Skip to main content
Question

Active Directory Bind setting userPrincipalName? (dsconfig AD behavior?)

  • November 7, 2013
  • 3 replies
  • 16 views
A
Forum|alt.badge.img+5

This appears to be the behavior of dsconfigad on OS X, but I'm not sure. I'm trying to figure out what is causing this as it's causing me headaches for 802.1X authentication.

The issue is the Mac's computer object in Active Directory has userPrincipalName set. Looking at my Windows computers, most of them do not have this attribute set in Active Directory, though I have found a few that do. The problem is when requesting a certificate from Active Directory Certificate Services the userPrincipalName should be in the format of computername$@contoso.com. The Macs that have userPrincipalName set have "host/computername.contoso.com@CONTOSO.COM" set as userPrincipalName. This appears to be the valid format for a Service Principal Name (SPN).

To quickly find computers with this issue you can use some PowerShell:

import-module activedirectory
Get-ADComputer -filter {userPrincipalName -like "host*"} | fl

Or if you want to see computers that don't have a userPrincipalName set to host/...

import-module activedirectory
Get-ADComputer -filter {-not (userPrincipalName -like "host*")} | fl

I haven't seen any other unknown values for userPrincipalName in my Active Directory, so at least it's an easy issue to search for (so far) though I'm not sure if changing the userPrincipalName for an Active Directory computer is going to cause trouble or not. Anyone know?

I'm still in pre-production with rolling out Active Directory binding and 802.1X certificates to the Macs, so I don't yet have a large sample. If anyone is willing to check their own domains with the PowerShell above I'd appreciate it.

    3 replies

    bentoms
    Forum|alt.badge.img+35
    • bentoms
    • Hall of Fame
    • November 7, 2013

    What if you used something else, like %COMPUTERNAME%

    E
    Forum|alt.badge.img+5
    • evarona
    • Contributor
    • November 7, 2013

    @azbikowski: Out of about 30,000 computers in our AD, 7 came back matching with a UPN of host/computer@CONTOSO.COM (none were Macs). This is quite different from your example. It leads me to ask how the heck are you binding your Macs to AD? I typically use the binding in Casper Imaging but on a few occasions have had to use the CLI. Perhaps you can use the DNS name in the SAN field when you request the certificate.

    For my own (albeit somewhat selfish reasons) edification, are you using an MS PKI? Is it setup for NDES and are you using a dynamic CA with a dynamic challenge? If so, I'd like to talk to you about how you're getting SCEP to automatically issue device certificates. Thanks

    A
    Forum|alt.badge.img+5
    • azbikowski
    • Author
    • Contributor
    • November 7, 2013

    Thanks for the info @evarona. Today I'm going to figure out how to reproduce the issue (if I can.) All the Macs that I have bound to AD at the moment are test computers that have been bound, unbound, and rebound multiple times. I'm really hoping this is the cause. Depending on the test case the Mac was blound with Directory Utility, dsconfigad, or Casper.

    I am using Active Directory Certificate Services, but I'm not using SCEP. I tried getting SCEP working for Lion but never had any luck. Mountain Lion and up can acquire certificates using DCE/RPC (the same as Windows) and from there it's just configuring a certificate template to add the Macs UPN (Server 2008 Enterprise or higher required) and deploying a mobileconfig file to an AD bound Mac.

    Terms & ConditionsCookie settingsAccessibility statement