Nov 18, 2012 10:20 PM (in response to antoine44)
To add some info on this:
We have some network drives (SMB) that are used to share data. To access those, the computer needs to be authenticated against the AD.
With a local session on a Mac (which is not an AD account then), the drive will ask for an AD account to be mounted.
With an AD account on a Mac, no problem mounting the drive, no need to enter credentials (no need to re-enter AD credentials).
For me, the proxy should work in the same way.
I'm pretty new to all of this, so I don't understand where the misconfiguration is.
Nov 19, 2012 1:53 AM (in response to antoine44)
Another point of test is the auto-authentication with SharePoint internal websites.
On Windows, launching the SharePoint site in Internet Explorer will display the page, already logged in with the AD account.
On Mac, the browser will ask for authentication to give access. It won't be automatic.
Nov 19, 2012 6:57 AM (in response to antoine44)
You can manually enter and store login details for a web-proxy server in System Preferences -> Network -> Ethernet -> Advanced -> Proxies
and use the Web Proxy option and enable the option to enter login details. Once you have done this you will not have to re-enter them each time you boot your Mac.
Nov 19, 2012 5:52 PM (in response to John Lockwood)
Yes, but as I said, I would like to avoid this, because users' passwords need to be changed every 60 days (Active Directory will force the user to change his password every 60 days).
So if an old password is stored and then used by the Mac to reach the internet (some applications like widgets and Notification Center automatically try to reach the internet at boot), the proxy will use this old password to check identity, and multiple uses of an old password LOCK the account in the AD.
I would like the Mac to automatically use the account (AD login/password) used to open the session for the proxy and all other services that need AD authentication (like SharePoint, SMB...), like Windows would do.
Nov 20, 2012 3:07 AM (in response to antoine44)
You will need to change your group policy for the users in AD to lock the accounts after x amount of tries. We have this set to 5 attempts.
The Mac will attempt to log in with the incorrect details and, as it will not connect (if the password has expired), it will prompt you to enter a password. This is when you enter the new password that was created when you logged in (AD will prompt for a new password at logon when the password has expired). If you enter the new password and select the remember button, the keychain entry will be changed to the new password and you should be good to go.
Nov 20, 2012 5:51 PM (in response to Ben Bissett)
This is one good solution.
However, I need to check with security whether they agree with this. Also I think that 5 times may not be enough.
So from what you say, there is no way to do it like Windows? (automatic auth)
Nov 21, 2012 1:10 AM (in response to antoine44)
5 times should be more than enough. You will find that the account will only be locked if the user is unaware of the process and continually tries different passwords.
The proxy settings can be set through group policy, but you are looking at two things: first is the proxy settings, which include the IP address of the proxy, the port number and what services are to use the proxy; second is the authentication. You will notice, even on a PC running Windows, that when the user is forced to change their password they will still be required to enter the new password when connecting to the internet and, if you are also running an Exchange server on the domain, email. It's the same for the Macs.
You will find that there are some applications that are not SSO and do not get their authentication from a Kerberos ticket; Dropbox for one can and does lock out accounts. Firefox has its own proxy settings, although it can be set to obtain the system settings. The best I have come up with is to make a list of those applications that perform in this way and get the user to change the password when it expires.
Nov 21, 2012 2:17 AM (in response to Ben Bissett)
The proxy settings are handled with a .pac file. So no problem on this side, only authentication.
For our Windows computers, authentication is automatic, even when changing the password after its expiration; no need to enter the password for the proxy.
I found out that we are not using Kerberos with AD. Is it related to the fact that I cannot authenticate automatically on a number of services (like the proxy)?
Nov 21, 2012 2:26 AM (in response to antoine44)
"For our Windows computers, authentication is automatic, even when changing the password after its expiration; no need to enter the password for the proxy."
From a security point of view I wouldn't recommend not having to enter the password for the proxy, as (providing the PC wasn't locked) any user would be able to use the PC and gain internet access without the need to authenticate, making it very difficult to identify a user if any issues should arise.
AD needs Kerberos to pass the TGT to the Mac, which in turn will generate the SGT.
As far as I know Kerberos is permanently running in AD.
Nov 21, 2012 2:28 AM (in response to Ben Bissett)
"I found out that we are not using Kerberos with AD. Is it related to the fact that I cannot authenticate automatically on a number of services (like the proxy)?"
Yes, there would not be any SGT for the services.
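Added illustration of the check behind Ben's point (example script, not code posted in this thread): before blaming the proxy, confirm that the logged-in Mac session actually holds a Kerberos TGT for the AD realm and a service ticket for the proxy's HTTP service principal. The script parses `klist` output; the sample output, the realm EXAMPLE.COM and the proxy host proxy.example.com are constructed for the example, and the SPN form HTTP/<proxy host> is an assumption about how the proxy is registered in AD.

```shell
#!/bin/sh
# Constructed sample of `klist` output from a Mac bound to AD
# (realm, hostnames and times are made up for this example).
SAMPLE_KLIST='Credentials cache: API:00000000-1111-2222-3333-444444444444
        Principal: antoine@EXAMPLE.COM

  Issued                Expires               Principal
Nov 21 09:00:00 2012  Nov 21 19:00:00 2012  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Nov 21 09:01:00 2012  Nov 21 19:00:00 2012  cifs/fileserver.example.com@EXAMPLE.COM'

# has_tgt OUTPUT REALM: succeeds when a krbtgt ticket for REALM is present.
has_tgt() {
    printf '%s\n' "$1" | grep -q -F -- "krbtgt/$2@$2"
}

# has_service_ticket OUTPUT SPN: succeeds when a service ticket for SPN is present.
has_service_ticket() {
    printf '%s\n' "$1" | grep -q -F -- "$2@"
}

# proxy_spn HOST: assumed SPN form for a Kerberos-aware web proxy.
proxy_spn() {
    printf 'HTTP/%s' "$1"
}

# check_sso OUTPUT REALM PROXYHOST: prints one of
#   NO_TGT     - no TGT at all: the session was not obtained via Kerberos
#                (the symptom antoine44 describes when AD is not using Kerberos)
#   TGT_ONLY   - TGT present but no proxy service ticket yet; normal until the
#                first Negotiate request, but persistent means the proxy is not
#                registered for Kerberos or the browser is not using Negotiate
#   SSO_READY  - both present: proxy auth should be silent
check_sso() {
    out="$1"; realm="$2"; proxyhost="$3"
    if ! has_tgt "$out" "$realm"; then
        echo "NO_TGT"
        return 1
    fi
    if ! has_service_ticket "$out" "$(proxy_spn "$proxyhost")"; then
        echo "TGT_ONLY"
        return 2
    fi
    echo "SSO_READY"
    return 0
}

# Live check on a Mac: run as `sh sso_check.sh --live REALM PROXYHOST`.
# `klist -s` exits non-zero when the cache holds no valid ticket.
check_live() {
    if ! command -v klist >/dev/null 2>&1; then
        echo "klist not found" >&2
        return 3
    fi
    if ! klist -s 2>/dev/null; then
        echo "NO_TGT"
        return 1
    fi
    check_sso "$(klist 2>/dev/null)" "$1" "$2"
}

if [ "${1:-}" = "--live" ]; then
    check_live "${2:-EXAMPLE.COM}" "${3:-proxy.example.com}"
fi
```

On the constructed sample the result is TGT_ONLY: the user has a TGT and a file-server ticket, but nothing for the proxy, so a stored password in the keychain (the John Lockwood approach) would be what the Mac falls back to, with the lockout risk antoine44 describes once that password goes stale.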
Jul 2, 2013 8:28 AM (in response to antoine44)
Have you found a permanent solution to this issue?
Jul 2, 2013 6:54 PM (in response to mazza2590)
but still didn't try with Kerberos (waiting for AD update)