Skip navigation

Active Directory Authentication Failing w/new ML Install

33043 Views 50 Replies Latest reply: Jan 15, 2014 6:03 PM by methodologist RSS
  • Gavin Agnew Calculating status...

    Not a real solution, but this works for me. I run the IT in a school with around 100 iMacs running SL and they are bound to OD (SL Server) and AD (Win 2k7) as they are dual boot. Trialling upgrading to ML and have had the same issue - password field shakes when trying to log on. I can log in as local admin etc.

     

    I noticed that after working in local admin account for a while building up an image machine, I tried and did log in using our student test account and it was bound correctly and everything that should be seen / accessible was there - home folder on the Win Server etc. I also happened to notice that after this period of time, the red dot 'network accounts unavailable' came up, quickly followed by the orange dot then this disappeared and log in success.

     

    The only difference was the length of time the iMac was on. Wondering, I tried logging in after various time intervals and finally it logged in after around 2 hours. I set the system to turn on at 6:00am and when I tried to log in at around 8:30am the next day - it did! The only potential issue is if a student restarts the system, you go back to the 2 hour delay, so I've removed the option to restart and shut down from the Student Policy. Logging out and back in with same or different account works fine unless system has been rebooted.

     

    In summary, it seems to be the time it takes to talk properly to the servers before being able to log in. At least it seems I can now go ahead and upgrade to ML and just have them all boot up at 6:00am.

     

    I hope that someone out there who understands better will be able to look at this and maybe find a more satisfactory solution to this.

  • Daniel Lyons Calculating status...

    We just ran into a problem at the school where I work with Macs running 10.8.2 would reject valid user credentials with the password box shake.

     

    Rebinding, turning off mobile accounts, disabling UNC paths for home directories, disabling authentication from any domain in the forest, even moving to a new switch made no difference.

     

    Finally, our network manager decided to run a dcdiag scan on the network and discovered a minor replication error on one of our three Domain Controllers. Once that was fixed all of our Macs were able to log in reliably.

     

    Apparently 10.8.2 is not very tolerant of errors on the network. In our case the issue was so minor that no other device or service that authenticates against AD exhibited any problems, just the 10.8.2 Macs.

     

    I spoke with an Apple engineer who confirmed that he had seen similar issues when the domain isn't quite right, DNS being the most common cause he cited.

  • ttle Level 1 Level 1 (0 points)

    So, after a few months of testing, capture and sending logs back and forth to Apple Engineers, we found out there is a setting in AD, under User Account that prevent us to log into AD from Mountain Lion. If you would go to your AD server, open up a user account properties, then go to Account tab, the "Do not require Kerberos preauthentication" option is checked. As soon as I uncheck that option, immediately I was able to log into AD on the Mac client. Apple engineers copied all my AD settings and setup a test environment on their end and match exact mine AD environment. They was able to reproduce this issue.

     

    The bad part about this is... our environment required the "Do not require Kerberos preauthentication" is checked in AD, in order for our users to login into some of our Unix and Linux services. Which mean that it is impossible for us to remove that check mark because most, if not all of them some way or another require to login into applications that run on Unix and Linux. Apple is working to see if they can come up with a fix. Apparently, no one has report this issue except us. I believe most of you out there don't have that check mark checked in your environment... Anyone out there have any suggestion to by pass or have a work around for this?

  • FL_MacTech Level 2 Level 2 (230 points)
    Currently Being Moderated
    May 24, 2013 12:33 AM (in response to ttle)

    This is a known issue with older Cisco VPN solutions as well. We have the same issue so we just disable it and make the account. Enable it again after account creation is complete. Funny too because we had a case with Apple so they are aware.

  • methodologist Calculating status...

    Leafyseahobbt, did you ever resolve your Gmail/Outlook 2011 issue in which you are getting the authentication errors?  I have attempted to set up my Gmail account a dozen times, and have tried every other method I've seen in this forum and across the web to no avail. 

     

    Exact error is:  The Server for account "my account" returned the error "[AUTHENTICATIONFAILED] Authentication Failed."  You username/password or security settings may be incorrect."

     

    Beyond frustrated....any help is greatly appreciated.

  • methodologist Level 1 Level 1 (0 points)

    YAY!!  You can disregard.  I remembered I had enabled two way authentication in Gmail.  I logged in to Gmail, went to Google Account Settings, and generated an Outlook App Specific password.  Then, went through the normal setup of adding an account in Outlook, used the newly generated app specific password, and it worked great.

     

    Thanks, and I hope this helps someone else remember that!

1 2 3 4 Previous Next

Actions

More Like This

  • Retrieving data ...

Bookmarked By (7)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.