Troubleshooting MAC OS 10.8.5 authentication with Active Directory

Discussion in 'OS X Mountain Lion (10.8)' started by victory-tb, May 11, 2015.

  1. victory-tb macrumors newbie

    Joined:
    May 11, 2015
    #1
    Hi everyone, we have about 50 MAC OS 10.8.5 clients which are bound to the domain successfully. But the problem exist as below:

    Our domain have a mix of 2 Windows 2003 SP2 DC, 4 Windows 2008 SP2 and 3 Windows 2008 R2 ... the MAC clients just can be authenticated/bound to Windows 2003 SP2 only. When we turn off 2 Windows 2003 SP2 DC, all the client can not be authenticated to the domain, the AD debug log show as below:

    "2015-05-08 16:54:57.998256 ICT - 26.2345.2347, Module: ActiveDirectory - resolving 'gw-ads1.abc.edu'
    2015-05-08 16:54:57.998543 ICT - 26.2345.2347, Module: ActiveDirectory - added socket 18 for host 'gw-ads1.abc.edu:3268' address '172.16.41.10' to kqueue list
    2015-05-08 16:54:57.999473 ICT - 26.2345.2347, Module: ActiveDirectory - connecting to host 'gw-ads1.abc.edu' for domain 'abc.edu'
    2015-05-08 16:54:57.999505 ICT - 26.2345.2347, Module: ActiveDirectory - packet encryption is allowed
    2015-05-08 16:54:58.000157 ICT - Retrieved keychain password for 's00102005n-01$' module '' node '/Active Directory/ABCEDU'
    2015-05-08 16:54:58.000210 ICT - 26.2345.2347, Module: ActiveDirectory - switching to cache 'MEMORY:0x7fa75b4676a0'
    2015-05-08 16:54:58.000213 ICT - 26.2345.2347, Module: ActiveDirectory - switching GSS to cache 'MEMORY:0x7fa75b4676a0
    2015-05-08 16:54:58.000769 ICT - Retrieved keychain password for 's00102005n-01$' module '' node '/Active Directory/ABCEDU'
    2015-05-08 16:54:58.000820 ICT - 26.2345.2347, Module: ActiveDirectory - switching to cache 'MEMORY:0x7fa75b4676a0'
    2015-05-08 16:54:58.000824 ICT - 26.2345.2347, Module: ActiveDirectory - switching GSS to cache 'MEMORY:0x7fa75b4676a0
    2015-05-08 16:54:58.005125 ICT - 26.2345.2347, Module: ActiveDirectory - failed LDAP operation for 'authenticate connection' with error 'Local error'
    2015-05-08 16:54:58.005132 ICT - 26.2345.2347, Module: ActiveDirectory - failed to make connection to update service discovery data
    2015-05-08 16:54:58.005170 ICT - 26.2345.2347, Module: ActiveDirectory - failed to verify connectivity to '172.16.41.10' with socket 18"

    This pharagraph of error log happen to all the Windows 2008 [SP2 and R2] DC when the client attempt to authenticate. [at this time Windows 2003 SP2 DC are turned off]

    After we turn on one of the Windows 2003 SP2 DC, the client could be authenticated, the AD debug log as below:

    "2015-05-08 16:54:58.009821 ICT - 26.2345.2347, Module: ActiveDirectory - resolving 'ads-s02.abc.edu'
    2015-05-08 16:54:58.010257 ICT - 26.2345.2347, Module: ActiveDirectory - added socket 18 for host 'ads-s02.abc.edu:3268' address '172.16.44.109' to kqueue list
    2015-05-08 16:54:58.011153 ICT - 26.2345.2347, Module: ActiveDirectory - connecting to host 'ads-s02.abc.edu' for domain 'abc.edu'
    2015-05-08 16:54:58.011186 ICT - 26.2345.2347, Module: ActiveDirectory - packet encryption is allowed
    2015-05-08 16:54:58.011849 ICT - Retrieved keychain password for 's00102005n-01$' module '' node '/Active Directory/ABCEDU'
    2015-05-08 16:54:58.011905 ICT - 26.2345.2347, Module: ActiveDirectory - switching to cache 'MEMORY:0x7fa75b4676a0'
    2015-05-08 16:54:58.011913 ICT - 26.2345.2347, Module: ActiveDirectory - switching GSS to cache 'MEMORY:0x7fa75b4676a0
    2015-05-08 16:54:58.012480 ICT - Retrieved keychain password for 's00102005n-01$' module '' node '/Active Directory/ABCEDU'
    2015-05-08 16:54:58.012533 ICT - 26.2345.2347, Module: ActiveDirectory - switching to cache 'MEMORY:0x7fa75b4676a0'
    2015-05-08 16:54:58.012544 ICT - 26.2345.2347, Module: ActiveDirectory - switching GSS to cache 'MEMORY:0x7fa75b4676a0
    2015-05-08 16:54:58.018230 ICT - 26.2345.2347, Module: ActiveDirectory - Authenticated to LDAP using Kerberos credential - 's00102005n-01$@ABC.EDU'
    2015-05-08 16:54:58.019308 ICT - 26.2345.2347, Module: ActiveDirectory - verified connectivity to '172.16.44.109' with socket 18"

    Firewall rules are the same and tested for ports, DNS service record are tested, time is synced. I suspect there is a configuration of signing or encryption that are enable by Windows 2008 GPO in our environment, but this GPO is not affected to Windows 2003, but I do not know exactly as our AD system is built over 10 years with no document.

    With a clean build test system with mixed AD DC, we could easily bind to the domain event when DC 2003 SP2 off.

    Thanks to have any advice on this issue.

    Vic
     
  2. victory-tb thread starter macrumors newbie

    Joined:
    May 11, 2015
    #2
    The problem seem to be addressed by reviewing our GPO, there is a registry config "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\msDC-SupportedEncryptionTypes" with an integer value & the kerberos encryption types. Removing this registry setting with regedit seem to solve the issue.

    Thanks for reading !
     

Share This Page