
Active Directory Authentication Failing w/new ML Install

Upgraded to Mountain Lion today, everything works flawlessly, except anything that requires Active Directory authentication:


  • Outlook 2011 connection to Exchange will not connect
  • Mail.app will not connect to Exchange
  • Contacts.app will not connect to Exchange
  • Calendar.app will not connect to Exchange
  • Microsoft Remote Desktop Connection will not authenticate against any server
  • Cannot add computer to the Domain after specifying Directory Server (authentication failure)
  • Cannot connect/authenticate to any Windows Server file share


I am an admin of my network, I have a 2nd Windows computer sitting here and can do all of these things just fine, so my credentials are correct. Mountain Lion is the culprit, just need to figure out the solution.


Why will Mountain Lion not pass authentication credentials correctly? This is a MAJOR issue to anyone looking to use Mountain Lion in the enterprise.

MacBook Air, OS X Mountain Lion

Posted on Jul 25, 2012 1:22 PM


Sep 19, 2012 12:06 PM in response to justinhamlin

I am happy to report that I installed 10.8.2 and I am able to create a mobile account and not have it lock my Active Directory account. I have rebooted several times, with network connection and without, and it continues to work. I've also tested logging out, logging in to the Administrator account and then logging back into the AD account and it still works.


I think Apple may have fixed the problem. Strangely, there was no mention of Active Directory in the release notes.


Please post other successes/failures here.


Thanks.

Sep 20, 2012 7:16 AM in response to iamtheadman

Sadly, 10.8.2 does not seem to fix the issue with AD primarygroupid mappings for us. We still cannot log in with users whose primarygroupid value is interpreted (incorrectly) as "-2", unless we manually map GID to primaryGroupID via Directory Utility.


I suppose that we can continue with the policy of manually mapping this attribute, but I really wish that Apple would get this fixed!

Oct 9, 2012 7:19 AM in response to justinhamlin

Hi, hoping there's still some people around to help me on this issue.


I recently began experiencing issues with my MS Outlook 2011 for Mac last week, after I upgraded to Mountain Lion. However I didn't immediately notice an issue because the problem was specifically with my gmail. Gmail occasionally throws a tantrum and needs the Captcha to be unlocked anyway, as I often access email from a number of devices and gmail is paranoid about this being a potential threat.

I have four email addresses collected by Outlook. These are a gmail, and two private domain emails (all these three are IMAP) and also a POP hotmail.

So last Monday my two private emails stopped working as well, with the error message 'failed to authenticate, username or password incorrect etc etc' which keeps popping up no matter how many times I enter the password. Even when this happened I still didn't immediately blame ML as our domain was being upgraded at the time and I thought it might be that.

So, after unlocking the google captcha and confirming that the domain wasn't the problem, I've narrowed it down to either Outlook or ML. Then today, the POP hotmail failed in Outlook as well, which totally threw me as POP is almost indestructible.

Also, the really confusing part is that the gmail and two domain emails stopped working at the same time on my iPhone, so that's clearly not an ML issue, and I've had iOS6 since day one and that was working fine until last week. On my iPhone I use the Mail app to collect all the same email except the POP account.


So I have tried:


Unlocking the Captchas

Deleting and redoing keychain passwords

Confirming that all details are correct


Gmail now works on the iPhone, but not on my Macbook.

Domain emails don't work at all, and neither does the hotmail.


Just to reiterate Outlook worked fine with all these accounts until last week.


If anyone can offer any ideas that would be much appreciated - I've been without email for a week and it's killing me!


Thanks

Dec 17, 2012 11:08 AM in response to SSSnet Tech

This method (from SSSnet Tech) does not work for me. When I try the "Check Map user GID to attribute primaryGroupID" option, the login screen just bounces twice after I enter my AD username & password and hit Enter. I had another post created for my issue. Basically the same thing happens: cannot log into AD with a Mountain Lion machine. I had also captured the log. Please help me find out a solution for this.


https://discussions.apple.com/thread/4608362


I appreciate all your help and time!


TTLE

Jan 3, 2013 6:58 AM in response to justinhamlin

Has anyone looked into the Sync function once you create the Mobile account? Just by browsing around I noticed that this is syncing very frequently. Just wondering if it contributes to the locking out of accounts in AD. I will be doing some tests on a brand new MacBook Pro with my AD account. I have created the mobile account in the Users & Groups window rather than having one made automatically when a user logs in. Will write up more notes as they come.

Jan 11, 2013 5:57 PM in response to justinhamlin

We ran into this issue today with a Mac user. I stumbled across this post and just thought I'd share what fixed it for us.


Issue: When logging into a Mac (10.7.5 or 10.8.2) with User1, login would not prompt to create mobile account, or would just act like the password was wrong. With User2, it always worked as expected.


After reading through this entire thread and trying a few extra steps, here's what we found.

When running this command (run on a domain-joined Mac) we could get all the info on User1 and User2.

Substitute YOURDOMAIN for whatever domain you are joined to and having issues with.

dscl /Active\ Directory/YOURDOMAIN/All\ Domains -read /Users/user1

dscl /Active\ Directory/YOURDOMAIN/All\ Domains -read /Users/user2


Looking at the returned properties we noticed that User1 also had a sub-domain account in the forest appearing in output:


Domain\User1

sub.Domain\User1


and User2 (works) did not:

Domain\User2


What fixed it for us was to do one of the following solutions.


Solution 1: Rename the Sub-domain user. Apparently Unix uses this username forest-wide, so when we joined the domain the default search policy would try "All Domains".

This would result in the Sub.Domain user registering a "badPwdCount" property and eventually locking out the Sub.Domain\User1 account when logging into the mac as Domain\User1.

The account would log in, but to a half-created home folder, and never prompt to create a mobile account.

Once the Sub.Domain account was gone, the user immediately worked. You may need to wait for replication in a large Active Directory environment.


Solution 2: Change the Search Policy in OSX to use one domain (instead of default All Domains).

You have to un-check "Allow authentication from any domain in the forest", apply, then go to Search Policy and specify the desired domain, and then remove "All Domains".


Either of these solutions resolved our "some users always work and other users always don't work" issue.

Until today we hadn't figured out why it was happening to only a small number of users. It was isolated to users with the same User1 account in multiple domains in the forest.


Hopefully this saves someone time :).
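The check described in the post above, written out as an added example (not the poster's own script): feed the output of the dscl -read command to a function that lists every domain in which a DOMAIN\user token for that user appears, so an account that exists in more than one domain of the forest is flagged before it starts collecting badPwdCount in the wrong domain. The DOMAIN\user token form is taken from the post's output; the sample lines and YOURDOMAIN are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the domains in which a given
# user name appears in dscl -read output for an AD forest search.
# Assumes tokens of the form "Domain\User1" / "sub.Domain\User1" as shown
# in the post; the user name is taken as a plain name, not a regex.

# Print one distinct domain per line (lower-cased, sorted) for user $1,
# reading dscl output from stdin.
domains_for_user() {
    _user="$1"
    # split on whitespace, keep only DOMAIN\user tokens for this user,
    # then strip everything from the backslash onward
    tr ' \t' '\n\n' \
      | grep -i "^[^\\\\]*\\\\${_user}\$" \
      | cut -d '\' -f1 \
      | tr 'A-Z' 'a-z' \
      | sort -u
}

# Exit status 0 when the user exists in more than one domain of the
# forest, i.e. the "same User1 in multiple domains" case from the post.
is_duplicated_in_forest() {
    _n=$(domains_for_user "$1" | wc -l | tr -d ' ')
    [ "$_n" -gt 1 ]
}

# Live check on a bound Mac (macOS only); YOURDOMAIN is a placeholder.
check_live() {
    dscl "/Active Directory/YOURDOMAIN/All Domains" -read "/Users/$1" \
      | domains_for_user "$1"
}

# Constructed sample lines resembling the post's output for User1 and User2.
SAMPLE_USER1='RecordName: Domain\User1 sub.Domain\User1'
SAMPLE_USER2='RecordName: Domain\User2'

if [ "${1:-}" = "--demo" ]; then
    for u in User1 User2; do
        eval "sample=\$SAMPLE_$(echo "$u" | tr 'a-z' 'A-Z')"
        if printf '%s\n' "$sample" | is_duplicated_in_forest "$u"; then
            echo "$u: present in more than one domain, check badPwdCount"
        else
            echo "$u: single domain"
        fi
    done
fi
```

Run it with --demo to see the constructed cases, or call check_live on a bound Mac with the placeholder domain replaced.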

Jan 22, 2013 9:30 AM in response to TracyLocke IT

Not a real solution, but this works for me. I run the IT in a school with around 100 iMacs running SL and they are bound to OD (SL Server) and AD (Win 2k7) as they are dual boot. Trialling upgrading to ML and have had the same issue - password field shakes when trying to log on. I can log in as local admin etc.


I noticed that after working in local admin account for a while building up an image machine, I tried and did log in using our student test account and it was bound correctly and everything that should be seen / accessible was there - home folder on the Win Server etc. I also happened to notice that after this period of time, the red dot 'network accounts unavailable' came up, quickly followed by the orange dot then this disappeared and log in success.


The only difference was the length of time the iMac was on. Wondering, I tried logging in after various time intervals and finally it logged in after around 2 hours. I set the system to turn on at 6:00am and when I tried to log in at around 8:30am the next day - it did! The only potential issue is if a student restarts the system, you go back to the 2 hour delay, so I've removed the option to restart and shut down from the Student Policy. Logging out and back in with same or different account works fine unless system has been rebooted.


In summary, it seems to be the time it takes to talk properly to the servers before being able to log in. At least it seems I can now go ahead and upgrade to ML and just have them all boot up at 6:00am.


I hope that someone out there who understands better will be able to look at this and maybe find a more satisfactory solution to this.
