Keychain and Active Directory users

DanJ_LRSFC
Contributor III

I'm sure this is a scenario that a lot of you will have encountered before. Consider the following:

  1. Mac is bound to Active Directory
  2. An Active Directory user has previously successfully logged on to the Mac
  3. The user changes/has their password changed elsewhere (most commonly because they forgot it or it expired)
  4. The user tries to log on to the Mac
  5. The user receives a cryptic dialogue box about not being able to unlock the keychain. Not being familiar with what a keychain is or why they should care, the user clicks Continue Log In
  6. The user then receives constant requests for a "keychain password" which they have no idea about; they just want to get on with their work

For reference, we are mainly using OS X 10.10.5 although we do still have some 10.9 and 10.8 machines which we are hoping to update to 10.10 during the summer. We are also on Casper 9.82 with plans to update to 9.92 at or before summer.

I've seen the following workarounds/solutions to this problem:

  1. Simply telling the users to delete their login keychain. While this does get the messages to go away (as the login keychain is recreated using the new user password) it's a heck of a lot of faff for users to go through.
  2. Keychain Minder. I tried installing this for testing purposes, but it did not seem to activate when confronted with a test version of the scenario described above. Reading the documentation it seems like it's only used for screensaver unlocking and preference pane unlocking? Is there a version that works for the regular login screen? I uninstalled it after this test
  3. ADPassMon. I tried installing this for testing purposes and setting its Preferences to be added to the login items and to check the keychain at launch. It did load on login, but didn't activate its password update dialog automatically; if I then went into the Preferences and clicked Test Settings it worked, but obviously I'd want it to do it automatically.

It's also worth noting that none of these solutions seem to be able to replace the original system-generated dialogue that has the message about keychains and the three buttons. I appreciate it might not be possible to disable that but if it is possible I'd definitely want to do it.

What solution do you use? Is there some extra configuration that I have missed?


AVmcclint
Honored Contributor

Once you get ADPassMon working for you, you can hammer into users' heads to "NOT LET THE PASSWORD EXPIRE!" Sometimes a social solution is needed for a technical problem.

That being said, I use ADPassMon with a Launchdaemon and pre-defined preferences for the expiration period etc. to make sure it is there for every user. Even with ADPassMon in place, users still forget... OR they DO change their passwords correctly and for some unknown reason, the keychain still goes kablooey. For those instances, I have a Self Service policy that just deletes the entire /Users/<currentuser>/Library/Keychains/ folder and forces a reboot. It's not an elegant solution but it gets the job done.

millersc
Valued Contributor

+1 with @AVmcclint

stevewood
Honored Contributor II

@DanJ_LRSFC unfortunately, what you describe is one of the pain points to Macs integrated into AD environments. Especially when passwords are changed outside of the Mac. We use a web site that was written internally to have users change their AD passwords, but because there is no way to script the updating of the Keychain password, we have the same problems.

Our solution is education. We have hammered into our user's heads that the process is to change the password on the web site, and then use Keychain Access to update their keychain password immediately. We tried the "log out of your account" route, but could never reliably get the OS X keychain minder to open and ask the user to update their keychain password.

For those that do not remember to do this, or cannot remember their keychain password, I have a Self Service policy that does as @AVmcclint has done, and deletes the Keychain file and re-creates it. The downside to my solution (not deleting the entire folder contents) is that if the user has signed in to iCloud they could have a Local Items folder that they then get alerted to. I may have to use Clint's method of nuking the entire folder.
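A Self Service style keychain reset of the kind AVmcclint and stevewood describe, written here as an added example (it is not a script from either of them). The differences from a plain delete: the whole Keychains directory is moved aside rather than removed, so the user's saved non-AD passwords can still be recovered by the helpdesk, and it is the whole directory that goes, so the UUID-named "Local Items" folder and any application keychains are recreated at the next login too. Assumptions: the script runs as root from a Jamf policy, the affected AD user is the one at the console, and the reboot is only done when REBOOT=1 is set in the environment.

```shell
#!/bin/sh
# Added example, not a script from this thread: move the console user's
# ~/Library/Keychains directory aside to a timestamped backup and reboot, so
# a fresh login keychain is created from the user's current AD password.
# Assumptions: run as root by Jamf, the affected user is at the console,
# REBOOT=1 in the environment is required before the machine is restarted.

# Name of the user at the console (macOS only).
console_user() {
  stat -f%Su /dev/console
}

# Move <home>/Library/Keychains aside. Prints the backup path and returns 0,
# or returns 1 without printing anything when there is no keychain directory.
reset_keychains() {
  kc_home="$1"
  kc_src="$kc_home/Library/Keychains"
  [ -d "$kc_src" ] || return 1
  kc_dest="$kc_home/Library/Keychains.bak-$(date +%Y%m%d-%H%M%S)"
  mv "$kc_src" "$kc_dest" || return 1
  printf '%s\n' "$kc_dest"
}

# Real run: only on macOS and only as root (Jamf runs policy scripts as root).
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = 0 ]; then
  user=$(console_user)
  case "$user" in
    root|loginwindow|"") echo "no user at the console, nothing to do"; exit 0 ;;
  esac
  if backup=$(reset_keychains "/Users/$user"); then
    echo "moved keychains for $user to $backup"
    # Ending the session is what makes the OS build a new login keychain.
    [ "${REBOOT:-0}" = 1 ] && shutdown -r now
  else
    echo "no keychain directory for $user"
  fi
fi
```

The backup directory name is hypothetical; pick one that a later cleanup policy can find and remove after a grace period.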

AVmcclint
Honored Contributor

Things get a little more complicated when you're dealing with FileVault enabled systems. Usually in those cases, once you can unlock the computer with a valid password (usually via local admin account), the filevault password should sync up after a few minutes.

AVmcclint
Honored Contributor

I nuke the whole Keychains folder because there are separate keychains or certificates that relate to Microsoft Lync and if those aren't deleted, the user still has problems with logging in to Lync. Instead of spending a lot of time trying to single out the numerous individual issues that will be affected, I just blow the whole thing out and gently remind the user that if they don't want to lose their saved (non-AD) passwords, it is important that they heed the NUMEROUS warnings ADPassMon gives them. Before I implemented ADPassMon here, password expirations were probably the #1 Mac issue the helpdesk had to deal with. Now I can say that I've only had to deal with 3 instances of the passwords expiring or getting changed in a different location in the past year... and one of those was someone who was out on maternity leave when her password expired.

You have to educate the users. It really is the best way, but the importance has to be stressed repeatedly until it sinks in. The very first thing I tell new hires (after introducing myself) is the password expiration policy and ADPassMon.

If you want to proactively assist users, you can even make an Extension Attribute in Casper to read the user's com.pmbuko.ADPassMon.plist preference file to look for the menu_title key and report the value (which is the number of days until expiration). Then you can display that EA in your All Computers view in JSS or create a smart group or whatever you want so you can alert users when you see that their passwords will expire soon. Nudge them until they get the picture that they need to take action before it's too late.
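An Extension Attribute script of the kind AVmcclint describes, as an added example rather than his own. It assumes the preference domain is org.pmbuko.ADPassMon (the thread shows both com. and org. spellings; Jens_Mansson's script uses org.) and that menu_title holds a value beginning with the day count, such as "14d". It also covers the cases an EA hits in practice: nobody at the console, or a user who has never run ADPassMon, both of which are reported as "unknown" rather than as a bogus number.

```shell
#!/bin/sh
# Added example, not from this thread: Jamf Extension Attribute that reports the
# days until the console user's AD password expires, read from ADPassMon's
# preference file. Assumptions: domain org.pmbuko.ADPassMon, menu_title holds a
# value that starts with the day count (e.g. "14d"); anything else is "unknown".

# Extract the leading integer from a menu_title value such as "14d" or "3 days".
# Prints "unknown" when the value does not start with a digit.
days_from_title() {
  case "$1" in
    [0-9]*) printf '%s\n' "${1%%[!0-9]*}" ;;
    *) printf 'unknown\n' ;;
  esac
}

# Wrap a value in the <result> tags a Jamf EA script must print.
ea_result() {
  printf '<result>%s</result>\n' "$1"
}

# Real run (macOS only): when nobody is logged in the console user is
# "root" or "loginwindow", the defaults read fails, and we report "unknown".
if [ "$(uname)" = "Darwin" ]; then
  user=$(stat -f%Su /dev/console)
  title=$(defaults read "/Users/$user/Library/Preferences/org.pmbuko.ADPassMon" menu_title 2>/dev/null)
  ea_result "$(days_from_title "$title")"
fi
```

With the EA set to an integer data type, a smart group such as "days until expiration is less than 7" gives you the list of users to nudge; "unknown" values simply fall outside the range.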

Jens_Mansson
New Contributor

To add security to ADPassmon for your users, and especially for those always-remote users on VPN etc., add KerbMinder, as you can choose to integrate it with the latest version of ADPassmon.

KerbMinder is a tool for Mac OS X that keeps a logged-in user's Kerberos ticket current by attempting to renew or refresh it automatically any time the network state changes.

DanJ_LRSFC
Contributor III

So I guess the two main questions I have now then are:

  1. Is there any way to disable or not show the system prompt regarding the keychain?
  2. What do I need to do to get ADPassMon working in such a way that it will immediately activate after logon if there's a keychain issue?

We're not using FileVault at the moment so that would not be an issue.

I have seen KerbMinder before (and that it integrates with ADPassMon) but I didn't quite grasp what it was for? If it's for VPNs, that's not a usage scenario that we have at the moment.

Jens_Mansson
New Contributor

I have just recently added ADPassmon to our environment but this is what we have running.

To avoid expiration not being checked by OS X, we edit /Library/Preferences/com.apple.loginwindow.plist and add this key:
<key>PasswordExpirationDays</key>
<integer>0</integer>

For configuration of ADPassmon I run a script in the policy for ADPassmon that runs after the package is installed.

    #!/bin/bash
    # Jamf passes the target username to a policy script as $3.
    user="$3"
    prefs="/Users/$user/Library/Preferences/org.pmbuko.ADPassMon"
    defaults write "$prefs" enableNotifications -bool true
    defaults write "$prefs" selectedMethod -int 1
    defaults write "$prefs" warningDays -int 14
    defaults write "$prefs" pwPolicy "Your password needs to be at least 8 characters long and cannot be a password you've used previously."
    defaults write "$prefs" selectedBehaviour -int 2
    defaults write "$prefs" prefsLocked -bool true
    # The policy runs as root, so hand the plist back to the user.
    chown "$user" "$prefs.plist"

For ADPassmon to be persistent, use these Launch Agent settings.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>org.pmbuko.ADPassMon</string>
        <key>LimitLoadToSessionType</key>
        <string>Aqua</string>
        <key>Program</key>
        <string>/Applications/ADPassMon.app/Contents/MacOS/ADPassMon</string>
        <key>RunAtLoad</key>
        <true/>
        <key>KeepAlive</key>
        <true/>
    </dict>
    </plist>

dmw3
Contributor III

Does anyone have ADPassMon working with 10.11.5?

Logs show that it launches but then does nothing, version 2.20.19 of ADPassMon, noticed this now on a number of 10.11.5 computers, both Laptops and Desktops.

Jens_Mansson
New Contributor

You need to update ADPassmon to 2.20.20; we had the same issue, as it shows values that are way off reality. If you have ADPassmon as persistent then it works with a silent installation, but the Mac needs to be restarted for the new version to take effect.
v.2.20.20

betty02
New Contributor II

I tried ADPassMon installed from AutoPkgr. I haven't sent it further than my test base at the moment; I ran the package and it sent fine, but they asked for admin credentials to open the app, which was the first annoyance, and then I have never been able to get it to update the keychain!

Maybe that's because I thought it was automatic, so when they reset through ADPassMon it would update the keychain? Possibly where I've gone wrong! Still need to get it past the admin credentials first!

itupshot
Contributor II

The one that always gives us a problem is that darned "Local Items" keychain. We have been testing ADPassMon with settings similar to @Jens.Mansson, and it seems to be working.

But, as everyone else has said, education is key.

ericbenfer
Contributor III

The Apple Professional Services team has developed a tool called Enterprise Connect.
It can help to prevent Keychain challenges.
It is discussed at length in this JAMF Nation post: https://jamfnation.jamfsoftware.com/discussion.html?id=17757

An Enterprise Connect Demo is scheduled for next week.
Thursday, June 2, 2016
2:00 pm | Eastern Daylight Time (New York, GMT-04:00) | 1 hr

Register
After your request has been approved, you'll receive instructions for joining the meeting. Note: if the Registration site asks for a meeting #, use: 740 248 728

Jens_Mansson
New Contributor

@ericbenfer so this is where you advertise a product that should be standard but cost 5500$ ? .....

dprakash
New Contributor III

@itupshot as far as I'm aware ADPassMon won't help with the local items keychain. You should join the #adpassmon Slack channel.

ooshnoo
Valued Contributor

We use ADPassMon as well, but users are stupid. So if all else fails, I have a policy in Self Service that runs a script to delete their keychain files and automatically reboot. Yes, this may delete all their saved passwords, but that's what they get for being stupid enough to not manage their password correctly.

Maxalot
New Contributor III

ADPassMon is no longer maintained on GitHub. Is there a .dmg file for it?

Update: This was buried pretty deep but I found a dmg...

https://github.com/macmule/ADPassMon/releases/tag/2.20.19

mm2270
Legendary Contributor III

@Maxalot You may want to look at some newer tools like NoMAD, which is more or less a replacement for ADPassMon, among other things. NoMAD has additional functionality that you may or may not need to use, but I would at least take a look at it rather than using something that isn't being updated anymore. As far as I know, ADPassMon is EOL'd so come new OSes it may stop working. That likely won't happen with NoMAD.

Maxalot
New Contributor III

Thanks @mm2270 I would love to use NoMAD but that's not my decision. So I have to use what I can wrangle together on my own. Sometimes when people see things going well and then suddenly an app breaks and they have no choice but to replace the broken app, that's when they make a favorable choice. Sad but true.

LovelessinSEA
Contributor II

We were constantly having issues with our AD-bound Macs and mobile accounts in our mixed macOS and Windows environment. FileVault/keychain/user passwords would get out of sync when a user changed their password, especially if they changed their network password on their Windows machine, if they have one.

We went the Enterprise Connect route and now use local accounts. The switch has been incredibly smooth and we've not seen nearly as many issues with passwords.

I agree that $5500 is pricey for what the product is, but realistically, you're not paying for the software, you're paying for the 2 day onsite jumpstart for EC. We went with EC because they have enterprise support.

chris_miller
Contributor

@LovelessinSEA Have you guys had your users' passwords expire yet? We use local accounts with EC and are about to hit that time. Wondering how this will work. Most users will change on their Macs at work; that seems to go well. It's the users who change via our portal and then try to log in to the Mac before it can connect to our DCs in our org. Using the old password might confuse them.