Keychain password and AD lockout

Aaron
Contributor II

Hi guys,

I have an issue which I'm sure is not a first, but I have so far been unable to find a suitable workaround.

I have a bunch of Macs bound to AD, and a network proxy configured via PAC file. When users try to access the internet, they get asked for their AD credentials, it gets saved to their keychain and away they go.

The problem occurs when their password expires (every 90 days) and when they change their password, the password saved in the keychain is still the old one. And instead of trying, failing, and asking to re-enter it, it just keeps trying and constantly locks the user out of AD.

I can think of two methods to get around this, but no idea how to implement it:

1) Force the proxy to use the currently logged-in credentials at all times (this would be perfect) - although I see this as impossible, as we'd need to pass the password used on the login screen to a script to update the keychain

2) Make it so at login/logout, the proxy entry in the keychain gets zapped. When the user next logs in, they are prompted for their credentials, which are essentially saved until the user reboots/logs out. The downside to this is they would get prompted to access the keychain to remove the proxy entry, and then prompted for each application to access it all over again.

Does anyone have any experience with this kind of thing? Any ideas?
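One way to implement option 2 without deleting the whole keychain, as an added example that is not from this thread: a script run at login (via a LaunchAgent or login hook) that removes only the saved HTTP/HTTPS proxy credentials from the login keychain, so the next proxy challenge asks for the current AD password instead of replaying the expired one. It assumes the system proxy prompt stored them as internet-password items with protocol `htpx` (HTTP proxy) or `htsx` (HTTPS proxy), and uses the standard `security dump-keychain` and `security delete-internet-password` subcommands.

```shell
#!/bin/sh
# Added example (not from the thread): forget saved web-proxy credentials in
# the user's login keychain so an expired AD password is not replayed to the
# proxy until the account locks. Assumes the proxy prompt saved them as
# internet-password items with protocol htpx (HTTP proxy) or htsx (HTTPS proxy).

# Parse `security dump-keychain` text and print "server protocol account" for
# every internet-password item whose protocol is an HTTP/HTTPS proxy.
# Takes the dump as $1 so it can be exercised with constructed input.
saved_proxy_entries() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (cls == "inet" && (ptcl == "htpx" || ptcl == "htsx") && srvr != "")
                print srvr, ptcl, acct
            cls = ""; srvr = ""; ptcl = ""; acct = ""
        }
        # each item starts with a class: line; emit the previous item first
        /^class:/ { flush(); cls = $2; gsub(/"/, "", cls) }
        # attribute lines look like:    "srvr"<blob>="proxy.example.com"
        /^[ \t]*"(srvr|ptcl|acct)"<[a-z0-9]*>="/ {
            key = substr($1, 2, 4)
            val = $0; sub(/^[^=]*="/, "", val); sub(/"$/, "", val)
            if (key == "srvr") srvr = val
            else if (key == "ptcl") ptcl = val
            else if (key == "acct") acct = val
        }
        END { flush() }'
}

# Delete each matching item from the login keychain. Only acts on macOS;
# dump-keychain without -d lists attributes only, so no secrets are read.
forget_proxy_passwords() {
    [ "$(uname)" = "Darwin" ] || return 0
    saved_proxy_entries "$(security dump-keychain 2>/dev/null)" |
    while read -r srvr ptcl acct; do
        security delete-internet-password -a "$acct" -s "$srvr" -r "$ptcl" \
            >/dev/null 2>&1 && echo "forgot $ptcl credential for $srvr ($acct)"
    done
}

forget_proxy_passwords
```

Removing an item does not read its secret, so it should not raise the per-application keychain prompt mentioned above; the login keychain does still have to be unlocked, which it is after a normal login.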

4 REPLIES

jarednichols
Honored Contributor

Check out ADPassMon. It is a little menubar item that can help remind users to change their password before it expires. Not really a solution, but it might help.

Aaron
Contributor II

Thanks for the suggestion, but I don't think it's really applicable here. I've noticed (at least with Lion) when logging in with an AD account it will actually tell you your password is expiring and offer the option to change it then and there.

My problem is application passwords that use the same credentials, but saved separately in the keychain.

tkimpton
Valued Contributor II

I think you need to look at your network setup and proxy server. I think you are always going to have this problem if you are using NTLM authentication instead of Kerberos.

For other apps there is no getting around saved passwords and the lockout problem. What I do is have a Self Service AppleScript that asks the user if they want to delete their keychain, but to save work first. If they click OK then their keychain gets deleted and they automatically get logged out.

I've given up trying to explain to a creative what a keychain password is and what they are doing wrong. I can see in their eyes they have switched off immediately when they hear keychain.

This is sad but true. All they need to know is if they have problems they use Delete Keychain in Self Service.

bentoms
Release Candidate Programs Tester

I run Keychain Minder at login; if the user's keychain is locked it will prompt them to enter their old password, therefore updating it.

http://derflounder.wordpress.com/2012/07/06/keychain-minder/