Single Sign on Mac to Windows Server via AD

Steve,

Do you mean like using cached credentials on Windows? Not sure what you mean by "credentials it already has"...

Thanks,

David

Yes. It can be done. The Mac in question must be bound to the domain and use kerebos for login. Its a rather drawn out process if you dont have alo tof macs (or at least a few mission critcal macs) on your network.

Check out:

www.afp548.com
www.bombich.com
www.macwindows.com

Aha.... Gotcha...

So Anthony is correct. You need to have your Mac "bound" to the AD domain. Really not a big deal to do... its rpetty easy in fact...

1. Make sure that you have all of your computers' time sync'ed. I have one of my domain controllers setup as an SNTP server. I define that computer in our Mac's date and time applet as the time source.
2. Go to Utilities/Directory Access
3. Click on Active Directory and click Configure
4. Setup your specific information. (Really just computer name and domain name are required for most AD installs)
5. Click the Advanced Settings button, and review the options. Set them to your liking.
6. If you have any AD groups that you would like to have administer the computer, set them up - you should see Enterprise Admins and Domain Admins by default.
7. Click Bind. This will add a computer account to AD for your Mac.
8. You will be prompted to enter an adminitrator's username and password to complete the operation - this is a AD admin it is asking for.

This should do it... you can now log into your Mac using a Windows user account. You will then be able to access network resources (fileshares, printers, etc) without having to enter your username and password again. (that is - until your kerberos ticket expires - but hopefully you log off at night...)

Here is a doc on Apple's site about it... very simply stated...

http://docs.info.apple.com/article.html?path=DirectoryAccess/1.8/en/c7od45.html

HTH...

David

HAha... have you catually tried it yet? 🙂

Sure have...

I have my Mac at home joined to my home AD network and have our entire design division setup this way at work. It works out really well... My only issue thus far has been getting guest access to a users' Public share from one Mac to another. (we have freelance designers that come in and out all the time). Everything else is working out great.

David

HAha... have you catually tried it yet? 🙂

Any number of times. I support a dozen or so Macs at work (Tiger and Panther both) connecting to AD.

We have occasional problems with passwords expiring on AD and the Mac user not being notified in time, but that's about all.

Well i didnt mean that it couldnt be done... just that from what ive read its never as simple as the documentation implies. Off course most of the complications tend to have to do with Network homes from what ive seen - which for me is the primary reaso n to bind my macs. I intend to do so but havent gotten to it yet as i dont currently havethe time for what could protentially turn into a day long project nor do i have an extra machine to test with...

Of course part of my weariness also comes from not being terribly familiar with windows network administration. Im familiar with OS X , Debian , RedHat and BSD, but you get me on a windows box and im like a fish out of water in regards to anything but the simplest of tasks.

Interesting...

Is the file server you are connecting to running Windows 2000 or 2003? Are you using regular ol' SFM on the server?

Our file server is Windows 2003, and instead of SFM we are using ExtremeZ-IP for AFP/IP support... we are not prompted for usernames/passwords once logged in...