
Active Directory Authentication Failing w/new ML Install

33045 Views 50 Replies Latest reply: Jan 15, 2014 6:03 PM by methodologist RSS
  • iamtheadman Level 1 (5 points)

    Just updated to 10.8.1 and it didn't solve the Active Directory mobile account issue. Just tested with our IT team and the AD account still locks after the first login attempt. So we continue to wait.

  • blayn

    Didn't solve it for me either. My machine isn't tied into the AD, instead it resides on the same network, and has only local accounts. Though I (used to) connect to SMB directories using AD login credentials every day.

     

    I'm also getting locked out after the first attempt.

  • blayn Level 1 (0 points)

    I just found a workaround, well, sort of.

     

    If I use the limited, non-admin account on the Mac (local, non-AD), I'm able to connect to SMB shares. No lockout, same exact credentials, just a different local account.

  • AW139

    Same problem here. After one password error, the account is locked.

     

    Mountain lion: 10.8.1

    Server: AD on Windows server 2008 R2

  • tedlee88

    You guys can add me to the list. Trying to configure 10.8.1 Mountain Lion Server to connect with our Active Directory server running Windows Server 2008 R2. I can add a user, but cannot log in after logoff. Any ideas greatly appreciated.

  • iamtheadman Level 1 (5 points)

    I am happy to report that I installed 10.8.2 and I am able to create a mobile account and not have it lock my Active Directory account. I have rebooted several times, with network connection and without, and it continues to work. I've also tested logging out, logging in to the Administrator account and then logging back into the AD account and it still works.

     

    I think Apple may have fixed the problem. Strangely, there was no mention of Active Directory in the release notes.

     

    Please post other successes/failures here.

     

    Thanks.

  • iamtheadman Level 1 (5 points)

    Actually, Apple does list it in the release notes. http://support.apple.com/kb/HT5460

  • Andrew Cunningham

    Sadly, 10.8.2 does not seem to fix the issue with AD primarygroupid mappings for us. We still cannot log in with users whose primarygroupid value is interpreted (incorrectly) as "-2", unless we manually map GID to primaryGroupID via Directory Utility.

     

    I suppose that we can continue with the policy of manually mapping this attribute, but I really wish that Apple would get this fixed!

  • Leafyseahobbt

    Hi, hoping there's still some people around to help me on this issue.

     

    I recently began experiencing issues with my MS Outlook 2011 for Mac last week, after I upgraded to Mountain Lion. However I didn't immediately notice an issue because the problem was specifically with my gmail. Gmail occasionally throws a tantrum and needs the Captcha to be unlocked anyway, as I often access email from a number of devices and gmail is paranoid about this being a potential threat.

    I have four email addresses collected by Outlook. These are a gmail, and two private domain emails (all these three are IMAP) and also a POP hotmail.

    So last Monday my two private emails stopped working as well, with the error message 'failed to authenticate, username or password incorrect etc etc' which keeps popping up no matter how many times I enter the password. Even when this happened I still didn't immediately blame ML as our domain was being upgraded at the time and I thought it might be that.

    So, after unlocking the google captcha and confirming that the domain wasn't the problem, I've narrowed it down to either Outlook or ML. Then today, the POP hotmail failed in Outlook as well, which totally threw me as POP is almost indestructible.

    Also, the really confusing part is that the gmail and two domain emails stopped working at the same time on my iPhone, so that's clearly not an ML issue, and I've had iOS6 since day one and that was working fine until last week. On my iPhone I use the Mail app to collect all the same email except the POP account.

     

    So I have tried:

     

    Unlocking the Captchas

    Deleting and redoing keychain passwords

    Confirming that all details are correct

     

    Gmail now works on the iPhone, but not on my Macbook.

    Domain emails don't work at all, and neither does the hotmail.

     

    Just to reiterate Outlook worked fine with all these accounts until last week.

     

    If anyone can offer any ideas that would be much appreciated - I've been without email for a week and it's killing me!

     

    Thanks

  • opentrail

    I have a similar issue where the wifi keeps dropping with Authentication Failure. The client has everything linked to AD but my Mac just has a local machine account. I do connect to a printer using an ip address.

     

    Very annoying and I hope Apple will fix this soon.

  • opentrail Level 1 (10 points)

    Thanks for the tip but this did nothing for me. Still drops the wifi with Authentication Failure. I have to switch the wifi off and on to continue.

  • ttle

    This method (from SSSnet Tech) does not work for me. When I try the "Check Map user GID to attribute primaryGroupID", the login screen just bounces twice after I enter my AD username & password and hit Enter. I had another post created for my issue. Basically the same thing happens: I cannot log into AD with a Mountain Lion machine. I had also captured the log. Please help me find a solution for this.

     

    https://discussions.apple.com/message/20609798#20609798

     

    I appreciate all your help and time!

     

    TTLE

  • ttle Level 1 (0 points)

    Anyone know how to find the primarygroupID value in AD? I tried 513, which is the default one, but doesn't work. Please help!

  • scottpaigeng

    Has anyone looked into the Sync function once you create the Mobile account? Just by browsing around I noticed that this is syncing very frequently. I just wonder if it contributes to the locking out of accounts in AD. I will be doing some tests on a brand new MacBook Pro with my AD account. I have created the mobile account in the Users & Groups window rather than it making one automatically when a user logs in. Will write up more notes as they come.

  • -Reece

    We ran into this issue today with a Mac user. I stumbled across this post and just thought I'd share what fixed it for us.

     

    Issue: When logging into a Mac (10.7.5 or 10.8.2) with User1, login would not prompt to create mobile account, or would just act like the password was wrong. With User2, it always worked as expected.

     

    After reading through this entire thread and trying a few extra steps, here's what we found.

    When running this command (run on a domain-joined Mac) we could get all the info on User1 and User2.

    Substitute YOURDOMAIN for whatever domain you are joined to and having issues with.

    dscl /Active\ Directory/YOURDOMAIN/All\ Domains -read /Users/user1

    dscl /Active\ Directory/YOURDOMAIN/All\ Domains -read /Users/user2

     

    Looking at the returned properties we noticed that User1 also had a sub-domain account in the forest appearing in output:

     

    Domain\User1

    sub.Domain\User1

     

    and User2 (works) did not:

    Domain\User2

     

    What fixed it for us was to do one of the following solutions.

     

    Solution 1: Rename the Sub-domain user. Apparently Unix uses this username forest-wide, so when we joined the domain the default search policy would try "All Domains".

    This would result in the Sub.Domain user registering a "badPwdCount" property and eventually locking out the Sub.Domain\User1 account when logging into the Mac as Domain\User1.

    The account would log in, but to a half-created home folder, and never prompt to create a mobile account.

    Once the Sub.Domain account was gone, the user immediately worked. You may need to wait for replication in a large Active Directory environment.

     

    Solution 2: Change the Search Policy in OSX to use one domain (instead of default All Domains).

    You have to un-check the "Allow authentication from any domain in the forest", apply, then go to Search Policy and specify the desired domain, and then remove "All domains"

     

    Either of these solutions resolved our "some users always work and other users always don't work" issue.

    Until today we hadn't figured out why it was happening to only a small number of users. It was isolated to users with the same User1 account in multiple domains in the forest.

     

    Hopefully this saves someone time :).
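
The duplicate-account check described in the post above, as an added example that is not part of the original thread: a bash helper that scans saved `dscl ... -read /Users/<name>` output for `DOMAIN\name` entries and reports when one short name exists in more than one domain. The function names and the sample output are constructed for illustration, and the `RecordName:` label in the samples is an assumption about where the entries appear.

```bash
#!/usr/bin/env bash
# Constructed samples mirroring the two cases in the post. The "RecordName:"
# label is an assumption; the scan itself does not depend on the label.
SAMPLE_USER1='RecordName: user1 Domain\User1 sub.Domain\User1
PrimaryGroupID: 513'
SAMPLE_USER2='RecordName: user2 Domain\User2
PrimaryGroupID: 513'

# domains_for_user NAME   (dscl output on stdin)
# Prints each distinct domain prefix found in front of "\NAME", lowercased.
domains_for_user() {
  local name
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tr ' \t' '\n\n' | tr '[:upper:]' '[:lower:]' |
    awk -v n="$name" '{
      i = index($0, "\\")    # position of the first backslash in the token
      if (i > 1 && substr($0, i + 1) == n) print substr($0, 1, i - 1)
    }' | sort -u
}

# is_ambiguous NAME   (dscl output on stdin)
# Exit 0 when NAME appears under more than one domain.
is_ambiguous() {
  local count
  count=$(domains_for_user "$1" | wc -l | tr -d ' ')
  [ "$count" -gt 1 ]
}

# On a bound Mac, feed it the command from the post:
#   dscl "/Active Directory/YOURDOMAIN/All Domains" -read /Users/user1 | is_ambiguous user1
for pair in "user1:$SAMPLE_USER1" "user2:$SAMPLE_USER2"; do
  user=${pair%%:*}; out=${pair#*:}
  if printf '%s\n' "$out" | is_ambiguous "$user"; then
    echo "$user: found in multiple domains:"
    printf '%s\n' "$out" | domains_for_user "$user" | sed 's/^/  /'
  else
    echo "$user: single domain"
  fi
done
```

A name flagged here is a candidate for either of the two fixes in the post: renaming the duplicate account or restricting the search policy to one domain.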
