M1 AD Binding Woes

New Contributor

We are needing to bind some M1 Mac Minis as well as some iMacs we purchased that will be delivered soon.

We're already seeing issues even just binding the Mac Minis.

I realize the baked-in AD integration isn't the best. We've fought with it in the past, but it's always worked.

I'm barely able to bind a test computer. 

I'm reading some people think that something about the M1s is where the problem with AD binding lies:


I get 5200 errors that it couldn't contact the authentication server.

If I look through the console the specific error is 'KDC is unreachable - unable to reach any KDC in realm __our AD domain__, tried 0 KDCs'

Time is synced. 

I've read of this workaround - 'Configuring KDC in krb5.conf' - https://github.com/Microsoft/vscode-mssql/wiki/How-to-enable-Integrated-Authentication-on-macOS-and-...

But it appears Big Sur doesn't have a krb5.conf file, it has a 'krb5.keytab' file which is different.

I was briefly able to get it bound at some point but it didn't stay bound.

We are using JAMF Connect for some use cases, but binding would be a better option for us in shared lab settings.


Contributor II


In another thread, I read that "using NoMAD Login or even Jamf Connect as a solution to AD for shared devices/labs could work."

Maybe this will help you: https://community.jamf.com/t5/jamf-pro/pros-cons-of-going-local-vs-using-a-mobile-account/td-p/23320...

They discuss the pros and cons. But to me, if you're looking for a shared workflow for a lab situation, NoMAD and Jamf Connect will help you achieve success.


New Contributor III

This is likely of limited help, but we've been binding macOS Big Sur to Active Directory without issue since launch (both on Intel and Apple Silicon). I know Microsoft had some mandatory security updates last year related to signing or LDAPS, I believe, although I'm not on the team that manages AD so I'm trying to recall what specifically that was or if it could be related. Either way though, I suspect your issue is related to something in AD / DNS, and not Apple Silicon or the krb5.conf file (we don't have that either on our devices).
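As an added example (not posted by anyone in this thread), the following Python script takes the DNS SRV answer for a realm's `_kerberos._tcp` record, which is how a macOS client discovers its KDCs, and turns it into the `[realms]` stanza that the linked krb5.conf workaround adds by hand; an empty SRV answer is exactly the state behind "tried 0 KDCs", so the script refuses to write anything in that case. The realm `corp.example.com` and the `dc1`/`dc2`/`dc3` host names are constructed placeholders standing in for the redacted domain.

```python
"""Turn a Kerberos SRV answer into a krb5.conf [realms] stanza, or explain why not."""
import re
from typing import List, Tuple

# Constructed sample in the layout printed by
#   dig _kerberos._tcp.<realm> SRV +noall +answer
# Run that command against your own realm and paste the output here.
SAMPLE_SRV_ANSWER = """\
_kerberos._tcp.corp.example.com. 600 IN SRV 0 100 88 dc1.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 0 50 88 dc2.corp.example.com.
_kerberos._tcp.corp.example.com. 600 IN SRV 10 100 88 dc3.corp.example.com.
"""

# priority, weight, port and target host, with the trailing DNS dot made optional
SRV_RE = re.compile(r"IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")


def parse_srv(answer: str) -> List[Tuple[int, int, int, str]]:
    """Return (priority, weight, port, host) tuples in the order a client would try them."""
    records = []
    for line in answer.splitlines():
        m = SRV_RE.search(line.strip())
        if m:
            prio, weight, port, host = m.groups()
            records.append((int(prio), int(weight), int(port), host))
    # RFC 2782: lowest priority first; within a priority, higher weight is preferred
    return sorted(records, key=lambda r: (r[0], -r[1]))


def realm_stanza(realm: str, records: List[Tuple[int, int, int, str]]) -> str:
    """Build the [realms] block the workaround puts in /etc/krb5.conf."""
    if not records:
        # No KDCs discovered: this is the 'tried 0 KDCs' condition. Editing
        # krb5.conf will not help until DNS returns the SRV records.
        raise ValueError(f"no SRV records for realm {realm}; fix DNS before editing krb5.conf")
    lines = ["[realms]", f"    {realm.upper()} = {{"]
    for _prio, _weight, port, host in records:
        suffix = "" if port == 88 else f":{port}"  # 88 is the Kerberos default port
        lines.append(f"        kdc = {host}{suffix}")
    lines.append("    }")
    return "\n".join(lines)


if __name__ == "__main__":
    print(realm_stanza("corp.example.com", parse_srv(SAMPLE_SRV_ANSWER)))
```

If the script raises instead of printing a stanza, the client has nothing to contact and the fix belongs in DNS (or the Mac's resolver configuration), which matches the AD / DNS suspicion above.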