Sierra AD Account Lockout when setting up iCloud

NowAllTheTime
Contributor III

I have an AppleCare enterprise case open for this, but just curious if anyone here is experiencing the same thing:

When you are logged into a mobile account on an AD bound Mac and go to set up iCloud, the currently logged in network account will get locked out as soon as they attempt to provide a password when prompted to provide an admin password to complete the iCloud setup. The iCloud setup will "fail" but then the services seem to work anyway, but then if you unlock the network account it will lock again shortly after that as long as you stay signed into iCloud.

Been seeing this behavior for a few weeks, but wanted to wait until public release to discuss it here. Behavior has persisted through dev preview 8, and both GM builds (the second of which is the same as the final public build released today).

2 ACCEPTED SOLUTIONS

NowAllTheTime
Contributor III

WE DID IT! Finally! I can't believe they actually included details about this bug in the release notes; I thought for sure the issue would fall under the "improves the stability..." umbrella. Thanks to everyone who opened a case and helped bring attention to it!

https://support.apple.com/en-us/HT207462


dgreening
Valued Contributor II
210 REPLIES

eosrebel
New Contributor III

Thanks for opening up the case as I noticed this last night but couldn't pinpoint what the culprit was. I'll be interested to see what their response is.

emax
New Contributor III

I believe I was experiencing something similar with the Sierra GM:

My machine isn't bound to AD or a directory, the account in question is local.

Shortly after setting up iCloud, the user account associated with the iCloud setup would be locked out. First symptom was the wake from sleep screen save lock. All password attempts would fail.

After forcing a reboot, the user account no longer appears in the pick list of active users. Logging in as local admin shows the user account is still listed in the Users & Groups System Preferences pane.

My only solution was to delete the user account, preserving the home directory, then recreate the account using the same username/password. This enabled me to log back in, but the problem would return.

Eventually, I migrated the user home directory to a new machine, only to have the same problem pop up. Finally, I did the account rebuild dance, but trashed the ~/Library. Problem went away and I was able to configure iCloud without problems.

HTH.

NowAllTheTime
Contributor III

Glad to hear it's not just me @eosrebel (but not glad you are having problems of course).

Hmm, interesting @emax. So, issue may not necessarily be isolated to network accounts, and the network account lockout is just a consequence of a more localized issue.

First response from engineering is that they are in the process of attempting to reproduce the issue, so we'll see where things go from here. If we come up with a non-software update related solution/workaround that Apple is OK with me publishing then I'll definitely share it here.

If anyone else with an AppleCare OS Support account is having this issue I encourage you to also open a case so we can get some extra eyes on this.

eosrebel
New Contributor III

@jasonaswell I did some more experimenting and found that the issue only pops up if the AD bound machine has an iCloud account logged in at the time of starting the upgrade process. If I log out of iCloud before the upgrade and then log back in to iCloud after the upgrade things go fine.

mconners
Valued Contributor

@eosrebel what happens when you log out of iCloud? Aren't you asked to remove everything on your Mac that was part of iCloud? I am concerned that there could be a lot of users who lose their files in the process. All those documents, photos and so forth kind of scare me a bit if I were to lose them personally.

eosrebel
New Contributor III

@mconners Yes it does, but it retained copies in iCloud that were resynced to the device when I logged back in. In my org we don't use iCloud a whole lot so this is a minimal impact issue for us, but should honestly be covered by the standard "back up your data before upgrading" boilerplate warning.

mapurcel
Contributor III

I am seeing this as well, with the iCloud setup throwing several bad password attempts (AD) when I first attempt to log in.

NowAllTheTime
Contributor III

--duplicate post--

mconners
Valued Contributor

I've updated last night without disabling iCloud on my rMBP and everything worked fine. There are some typical new release things that I thought would be fine. Wireless constantly struggles from waking up to find a network. My thunderbolt display was recognized by the laptop without a restart. So far so good though.

andyinindy
Contributor II

Just wanted to add a +1 to this thread; we are also seeing the issues with AD lockouts on Sierra with systems that are signed into iCloud. In our case, the systems are locked out automatically after the upgrade, without user interaction.

We are also going to open an AppleCare case for this issue; I'd suggest that anyone else who is experiencing the issue do the same.

petewann
New Contributor

I do not have AppleCare, but I'll +1 this as well. On my AD-bound MBP, I did an in-place upgrade while signed into my iCloud account (I never would have thought to sign out), and I started experiencing AD lockouts. I don't remember even one of those happening on El Capitan except when I messed up my password.

mconners
Valued Contributor

The only experience I had was the following day after my update to Sierra. I had some strange login issues with Outlook. Since I sit in the client services area, I asked a fellow helpdesk colleague. I was locked out of my account, but after resetting the account in AD, I have had no further issue. Very strange indeed. This indeed is an issue.

NowAllTheTime
Contributor III

Engineering has confirmed the issue exists with local accounts, and consequently mobile accounts are affected, and since mobile accounts are affected the respective AD account will be locked as well. They don't currently have any suggested workarounds or a concrete timetable for a fix, but they are aware of the problem and are actively working on a solution.

Unfortunately I don't have any additional info to offer at this point, but this at least confirms that it's a known issue, and that there are a growing number of cases being logged against this (thanks to all here who have done so!). Hopefully those cases create a greater sense of urgency to push a fix.

dgreening
Valued Contributor II

<kicks the Sierra can down the road>

camsoft2000
New Contributor

I'm glad I found this post as I thought it was just me with this issue. I have exactly the same issue: after trying to log in to my iCloud account on Sierra on a machine with AD accounts, it asks for the system password, which it rejects. On cancelling the dialog the machine no longer accepts my AD or Keychain passwords, and rebooting does not fix this issue, though oddly, after leaving the machine idle for around 1 hour, my login works again. Trying the iCloud login again and the problem repeats.

mbezzo
Contributor III

Yep, I'm seeing this as well, as are the few users I have currently testing. It seems to no longer be an issue after the first or second AD account lock.

Super weird.

dpodgors
Contributor

Any updates? We are batting 1000 on this one. My pilot group are all running (begrudgingly) w/o being logged into the iCloud.

NowAllTheTime
Contributor III

No updates at this point. Engineering requested some logs and an EDC and said they'd reach back out if they arrive at any solutions or workarounds. That was on 9/29 and haven't heard anything further :(

Pascal_Sherman
New Contributor

I'm on 10.12.1 Beta (16B2338c) and haven't experienced this issue at all. Maybe they've fixed it for the next release. Would be curious for someone else to try who had the issue to see if the 10.12.1 beta fixes it.

dpodgors
Contributor

One of my engineers has had the same success with 10.12.1 Beta. He was also able to do the watch unlock too (which he couldn't). We are still testing, but it does look promising.

NowAllTheTime
Contributor III

Just a follow up, beta 10.12.1 (build 16B2338c) still causes this issue in our environment. So, I'm unfortunately not having the same positive outcomes with the beta yet.

Kaltsas
Contributor III

@jasonaswell do you have replication instructions? I have only done limited Sierra testing (currently held back by our ancient versions of McAfee software in production) but if I can replicate I will open a case with AppleCare.

NowAllTheTime
Contributor III

@Kaltsas Here are the steps from our current case:

"When logged into an AD bound Mac running Sierra with a mobile account with a local home folder, the AD account of the logged in user will lock out when attempting to set up iCloud in System Preferences. This occurs at the step of the iCloud setup process where it prompts for the local admin credentials (those credentials being the current user if they have admin privileges).
It immediately rejects the network password, and then the network account is locked due to multiple failed password attempts, even if the user has only made one actual attempt in the GUI (often when no attempts have been made yet). iCloud setup says that it has failed, but seems to work anyway. But even after getting the network account unlocked, it is quickly locked again from failed password attempts coming from the IP of the Mac being used."

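The symptom quoted in the case above is a burst of failed authentications for one network account coming from one Mac's IP, which is exactly what a domain lockout policy keys on. The POSIX shell script below is an added example, not from this thread or from Apple; it runs the kind of per-user, per-source failure count a helpdesk could use to spot an affected Mac from an authentication log export before users report lockouts. The log lines, their `AUTH_FAIL`/`AUTH_OK` field layout and the threshold of 3 are all constructed assumptions for the example; a real domain controller or macOS log would need its own field extraction.

```shell
#!/bin/sh
# Added example (not from the thread): count failed network-account logins per
# user and source address in a log excerpt and flag any pair that reaches the
# domain lockout threshold, i.e. the pattern the thread describes (repeated bad
# attempts from one Mac's IP with no user interaction).

LOCKOUT_THRESHOLD=3   # ASSUMED domain policy for this example; use your own

# CONSTRUCTED sample log (not real DC or macOS output): timestamp, result, user, source IP.
# "jdoe" fails three times from 10.1.2.3 (would be locked); "asmith" fails once.
SAMPLE_LOG='2016-09-20T10:01:02 AUTH_FAIL user=jdoe src=10.1.2.3
2016-09-20T10:01:03 AUTH_FAIL user=jdoe src=10.1.2.3
2016-09-20T10:01:05 AUTH_OK user=asmith src=10.1.2.9
2016-09-20T10:01:07 AUTH_FAIL user=jdoe src=10.1.2.3
2016-09-20T10:02:00 AUTH_FAIL user=asmith src=10.1.2.9'

# count_failures: read log lines on stdin, print "user source count" for every
# user/source pair that had at least one AUTH_FAIL, sorted by user.
count_failures() {
    awk '$2 == "AUTH_FAIL" {
            sub(/^user=/, "", $3); sub(/^src=/, "", $4)
            n[$3 " " $4]++
         }
         END { for (k in n) print k, n[k] }' | sort
}

# flag_lockouts: read log lines on stdin, print only the user/source pairs whose
# failure count reached the lockout threshold (the Macs worth looking at first).
flag_lockouts() {
    count_failures | awk -v t="$LOCKOUT_THRESHOLD" '$3 >= t'
}

# Stand-alone run over the constructed sample: prints "jdoe 10.1.2.3 3"
printf '%s\n' "$SAMPLE_LOG" | flag_lockouts
```

Pipe a real export in place of `SAMPLE_LOG` (`cat export.log | flag_lockouts`) after adjusting the field positions in `count_failures` to the export's layout; grouping by source address is what separates a Mac generating background failures from a user simply mistyping a password.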
davidmundt
New Contributor III

We are having the same issues with beta 10.12.1 build 16B2333a

I have not tested this theory, but since iCloud is causing this, would it make sense to log out of iCloud and leave it logged out?

dgreening
Valued Contributor II

Interesting thought: with the new iCloud Configuration Profile options in 9.96, there is an option for "Allow use of iCloud password for local accounts". It looks like the preference domain for this is "com.apple.preferences.users". I have this profile applied (with this setting and docs/data disabled) on my primary machine, and have yet to see an iCloud lockout of my AD account since having this on my machine.

UPDATE: Applied that setting to my test Mac and still got locked out when signing into iCloud...

davidmundt
New Contributor III

I have the same password for iCloud and AD, so on my Mac AD does not lock out... I updated a test Mac to Sierra and upon seeing the 'Change iCloud Password' box I typed a new iCloud password and AD was locked out...

I noticed that even when entering a new iCloud password my iCloud password was not changed in iCloud.

dgreening
Valued Contributor II

I heartily encourage those of you who are seeing this issue and have AppleCare agreements to submit a ticket and an impact statement.

Kaltsas
Contributor III

I was able to replicate and filed a case @dgreening @jasonaswell

mlavine
Contributor

I have encountered this issue as well.

dgreening
Valued Contributor II

Doubts are rising that a fix for this is going to make it into 10.12.1...

Those of us going to the Apple Enterprise event at JNUC, please keep this issue (and the Sierra auto-download fiasco) in mind for talking points.

mrice
New Contributor II

Anybody been able to replicate the issue on 16B2548a that came out today?

NowAllTheTime
Contributor III

Issue persists in 16B2548a. I've reported that up through our case as well. Engineering expects this to be addressed in "an" update, but can't say which one yet :/

CGundersen
Contributor III

I can confirm I'm seeing this issue on my Sierra machines (16A323). Luckily we have generally moved away from AD binding here with only a few hold-outs (myself included; AD, I just can't quit you). Luckily NoMAD is looking pretty nifty. We don't have Enterprise support anymore ...

I dealt with AD issues through the entire Yosemite release cycle ... Enterprise support checked back in with me when El Capitan was out to see if that OS fixed issue (it did).

dgreening
Valued Contributor II

Unfortunately AD is here to stay in many many MANY enterprise environments, so Apple needs to get with it if they want businesses to keep buying their computers. While I appreciate that things tend to work better WITHOUT AD, it's just not acceptable for Apple to consistently not thoroughly test AD integration in macOS/X.

mlavine
Contributor

Is the problem still occurring for you guys when you have iCloud Keychain turned off?

I noticed that disabling iCloud Keychain would get me 2 bad password attempts and re-enabling would get me 1 more, thus locking me out, but disabling and re-enabling other services wouldn't cause bad password attempts on my AD account.

I also think the issue has stopped with iCloud Keychain disabled. I hope I'm not speaking too soon when I say that.

dgreening
Valued Contributor II

I just scoped a config profile set to not allow iCloud Keychain to my test box which I am reimaging currently. I'll see if that does away with the lockout.

Update: even with iCloud Keychain disallowed via Config Profile my account still got locked out when I signed in to a reimaged Sierra Mac with my Apple ID.

PAC
Contributor

I updated to OS X 10.12.

When I updated:
I had iCloud enabled
Keychain is not enabled
iCloud and AD accounts have different passwords.

I am not getting locked out.
But my login window now does not allow me to log in as another user. It just gives me the option to put in my password for the last account that was logged in. The login window does not look like the normal AD bound login screen.

Not sure if this is related.

mlavine
Contributor

@dgreening I realized shortly after I posted my comment that, yes, my account was still getting locked out as well, even with iCloud Keychain disabled. I also tried signing out of my iCloud account and signing back in and the problem persisted.

mlavine
Contributor

I think the lockouts have to do with Kerberos authentication. How do I turn on Kerberos logging so I can test my theory? The commands listed under the man page for "heimdal_debug" use syslog, a deprecated command that doesn't work on Sierra anymore due to the new logging system.