- Jamf Nation Community
- Products
- Jamf Pro
- M1 Active Directory authentication issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
M1 Active Directory authentication issue
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β09-03-2021 05:23 AM
We're in the process of configuring multiple new M1 iMacs for deployment to our computer labs. Previously, we had successfully deployed plenty of Intel Macs and they are all bound to Active Directory via configuration profile and they have no trouble logging in with domain accounts. On the new M1 iMacs however, the AD bind appears to be successful, the settings appear correct on the Mac and the object appears in ADUC but no users are able to authenticate. It simply shakes and rejects the password. Interestingly, the domain controller logs show successful logins and do not report any failures. I have tried removing the configuration profile and binding the M1 iMac manually and I get the same results. We set our computers to create mobile account at login without requiring confirmation and we have packet signing and packet encryption both set to require although I have also tried setting them to allow which did not make any difference. We have the search policy set to all domains. Also, I do see the keychain entry for the computer account credentials. I tried the following command which did successfully locate my account in AD and add it to the list of users in system prefs but would not accept the password:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -a <LocalAdminAccount> -U <'LocalAdminPassword'> -n <DomainUserAccount>
dscacheutil -q user -a name <DomainUserAccount>
login <DomainUserAccount>
Anyone else come across anything like this?
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β09-03-2021 07:54 AM
It sounds dumb, but do you have rosetta install on the machines yet? Our machines weren't able to connect to AD at all until we found rosetta to be the culprit. Same thing you were seeing with no errors being thrown at all.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β09-03-2021 10:12 AM
I was hoping that may have been it but it does seem like our rosetta installation is working. We've been deploying a policy that runs "softwareupdate --install-rosetta --agree-to-license" once per computer. The output does produce a strange error but then claims installation was successful. it says:
"softwareupdate[16792:139581] Package Authoring Error: 071-78710: Package reference com.apple.pkg.RosettaUpdateAuto is missing installKBytes attribute
Install of Rosetta 2 finished successfully"
I ran the command again and confirmed some older apps work and system report shows intel architecture apps so I'm assuming its working correctly. Still can't log in against AD though. Doesn't make any sense.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β10-04-2021 02:07 AM
same here, new iMac's M1 in the Lab. 8021x Profile, Maschine is @the AD. Users cant login. Passwort not acceptet.
After a restart -----> it works
Any Ideas here ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β10-04-2021 06:20 AM
I found a workaround for now but it doesnt make much sense. I normally bind all Macs and PCs to one of our child domains which has global catalog enabled and can search all subsequent child domains as well as the root of the forest and whatever else. On these new Macs, I found that if I bind specifically to the top level, it can search all child domains but when binding to the usual child domain, I can only authenticate upwards. I would like to pin this on the M1 Mac but we dont have any new intel machines coming in anymore and I was thinking it might possibly be a DNS issue either on our end or with Big Sur or some mix of the 2. I have a ticket open with Apple Enterprise support but they seem to be stumped as well.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β12-23-2021 02:46 AM
Could you please share the ticket number? We have the same issue with all M1 MacBooks no matter if macOS Big Sur or macOS Monterey 12.1 installed. Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β02-11-2022 08:03 AM
I've recently set up both intel and M1 machines, this has only happened on M1 machines.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β02-11-2022 08:08 AM
One work around that we have found is instead of using the users username to log in (ie 'jsmith') we can sometimes get by using the full name of the user (ie 'John Smith'). One other thing to note is sometimes we need to use an old password. I think we are pulling M1's from AD for now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on β02-11-2022 08:14 AM
I have tested with macOS 12.3 Beta 2 the last two days and the issue seems to be fixed with this macOS version.
