10.8.5 Macs logging 2 incorrect attempts against Active Directory with one bad try. badPwdCount

ClassicII
Contributor III

Hey guys,

I just wanted to see if you have seen this issue.

Users will type in the password wrong once, but it will actually log 2 incorrect attempts to Active Directory.

dsAttrTypeNative:badPwdCount: 2

I even found a post from Rich talking about this very issue.

"Mountain Lion can send multiple password attempts for each attempt by the user. I had a case open with AppleCare Enterprise about the same issue and the eventual solution was to raise the lockout level."

Raising the lockout level is not going to be a solution here, even though it may be one for other people.

I guess the real question is why is it logging 2? We are going to try and look at the individual event lockout logs on the AD server.


agirardi
New Contributor II

I have been seeing this in our environment as well. I could not reproduce it every time, but now and then we have customers call being locked out, saying they typed it incorrectly 1 time.

We are using AD as well, and our policy is set to lockout after 5 unsuccessful.

dpertschi
Valued Contributor

@agirardi: Can you share the URL to Rich's post on this? I can't find it.

This worries me.

Thanks, D.

rtrouton
Release Candidate Programs Tester

I'd posted this to Apple's Client Management list:

http://lists.apple.com/archives/client-management/2013/Sep/msg00001.html

armando
New Contributor III

We've been having this issue since 10.8 came out and were forced to stay at 10.7.x because of it. They did fix it in Mavericks, so maybe I will just skip 10.8 altogether.

ClassicII
Contributor III

Interesting, so it's confirmed 1 bad attempt is passed with 10.9?

We are going to put in a ticket on this. The problem is everyone else probably did too and it was not fixed. The answer we will get back will be to upgrade to 10.9 for the fix. :(

mm2270
Legendary Contributor III

Apple's answers to just about anything fixed recently is to upgrade to 10.9. Mavericks *IS* the upgrade to anything from 10.6 through 10.8, didn't ya know? Apparently they don't see what the problem is with this and we're all just crazy.

nkalister
Valued Contributor

Yeah, upgrade to 10.9 was Apple's response to the 802.1x+wifi issues with the system keychain in 10.8.

ClassicII
Contributor III

Yes, this has been fixed in 10.9.

Still, though, what was changed? I want to have it working on 10.8 but I know I am out of luck on that front.
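Added example, not part of any post in this thread: one way to do the domain controller log check mentioned in the original post is to group failed authentications per account and source host into bursts, so a single typo that the client submitted twice stands out from two separate user attempts. The CSV-style export format, the account and host names, and the 2-second window are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: failed-authentication records as they might be exported
# from a domain controller's Security log (timestamp, account, source host).
SAMPLE = """\
2013-09-03T08:15:02.110,jdoe,MAC-1042
2013-09-03T08:15:02.480,jdoe,MAC-1042
2013-09-03T08:19:40.002,jdoe,MAC-1042
2013-09-03T09:01:11.300,asmith,WIN-0007
"""

def parse(text):
    """Yield (timestamp, account, host) tuples from the CSV-style export."""
    for line in text.strip().splitlines():
        ts, account, host = line.split(",")
        yield datetime.fromisoformat(ts), account, host

def cluster_failures(events, window=timedelta(seconds=2)):
    """Group failures per (account, host) into bursts.

    Failures closer together than `window` (an assumed threshold) are treated
    as one user attempt that the client submitted more than once.
    """
    per_key = defaultdict(list)
    for ts, account, host in sorted(events):
        bursts = per_key[(account, host)]
        if bursts and ts - bursts[-1][-1] <= window:
            bursts[-1].append(ts)   # same burst: likely a duplicate submission
        else:
            bursts.append([ts])     # new burst: a separate user attempt
    return dict(per_key)

def summarize(text, window=timedelta(seconds=2)):
    """Return {(account, host): (logged_failures, likely_user_attempts)}."""
    return {
        key: (sum(len(b) for b in bursts), len(bursts))
        for key, bursts in cluster_failures(parse(text), window).items()
    }

if __name__ == "__main__":
    for (account, host), (logged, attempts) in summarize(SAMPLE).items():
        flag = "  <-- duplicated submissions" if logged > attempts else ""
        print(f"{account}@{host}: {logged} logged, {attempts} likely attempts{flag}")
```

A host whose logged failures consistently exceed its likely attempts is sending more than one bind per password entry, which is the pattern that drives badPwdCount toward the lockout threshold faster than users expect.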