Some Active Directory Users can't sign into Macs - AuthenticationAuthority

NiclausDutter
New Contributor III

Hello All,

I am having a very weird issue where all of a sudden, out of nowhere, all users that have the AuthenticationAuthority attribute on their account within Directory Utility are having issues logging in. It just doesn't want to authenticate. Users without this attribute work just fine.

Here is a photo of the Attribute:
Attribute.png

Here is a photo of the account not allowing us to login:
WithAttribute.png

Here is a photo of a user without the attribute. When we log in it prompts us to enter a password:
WithoutAttribute.png

  • We are connected to the AD domain using the native Active Directory tool on macOS
  • None of these accounts are locally cached/built on this machine
  • I am able to create mobile accounts via terminal for both of the accounts but I am still unable to log into the account that has that AuthenticationAuthority attribute


Has anyone seen anything like this? I feel like something changed on our Active Directory side and how accounts authenticate to it since we have accounts from 2018 with this same attribute and they don't work.

 

Any guidance or suggestions on where to begin to look will be greatly appreciated! I would love to see any error message for the "Login incorrect" but I am not sure.

 

Thank you!

1 ACCEPTED SOLUTION

NiclausDutter
New Contributor III

Not sure how I can remove this post but in case a lone wanderer sees this post, looking for a solution, this is how I found my solution:

When I joined the Macs to the domain I specified to use custom mappings using AD Attributes. The accounts that couldn't log in didn't have one of the specific attributes I was looking for, causing them to fail. After adding the attribute manually (I am sure I can remove the custom attribute as well) it allowed the account to sign in instantly.

Problem.png
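
The accepted solution traces the failed logins to a custom attribute mapping whose AD attribute is absent on some accounts. The script below is an added example, not from the original poster: it lists the mapped attributes and the accounts that lack them. The `dsconfigad -show` excerpt, the LDIF export and the attribute names `uidNumber`/`gidNumber` are constructed assumptions, since the post does not say which attributes were mapped.

```shell
#!/bin/sh
# Added example: all data below is constructed, not taken from the post.

# Constructed text in the layout of the Mappings section of `dsconfigad -show`.
SAMPLE_SHOW='Advanced Options - Mappings
  Mapping UID to attribute       = uidNumber
  Mapping user GID to attribute  = gidNumber
  Mapping group GID to attribute = not set
  Generate Kerberos authority    = Enabled'

# Constructed LDIF export of three AD users (blank line between entries).
SAMPLE_LDIF='dn: CN=Alice Example,OU=Staff,DC=example,DC=test
sAMAccountName: alice
uidNumber: 10001
gidNumber: 20001

dn: CN=Bob Example,OU=Staff,DC=example,DC=test
sAMAccountName: bob
gidNumber: 20001

dn: CN=Carol Example,OU=Staff,DC=example,DC=test
sAMAccountName: carol'

# Print each AD attribute a custom mapping points at (skips "not set").
mapped_attrs() {
  awk -F' = ' '/Mapping .* to attribute/ && $2 != "not set" { print $2 }' | sort -u
}

# $1 = required attributes; LDIF on stdin. Prints "<user> <missing attribute>".
users_missing() {
  awk -v need="$1" '
    function report(   i) {
      if (name != "")
        for (i = 1; i <= n; i++)
          if (!(tolower(req[i]) in have)) print name, req[i]
      name = ""; split("", have)
    }
    BEGIN { n = split(need, req, " ") }
    /^$/ { report(); next }
    {
      key = $0; sub(/:.*/, "", key)
      val = $0; sub(/^[^:]*:+ */, "", val)
      if (tolower(key) == "samaccountname") name = val
      if (val != "") have[tolower(key)] = 1   # LDAP attribute names ignore case
    }
    END { report() }'
}

# Run both steps over the constructed samples.
check() {
  attrs=$(printf '%s\n' "$SAMPLE_SHOW" | mapped_attrs | tr '\n' ' ')
  printf '%s\n' "$SAMPLE_LDIF" | users_missing "$attrs"
}

check
```

Accounts listed in the output are the ones to fix in AD, or the mapping itself can be dropped if it is not needed.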
