Skip to main content

Hello everyone,

I am running into an interesting issue for quite some time. We have a particular set of macbook carts that are used not often, around once every other week. The issue is that machine is bound to our domain, has wireless connection, is able to communicate to said DC controller but the user cannot get past authentication screen. The only solution I have found is to unbind and re-bind to the domain.
We also have workstations that are used on a daily basis that do NOT have this issue at all.

My theory is that it has something to do with the computers auth token with the domain that expires or something which then causes no account to be able to authenticate to the domain.

Has anyone else run into this issue as well?
Domain controller is Windows Server 2012 and client machines are running macOS Sierra.

If you have ran into this, what was your solution? Would just moving everything to an open directory or LDAP service be the best route? We only need it for user auth and nothing else.

@mccaskill Would you say you're seeing the problem on machines that have been off the network for more than 14 days? The dsconfigad tool has a 14 day default for the -passinterval parameter which is the setting for how often the computer trust account password should be changed. I use DeployStudio for the initial setup of my machines, including Jamf enrollment and AD binding. In the DS AD binding panel I've set a passinterval of 0 so it doesn't expire, and that eliminated a similar problem I ran into (I was deploying Yosemite at the time, but I don't believe that behavior has changed).

Yeah this sounds about right. I will give this a test and see how it reacts. Thanks for the input @sdagley

I also found this article from another post which sounds similar and with the same recommendation. Lost connect to Active Directory

I will test today and let it run and report later.

Terms & ConditionsCookie settingsAccessibility statement