
Active Directory-Apple ID password lockout

In my office we have three MacBooks bound to an Active Directory domain, and all three machines experience the same problem. On all three machines we use different local Admin, Mobile AD Managed User accounts. The accounts use private Apple IDs on iTunes and the App Store. All three accounts experienced what seemed to be random AD account lockouts.

We've managed to somewhat narrow it down through troubleshooting to an issue with Apple ID and/or Keychain.

Users had, in the beginning, created their Apple IDs with their business e-mails, and when they logged in with their Apple IDs on the App Store they got locked out of AD almost immediately.

After they changed their Apple IDs to their private emails, they got locked out of AD every time they tried to authenticate themselves more than 5 times on the App Store (or anywhere else some app requires an Apple ID), even though their IDs have absolutely nothing in common with their AD account Usernames and Passwords. Somehow Apple ID or Keychain tries to authenticate itself on AD. Every time you enter a wrong or correct Password it raises the "badpwdcount" counter by 1. If you try to authenticate five or more times it causes the user to be locked out of AD because of the "5 wrong passwords GPO" in AD.

Even if the user enters a valid Password, it still raises the counter by 1. If the User authenticates the Apple ID with his business e-mail the lockout is immediate, which would mean the Apple ID forces itself on AD in rapid succession or does something to it which causes it to lock the user for using the AD e-mail and pass. It doesn't even matter if the pass is the same on AD and Apple ID.

Can you suggest which logs we should check in AD to possibly find the reason, since the logs we checked have no information? Even the attribute that should display the machine name from which the lockout was made holds no information.
We know when the lockouts occur and we manage to avoid them, but we would like to know why they occur. Why does Apple ID, or possibly Keychain, have anything to do with authenticating on AD?

We have researched this issue extensively on the Interwebs and have found no information we could relate to. The only similar posts here on Communities are from way back in 2007, and the lockout issues revolve around some old passwords stored on an iPad and such. None of that info relates to our AD lockout problems.

We even did some heavy troubleshooting with Certificates but to no avail.

Anyone else have the same or similar problems?

MacBook Air, OS X El Capitan (10.11.6)

Posted on Jul 21, 2016 2:20 AM

7 replies

Jan 25, 2017 11:31 PM in response to Njofrekk

To whom it may concern! This is no longer an issue, as Apple has fixed this problem in the latest Sierra patch, 10.12.3.

"Enterprise content: Resolves an issue where network or cached user accounts (such as Active Directory accounts) using the maxFailedLoginAttempts password policy were becoming disabled."

About the macOS Sierra 10.12.3 Update - Apple Support

Kudos to the Jamf Nation community for urging Apple to deal with this problem.


Cheers!

Jul 21, 2016 7:25 AM in response to Njofrekk

I run multiple Mac Pros and MacBook Pros (El Capitan OS X 10.11.5 & 10.11.6) with mobile AD accounts and AD bindings back to a WIN2012R2 domain AD server, where the system login is different from the Apple ID used for access to the Apple stores/iTunes, and have no issue with lockouts as you describe.


I have experienced many issues though with 'compatibility' between earlier versions of OS X (Mavericks and Yosemite) with WINSBS2003 then WIN2008 Server OS. Not sure what software platform (OS X to WIN) relationship you have.


I have found many issues were simply corrected by signing out of iCloud, rebooting the Mac, then signing back into iCloud; not sure if doing the same could help you. The offender generally was OS X, particularly after an upgrade.


Are your Macs AD bound, but looking for LDAP and/or NIS too? This was one of my issues back with WIN2008 and Mavericks.

Jul 22, 2016 1:17 AM in response to Inquisitor-LSL

Thanks for your reply. Any info is welcome.

We use Win2012R2 servers. The Macs have the latest El Capitan version and are brand new computers, connected by ethernet cable to the domain network. They are bound to the AD and we use our AD accounts to log in.


So far we've tried deleting local account data, deleting the Keychain, unbinding and rebinding them, using network accounts and upgrading them to Mobile accounts... the issue remains the same: while authenticating with an Apple ID on the App Store, our "badpwdcount" AD attribute gets +1 for every ID password authentication try. My opinion is that the Keychain tries authenticating on AD for some reason and it gets recorded as a bad pass.

Here's a snippet from PowerShell:

User uploaded file

How can I check if the Macs are looking for LDAP or NIS? I don't think that is the problem, but I'd like to check it out.

Aug 16, 2016 2:25 AM in response to Njofrekk

If there are any souls out there interested in this issue, could you guys try entering your Apple IDs several times into the App Store while your Macs are bound to an AD domain and check through PowerShell whether you experience the same badpwdcount increment and eventual lockout?

You can see the PowerShell command I used in the above picture.

Thanks.
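An added example (my own, not code from any poster in this thread) of the kind of check the thread describes: it reads badPwdCount on every domain controller, because that attribute is not replicated between DCs, and then pulls the lockout and failed-authentication events that name the host or IP the attempts came from. It assumes the RSAT ActiveDirectory module, rights to read the Security log on each DC, that the Kerberos Authentication Service and Credential Validation audit subcategories are enabled, and a placeholder account name `mac.user`.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# the right to read the Security log on each DC. 'mac.user' is a placeholder.
param(
    [string]$SamAccountName = 'mac.user',
    [int]$HoursBack = 24
)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$HoursBack)
$dcs   = Get-ADDomainController -Filter *

# 1. badPwdCount is not replicated: every DC keeps its own counter, so ask each one.
#    lockoutTime is replicated; badPasswordTime is a raw FILETIME (0 = never).
foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, badPasswordTime, lockoutTime
        [pscustomobject]@{
            DC          = $dc.HostName
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) }
            LockedOut   = [bool]($u.lockoutTime -gt 0)
        }
    } catch { Write-Warning "$($dc.HostName): $_" }
}

# 2. Security events that name the source of the failures:
#    4740 account locked out (processed on the PDC emulator; its Caller Computer
#         Name is often blank when the client is not Windows, as the poster saw)
#    4771 Kerberos pre-auth failed (Status 0x18 = bad password) with the client IP
#    4776 NTLM credential validation with the source workstation name
foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $since
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $SamAccountName) { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc.HostName
            Id     = $e.Id
            Source = switch ($e.Id) {
                4740 { $d['TargetDomainName'] }   # Caller Computer Name field
                4771 { $d['IpAddress'] }          # client IP of the Kerberos request
                4776 { $d['Workstation'] }        # source workstation (NTLM)
            }
            Status = $d['Status']
        }
    }
}
```

Run it shortly after reproducing the App Store sign-in; a 4771 with Status 0x18 whose IpAddress is one of the Macs confirms which machine is sending the failing Kerberos requests, even when the 4740 Caller Computer Name is empty.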
