Sierra AD Account Lockout when setting up iCloud

NowAllTheTime
Contributor III

I have an AppleCare enterprise case open for this, but just curious if anyone here is experiencing the same thing:

When you are logged into a mobile account on an AD bound Mac and go to setup iCloud, the currently logged in network account will get locked out as soon as they attempt to provide a password when prompted to provide an admin password to complete the iCloud setup. The iCloud setup will "fail" but then the services seem to work anyway, but then if you unlock the network account it will lock again shortly after that as long as you stay signed into iCloud.

Been seeing this behavior for a few weeks, but wanted to wait until public release to discuss it here. Behavior has persisted through dev preview 8, and both GM builds (the second of which is the same as the final public build released today).

2 ACCEPTED SOLUTIONS

NowAllTheTime
Contributor III

WE DID IT! Finally! I can't believe they actually included details about this bug in the release notes; I thought for sure the issue would fall under the "improves the stability..." umbrella. Thanks to everyone who opened a case and helped bring attention to it!

https://support.apple.com/en-us/HT207462


dgreening
Valued Contributor II

perrycj
Contributor III

Received this update this morning on my open case with Apple:

Our Product Engineering team is currently working on the fix of this issue and once I receive the confirmation from them and the beta version is available for testing, I will followup with you and let you know as soon as possible.

So hopefully soon.

tkimpton
Valued Contributor II

Got the same response yesterday from Apple

donmontalvo
Esteemed Contributor III

Opened a bug report a couple weeks ago and included this Apple forum thread that many of us posted to.

--
https://donmontalvo.com

hkabik
Valued Contributor

Using Touch ID and "allow to unlock your mac" with the new Machines seems to trigger the same event...

https://www.jamf.com/jamf-nation/discussions/22372/new-mbp-with-touch-id-ad-lockouts

perrycj
Contributor III

Beta 6 has been released. I will test as soon as it shows up as an available update.

perrycj
Contributor III

Problem seems to persist in Beta 6 as well. Unfortunate.

Kaltsas
Contributor III

Beta 6 locked during the upgrade, locks tickling iCloud. Screen Locks still slowly increment unsuccessful login attempts. No change in behavior. Sent a note off to AppleCare.

mrice
New Contributor II

Apple suggested to me that it would be fixed in 10.12.3, but no guarantee. My guess would be late Jan.

tep
Contributor II

I had a call with Apple on Friday, and they all but confirmed that 10.12.3 fixes it.

donmontalvo
Esteemed Contributor III

Hmmm...see first line item on the 10.12.2 Combo Update...

  • Improves setup and reliability of Auto Unlock
  • Allows addition of a Chinese Trackpad Handwriting button to the Touch Bar Control Strip
  • Adds support for taking screenshots of the Touch Bar using the Grab app or Cmd-Shift-6 shortcut
  • Fixes an issue that caused the Touch Bar emoji picker to appear on the display
  • Resolves graphics issues on MacBook Pro (October 2016) computers
  • Fixes an issue where System Integrity Protection was disabled on some MacBook Pro (October 2016) computers
  • Improves setup and opt-out experience for iCloud Desktop and Documents
  • Fixes an issue with the delivery of Optimized Storage alerts
  • Improves audio quality when using Siri and FaceTime with Bluetooth headphones
  • Improves the stability of Photos when creating and ordering books
  • Fixes an issue where incoming Mail messages did not appear when using a Microsoft Exchange account
  • Fixes an issue that prevented installation of Safari Extensions downloaded outside the Safari Extensions Gallery
  • Adds support for new installations of Windows 8 and Windows 7 using Boot Camp on supported Macs
--
https://donmontalvo.com

Njofrekk
New Contributor II

Yup, they've made improvements alright. I got my AD account locked right after 10.12.2 update. This is the first time this kind of lockout has happened to my Mac after an OS update.

perrycj
Contributor III

The fix isn't in 10.12.2. I've been told January and most likely 10.12.3.

Speaking of 10.12.3, the first beta is out now. I'll see if I can test it today for the lockout issue.

jhuls
Contributor III

@Njofrekk Yup, same here! I had the problem when Sierra first came out and then it mysteriously stopped. I really don't know why it had stopped but just after this update, it came back again. I restarted and it seems to have stopped again for now. Apple really needs to get this figured out...it's maddening to deal with.

Kaltsas
Contributor III

macOS 10.12.3 Beta 1 (16D12b) did not lock my test account during the upgrade and I have been rebooting and fiddling with iCloud for 10 minutes with no lockout. There is hope! Also this beta dropped fast after 10.12.2 so maybe it's fast tracked for quick release.

NowAllTheTime
Contributor III

Apple recommended I try this build shortly after it dropped, and now I can also confirm based on my testing that the issue seems to be resolved in 10.12.3 beta build 16D12b. No failed password attempts thrown at login, iCloud Preference Pane sign in, or display lock and unlock. After so many previous beta builds from 10.12.1 through 10.12.2 not making any difference I have to say that I was shocked to see my badPwdCount finally stay at 0.

Nice job Apple; hopefully this stays fixed through production release (fingers crossed emoji).

ehemmete
New Contributor II

I can also report the beta seems to have solved my related issue with local password policies. I too was very happy to see failedLoginCount: 0 when I rebooted after the update! Will continue to test, but looking good.

Bhughes
Contributor

I too can confirm that 10.12.3 beta seems to have fixed the account lockout issues.

tep
Contributor II

10.12.3 seems to fix the issue in my shop too!

dgreening
Valued Contributor II

10.12.3b1 appears to have fixed this in our environment as well! w00t w00t!

philburk
New Contributor III

I just want to pile on with the confirmations. I installed 12.3 Beta 1 yesterday afternoon and ever since, failedLoginCount has displayed zero. I dump it every minute to a log file. Looks good.

Hopefully we won't have to wait too long for this update to go live.

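Several posts above (NowAllTheTime, ehemmete, philburk) judge a build by watching badPwdCount on the domain controller or failedLoginCount on the Mac. As an added example that is not from any poster in this thread, here is one way to sample the local failedLoginCount that macOS keeps in the user's accountPolicyData attribute and append it to a log, so a lockout in progress shows up before AD trips its threshold. The parser works on the plist text that `dscl . -read /Users/<user> accountPolicyData` prints; the sample plist in the block is constructed for illustration, not real output, and the log path and user name are placeholders.

```bash
#!/bin/bash
# Added example, not code from the thread. Samples the local failed-login
# counter for a (mobile) account and appends it to a log file.
# Assumptions: the account lives in the local node (true for AD mobile
# accounts) and the attribute is a plist with a failedLoginCount integer.

# Extract failedLoginCount from accountPolicyData plist text on stdin.
# Prints 0 when the key is absent (a fresh account has no counter yet).
failed_login_count() {
    local n
    n=$(awk '
        /<key>failedLoginCount<\/key>/ { want = 1; next }
        want && match($0, /<integer>[0-9]+<\/integer>/) {
            s = substr($0, RSTART, RLENGTH)
            gsub(/<\/?integer>/, "", s)
            print s
            exit
        }
    ')
    printf '%s\n' "${n:-0}"
}

# Live read for one local user (macOS only; needs root to read other users).
user_failed_login_count() {
    dscl . -read "/Users/$1" accountPolicyData 2>/dev/null | failed_login_count
}

# Append one timestamped sample; run it from a LaunchDaemon or a loop.
log_once() {
    local user=$1 logfile=$2 count
    count=$(user_failed_login_count "$user")
    printf '%s %s failedLoginCount=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$user" "$count" >> "$logfile"
}

# Constructed sample of what `dscl . -read /Users/<user> accountPolicyData`
# prints, trimmed to the keys that matter here. Not captured from a real Mac.
SAMPLE_POLICY_DATA='accountPolicyData:
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>failedLoginCount</key>
	<integer>3</integer>
	<key>failedLoginTimestamp</key>
	<real>505000000.0</real>
</dict>
</plist>'

# Usage: adlockout-monitor.sh <username> [logfile]
if [ -n "${1:-}" ]; then
    log_once "$1" "${2:-/var/log/adlockout.log}"
fi
```

A counter that climbs while the user is idle (screen locked, nothing typed) is the signature described in this thread; an entry that resets to 0 after a reboot matches jhuls's observation above. The script reads only the local attribute, so it cannot tell you what the domain controller has already counted; for that, check badPwdCount on the DC.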
sjit
New Contributor

Does anyone know where I can get the 10.12.3 beta? Two of my users are having the same issues. Thanks.

Kaltsas
Contributor III

You need to have a registered developer account or be in the AppleSeed program.

dgreening
Valued Contributor II

@sjit I would not apply beta builds to general population users... for IT eyes only!

donmontalvo
Esteemed Contributor III

Pretty sure Apple's NDA prohibits non-participants from installing the Beta. However, Apple Enterprise have blessed applying a Beta build on an affected user, for troubleshooting purposes. The caveat was to clone the affected computer so it isn't a production/business use computer.

--
https://donmontalvo.com

sjit
New Contributor

So it looks like even after I signed out of iCloud services, one of my users still keeps on getting locked out. I did notice iMessage is still signed in even after I signed out of iCloud. Should I sign out of that as well? Other than this, I really can't figure out what is triggering the lockout.

vyang07
New Contributor

Also ran 10.12.3 beta. It is working. No bad password counts. Can't wait for the update. :-)

jalcorn
Contributor II

When is this update coming out?

NowAllTheTime
Contributor III

@jalcorn most of us with open cases have been told we will probably see the update in January, but even with that I've been told that's not a guarantee. I imagine (this is pure speculation based on past experiences, not inside knowledge, so I could be entirely wrong) that we'll see at least 1 or 2 more beta builds before a GM public release of 10.12.3.

bret_martin
New Contributor

While we wait for a public 10.12.3 release, has anyone found an effective workaround for this problem? I've tried the "Do not require Kerberos preauthentication" setting on AD accounts without luck.

Thanks to everyone who has contributed to this thread, to help work through a frustrating issue!

hkabik
Valued Contributor

Honestly I just created an "Un-bind" item in Self Service and am having users unbind until the issue is resolved. No AD connectivity, no lockouts. There is an existing "AD Re-Bind" option so they can hop back on at the drop of a hat if needed for any purpose.

davidmundt
New Contributor III

How did you create the "un-bind"?

hkabik
Valued Contributor

#!/bin/bash

# Leave the domain. -force drops the binding locally without contacting the
# domain controller, which is why placeholder credentials work; the computer
# object is left behind in AD and has to be cleaned up there.
dsconfigad -force -remove -u notarealuser -p notarealpassword

mscottblake
Valued Contributor

We created a fine-grained password policy for users in an AD security group that raises the lockout limit to 15.

bwiessner
Contributor II

A little light at the end of the tunnel?

As of 01/13/2017 - 10.12.3 will be available to users "in the coming weeks" - Consumer Reports

This update will also address the 2016 MacBook Pro battery issues.

Hold your breath a little longer!

osxadmin
Contributor II

@hkabik could you provide your script on "AD Re-Bind" that you have in self service?

thank you in advance!

hkabik
Valued Contributor

You could use the built-in bind function of the JSS for the policy, but I do use a script (altered to remove private info; if you're unfamiliar, the first half of the script provides the username and password of the bind account as encrypted strings):

#!/bin/bash

# Decrypt a value produced with the matching
# `openssl enc -aes256 -a -A -S <salt> -k <passphrase>` call. The salt and
# passphrase are fixed in the script; the ciphertext arrives as a policy
# parameter, so the credentials never appear in clear text in the JSS.
function DecryptString() {
    echo "${1}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${2}" -k "${3}"
}

# Jamf hands script parameters 4 and 5 to the script as $4 and $5: the
# encrypted bind account user name and password. 'numberstring' stands in
# for the real salt (hex digits) and passphrase.
USERNAME=$(DecryptString "${4}" 'numberstring' 'numberstring')
PASS=$(DecryptString "${5}" 'numberstring' 'numberstring')

# Bind the Mac: mobile accounts without the confirmation prompt, no UNC home
# path, SMB for the home protocol, the listed AD groups as local admins, and
# only the one domain rather than the whole forest.
dsconfigad -f -add DOMAIN.COMPANY.local -username "${USERNAME}" -password "${PASS}" \
    -computer "$(scutil --get ComputerName)" \
    -mobile enable -mobileconfirm disable -useuncpath disable -protocol smb \
    -groups "domain admins,enterprise admins,DOMAINCOMPANY IT Workstation Admins" \
    -alldomains disable

# Point the authentication and contacts search paths at the single domain
# instead of "All Domains".
dscl /Search -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains"
dscl /Search -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.COMPANY.local"
dscl /Search/Contacts -delete / CSPSearchPath "/Active Directory/DOMAIN/All Domains"
dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/DOMAIN/DOMAIN.COMPANY.local"

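The rebind script above only shows the decrypt side; to use it you also need to produce the encrypted strings that go into policy parameters 4 and 5. As an added example that is not hkabik's code, here is the encrypt side written with the same openssl flags, plus a round trip so you can confirm a value decrypts before pasting it into the JSS. The salt and passphrase are placeholders; `-md sha256` is my addition and must then be present on both sides, because openssl's default key-derivation digest has changed between versions and a blob made on one machine will not decrypt on another if the digests differ.

```bash
#!/bin/bash
# Added example, not code from the thread. Produces and verifies the
# encrypted policy parameters consumed by a DecryptString-style script.
# Assumptions: openssl is on PATH; SALT is 16 hex digits (an 8-byte salt);
# PASSPHRASE is whatever the admin chose. Both values here are placeholders.

SALT='0123456789abcdef'
PASSPHRASE='example-passphrase'

# Encrypt one string to a single-line base64 blob (-a -A), using a fixed
# salt (-S) and passphrase (-k). -md pins the digest used to derive the key.
EncryptString() {
    printf '%s' "$1" | openssl enc -aes256 -e -a -A -S "$2" -k "$3" -md sha256
}

# Exact inverse of EncryptString; same flags, -d instead of -e.
DecryptString() {
    printf '%s' "$1" | openssl enc -aes256 -d -a -A -S "$2" -k "$3" -md sha256
}

# Encrypt then decrypt; prints the recovered plaintext so a mismatch in
# salt, passphrase or digest shows up before the value is deployed.
roundtrip() {
    local blob
    blob=$(EncryptString "$1" "$SALT" "$PASSPHRASE")
    DecryptString "$blob" "$SALT" "$PASSPHRASE"
}

# Usage: make-bind-params.sh <bind-username> <bind-password>
# Prints the two blobs to paste into policy parameters 4 and 5.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    [ "$(roundtrip "$1")" = "$1" ] || { echo "round trip failed" >&2; exit 1; }
    printf 'parameter 4: %s\n' "$(EncryptString "$1" "$SALT" "$PASSPHRASE")"
    printf 'parameter 5: %s\n' "$(EncryptString "$2" "$SALT" "$PASSPHRASE")"
fi
```

Treat this as keeping the bind credentials out of casual view in the policy editor and logs, not as protecting them: the salt and passphrase sit in the script itself, so anyone who can read the script and the parameter values can recover the password. That argues for a dedicated join account with no rights beyond creating computer objects in its OU, rather than anything that is also a member of the admin groups the script grants local admin to.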
dgreening
Valued Contributor II

bwiessner
Contributor II

@dgreening

Any link to the combo update?

AVmcclint
Honored Contributor

I just confirmed that the AD account lockouts caused by putting the computer to sleep and waking up have stopped after installing 10.12.3. YAY!