced -> Proxies

    and use the Web Proxy option and enable the option to enter login details. Once you have done this, you will not have to re-enter them each time you boot your Mac.

  • Ben Bissett

    You will need to change your group policy for the users in AD to lock the accounts after x amount of tries. We have this set to 5 attempts.

    The Mac will attempt to log in with the incorrect details, and as it will not connect (if the password has expired), it will prompt you to enter a password. This is when you enter the new password that was created when you logged in (AD will prompt for a new password at logon when the password has expired). If you enter the new password and select the remember button, the keychain entry will be changed to the new password and you should be good to go.

  • Ben Bissett

    5 times should be more than enough. You will find that the account will only be locked if the user is unaware of the process and continually tries different passwords.

    The proxy settings can be set through group policy, but you are looking at two things: first is the proxy settings, which will include the IP address of the proxy, the port number and which services are to use the proxy; second is the authentication. You will notice, even on a PC running Windows, that when the user is forced to change their password they will still be required to enter the new password when connecting to the internet and, if you are also running an Exchange server on the domain, email. It's the same for the Macs.

    You will find that there are some applications that are not SSO and do not get their authentication from a Kerberos ticket; Dropbox, for one, can and does lock out accounts. Firefox has its own proxy settings, although it can be set to obtain the system settings. The best I have come up with is to make a list of those applications that perform in this way and get the user to change the password when it expires.

  • Ben Bissett

    "For our Windows computers, authentication is automatic, even when changing the password after its expiration; no need to enter the password for the proxy."

    From a security point of view I wouldn't recommend not having to enter the password for the proxy, as (providing the PC wasn't locked) any user would be able to use the PC and gain internet access without the need to authenticate, making it very difficult to identify a user if any issues should arise.


    AD needs kerberos to pass the TGT to the mac which in turn will generate the SGT.


    As far as I know Kerberos is permanently running in AD.

  • Ben Bissett

    "I found out that we are not using Kerberos with AD. Is it related to the fact that I cannot authenticate automatically to a number of services (like the proxy)?"


    Yes, there would not be any SGT for the services.
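The two replies above reduce the problem to two conditions: the Mac must hold a Kerberos TGT from AD (so it can obtain a service ticket for the proxy), and the proxy must offer the Negotiate scheme rather than only Basic or NTLM. The script below is an added example, not code from the thread or from Apple, that checks both on an AD-bound Mac. The proxy address, the test URL, and the use of the Mac's bundled `curl` (built with GSS-API) and Heimdal `klist` are assumptions; the sample `klist` listing and 407 reply it uses when run without `--live` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check the two things Kerberos SSO to a
# Negotiate proxy needs on an AD-bound Mac. Proxy address and URL are assumed.

PROXY="${PROXY:-http://proxy.corp.example.com:8080}"   # assumed proxy address
TARGET_URL="${TARGET_URL:-http://www.example.com/}"     # assumed URL to fetch

# has_tgt: read `klist` output on stdin; succeed if a krbtgt ticket is listed.
# The krbtgt/REALM@REALM line is the TGT that AD issued at login (or via kinit).
has_tgt() {
    grep -q 'krbtgt/'
}

# proxy_auth_schemes: read raw HTTP response headers on stdin and print the
# scheme named by each Proxy-Authenticate header, lowercased, one per line.
proxy_auth_schemes() {
    tr -d '\r' | awk 'tolower($1) == "proxy-authenticate:" { print tolower($2) }'
}

# offers_negotiate: succeed if one offered scheme is Negotiate (SPNEGO/Kerberos).
# A proxy that lists only Basic or NTLM will always fall back to a password prompt.
offers_negotiate() {
    proxy_auth_schemes | grep -qx 'negotiate'
}

# proxy_headers: request TARGET_URL through the proxy with no credentials and
# return only the headers of its reply (normally a 407 with the challenges).
proxy_headers() {
    curl -sS -I --proxy "$PROXY" "$TARGET_URL"
}

# live_check: run both tests against the real machine and say what to do next.
live_check() {
    if klist 2>/dev/null | has_tgt; then
        echo "TGT present: the Mac can request a service ticket for the proxy"
    else
        echo "no TGT: log in as an AD user or run kinit; SSO cannot work" >&2
        return 1
    fi
    if proxy_headers | offers_negotiate; then
        echo "proxy offers Negotiate: try curl --proxy-negotiate --proxy-user : --proxy $PROXY -I $TARGET_URL"
    else
        echo "proxy does not offer Negotiate: every client will be prompted" >&2
        return 1
    fi
}

# With --live, test the real system; otherwise exercise the parsers on a
# constructed klist listing and a constructed 407 reply so the script runs offline.
if [ "${1:-}" = "--live" ]; then
    live_check
else
    printf '  Issued                Expires               Principal\nNov 14 09:01:12 2012  Nov 14 19:01:12 2012  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM\n' \
        | has_tgt && echo "sample klist: TGT found"
    printf 'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Negotiate\r\nProxy-Authenticate: NTLM\r\nProxy-Authenticate: Basic realm="proxy"\r\n\r\n' \
        | offers_negotiate && echo "sample 407: Negotiate offered"
fi
```

If the live run shows a TGT and a Negotiate challenge but the `curl --proxy-negotiate` request still gets a 407, a second `klist` tells you whether a service ticket for `HTTP/<proxy FQDN>` was ever issued; if none appears, the usual cause is that no such SPN is registered in AD for the name the client resolves the proxy by. Browsers that keep their own proxy and authentication settings (the thread mentions Firefox) need to be pointed at the system settings or configured separately before this check reflects what the user sees.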

  • mazza2590

    Hi Antoine44,

    Have you found a permanent solution to this issue?
