How does Keychain deal with an expired account and a proxy (Kerberos)?

Media-C
New Contributor II

Hey folks, I have some technical questions to ask and could really use your input on this.

1. What is the expected behaviour of a Macintosh machine (joined to the domain) when connected to a proxy? In our case it is a Blue Coat proxy, with the PAC file configured in Network -> Proxies -> Automatic Proxy Configuration.

   I. Internally connected (in office)
      a. Observed that Kerberos is used when the Macintosh is connected from internal.
      b. Observed that an item of type "Internet password" is created in Keychain Access, and "AuthBrokerAgent" needs to be allowed access to it; I've read that AuthBrokerAgent is responsible for handling proxy credentials.
      c. Does not cause any issue, because the client side submits the right credential to the ProxySG for authentication.

   II. Externally connected (out of office)
      a. Observed that the Macintosh did not try Kerberos and fell back to NTLM.
      b. Observed from packet captures of 3 browsers (Safari, Chrome, Firefox):
         a. Safari failed with NTLM; there was no authentication prompt on the machine even though the ProxySG responded with a 407 "authentication required" code.
         b. Firefox and Chrome do not submit the credential automatically using the domain user's logon information, which causes the authentication prompt when I am browsing.
2. Will the saved Keychain Access entry for the proxy prompt for a password reset when the password expires? If yes, is there a way to not have it saved in Keychain Access, to prevent a locked account?

Really appreciate your answer.


davidacland
Honored Contributor II

Hi, most of it sounds like normal behaviour, apart from Safari failing NTLM auth. That normally works for us.

You won't get the Macs automatically passing login credentials to the browsers unfortunately but the keychain works as a compromise.

If the password has changed, the browsers will prompt for them again. If the password has expired and not yet been changed, the browsers aren't going to handle that very well.

Hope this helps.

Aaron
Contributor II

This sounds pretty similar to my setup before we moved and switched to load-balanced Cisco IronPort (which is another bucket of issues altogether).

Pretty sure you're not going to get Kerberos working outside of the office. NTLM auth will rely on saved credentials in the Keychain.

However, I've noticed (especially in El Cap) that a lot of proxy requests are now handed off to the CFNetwork API, and Apple explicitly states that this will not call on the keychain - https://developer.apple.com/library/mac/documentation/CoreFoundation/Reference/CFProxySupport/index.html

As for saved passwords, if the password has changed, it will not prompt you to re-enter it in the event that it's incorrect (which will cause account lockouts if you have such a policy). Many people have had issues with password changes, and you'll find many posts on here about it. But generally it comes down to developing a script/installing a program that monitors this for you. I've actually got to the point where I've developed a "Change password script" in Self Service, and I encourage all users to change their password that way, as I take into account keychain and proxy passwords.

Additionally, you could develop a logout hook that clears the user keychain of any proxy entries on logout.

Macs in a Windows domain have always been a bit of a square-peg-in-a-round-hole type situation.

Key1
New Contributor III

I'm pretty sure this means that if you have multiple password instances saved for one AD account (Exchange, proxy, web, etc.) in your keychain, each will cause a bad-password attempt. If you have enough of them, the account could lock out just on password expiry if your bad-password count is low enough.

Even if you moved to a local account these problems don't go away. The best options I can see are SSO and maintaining a Kerberos ticket, OR, like Aaron suggested, scripting the password change process to hit the well-known entries.
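Aaron's logout-hook idea and Key1's point about several keychain items for one AD account both come down to the same step: finding the "Internet password" items in the login keychain. The script below is an added example written for this thread, not code any of the posters shared. It assumes a proxy hostname (PROXY_HOST is a placeholder) and that `security dump-keychain` prints items in the attribute layout shown in the constructed sample; no secrets are involved because `dump-keychain` does not print passwords without `-d`. `inet_items` lists the items for a host or for an account, `count_items` gives the number Key1 warns about (each item is one more bad-password attempt after an AD password change), and `clear_proxy_items` is the logout-hook half.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. PROXY_HOST is a
# placeholder; set it to the ProxySG name your PAC file returns. The parser
# assumes the item layout `security dump-keychain` prints on macOS.
PROXY_HOST="${PROXY_HOST:-proxy.example.com}"

# Constructed sample of `security dump-keychain` output: two proxy items for
# jdoe (HTTP proxy "htpx" and HTTPS proxy "htsx"), one ordinary web password,
# and one generic (non-Internet) password. Values are made up.
SAMPLE_DUMP='keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="proxy.example.com (jdoe)"
    "acct"<blob>="jdoe"
    "desc"<blob>="Proxy password"
    "port"<uint32>=0x00001F90
    "ptcl"<uint32>="htpx"
    "srvr"<blob>="proxy.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="proxy.example.com (jdoe)"
    "acct"<blob>="jdoe"
    "desc"<blob>="Proxy password"
    "port"<uint32>=0x00001F90
    "ptcl"<uint32>="htsx"
    "srvr"<blob>="proxy.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="intranet.example.com"
    "acct"<blob>="jdoe"
    "desc"<blob>="Web form password"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="intranet.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    "acct"<blob>="jdoe"
    "svce"<blob>="Exchange"'

# inet_items KEY VALUE: read dump-keychain text on stdin and print one line
# per "Internet password" (class inet) item whose attribute KEY (acct or
# srvr) equals VALUE, as  acct<TAB>srvr<TAB>ptcl.  Every item starts with a
# "keychain:" line, so that line flushes the previous item and resets state.
inet_items() {
  awk -v key="$1" -v want="$2" '
    function val(s) { sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
    function flush() {
      if (cls == "inet" && ((key == "acct" && acct == want) ||
                            (key == "srvr" && srvr == want)))
        print acct "\t" srvr "\t" ptcl
    }
    /^keychain:/          { flush(); cls = ""; acct = ""; srvr = ""; ptcl = "" }
    /^class:/             { cls = $2; gsub(/"/, "", cls) }
    /"acct"<blob>=/       { acct = val($0) }
    /"srvr"<blob>=/       { srvr = val($0) }
    /"ptcl"<[a-z0-9]*>=/  { ptcl = val($0) }
    END                   { flush() }
  '
}

# count_items KEY VALUE: how many inet items match. With KEY=acct this is the
# number of separate bad-password attempts a stale AD password can generate.
count_items() { inet_items "$1" "$2" | wc -l | tr -d ' '; }

# clear_proxy_items HOST: delete every inet item for HOST from the login
# keychain of the current user. One delete call removes one matching item,
# so the HTTP and HTTPS proxy items each get their own call.
clear_proxy_items() {
  security dump-keychain 2>/dev/null | inet_items srvr "$1" |
  while IFS="$(printf '\t')" read -r acct srvr ptcl; do
    security delete-internet-password -a "$acct" -s "$srvr" >/dev/null 2>&1 &&
      printf 'removed %s@%s (%s)\n' "$acct" "$srvr" "$ptcl"
  done
}

# Stand-alone run: without arguments only list (safe anywhere); "--delete"
# removes the proxy items, which is the mode to wire into the logout hook.
if command -v security >/dev/null 2>&1; then
  if [ "${1:-}" = "--delete" ]; then
    clear_proxy_items "$PROXY_HOST"
  else
    printf 'Proxy items for %s in the login keychain:\n' "$PROXY_HOST"
    security dump-keychain 2>/dev/null | inet_items srvr "$PROXY_HOST"
  fi
else
  # Not on macOS: exercise the parser on the constructed sample instead.
  printf 'Proxy items for %s in the sample dump:\n' "$PROXY_HOST"
  printf '%s\n' "$SAMPLE_DUMP" | inet_items srvr "$PROXY_HOST"
fi
```

On the sample, `count_items acct jdoe` returns 3 (the `genp` Exchange item is not an Internet password and is ignored) and `count_items srvr proxy.example.com` returns 2. One caveat for the logout-hook use: a LogoutHook runs as root, and `security` operates on the keychain of the user running it, so call the `--delete` mode as the logging-out user (for example via `launchctl asuser` or `su`), not directly as root.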