
AD User can't authenticate for mydevices webpage

Hello Everybody,


I am using OS X 10.10 and Server.app 4 (but I have had this issue since Server 3.1.2). The OS is bound to Active Directory.

I have checked that the bind should be ok because authonly $username is working via dscl.

Also, I allowed access to the mydevices page (via the /profilemanager web interface) for an AD group, but a member of this group can't log in to domain.name.com/mydevices.


Any idea what I have missed? I tailed all known log files and did not find any error message I could directly attribute to this symptom.

I am also aware of this KB OS X Server: Using the Profile Manager or Wiki service with Active Directory or third-party LDAP services but it says, "If all users and the server are bound to the same Active Directory domain, no additional configuration is required to support Active Directory users."

My configuration fits, so I should be fine. But it is definitely not working.


Hope some of you know how to fix this, best,

Posted on Oct 23, 2014 9:14 AM

4 replies

Oct 27, 2014 3:08 AM in response to Patrick Fist

Hi, we're having the same problem (though we're on OS X 9.5 and server 3.3.2). As you wrote, our configuration also seems right and we should not have to enable plain text authentication as described in the KB. Anyway, we tried the command mentioned in the KB and after that login works. It changes from 'digest' to 'plain text' in the .plist file. You can always rewrite the collabd.plist file with 'digest' to restore its previous setting. We think, in our environment, that we have to set up/allow Digest MD5 Authentication to be able to not have to use plain text authentication.


Maybe it's something like this for you/your environment too?


/Henrik

Oct 27, 2014 4:03 AM in response to Patrick Fist

This is what I found in the /var/log/system.log today when an AD login fails.

Oct 27 11:57:05 hydra.s-f.com rpcsvchost[48257]: failed to create secure channel: RPC_NT_COMM_FAILURE (0xC0020052)
Oct 27 11:57:05 hydra.s-f.com collabd[43651]: [CSAuthService.m:326 3ec6000 +2165ms] Digest did not validate
Oct 27 11:57:05 hydra.s-f.com collabd[43651]: [CSServiceDispatcher.m:261 3ec6000 +0ms] Caught exception "Invalid Credentials" [CSAuthBadDigest] executing [http]Request{AuthService.validateUsernameAndPasswordDigest:remember:(<<scrubbed>>)}:
  (
  0   CoreFoundation                      0x00007fff8c71d64c __exceptionPreprocess + 172
  1   libobjc.A.dylib                     0x00007fff982b06de objc_exception_throw + 43
  2   CSService                           0x0000000101a30c90 -[CSAuthService sessionForDigest:remember:] + 1681
  3   CSService                           0x0000000101a305a7 -[CSAuthService validateUsernameAndPasswordDigest:remember:] + 65
  4   CoreFoundation                      0x00007fff8c5f633c __invoking___ + 140
  5   CoreFoundation                      0x00007fff8c5f6192 -[NSInvocation invoke] + 290
  6   CSService                           0x00000001019ade3d -[CSServiceDispatcher executeRequest:asPartOfBatch:usingServiceImpl:] + 4774
  7   CSService                           0x00000001019ae91e __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke_3 + 83
  8   CSService                           0x00000001019b3a22 -[NSArray(CollabBlockMethods) map:] + 249
  9   CSService                           0x00000001019ae877 __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke_2 + 160
  10  CSService                           0x00000001019b4100 +[CSExecutionTimer recordTime:ofBlock:] + 74
  11  CSService                           0x00000001019b3f3b +[CSExecutionTimer timerNamed:aroundBlock:] + 76
  12  CSService                           0x00000001019ae5c4 __43-[CSServiceDispatcher executeBatchRequest:]_block_invoke + 323
  13  PostgreSQLClient                    0x00000001019080b3 -[PGCConnection transactionInBlock:onError:] + 149
  14  CSService                           0x00000001019ae3fa -[CSServiceDispatcher executeBatchRequest:] + 277
  15  CSService                           0x0000000101a24aab +[CSServiceDispatchHTTPRouter routeServiceRequest:response:] + 1024
  16  CSService                           0x00000001019b499e __21-[CSServiceBase init]_block_invoke_6 + 48
  17  CSService                           0x0000000101a21af4 __53-[CSRoutingHTTPConnection httpResponseForMethod:URI:]_block_invoke + 92
  18  CSService                           0x0000000101a250ea -[CSHTTPBackgroundResponse bounce:] + 284
  19  Foundation                          0x00007fff8e7b7b7a __NSThread__main__ + 1345
  20  libsystem_pthread.dylib             0x00007fff8d37b2fc _pthread_body + 131
  21  libsystem_pthread.dylib             0x00007fff8d37b279 _pthread_body + 0
  22  libsystem_pthread.dylib             0x00007fff8d3794b1 thread_start + 13
  )
Oct 27 11:57:26 hydra.s-f.com rpcsvchost[48257]: failed to create secure channel: RPC_NT_COMM_FAILURE (0xC0020052)


Thank you Henke G, I will try your fix later and let everybody know if it worked. But using "plaintext" sounds like a security leak? Or is it still safe enough?


best,
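
A triage helper for the log excerpt above, added here as an example and not part of the original thread: it pairs each collabd "Digest did not validate" entry with rpcsvchost secure-channel errors logged within a short window. The function names, the 30-second window, the default year and the last sample line are assumptions.

```python
import re
from datetime import datetime, timedelta

# First three lines are from the post above (stack frames omitted);
# the last line is constructed to show a failure with no nearby channel error.
SAMPLE_LOG = """\
Oct 27 11:57:05 hydra.s-f.com rpcsvchost[48257]: failed to create secure channel: RPC_NT_COMM_FAILURE (0xC0020052)
Oct 27 11:57:05 hydra.s-f.com collabd[43651]: [CSAuthService.m:326 3ec6000 +2165ms] Digest did not validate
Oct 27 11:57:26 hydra.s-f.com rpcsvchost[48257]: failed to create secure channel: RPC_NT_COMM_FAILURE (0xC0020052)
Oct 27 12:40:00 hydra.s-f.com collabd[43651]: [CSAuthService.m:326 3ec6000 +12ms] Digest did not validate
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\w+)\[\d+\]: (.*)$")
CHANNEL_RE = re.compile(r"failed to create secure channel: (\w+)")


def parse(text, year):
    """Yield (timestamp, process, message); syslog omits the year, so it is passed in."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # stack-frame continuation lines and blanks are skipped
            continue
        stamp, proc, msg = m.groups()
        yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), proc, msg


def triage_digest_failures(text, year=2014, window_s=30):
    """For each collabd digest failure, list the rpcsvchost secure-channel
    error codes logged within window_s seconds of it."""
    events = list(parse(text, year))
    channel = [(ts, CHANNEL_RE.search(msg).group(1))
               for ts, proc, msg in events
               if proc == "rpcsvchost" and CHANNEL_RE.search(msg)]
    window = timedelta(seconds=window_s)
    report = []
    for ts, proc, msg in events:
        if proc == "collabd" and "Digest did not validate" in msg:
            codes = [code for cts, code in channel if abs(cts - ts) <= window]
            report.append({"time": ts, "channel_errors": codes})
    return report


if __name__ == "__main__":
    for item in triage_digest_failures(SAMPLE_LOG):
        hint = ("secure-channel error nearby: check the server's AD bind"
                if item["channel_errors"] else "no directory error nearby")
        print(item["time"], item["channel_errors"], hint)
```

A digest failure that lines up with a secure-channel error points the investigation at the server-to-directory path before the user's password.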

Oct 27, 2014 4:16 AM in response to Patrick Fist

Yes, using plain text authentication doesn't feel secure and is the last option for us. We only activated it to see if it would let us login to /mydevices etc. which it did. As mentioned in the KB "These steps will set the Profile Manager and Wiki services to use plain text authentication instead of digest authentication. To avoid passwords being sent over the network in clear text, you should enable SSL encryption for the Profile Manager and Wiki websites."

So, adding/activating SSL encryption might be safe enough. We're still testing out which configuration is best for us. Lots of firewalls to configure...


best,

/Henke
