User lockouts at random times

themacit
New Contributor

Anyone had an issue at some point where users would get locked out of their accounts even though the password is correct? I've been investigating this for quite some time now, and even though the user is a standard account, not mobile, it still gets locked out at a certain point. Right now I have a user who's getting locked out every other day. I tried reading the logs but nothing helpful there.

We are using the Kerberos Extension for password syncs, the default passcode policy, and FileVault without an institutional key. I read online that it's an issue with FV, but I can't replicate the lock, because most of the time the lock happens after a restart or shutdown (sometimes it happens after a device is locked).

Anyone with a similar experience?

10 REPLIES

Edward357J
New Contributor

Hello!

You might be facing lockout issues due to password sync problems with Kerberos, restrictive account lockout policies, or FileVault configurations. Ensure passwords are properly synced, review your AD lockout policies, and check FileVault settings. Also, look into detailed diagnostics for more insights.


@Edward357J wrote:

Hello!

You might be facing lockout issues due to password sync problems with Kerberos, restrictive account lockout policies, or FileVault configurations. Ensure passwords are properly synced, review your AD lockout policies, and check FileVault settings. Also, look into detailed diagnostics for more insights.


I hope this helps!

Thank you for the info. The problem is there is no one way to check diagnostics, and the logs are too big and I'm not even sure where to start. The password is usually synced using the Kerberos SSO extension and it syncs correctly, but at some point the sync drops and the user locks out. To make things worse, not everyone has the issue.

mschlosser
Contributor II

I've had some issues similar to this, due to related Kerberos tickets. In my experience, kinit <username> can help to issue new tickets and may clear the issue.

The local account is being locked out. We can't renew Kerberos without logging in to the account, and that only works if we reset the password (unlock the account).

AJPinto
Esteemed Contributor

What is getting locked out? The user's IDP or AD identity, or the macOS local account?

The user's local account is getting locked out.

mvu
Valued Contributor III

Come to think of it, I've seen something similar recently. It was around the 14.7.2 and 15.2 updates. Sounds like we are in a similar environment. My understanding is that our engineers are in the process of updating our Kerberos environment as well, so maybe that'll help?

One question: Are you using Microsoft Platform SSO? When I applied this to the user who had lockout issues, it seemed to resolve everything. The user would get locked out after a reboot or if the screen fell asleep. When we registered with PSSO, the experience improved so far.

themacit
New Contributor

I'm currently testing PSSO, and so far it's not bad, but I still need to do a lot of things before deployment in a production environment. What you said describes what's happening to us: the account is locked out after a simple restart, or even if the screen falls asleep. The funny thing is it's not a universal thing, and I can't blame the users anymore (lol), but from what I debugged it's something to do with the Kerberos SSO and the account password lockout. I couldn't find the culprit exactly.

mvu
Valued Contributor III

Can you test PSSO with this user/s?