user on mac can't login to AD, but can login from windows ... solved

barkills posted this 22 September 2017

For about a month, we’ve been struggling with a pesky problem which boils down to the above description. As the above description suggests, the password is known to the user and the AD account is functional. The full details on this problem are noted at http://blogs.uw.edu/barkills/2017/09/22/user-on-mac-cant-login-to-ad-but-can-login-from-windows/.

The takeaway is there is a known problem where if your AD user samAccountName matches another AD user displayName or sn, you may have problems logging in from a Mac. Which obviously is a pretty arbitrary condition that it’d be really difficult to prevent.

This seems to be because Apple when writing the code for their AD directory plug-in decided that if the ANR search they are using produces more than one result, they arbitrarily pick one, try the password against it, and if it fails, then produce a standard logon failure error message.

After we figured this out, I couldn’t find any evidence on the internet that anyone else had run into this issue. Since I posted it on the windows-hied list, I’ve heard from a handful of folks who have run into the same thing, but I don’t think anyone called enough attention to it. So here I am. :)

Brian
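An added example, not code from the thread or from Apple's plug-in: a small Python simulation of how an AD Ambiguous Name Resolution (ANR) lookup expands a single value across several attributes, followed by an audit that lists every account whose sAMAccountName would return more than one object under such a lookup, which is the condition the post describes. It goes slightly beyond the post in one respect: ANR does an initial-substring (prefix) match rather than an equality match, so a sAMAccountName that is merely a prefix of someone else's surname collides too. Assumptions: the attribute list is the default ANR set for a stock AD schema (a schema can add attributes by setting the ANR bit in searchFlags), and the directory entries are constructed sample data.

```python
"""Simulate AD Ambiguous Name Resolution (ANR) and audit for ambiguous logons.

Added example (not code from the thread). Assumes the default ANR attribute
set of a stock AD schema; the sample directory below is constructed data.
"""

# Default ANR attribute set (assumption: no custom attributes have the ANR
# searchFlags bit set in this schema).
ANR_ATTRIBUTES = (
    "displayName", "givenName", "legacyExchangeDN", "mail", "msExchMailNickname",
    "name", "physicalDeliveryOfficeName", "proxyAddresses", "sAMAccountName", "sn",
)

# Constructed sample directory with two deliberate collisions:
#  - a12345's displayName equals jsmith's sAMAccountName (the case in the post)
#  - bjones's sn "Leeds" starts with lee's sAMAccountName (prefix-match case)
DIRECTORY = [
    {"sAMAccountName": "jsmith", "givenName": "John", "sn": "Smith",
     "displayName": "John Smith", "name": "John Smith",
     "mail": "jsmith@example.test", "proxyAddresses": ["SMTP:jsmith@example.test"]},
    {"sAMAccountName": "a12345", "givenName": "Jane", "sn": "Smithson",
     "displayName": "jsmith", "name": "Jane Smithson", "mail": "a12345@example.test"},
    {"sAMAccountName": "lee", "givenName": "Lee", "sn": "Park",
     "displayName": "Lee Park", "name": "Lee Park", "mail": "lee@example.test"},
    {"sAMAccountName": "bjones", "givenName": "Bob", "sn": "Leeds",
     "displayName": "Bob Leeds", "name": "Bob Leeds", "mail": "bjones@example.test"},
]


def _values(entry, attr):
    """Return an attribute's values as a list (proxyAddresses is multi-valued)."""
    value = entry.get(attr)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _prefix_match(entry, attr, token):
    """ANR is case-insensitive and matches an initial substring, not equality."""
    token = token.lower()
    return any(v.lower().startswith(token) for v in _values(entry, attr))


def anr_match(entry, value):
    """True if an LDAP filter (anr=<value>) would return this entry."""
    value = " ".join(value.split())  # normalise whitespace
    if not value:
        return False
    # Single-token rule: prefix match against every ANR attribute.
    if any(_prefix_match(entry, attr, value) for attr in ANR_ATTRIBUTES):
        return True
    # With a space in the input, ANR also tries a "first last" / "last first" split.
    if " " in value:
        first, rest = value.split(" ", 1)
        return (
            (_prefix_match(entry, "givenName", first) and _prefix_match(entry, "sn", rest))
            or (_prefix_match(entry, "givenName", rest) and _prefix_match(entry, "sn", first))
        )
    return False


def anr_search(directory, value):
    """Return the sAMAccountNames an ANR lookup of `value` yields, in directory order."""
    return [e["sAMAccountName"] for e in directory if anr_match(e, value)]


def find_ambiguous_logons(directory):
    """Map each sAMAccountName to the *other* accounts an ANR lookup of it returns.

    Any account listed here is exposed to the Mac logon failure the post describes,
    because the plug-in may pick one of the other hits and try the password there.
    """
    report = {}
    for entry in directory:
        sam = entry["sAMAccountName"]
        others = [hit for hit in anr_search(directory, sam) if hit != sam]
        if others:
            report[sam] = others
    return report


if __name__ == "__main__":
    for sam, others in find_ambiguous_logons(DIRECTORY).items():
        print(f"{sam}: ANR lookup also returns {', '.join(others)}")
```

Against a live domain the same audit is one LDAP query per account using the filter `(anr=<sAMAccountName>)` (for example `Get-ADUser -LDAPFilter '(anr=jsmith)'`); any user whose query returns more than one object is a candidate for this failure, and renaming the colliding displayName or sn, or the account, clears it.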

Ravi.Sabharanjak posted this 22 September 2017

There is a place for an ANR search, but probably not when someone is logging in!
Thanks for sharing this.
-Ravi

SmitaCarneiro posted this 22 September 2017

This is sure to come in useful, now that more Macs are using AD for authentication.

Thanks for sharing Brian.


Smita Carneiro, GCWN

Active Directory Systems Engineer

IT Security and Policy

www.itap.purdue.edu


jeremyts posted this 23 September 2017

Wow…great find and post Brian! Really interesting that anyone would consider using ANR for an authentication query.


Cheers,

Jeremy
