Unable to Login as Active Directory (AD) User, after AD is configured on my Mac

Environment Details:

  • Active Directory is set up on an Azure VM
  • VPN Gateway is configured on Azure
  • VPN Certificate is generated


On the user's Mac the following steps are executed

  1. Setup the VPN Certificate
  2. Update the DNS to include AD Server IP and Search for the AD Server
  3. Configure the VPN on Mac. Connect to VPN.
  4. Bind the Mac to the AD
  5. Ping the AD Server (Works fine)
  6. Create AD User account on the Mac
  7. Now try to switch the user to the AD User, from the local Apple ID user.
  8. Login screen comes up.
  9. User types the default password given


Mac is unable to connect to AD and verify the user. The error message at this time is "Password is incorrect".


I have been breaking my head on this problem for the last 4 days trying to understand what may have gone wrong, because it worked fine on a machine in the lab, but it is throwing this error on the user's machine when I connect to them remotely and try to configure it.


Any help would be greatly appreciated.


Thanks

Vinay


Posted on Nov 27, 2023 2:25 AM

Question marked as Top-ranking reply

Posted on Nov 27, 2023 3:46 PM

I suspect your VPN connection is dropping when you log out of the initial user account. Can you verify the VPN tunnel is still active when at the login window? The machine in the lab likely worked because you did not need the VPN connection as the machine was on the same LAN as the DC. Are you creating Mobile Accounts or are you expecting all logins to be live with no cached credentials? How are you handling FileVault on a reboot if you are not caching the accounts?


Instead of AD bind, have you looked at SSO login to Azure/Entra? Apple is introducing Platform SSO in Sonoma, allowing configuration via an MDM to shim into the login window experience. This will allow your Microsoft auth window to replace the login window and you will be able to support MFA and smart card. If you can't wait for Platform SSO to shake out, you can look at MDM-specific solutions such as Jamf Connect (add-on to Jamf Pro) or the SSO options in select alternative MDMs.


AD bind is basically deprecated. While most still works, there is some dust and cracks in the feature.


Hope this is helpful.
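A diagnostic script added here as an example (it is not from the thread, from Apple, or from the answerer) that checks the three things asked above on the bound Mac: whether a VPN service is currently connected, whether the bind creates mobile accounts with cached credentials, and whether the AD user is one of the FileVault-enabled accounts. It assumes the standard macOS tools scutil, dsconfigad, fdesetup and dscl are present when run on the Mac; the sample outputs embedded below are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: check the conditions raised in the reply above on an AD-bound Mac.
# Assumptions: scutil, dsconfigad, fdesetup and dscl are the standard macOS tools and are
# on PATH when this runs on the Mac; the SAMPLE_* strings are constructed, not real output.

# Does `scutil --nc list` report any VPN service as connected? (exit 0 = yes)
vpn_connected() {
  printf '%s\n' "$1" | grep -q '(Connected)'
}

# Does `dsconfigad -show` say mobile accounts are created at login? (exit 0 = yes)
mobile_accounts_enabled() {
  printf '%s\n' "$1" | grep -q 'Create mobile account at login *= *Enabled'
}

# Is the given short name listed by `fdesetup list` (one "user,UUID" per line)? (exit 0 = yes)
fv_user_enabled() {
  printf '%s\n' "$1" | grep -q "^$2,"
}

# Constructed samples shaped like the real tool output; used to exercise the checks off a Mac.
SAMPLE_NC_DOWN='* (Disconnected)   11111111-2222-3333-4444-555555555555 IPSec "Azure VPN"'
SAMPLE_NC_UP='* (Connected)      11111111-2222-3333-4444-555555555555 IPSec "Azure VPN"'
SAMPLE_DSCONFIGAD='Advanced Options - User Experience
  Create mobile account at login  = Enabled
  Require confirmation            = Disabled'
SAMPLE_FDESETUP='localadmin,AAAAAAAA-0000-0000-0000-000000000001
vinay,AAAAAAAA-0000-0000-0000-000000000002'

# Live run, only where the macOS tools exist. First argument: the AD user's short name.
if command -v dsconfigad >/dev/null 2>&1; then
  user="${1:-$USER}"
  vpn_connected "$(scutil --nc list)" \
    && echo "VPN: a service is connected" || echo "VPN: no service connected"
  mobile_accounts_enabled "$(dsconfigad -show)" \
    && echo "Mobile accounts: enabled" || echo "Mobile accounts: disabled (login needs a live DC)"
  fv_user_enabled "$(fdesetup list 2>/dev/null)" "$user" \
    && echo "FileVault: $user can unlock the disk" || echo "FileVault: $user is not FV-enabled"
  dscl /Search -read "/Users/$user" RecordName >/dev/null 2>&1 \
    && echo "Directory: $user resolves via the search path" || echo "Directory: $user not found"
fi
```

Run it once from the local admin account while the VPN is up and once after reconnecting remotely; a "VPN: no service connected" result at the second run matches the behaviour described in the reply.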


3 replies

Nov 28, 2023 4:31 AM in response to Strontium90

Thank you.


On "Can you verify the VPN tunnel is still active when at the login window?"


I verified this and the VPN is inactive, when at the login window.


On "Are you creating Mobile Accounts or are you expecting all logins to be live with no cached credentials?"

I am creating Mobile accounts and I have also enabled caching of the credentials.


On "How are you handling FileVault on a reboot if you are not caching the accounts?"

Since I am not very familiar with macOS, I do not know much about FileVault and how it is being handled. I checked this on the user's machine and FileVault is enabled on the user's machine. Should I be doing something here?


I will have to check on the SSO that you have mentioned, as all the users' machines are on Sonoma.


Thanks for your inputs

Nov 28, 2023 9:02 AM in response to VinayBarigidad

Check out: Platform Single Sign-on for macOS - Apple Support


As for FileVault, if you are not using an MDM and you did not record the recovery key, you will not be able to access that machine if the only FV account is the end user. And if you are allowing Apple IDs but not managed Apple IDs, then the recovery key may be in the user's personal Apple ID. If they leave, you will not be able to access the device.
