12 Replies Latest reply: Jul 2, 2013 6:54 PM by antoine44
antoine44 Level 1 (0 points)

I am trying to add some MacBook computers to our network and make them follow the same guidelines as the Windows computers, with the same features as well...


Here is the hardware list:

  • MacBooks
  • 1 Mac Mini server with OS X Server to apply policies
  • Windows computers
  • a Windows Active Directory
  • a Bluecoat proxy



I bound them to the Active Directory to let any user log in on an Apple machine with the same credentials.

This is working.


However, our proxy asks for authentication (security policies) from any user who wants to access the internet.

The proxy is connected to the Active Directory and uses it as the central place for identity.


We are currently using (on Windows computers) an automatic proxy configuration using a URL. This URL redirects the computer to the right proxy depending on the URL it requests.


I would like to do the same with the Apple computers, but when I access the web, in any browser, I get the authentication popup that asks for AD credentials.

The problem is, I do not want users to have to enter their credentials, as they are the same as the ones they already use to log in (AD credentials).


If I leave it like this, they will store the credentials in the keychain, and as the AD asks for a password change every 60 days, the computer would automatically use the old credentials to access the internet (dashboard widgets, notification center...) and then multiple authentication attempts with the wrong password would lock the AD account.

Same problem if I wanted to use the HTTP/HTTPS proxy configuration in System Preferences instead of the automatic proxy: I would have to save a password which would be wrong after 60 days.


On Windows, computers automatically use the AD credentials for the proxy. There is no need to enter credentials to browse the internet.

I am sure I misconfigured something in the AD binding or I am missing something in the configuration of the MacBooks.


Does anyone have an idea?



MacBook Pro with Retina display, OS X Mountain Lion (10.8.2)
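The automatic proxy configuration the original post describes is a PAC file: a JavaScript file containing FindProxyForURL, which the browser calls for every request to decide which proxy (or none) to use. The following is an added example, not the poster's actual PAC file; the proxy names, ports and the internal domain and address range are hypothetical placeholders. The helper functions are stand-ins for the ones the PAC runtime normally provides, included only so the rule can be run in Node; a deployed PAC file should contain just FindProxyForURL.

```javascript
// Added example: a minimal proxy auto-config (PAC) rule of the kind the
// thread describes, routing clients to different proxies by destination.
// All host names, ports and address ranges below are hypothetical.
//
// A real PAC file contains only FindProxyForURL; the browser supplies the
// helpers. These stand-ins exist so the rule can be exercised offline.

function isPlainHostName(host) {
  // true for bare intranet names such as "intranet" (no dots)
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // true when host ends with domain, e.g. ("files.corp.example.com", ".corp.example.com")
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run of characters, '?' one character.
  // Escape regex metacharacters first, then translate the glob tokens.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function FindProxyForURL(url, host) {
  // Local and intranet destinations bypass the proxy entirely, so internal
  // services (SharePoint, file servers) are reached without a proxy
  // authentication challenge sitting in front of their own SSO.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example.com") ||
      shExpMatch(host, "10.*") ||
      host === "127.0.0.1") {
    return "DIRECT";
  }
  // HTTPS goes to the proxy that handles TLS traffic, with the general web
  // proxy as fallback; everything else goes to the general web proxy.
  if (url.substring(0, 6) === "https:") {
    return "PROXY proxy-ssl.corp.example.com:8443; PROXY proxy.corp.example.com:8080";
  }
  return "PROXY proxy.corp.example.com:8080";
}
```

The PAC only chooses the route; it carries no credentials. The authentication prompt the thread is about is the proxy's own 407 challenge, issued after the PAC has selected that proxy, so routing changes do not remove it. Because every client executes this file for every request, serve it only from a trusted internal host and keep the DIRECT rules narrow: a tampered or overly broad PAC silently sends traffic around the authenticating proxy, which is exactly the accountability gap the later replies warn about.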
  • antoine44 Level 1 (0 points)

    To add some info on this:


    We have some network drives (SMB) that are used to share data. To access those, the computer needs to be authenticated against the AD.


    With a local session on a Mac (which is therefore not an AD account), the drive will ask for an AD account to be mounted.

    With an AD account on a Mac, there is no problem mounting the drive, no need to enter credentials (no need to re-enter AD credentials).


    For me, the proxy should be working in the same way.

    I'm pretty new to all of this, so I don't understand where the misconfiguration is.

  • antoine44 Level 1 (0 points)

    Another test point is auto-authentication with internal SharePoint websites.

    On Windows, opening the SharePoint site in Internet Explorer will display the page, already logged in with the AD account.

    On the Mac, the browser will ask for authentication to give access. It won't be automatic.

  • John Lockwood Level 5 (7,691 points)

    You can manually enter and store login details for a web-proxy server in System Preferences -> Network -> Ethernet -> Advanced -> Proxies


    and use the Web Proxy option and enable the option to enter login details. Once you have done this you will not have to re-enter them each time you boot your Mac.

  • antoine44 Level 1 (0 points)

    Yes, but as I said, I would like to avoid this, because users' passwords need to be changed every 60 days (Active Directory will force users to change their password every 60 days).


    So if an old password is stored and then used by the Mac to reach the internet (some applications like widgets and the notification center automatically try to reach the internet at boot), the proxy will use this old password to check identity, and multiple uses of the old password LOCK the account in the AD.


    I would like the Mac to automatically use the account (AD login/password) used to open the session for the proxy and all other services that need AD authentication (like SharePoint, SMB...), like a Windows machine would do.

  • Ben Bissett Level 1 (30 points)

    You will need to change your group policy for the users in AD to lock the accounts after x number of tries. We have this set to 5 attempts.


    The Mac will attempt to log in with the incorrect details, and as it will not connect (if the password has expired), it will prompt you to enter a password. This is when you enter the new password that was created when you logged in (AD will prompt for a new password at logon when the password has expired). If you enter the new password and select the remember button, the keychain entry will be changed to the new password and you should be good to go.

  • antoine44 Level 1 (0 points)

    This is one good solution.


    However, I need to check with security whether they agree with this. Also, I think that 5 times may not be enough.


    So from what you say, there is no way to do it like Windows (automatic auth)?

  • Ben Bissett Level 1 (30 points)

    5 times should be more than enough. You will find that the account will only be locked if the user is unaware of the process and continually tries different passwords.


    The proxy settings can be set through group policy, but you are looking at two things: first, the proxy settings, which include the IP address of the proxy, the port number and which services are to use the proxy; second, the authentication. You will notice, even on a PC running Windows, that when the user is forced to change their password they will still be required to enter the new password when connecting to the internet and, if you are also running an Exchange server on the domain, email. It's the same for the Macs.


    You will find that there are some applications that are not SSO and do not get their authentication from a Kerberos ticket; Dropbox for one can and does lock out accounts. Firefox has its own proxy settings, although it can be set to use the system settings. The best I have come up with is to make a list of those applications that behave in this way and get the user to change the password when it expires.

  • antoine44 Level 1 (0 points)

    The proxy settings are handled with a .pac file. So no problem on this side, only authentication.


    For our Windows computers, authentication is automatic; even when changing the password after its expiration, there is no need to enter the password for the proxy.


    I found out that we are not using Kerberos with AD. Is it related to the fact that I cannot authenticate automatically on a number of services (like the proxy)?

  • Ben Bissett Level 1 (30 points)

    "For our Windows computers, authentication is automatic; even when changing the password after its expiration, there is no need to enter the password for the proxy."


    From a security point of view I wouldn't recommend not having to enter the password for the proxy, as (provided the PC wasn't locked) any user would be able to use the PC and gain internet access without the need to authenticate, making it very difficult to identify a user if any issues should arise.


    AD needs Kerberos to pass the TGT to the Mac, which in turn will generate the SGT.


    As far as I know Kerberos is permanently running in AD.

  • Ben Bissett Level 1 (30 points)

    "I found out that we are not using Kerberos with AD. Is it related to the fact that I cannot authenticate automatically on a number of services (like the proxy)?"


    Yes, there would not be any SGT for the services.

  • mazza2590 Level 1 (0 points)

    Hi Antoine44


    Have you found a permanent solution to this issue?

  • antoine44 Level 1 (0 points)

    but still didn't try with Kerberos (waiting for AD update)