Active Directory Authentication Failing w/new ML Install

We just ran into a problem at the school where I work with Macs running 10.8.2 would reject valid user credentials with the password box shake.

Rebinding, turning off mobile accounts, disabling UNC paths for home directories, disabling authentication from any domain in the forest, even moving to a new switch made no difference.

Finally, our network manager decided to run a dcdiag scan on the network and discovered a minor replication error on one of our three Domain Controllers. Once that was fixed all of our Macs were able to log in reliably.

Apparently 10.8.2 is not very tolerant of errors on the network. In our case the issue was so minor that no other device or service that authenticates against AD exhibited any problems, just the 10.8.2 Macs.

I spoke with an Apple engineer who confirmed that he had seen similar issues when the domain isn't quite right, DNS being the most common cause he cited.

So, after a few months of testing, capture and sending logs back and forth to Apple Engineers, we found out there is a setting in AD, under User Account that prevent us to log into AD from Mountain Lion. If you would go to your AD server, open up a user account properties, then go to Account tab, the "Do not require Kerberos preauthentication" option is checked. As soon as I uncheck that option, immediately I was able to log into AD on the Mac client. Apple engineers copied all my AD settings and setup a test environment on their end and match exact mine AD environment. They was able to reproduce this issue.

The bad part about this is... our environment required the "Do not require Kerberos preauthentication" is checked in AD, in order for our users to login into some of our Unix and Linux services. Which mean that it is impossible for us to remove that check mark because most, if not all of them some way or another require to login into applications that run on Unix and Linux. Apple is working to see if they can come up with a fix. Apparently, no one has report this issue except us. I believe most of you out there don't have that check mark checked in your environment... Anyone out there have any suggestion to by pass or have a work around for this?

This is a known issue with older Cisco VPN solutions as well. We have the same issue so we just disable it and make the account. Enable it again after account creation is complete. Funny too because we had a case with Apple so they are aware.

Leafyseahobbt, did you ever resolve your Gmail/Outlook 2011 issue in which you are getting the authentication errors? I have attempted to set up my Gmail account a dozen times, and have tried every other method I've seen in this forum and across the web to no avail.

Exact error is: The Server for account "my account" returned the error "[AUTHENTICATIONFAILED] Authentication Failed." You username/password or security settings may be incorrect."

Beyond frustrated....any help is greatly appreciated.

YAY!! You can disregard. I remembered I had enabled two way authentication in Gmail. I logged in to Gmail, went to Google Account Settings, and generated an Outlook App Specific password. Then, went through the normal setup of adding an account in Outlook, used the newly generated app specific password, and it worked great.

Thanks, and I hope this helps someone else remember that!