I have the same password for iCloud and AD so on my Mac AD does not lock out... I updated a test Mac to Sierra and upon seeing the 'Change iCloud Password' box I typed a new iCloud password and AD was locked out...
I noticed that even when entering a new iCloud password my iCloud password was not changed in iCloud.
I heartily encourage those of you who are seeing this issue and have AppleCare agreements to submit a ticket and an impact statement.
I was able to replicate and filed a case @dgreening @jasonaswell
I have encountered this issue as well.
Doubts are rising that a fix for this is going to make it into 10.12.1...
Those of us going to the Apple Enterprise event at JNUC, please keep this issue (and the Sierra auto-download fiasco) in mind for talking points.
Anybody been able to replicate the issue on 16B2548a that came out today?
Issue persists in 16B2548a. I've reported that up through our case as well. Engineering expects this to be addressed in "an" update, but can't say which one yet :/
I can confirm I'm seeing this issue on my Sierra machines (16A323). Luckily we have generally moved away from AD binding here with only a few hold-outs (myself included, AD I just can't quit you). Luckily Nomad is looking pretty nifty. We don't have Enterprise support anymore ...
I dealt with AD issues through the entire Yosemite release cycle ... Enterprise support checked back in with me when El Capitan was out to see if that OS fixed the issue (it did).
Unfortunately AD is here to stay in many many MANY enterprise environments, so Apple needs to get with it if they want businesses to keep buying their computers. While I appreciate that things tend to work better WITHOUT AD, it's just not acceptable for Apple to consistently not thoroughly test AD integration in macOS/X.
Is the problem still occurring for you guys when you have iCloud Keychain turned off?
I noticed that disabling iCloud Keychain would get me 2 bad password attempts and re-enabling would get me 1 more, thus locking me out, but disabling and re-enabling other services wouldn't cause bad password attempts on my AD account.
I also think the issue has stopped with iCloud Keychain disabled. I hope I'm not speaking too soon when I say that.
I just scoped a config profile set to not allow iCloud Keychain to my test box which I am reimaging currently. I'll see if that does away with the lockout.
Update: even with iCloud Keychain disallowed via Config Profile my account still got locked out when I signed in to a reimaged Sierra Mac with my Apple ID.
I updated to OSX 10.12
When I updated
I had iCloud enabled
Keychain is not enabled
iCloud and AD accounts are different passwords.
I am not getting locked out.
But my login window now does not allow me to log in as another user. It just gives me the option to put in my password for the last account that was logged in. The login window does not look like the normal AD bound login screen.
Not sure if this is related.
@dgreening I realized shortly after I posted my comment that, yes, my account was still getting locked out as well, even with iCloud Keychain disabled. I also tried signing out of my iCloud account and signing back in and the problem persisted.
I think the lockouts have to do with Kerberos Authentications. How do I turn on Kerberos logging so I can test my theory? The commands listed under the MAN page for "heimdal_debug" use syslog, a deprecated command that doesn't work on Sierra anymore due to the new logging system.
"odutil set log debug" and then "/usr/bin/sysdiagnose" after you get locked out, and you will find the SD log in "/tmp".
I found that going into Active Directory on the user getting locked out and on the "Account" tab checking to enable "This account supports Kerberos AES 128 bit encryption" and "This account supports Kerberos AES 256 bit encryption" fixed several of our users. But not all. In one case the user has two machines. One no longer locks the account but the other does.
We are also seeing this (AD shop, with mobile cached accounts) - and have a case open with Apple. It's pretty inconsistent, in that some people haven't had an issue, and some get locked out regularly. Some have iCloud, and some have never logged in. Looking at the Splunk logs, we see "Kerberos pre-authentication failed."
We use LDAP (AD) heavily and binding is a mandate for security/auditing reasons.
No mention of Enterprise Connect on this thread.
I wonder if that's going to be AppleCare Enterprise's solution. ¯_(ツ)_/¯
*20 minutes until touchdown...MSP I will soon be in you. #gogo
Log users out of icloud pre upgrade
log out of icloud
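#!/bin/bash
# Log out all users from iCloud by removing each user's MobileMeAccounts.plist
for USER_HOME in /Users/*; do
    PLIST="$USER_HOME/Library/Preferences/MobileMeAccounts.plist"
    # Only remove the plist where it exists (quoted so paths with spaces work)
    if [ -f "$PLIST" ]; then
        rm "$PLIST"
    fi
done
# Restart cfprefsd so cached copies of the removed preferences are dropped
killall cfprefsd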
@tep I have been seeing a lot of "Kerberos pre-authentication failed" messages as well. Is everyone else seeing these as well?
No news from Apple at the moment. This is very frustrating and I thought this was the most stable release.
Apple really have to stop releasing OSes that are not 100% ready.
So on the Windows side using Account Lockout Status, I'm seeing 2 bad password attempts when I put my Mac to sleep requiring password log in set to immediately. If I restart my Mac I get 1 bad password attempt. Every now and then I get 3 meaning I get locked out. This will depend on your Lockout Policy. This is happening with other Mac users I support. So if they made a typo entering their password for the first time during the log in window or anywhere else, they get locked out. This is with 10.12 and not signing into iCloud.
I tested this out in 10.11.6 and all looks fine. Maybe this has something to do with this thread.
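The bad-password arithmetic described in the post above, and the "Kerberos pre-authentication failed" entries mentioned earlier in the thread, can be tallied per account to see which clients push an account to the lockout threshold. This is an added example, not part of any poster's reply; the CSV layout, account names, addresses, the threshold of 3 and the 30-minute counting window are all constructed assumptions to be replaced with your own export format and lockout policy.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export (time, account, client address, result); not real log data.
SAMPLE = """\
2016-10-05T09:00:01,jdoe,10.0.4.21,preauth_failed
2016-10-05T09:00:02,jdoe,10.0.4.21,preauth_failed
2016-10-05T09:05:40,jdoe,10.0.4.21,preauth_failed
2016-10-05T09:10:00,asmith,10.0.4.30,preauth_failed
2016-10-05T09:10:05,asmith,10.0.4.30,success
2016-10-05T09:20:00,asmith,10.0.4.30,preauth_failed
2016-10-05T10:00:00,blee,10.0.4.40,preauth_failed
2016-10-05T10:00:01,blee,10.0.4.41,preauth_failed
2016-10-05T10:20:00,blee,10.0.4.40,preauth_failed
2016-10-05T11:00:00,mroe,10.0.4.50,preauth_failed
2016-10-05T11:00:01,mroe,10.0.4.50,preauth_failed
2016-10-05T11:45:00,mroe,10.0.4.50,preauth_failed
"""

def find_lockouts(text, threshold=3, window=timedelta(minutes=30)):
    """Return {account: sorted client addresses} for accounts whose failures
    reach `threshold` inside `window` with no successful logon in between."""
    recent = defaultdict(deque)  # account -> (time, client) of failures still counted
    hits = {}
    for ts, account, client, result in csv.reader(StringIO(text)):
        when = datetime.fromisoformat(ts)
        fails = recent[account]
        if result == "success":
            fails.clear()        # a good logon resets the bad-password count
            continue
        fails.append((when, client))
        while when - fails[0][0] > window:
            fails.popleft()      # failures older than the window no longer count
        if len(fails) >= threshold:
            # Record every client that contributed: one host (sleep/wake
            # pattern) versus several Macs used at the same time.
            hits[account] = sorted({c for _, c in fails})
    return hits

if __name__ == "__main__":
    for account, clients in find_lockouts(SAMPLE).items():
        print(account, "reached the threshold from", ", ".join(clients))
```

An account flagged with a single client address matches the sleep/wake pattern on one Mac, while several addresses point at multiple machines contributing failures.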
@vyang07 This matches with what I am seeing which is a slight variation on the lockout theme, I frequently use multiple Macs simultaneously and I am sleeping, waking, rebooting them constantly. I have noticed if I use two 10.12 machines simultaneously I get fairly frequent lockouts even without doing anything at all.
@vyang07 @Look I have noticed this pattern too. Putting my Mac to sleep causes at least one bad password attempt.
@vyang07 What you are seeing is definitely caused by this bug.
It looks like there is a new beta build of macOS 10.12.1 out today. Can anyone confirm if the issue is fixed?