Automatic use of Active Directory credentials for Proxy Auth

You can manually enter and store login details for a web-proxy server in System Preferences -> Network -> Ethernet -> Advanced -> Proxies

and use the Web Proxy option and enable the option to enter login details. Once you have done this you will not have to re-enter them each time you boot your Mac.

You will need to change your group policy for the users in AD to lock the accounts after x amount of tries. We have this set to 5 attempts.

The mac will attempt to log in with the incorrect details and as it will not connect (if the password has expired) it will prompt you to enter a password. This is when you enter the new password that was created when you logged in (AD will prompt for new password at logon when the password has expired). If you enter the new password and select the remember button the keychain entry will be changed to the new password and you should be good to go.

5 times should be more than enough. You will find that the account will only be locked if the user is unaware of the process and continually tries different passwords.

The proxy settings can be set through group policy but you are looking at two things, first is the proxy settings, this will include the ip address of the proxy and the port number and what services are to use the proxy, second is the authentication. You will notice, even on a PC running windows that when the user is forced to change their password they will still be required to enter the new password when connecting to the internet and, if you are also running an exchange server on the domain, email. It's the same for the macs.

You will find that there are some applications that are not SSO and do not get their authentication from a Kerberos ticket , Dropbox for one can and does lock out accounts. Firefox has it's own proxy settings although it can be set to obtain the system settings. The best I have come up with is to make a list of those applications that perform in this way and get the user to change the password when it expires.

"For our windows computer, authentication is automatic, even when changind the password after its expiration, no need to enter the password for proxy."

From a security point of view I wouldn't recommend not having to enter the password for proxy, as (providing the pc wasn't locked) any user would be able to use the pc and gain inernet access without the need to authenticate making it very difficult to identify a user if any issues should arise.

AD needs kerberos to pass the TGT to the mac which in turn will generate the SGT.

As far as I know Kerberos is permanently running in AD.

"I found out that we are not using Kerberos with AD. Is it related to the fact that I cannot authenticate automatically on a number of services (like the proxy) ?"

Yes, there would not be any SGT for the services.

Hi Antoine44

Have you found a permanent solution to this issue?

Has a solution ever been found for this issue? I am experiencing lots of keychain issues with my users after a required AD password change.

Some proxy servers do support Kerberos authentication e.g. Squid, I would guess the Microsoft one would if configured to do so. This would be I feel the only complete solution in that it should give a 'single sign-on' just like you are already experiencing for the file server and not require saving credentials to the users keychain which as previously discussed would result in out-of-date credentials when the users password ages out and has to be changed.

For those people not as concerned about users having to update their details i.e. re-enter them and re-save them to their keychain then that would work.

It should be noted that if you use the keychain to store the users credentials then these will get stored in the 'Local Items' keychain. This keychain is notorious for having problems in a network home directory environment. Furthermore the 'Local Items' keychain is also specific to a single Mac as it is stored in a ByMachine folder so will not 'follow' the user when they hot-desk to another machine.

(Apple have affectively decimated the network home directory system when they introduced the Local Items keychain which was linked to the introduction of iCloud keychain syncing introduced along with Mavericks. It was so bad I had to abandon a Squid system I had been intending to use. I could not get Squid to do Kerberos with a Mac Open Directory server but that is a different story.)

We have 2 types of Mac Client configs under our domain. Desktop and shared devices (iMacs,Mac Minis and Macbooks) use kerberos authentication.

1:1 Macbooks only ever have one person logging in to it, so I point their proxy to a forward facing .pac file which determines if the user is on our network or an external one. If external the proxy is bypassed, if internal the proxy is directed to a custom port on our web filter to apply "staff" level filtering. If we ever need to audit a users usage for the 1:1 devices, we know the device name and IP so its easy to trace.