Posted on 11-06-2013 04:06 PM
This appears to be the behavior of dsconfigad on OS X, but I'm not sure. I'm trying to figure out what is causing this as it's causing me headaches for 802.1X authentication.
The issue is the Mac's computer object in Active Directory has userPrincipalName set. Looking at my Windows computers, most of them do not have this attribute set in Active Directory, though I have found a few that do. The problem is when requesting a certificate from Active Directory Certificate Services the userPrincipalName should be in the format of computername$@contoso.com. The Macs that have userPrincipalName set have "host/computername.contoso.com@CONTOSO.COM" set as userPrincipalName. This appears to be the valid format for a Service Principal Name (SPN).
To quickly find computers with this issue you can use some PowerShell:
Import-Module ActiveDirectory
# Computers whose UPN is in SPN (host/...) form; UserPrincipalName is in Get-ADComputer's default property set
Get-ADComputer -Filter {userPrincipalName -like "host*"} | fl
Or if you want to see computers that don't have a userPrincipalName set to host/...
Import-Module ActiveDirectory
# Everything else: computers with no UPN at all, or a UPN that does not start with host/
Get-ADComputer -Filter {-not (userPrincipalName -like "host*")} | fl
I haven't seen any other unknown values for userPrincipalName in my Active Directory, so at least it's an easy issue to search for (so far) though I'm not sure if changing the userPrincipalName for an Active Directory computer is going to cause trouble or not. Anyone know?
I'm still in pre-production with rolling out Active Directory binding and 802.1X certificates to the Macs, so I don't yet have a large sample. If anyone is willing to check their own domains with the PowerShell above I'd appreciate it.
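An expanded audit script for the same check, added here as an example and not part of the original post. It classifies every computer object's userPrincipalName as empty, the expected sAMAccountName@DNSRoot form the post describes (computername$@contoso.com), the SPN-style host/... form, or anything else, and prints a summary. It assumes the ActiveDirectory RSAT module and read access to the domain; the optional -Remediate switch is my addition, rewrites only the SPN-style entries, and honours -WhatIf, since the thread has not established that changing a computer's UPN is harmless.

```powershell
<#
  Audit (and optionally fix) computer objects whose userPrincipalName holds an SPN-style
  "host/name.domain@REALM" string instead of the "name$@domain" form a certificate template
  expects. Assumptions (not from the original post): the ActiveDirectory module is installed,
  the expected UPN is "<sAMAccountName>@<domain DNSRoot>", and -Remediate is only run after
  testing on a few objects with -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,   # optional OU distinguished name to limit the query
    [switch]$Remediate     # rewrite SPN-style UPNs to <sAMAccountName>@<DNSRoot>; honours -WhatIf
)

Import-Module ActiveDirectory

# DNS name of the domain the session is joined to, e.g. contoso.com
$dnsRoot = (Get-ADDomain).DNSRoot

$getParams = @{
    Filter     = '*'
    Properties = 'userPrincipalName', 'operatingSystem'
}
if ($SearchBase) { $getParams.SearchBase = $SearchBase }

$report = foreach ($c in Get-ADComputer @getParams) {
    $upn      = $c.UserPrincipalName
    $expected = '{0}@{1}' -f $c.SamAccountName, $dnsRoot   # e.g. MAC01$@contoso.com

    # Classify; -eq is case-insensitive in PowerShell, which matches how AD treats UPNs
    $state = if (-not $upn)               { 'Empty' }
             elseif ($upn -eq $expected)  { 'Expected' }
             elseif ($upn -match '^host/') { 'SpnStyle' }
             else                         { 'Other' }

    [pscustomobject]@{
        Name            = $c.Name
        OperatingSystem = $c.OperatingSystem
        UPN             = $upn
        ExpectedUPN     = $expected
        State           = $state
        DN              = $c.DistinguishedName
    }
}

# Summary of how many objects fall into each state
$report | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize

# Detail for anything that would not enrol cleanly against a UPN-based template
$report |
    Where-Object { $_.State -in @('SpnStyle', 'Other') } |
    Format-Table Name, OperatingSystem, UPN, ExpectedUPN -AutoSize

if ($Remediate) {
    foreach ($r in ($report | Where-Object { $_.State -eq 'SpnStyle' })) {
        # ShouldProcess makes -WhatIf / -Confirm work on this script
        if ($PSCmdlet.ShouldProcess($r.DN, "Set userPrincipalName to $($r.ExpectedUPN)")) {
            Set-ADComputer -Identity $r.DN -UserPrincipalName $r.ExpectedUPN
        }
    }
}
```

Run it as `.\Audit-ComputerUpn.ps1 -SearchBase "OU=Macs,DC=contoso,DC=com"` to report only, and `.\Audit-ComputerUpn.ps1 -Remediate -WhatIf` to see what a fix would change before committing to it. Note that only the userPrincipalName attribute is touched; the object's real SPNs live in servicePrincipalName and are left alone.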
Posted on 11-06-2013 08:30 PM
What if you used something else, like %COMPUTERNAME%
Posted on 11-06-2013 10:56 PM
@azbikowski: Out of about 30,000 computers in our AD, 7 came back matching with a UPN of host/computer@CONTOSO.COM (none were Macs). This is quite different from your example. It leads me to ask how the heck are you binding your Macs to AD? I typically use the binding in Casper Imaging but on a few occasions have had to use the CLI. Perhaps you can use the DNS name in the SAN field when you request the certificate.
For my own (albeit somewhat selfish) edification, are you using an MS PKI? Is it setup for NDES and are you using a dynamic CA with a dynamic challenge? If so, I'd like to talk to you about how you're getting SCEP to automatically issue device certificates. Thanks
Posted on 11-07-2013 05:57 AM
Thanks for the info @evarona. Today I'm going to figure out how to reproduce the issue (if I can). All the Macs that I have bound to AD at the moment are test computers that have been bound, unbound, and rebound multiple times. I'm really hoping this is the cause. Depending on the test case the Mac was bound with Directory Utility, dsconfigad, or Casper.
I am using Active Directory Certificate Services, but I'm not using SCEP. I tried getting SCEP working for Lion but never had any luck. Mountain Lion and up can acquire certificates using DCE/RPC (the same as Windows) and from there it's just configuring a certificate template to add the Mac's UPN (Server 2008 Enterprise or higher required) and deploying a mobileconfig file to an AD bound Mac.