Question

AD authentication to JSS fails randomly

  • February 10, 2012
  • 5 replies
  • 21 views


We are experiencing an odd issue where our AD accounts to the JSS will randomly stop working for 10-20 minutes. No interaction is required to get the logins to start working again to the JSS server other than to just wait. Local accounts continue to work during this period so we know the JSS is up and running properly. This has been happening since we started using AD authentication with v 8 and are currently at 8.43. We have tried rebinding which made no difference. The JSS is running on an xServe with 10.6.8 and the server itself is not bound to AD. This issue applies to both logging in via the web interface or using the apps (Casper Admin, etc.).

Thoughts?

Thanks,
Barry

5 replies

talkingmoose
  • Community Manager
  • February 10, 2012

In the JSS go to Settings tab --> LDAP Server Connections and test whether you receive results. I would imagine that during this down time it will fail but it's the first thing I'd do for testing.

Does your JSS use an authenticated AD account to connect to AD? Do your AD logs show any errors for that account? For testing purposes, change the account to a different known working account (such as your own) to see if that works better.

My gut tells me this is probably a network or DNS issue. We pointed our JSS to a single DNS address that was set up round-robin for our Global Catalog servers. Later, our Network Services folks bypassed change management and decided to point the DNS entry to a load balancer, which broke stuff until we figured out what they did.


  • Valued Contributor
  • February 10, 2012

We have a similar problem every now and then, when the AD service-account used for LDAP lookups and AD bindings gets locked out by the DC. Couldn't find a reason for that yet, the account is used only by the JSS. Weird...


  • Author
  • New Contributor
  • February 15, 2012

Thanks for the suggestions. We tried most of this already (not the first time with Macs and AD issues) and I remember a "trick" we had to do when we had Exchange running and the Mac Entourage clients. We needed to edit the settings to point to only one domain controller. So rather than just point to our AD domain (ad.organization.edu), we are now pointing our authentication at a specific domain controller (control2.ad.organization.edu). This has kept us stable since last week. One note of caution: if that controller goes down, someone with a local account will have to log in and change the controller the JSS is pointing to.

I hope this will save someone sometime in the future.

-Barry


  • Contributor
  • February 16, 2012

$0.02 We have been doing AD auth to Casper since v7 and have NOT experienced this issue.

The only difference I can see from the provided info. is that our server IS bound to AD. Although how that would make a bit of difference in the JSS LDAP lookups is not clear.


  • Contributor
  • February 16, 2012

We have the issue about once every two weeks. When it happens, I go into the JSS, go to the Network pref in System Prefs and go to Advanced and then DNS. I change something, then change it back and save. This always clears the issue. So it has to be some sort of DNS hiccup for us.
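
An added example, not written by anyone in this thread and not part of the JSS: when a directory name such as ad.organization.edu resolves to several addresses, one dead endpoint behind it produces exactly the "fails for a while, then recovers" pattern discussed above, so this Python check probes every address the name returns instead of whichever one DNS hands out first. The function names, the default LDAP port 389, and the 192.0.2.x addresses in the offline demo are assumptions constructed for illustration.

```python
import socket

def probe_ldap_endpoints(name, port=389, timeout=3.0,
                         resolve=socket.getaddrinfo,
                         connect=socket.create_connection):
    """Try a TCP connect to every address `name` resolves to.

    Returns {ip: None} if reachable, {ip: "error text"} if not.
    """
    try:
        infos = resolve(name, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return {}                      # name did not resolve at all
    results = {}
    for ip in sorted({info[4][0] for info in infos}):
        try:
            connect((ip, port), timeout=timeout).close()
            results[ip] = None
        except OSError as exc:         # refused, timed out, unreachable
            results[ip] = str(exc) or type(exc).__name__
    return results

def verdict(results):
    """Classify a probe: 'partial' is the pattern behind random failures."""
    if not results:
        return "unresolvable"
    dead = [ip for ip, err in results.items() if err is not None]
    if not dead:
        return "all-reachable"
    return "none-reachable" if len(dead) == len(results) else "partial"

# Constructed stand-ins so the example runs offline: three records behind
# the name, one of which (192.0.2.11) refuses connections.
def demo_resolve(name, port, type=0):
    ips = ("192.0.2.10", "192.0.2.11", "192.0.2.12")
    return [(socket.AF_INET, type, 6, "", (ip, port)) for ip in ips]

def demo_connect(address, timeout=None):
    if address[0] == "192.0.2.11":
        raise ConnectionRefusedError("connection refused")
    return socket.socket()             # unconnected socket, only closed

if __name__ == "__main__":
    # Against a live directory, drop the resolve= and connect= arguments.
    res = probe_ldap_endpoints("ad.organization.edu",
                               resolve=demo_resolve, connect=demo_connect)
    for ip, err in res.items():
        print(ip, "ok" if err is None else "FAILED: " + err)
    print("verdict:", verdict(res))
```

A "partial" verdict during an outage window points at one endpoint behind the name; running the probe on a schedule and logging the per-address result also shows whether the set of addresses itself changed.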