Sierra AD Account Lockout when setting up iCloud

NowAllTheTime
Contributor III

I have an AppleCare enterprise case open for this, but just curious if anyone here is experiencing the same thing:

When you are logged into a mobile account on an AD bound Mac and go to setup iCloud, the currently logged in network account will get locked out as soon as they attempt to provide a password when prompted to provide an admin password to complete the iCloud setup. The iCloud setup will "fail" but then the services seem to work anyway, but then if you unlock the network account it will lock again shortly after that as long as you stay signed into iCloud.

Been seeing this behavior for a few weeks, but wanted to wait until public release to discuss it here. Behavior has persisted through dev preview 8, and both GM builds (the second of which is the same as the final public build released today).

2 ACCEPTED SOLUTIONS

NowAllTheTime
Contributor III

WE DID IT! Finally! I can't believe they actually included details about this bug in the release notes; I thought for sure the issue would fall under the "improves the stability..." umbrella. Thanks to everyone who opened a case and helped bring attention to it!

https://support.apple.com/en-us/HT207462


dgreening
Valued Contributor II

davidmundt
New Contributor III

I've become so jaded over this mess I'm skeptical! lol

but I'm glad Apple finally addressed this debacle...

jhuls
Contributor III

I had a problem on occasion with my iMac and Sierra with a non-mobile account AD config where randomly after logging in it would lock the console on me. I would enter my password and about 10 sec or so would go by and it would lock again. Rinse, lather, repeat. I never knew what was causing it and it would eventually stop after a restart or two. I had forgotten about it until I installed this update... it came back. This time, with my Apple Watch configured to unlock the station, it wasn't as annoying to unlock the system but irritating nonetheless. It locks even if I'm in the middle of typing an email and there's no way to stop it. A restart has stopped it again this time but I have no way of knowing if it's really gone for good. I'm not optimistic. This never existed previous to Sierra and occurred immediately after Sierra had been installed.

I've considered just rebuilding this iMac and configuring it with the mobile account setting to see if that improves things. I'm not sure if it's completely related to the issues reported here but figured I would mention it nonetheless.

Njofrekk
New Contributor II

"Enterprise content: Resolves an issue where network or cached user accounts (such as Active Directory accounts) using the maxFailedLoginAttempts password policy were becoming disabled."
https://support.apple.com/en-us/HT207462

Fantastic! Been waiting for this for the longest time. Kudos to the whole group for spamming Apple engineers to finally solve this problem. :)

markdmatthews
Contributor

10.12.3... "And there was much rejoicing (yaaaaaaaay)!"

bwiessner
Contributor II

10.12.3 combo update download - https://support.apple.com/kb/DL1905?locale=en_US

bwiessner
Contributor II

Also, since we are on the topic of combo updates: what are people's best practices for deploying a combo update?

A policy to cache the package and then another policy to install the cached package?

rtufo
New Contributor

Has anyone tested this to confirm? Installing now but planning to do a bunch of Apple ID/TouchID/Apple Watch unlocks to be sure the AD account isn't locked out. Hoping others can confirm in their AD controller that they are no longer receiving strikes for these logins. Thanks!

Njofrekk
New Contributor II

We have tested the update in our environment and badPwdCount stays firmly at zero. The usual Sign Out/Sign In of Apple ID in the App Store meant immediate lockout; now nothing happens. :)

pcm
New Contributor

Is this the same issue that we are seeing with 10.12.3 clients connecting to macOS Server 5.2 running on Sierra 10.12.3?

When bound to server and logged in as Network User, if the user attempts to open iCloud preferences, System Preferences stops responding and we must force quit. Applications associated with the Apple ID such as Messages and Facetime also stop responding at launch.

We have a case open with Enterprise Support; they were actually able to duplicate the issue, however their OS is a different version.

Thanks

Peter

yrs
New Contributor

I'm seeing a lockout issue with someone on 10.12.4. A newbie question: how do I verify a fix has been mapped forward?

NowAllTheTime
Contributor III

@yrs Power the target Mac on, then from another Mac on the network, SSH into it with your management account or any other SSH-enabled account. Once you are connected to the target Mac via SSH you are going to periodically run `dscl . -readpl /Users/username accountPolicyData failedLoginCount` (where username is the user that will be physically logging into the target Mac) while the user logs in to the target Mac and performs various actions, so you can watch the failedLoginCount value. This will allow you to observe at what point failed password attempts are being logged, and at what point your failed password attempt threshold that causes the lockout is hit. This will help you determine if the issue is caused by the OS, applications, user error, etc.
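The polling procedure in the reply above, written out as a small shell script. This is an added example, not code from the thread or from Apple; it assumes the `dscl . -readpl` line for the key looks like `failedLoginCount: N` (output format assumed here), and the user name and poll interval are arguments you supply. Run it on the target Mac over SSH while the user signs in, opens iCloud preferences, or signs in and out of the App Store, and correlate the timestamps of each increment with what the user was doing.

```sh
#!/bin/sh
# Added example (not from the thread): watch a user's failedLoginCount on a Mac
# and log a timestamped line every time it changes, so a bad-password strike
# can be matched to the user action that caused it.
# Assumption: `dscl . -readpl /Users/<user> accountPolicyData failedLoginCount`
# prints a line of the form "failedLoginCount: N".

# Extract the integer after "failedLoginCount:" from dscl output on stdin.
# Prints nothing if the key is absent (e.g. no accountPolicyData yet).
parse_failed_count() {
    sed -n 's/^[[:space:]]*failedLoginCount:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify the transition between the previous and current reading. Prints:
#   BASELINE  first successful reading
#   UNCHANGED no change
#   INCREMENT a new failed attempt was recorded
#   RESET     count went down (e.g. admin unlocked the account)
#   UNKNOWN   current reading could not be parsed
classify_change() {
    prev="$1"; cur="$2"
    if [ -z "$cur" ]; then echo UNKNOWN
    elif [ -z "$prev" ]; then echo BASELINE
    elif [ "$cur" -eq "$prev" ]; then echo UNCHANGED
    elif [ "$cur" -gt "$prev" ]; then echo INCREMENT
    else echo RESET
    fi
}

# Live reading for one user (macOS only; needs dscl on the target Mac).
read_failed_count() {
    dscl . -readpl "/Users/$1" accountPolicyData failedLoginCount 2>/dev/null | parse_failed_count
}

# Poll loop: prints one line per change. Interval defaults to 5 seconds.
watch_failed_logins() {
    user="$1"; interval="${2:-5}"; prev=""
    while :; do
        cur=$(read_failed_count "$user")
        state=$(classify_change "$prev" "$cur")
        if [ "$state" != UNCHANGED ]; then
            printf '%s %s failedLoginCount %s -> %s (%s)\n' \
                "$(date '+%H:%M:%S')" "$user" "${prev:-?}" "${cur:-?}" "$state"
        fi
        prev="$cur"
        sleep "$interval"
    done
}

# Usage on the target Mac (over SSH), for a user named jdoe, every 5 seconds:
#   watch_failed_logins jdoe 5
```

Lines tagged INCREMENT are the moments to compare against the user's actions and against badPwdCount on the domain controller; a RESET immediately followed by further INCREMENT lines while the user is idle points at a background service re-submitting a stale credential rather than at user error.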