Slow User Account Login on AD bound Macs w/ Wifi on, not connected to AD network.

ArthurZ
New Contributor II

Hi jamf Nation friends,

I've been seeing slow user account logins, even local admin user accounts, on AD bound Macs with wifi on and not connected to the AD network. Logins can take up to 3 minutes. With wifi off, no ethernet connection, user accounts login under 25 seconds.
I tried all manner of troubleshooting including deleting wifi network entries, creating a new location, etc...
This anomaly started happening after upgrading Macs to macOS 10.12.2.
Anybody else seeing this issue?
Please let me know.

Thanks in advance, az

15 REPLIES

scentsy
Contributor

In your troubleshooting, have you tried removing it from AD, removing the Jamf binary, rebooting, and re-enrolling the device?
Also, what version of JSS do you have?

ArthurZ
New Contributor II

Hi scentsy,

No Jamf binary is deployed.
I unbound from AD, ensured there is no computer record in AD, rebooted, bound to AD again. No change.
I also tried adding a different network location to no avail.

az

scentsy
Contributor

Got it.
My bad, I assumed you were using "Casper Suite" (Jamf Pro) to manage your Mac devices.

I'm no expert in this area, but make sure your NTP server is correct on your Mac devices.
Also, when you go to Users & Groups -> Login Options -> Edit (Network Account Server), can you see your Active Directory Domain (without any issues)?
And inside "Directory Utility" -> Search Policy -> Authentication, do you see your Active Directory Domain (along with "All Domains")?

Unfortunately, on our Macs it takes about 40-55 seconds to communicate with our domain; if it's outside the domain, after 40-55 seconds it uses the cached credentials.

ArthurZ
New Contributor II

Hi scentsy,

NTP Server: using the default, apple.time.com in System Preferences/Date & Time/Date & Time.
Active Directory Domain is green.
Search policy is visible, All Domains.

Problem is with latency (up to 3 minutes) when logging in to local accounts with an AD, domain joined Mac not connected to the Active Directory network.

az

jared_f
Valued Contributor

@arthurmzee We haven't seen any slow logins. Have you tried wiping and re-imaging the machines? Has anything changed inside your environment? When having issues binding to our OD server, we ran Maintenance scripts and rebooted, which seemed to fix our issues. This is the software we used (we had all boxes checked).

http://www.titanium.free.fr/maintenance.html

Jared

jared_f
Valued Contributor

Also, make sure that you wipe out any old network account home folders. You can do this by going to Go > Computer > Macintosh HD > Users and delete any that aren't needed.

ArthurZ
New Contributor II

Hi jared_f,

I tried all your suggestions to no avail.
If I turn off the wifi before shutting down or restarting, logging in to local user accounts on AD bound Macs happens quickly.
However, if the wifi is on, not connected to the AD network, it takes a couple of minutes to log in to a local user account on an AD bound Mac.

Thank you for your suggestions, az

millersc
Valued Contributor

Are these first time logins to the device or recurring logins that are slow?

We see slow login on first time login for any AD bound mac and mobile accounts. Any login afterwards is usually under 30 seconds.

Josh_Smith
Contributor III

ArthurZ
New Contributor II

Hi millers, These are recurring logins.

Hi Josh.Smith, Lowering timeout didn't change anything.

Thanks for your help though,
az

jamestoher
New Contributor III

Hi az

Try changing time server to whatever is being used by the AD service, so they match.

Does the login delay also happen when wifi is off, but connected to the network via a patch cable?

Maybe SSH into a 10.12.2 Mac connected via patch cable and watch the system log during login – IIRC:
tail -f /var/log/system.log

Can you reach all the IP addresses of your AD service, not just some of them – is there a firewall which might block access until failover to another domain controller?

Do you see the same problem with a clean install of 10.12.2?

Alter the bind configuration so it doesn't mount network home for domain accounts. Same issue?

Try a single DNS entry in your network configuration, or two from the same range.

Regards
James
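
James's question about reaching every domain controller, not just some, can be checked per DC as in this added example, which is not part of the original thread. It assumes `dig` and `nc` are available, that the Mac is on the AD network when run, and that the domain name passed in (e.g. `ad.example.test`) is a placeholder; `PROBE` is a hypothetical hook for swapping the probe.

```shell
#!/bin/sh
# Added example: list AD domain controllers from the _ldap._tcp SRV
# records and probe each one, so a single unreachable DC stands out.

# Turn `dig +short SRV` lines ("prio weight port target.") into
# "target port" pairs, lowest priority first, trailing dot removed.
parse_srv() {
    sort -n | awk 'NF == 4 { sub(/\.$/, "", $4); print $4, $3 }'
}

# TCP connect test with a 3 second timeout.
probe_tcp() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Read "host port" pairs on stdin, print one status line per DC,
# and return the number of DCs that did not answer.
check_dcs() {
    failed=0
    while read -r host port; do
        # PROBE is a hypothetical override used for offline testing.
        if "${PROBE:-probe_tcp}" "$host" "$port"; then
            echo "OK   $host:$port"
        else
            echo "FAIL $host:$port"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh check_dcs.sh ad.example.test   (placeholder domain)
if [ -n "${1:-}" ]; then
    dig +short -t SRV "_ldap._tcp.$1" | parse_srv | check_dcs
fi
```

A non-zero exit status is the count of controllers that failed the probe; a DC listed in DNS but blocked by a firewall shows up as a `FAIL` line.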

ArthurZ
New Contributor II

Hi James,

The login delay does NOT happen when wifi is off, regardless of whether it is connected to the network via ethernet.

I can reach all IP addresses of the AD service.

Same problem with clean install of macOS 10.12.2.

I don't mount network home for domain accounts.

This all happened after updating Macs to macOS 10.12.2.

Anybody else having the same issue?

Thanks in advance, az

ArthurZ
New Contributor II

Hi Friends,

Anybody else have any clues here? The problem persists with the macOS 10.12.3 update.

Thanks in advance, az

BenL
New Contributor III

If it's happening when wifi is on, check to see if it's trying to connect to a network buried down in our wifi preferences. We sometimes have an issue with our bound accounts if the wifi is last as it will scan for the other networks. If you remove all the other wifi networks or move the wifi network you want to the top, that might fix the issue.

ArthurZ
New Contributor II

Hi BenL,

I'll try that and report back.
Thanks for the tip, az