ACTIVE DIRECTORY INTEGRATION & USER PASSWORD MANAGEMENT

Stay away from OD and the golden triangle. Even Apple doesn't recommend it anymore. Casper and AD can handle anything.

That said, we are able to change passwords over wireless or VPN straight to Active Directory, as well as perform initial logins.

I think you need to take a look at your network setup (possibly DNS on your wireless, maybe the Mac can't find a domain controller), what you want to do should be working.

We have a similar issue as you describe except our authenticated users are able to change their password from their Mac wirelessly. We do have the issue with a first time user needing to be hardwired, and additionally when a user changes their password from another system Windows, Mac, Virtual, etc. they need to be hardwired to be prompted to update their keychain on logon to sync the new password.

It is my understanding that we have this issue due to our wireless infrastructure being setup with a user based authentication. This would make sense as they would not be able to connect to wireless until they were logged on. I am not sure if your wireless is setup the same way or not.

We are looking at implementing machine based authentication for our wireless network but so far have not gotten far enough along to actually test the behavior to see it addresses these issues. If you are using a machine based wireless authentication system and have these issues, I would be very interested to see what others are doing.

I know this isn't an answer to your question but hopefully it is of some help.

@alexjdale][/url We have several VLANS, none of which cross, so perhaps we need to move to a more "flat" network.

@FritzsCorner][/url Our infrastructure is also user based, so it does make sense that this wouldn't work, but that doesn't make it any less frustrating... Machine based authentication may be an option, but that is not necessarily my call to make, setting up a test environment sounds like our best bet.

I'm finding the Casper manual to be very "dry" and not that informative, so any assistance is greatly appreciated! :)

@bigdaddybesbris,

The password issue you're seeing may be less about your management solution (Casper, in this case) and more about how Active Directory is set up in your shop. Would you mind answering a few questions? It may help with better figuring out a solution to your issue:

1. Are your Macs bound to your Active Directory domain?

2. Are your Active Directory domain controllers accessible over your wireless network? By this, I'm asking if you can connect to your WiFi using either a WEP or WAP password and then have the same access to your domain controllers that you have when you're connected via a wired connection.

3. Are you using 802.11x to authenticate connections to your wireless network? If you are using 802.11x, is it machine-level authentication (where a user's account is not being used to authenticate the connection) or does it use user-based authentication? Based on your previous answer to @FritzsCorner, it sounds like it may be user-based but I'm not certain.

The reason for these questions is that it sounds like your Macs can communicate with your Active Directory domain controllers only when plugged into your wired network. I don't want to make that assumption though, which is why I'm asking the questions.

@rtrouton][/url][/url][/url][/url][/url][/url

1. Yes, they are.

2. I'm not sure I understand the question. Our Domain Controllers are available across the whole network. They need to be or authentication wouldn't work properly.

3. We are encrypting with 802.1x. Wireless clients are required to authenticate with an Active Directory username/password (via LDAP using Microsoft IAS as a RADIUS server) to gain network access.

In theory, after starting up a Macbook, a user would first somehow have to authenticate to the wireless network with AD credentials, and then they would be able to login to the computer with AD credentials.

They need a network connection to login to the Mac with their AD credentials so it can contact the RADIUS server, so they'd need to authenticate for wireless first.

@bigdaddybesbris

I see this setup at a lot of sites I visit. The wireless network is either not available at the login window (in most cases), or for some, wifi is there but the domain controllers are not reachable to let users change their passwords.

Can you change your AD password from the system preferences while on the wireless network? That might confirm if the DC is at least reachable from the WLAN.

802.1x machine based authentication is quite easy, as long as you have your certificate authority admin and your wireless network admin helping you. You should look at the settings in configuration profiles for "AD Certificate" and "Network" with the "Use as a Login Window configuration" option enabled. Those two combined will set up a nice automated connection for the devices.

I wouldn't expect it to be a completely straight-forward setup though. I have had different issues at each client I have visit, Cisco ISE being particularly difficult.

Regarding Open Directory, I would also say you should stay clear of it. With AD and Casper you really don't need anything else, at least for this part of Mac management.

@davidacland][/url][/url

Users are able to change their passwords wirelessly, but if they do, the new password does not set in Active Directory. We discourage Mac users from changing their password unless they are hardwired and following a written guide which we have provided.

Certain criteria must be met prior to doing this:

1. They MUST be on campus.
2. The Mac users machine MUST be hardwired.
3. They CANNOT change their password via OWA. It MUST be changed via System Preferences.
4. After changing their password, they MUST update it in Outlook 2011 or their email ceases to function.

Occasionally, their 802.1x and Outlook keychains must be deleted prior to doing this. However these instances are quite rare.

Is that at the login window? It sounds like its changing the password on the local cached copy of the account.

Another way to tell if you can access AD on wireless is to use dscl from the Terminal:

1. Type: "dscl" and press enter
2. At the prompt type: "cd Active Directory/NETBIOSNAME/All Domains/Users" and press enter, replacing NETBIOSNAME with your actual short domain name (the path might be a bit different if you've unticked "allow authentication form any domain in the forest in the AD binding options)
3. Type: "ls" and press enter. This should give you a list of users from AD. If it doesn't, you're not connected to the domain

@davidacland][/url

No, not at the login Window, only if the user is already on their machine.

Users are required to change their password every 120 days (4 months). If they are on a Mac that is hardwired, they receive periodic notifications stating that their password will expire in 'x' days. ONLY if they are hardwired.

Users are able to change their password at the login window, but only if the above criteria is met.

If the Mac is wireless, they are never prompted or even reminded that their password will expire.

@davidacland

I wouldn't expect it to be a completely straight-forward setup though. I have had different issues at each client I have visit, Cisco ISE being particularly difficult.

I guess I will be in for a good time considering we are using Cisco ISE. ;)

Aaron

@FritzsCorner

It seems ISE needs "host/fqdn", as in the word "host" and a forward slash before the fqdn when the network connection request is made. Windows does this as standard and works ok. Using a profile only "fqdn" is sent and the connection is rejected. Actually ISE thinks it needs to look for a user and searches for an AD user named by the computer fqdn and fails.

You can still deploy the AD cert part of the profile and then connect manually (or at least thats the case for EAP-TLS).

Have fun!

@bigdaddybesbris, sounds like the DC's are not accessible or are only partially accessible from the wireless.

FWIW, we can create new accounts via wireless & can reset passwords.

@davidacland

It seems ISE needs "host/fqdn", as in the word "host" and a forward slash before the fqdn when the network connection request is made. Windows does this as standard and works ok. Using a profile only "fqdn" is sent and the connection is rejected. Actually ISE thinks it needs to look for a user and searches for an AD user named by the computer fqdn and fails. You can still deploy the AD cert part of the profile and then connect manually (or at least thats the case for EAP-TLS).

Interesting.. this is good to know and I appreciate the info!

Aaron

I'm very concerned that your configuration allows users to change their passwords in System Preferences and it somehow does not take effect on the domain. If the OS cannot negotiate a password change with a domain controller, the Change Password action should fail and throw an error to the user, without changing the local password (with mobile Active Directory-based accounts).

@alexjdale

What is the easiest way to implement AD integration into Casper? Are there any clear benefits using Casper over OD? I'm looking to acquire as much data as possible prior to approaching my supervisor. It seems as though there is a really nice GUI in place for setting up AD as an LDAP connection, so that helps. I don't mean to pester, and I certainly appreciate the time, I am a novice in regards to JAMF and Casper.

@alexjdale

Password changes work fine when hard-wired, but not via wireless. I don't mean to sound like a broken record, however, this is not something that I am in control of.

We are really trying to accomplish two (maybe 3) things:

1. Allowing users to change their passwords wirelessly
2. Ensuring that password expiration notices are distributed to users appropriately, regardless of network connection type.
3. Allowing new users to log in to a machine for the first time w/o the need of a Thunderbolt to Ethernet adapter.

Hi,

The method I normally use is a directory binding created in the computer management screen of the JSS. This can then be added to a policy. You can do it via a config profile but it sounds like people are having issues with this method at the moment.

OD is just an alternative to managed preferences and, in the case of profile manager, configuration profiles. It doesn't offer any of the other Casper features such as software deployment, inventory (detailed), smart groups, policies etc.

@bigdaddybesbris

For point 2, you may want to look into ADPassMon:

https://yourmacguy.wordpress.com/adpassmon/

Oops, overlapped on our responses.

For all three points, you will need input from your wireless network admin as they are all related to the same core problem, which is that the necessary traffic isn't allowed between the clients and the AD on wireless.

Casper wouldn't be able to get around this unfortunately.

Yes, what @davidacland said.

If your wireless admin needs input, you should be using computer certificate authentication so the laptop will join the wireless network at the login screen and not after the user is logged in.

@adamcodega

Adam,

In reading this: https://discussions.apple.com/thread/6763950, it seems that getting a Mac to preauthenticate is a bit of a challenge? I spoke to one of our network engineers, and we use machine and user auth for PCs and user auth for mobile devices.

Wireless access at the login window will depending on the authentication type. If its WPA Pre-shared key there isn't anything special to do. If its WPA-Enterprise then you would need a machine certificate and to use a form of EAP authentication.

There is still an underlying issue reaching AD when connected to wifi which might be related. A lot of enterprise sites I visit restrict access to network resources when using WPA-PSK or PEAP.

I am the Apple Systems admin at a school and we have AD on our backend. I have been trying to figure out a viable solution for reseting passwords on mac and from everywhere I read AdPassMon and KerbMinder are two great tools. There will never be a seamless integration between AD,Mac,Outlook,Mail client. Window ect... From our environment we have macs bound to AD, using a Radius 802.1x PEAP authentication and the issue we have is if the password expires and we need to reset it - then the keychain gets messed up. So after reading multiple discussions it comes down to the more notices and reminders we can give out users to change their passwords (the right way- however that maybe in your environment) before expiration the better.

Hey Ethan R. Besbris, did you ever get this task working in your environment?