User profile for user: justinrseng
justinrseng Author
User level: Level 1
5 points

MacOS bound to Active Directory will not allow AD account to login after reboot

I have an office that we have just recently converted to Mac Minis, and are up to date with the latest code: Ventura 13.3.1 (a). Ever since we started using them, we have had consistent issues where neither the AD user, or an AD admin can unlock the machine after it reboots. Yes, we have FileVault enabled, and therefore, it is only allowing it to authenticate by using the local administrator account on the machine BEFORE allowing AD staff to login. I have attempted to add myself and other users to the Users and Groups settings to allow at login, but still does not help. I am being stonewalled by the local admin prompt every time it reboots.


I also have found that, when using VPN (remote), I cannot login to the machine remotely (even if I use/send the local admin credentials) with ARD if the computer has rebooted. It will outright refuse the connection until someone has authenticated with the local admin account on the machine itself. I have to either breach security by giving my staff member the local admin account passwords OR I have to drive down to the office myself, and login and log out of the local admin account in order for them to access it via AD.


I am aware that there have been many forums with issues similar to (or the same as) this over the years, and am wondering if anyone has found a functional workaround.

Mac mini (M1, 2020)

Posted on May 8, 2023 10:21 AM

Reply
Question marked as Top-ranking reply
User profile for user: James Brickley
James Brickley
User level: Level 5
5,686 points

Posted on May 8, 2023 11:06 AM

Things have changed considerably. Current best practices are below:


  1. First user created on macOS receives a SecureToken. Only accounts that have a SecureToken can boot macOS. All subsequent accounts created by the 1st initial admin account will inherit a SecureToken. When creating accounts in System Settings -> Users & Groups this is handled automatically. Any command line / script based account creation has to be performed by the local 1st admin user account using sudo. The command line fdesetup command can list the accounts authorized to boot macOS and you can add existing accounts to be allowed to boot providing they have the SecureToken.
  2. Mobile accounts (Active Directory cached accounts) are problematic with keeping the FileVault pre-boot authentication password in sync. It is best to not bind to Active Directory and to instead use a Kerberos App to handle authentication and password sync for the local account. The most popular tool is called NoMAD.
  3. If you have an MDM (Mobile Device Management) server you can use Apple's Kerberos SSO tool (formerly Enterprise Connect) as you can push the configurations via the MDM server. NoMAD can also be pushed but the MDM is not required for it to work like the Apple Kerberos SSO tool.
  4. Most MDM solutions include the ability to redirect the FileVault Recovery Key to be escrowed by the MDM server and there are options to rotate the recovery key after it's been used, etc.


The most popular MDM for macOS is https://jamf.com and they bought out the company behind NoMAD and still offer the open source NoMAD tool. But they also offer JAMF Connect which adds many features and can work with SAML, cloud authentication, Identity Providers, AzureAD, etc., etc., etc.


https://github.com/jamf/NoMAD


You can actually convert the mobile AD accounts on the Mac to being a local account and maintain all data, etc.

https://derflounder.wordpress.com/2016/12/21/migrating-ad-mobile-accounts-to-local-user-accounts/


You can keep the macOS AD binding intact and it will still work. But since it's only really used for Kerberos and DFS mappings it's now optional.


Apple Intel w/T2 or Silicon Mac's are always encrypted from the factory. When you turn on FileVault you are merely generating a public / private key pair and the private key is written to the SecureEnclave in the CPU System on Chip and the public key is used to create the recovery key. Turning on FileVault merely gives you an additional way to recover the Mac if the user forgets their password. Even if FileVault is OFF, the disk is still encrypted and you still see the pre-boot authentication login screen. This is confusing because that login screen will appear visually just like the real login screen but it's OFFLINE, not connected to the network yet. After login, you see a progress bar indicating the operating system is booting. If the account used to boot the system has the same login password it will single-sign-on at the second login after the boot. If the passwords were out of sync it might boot past the pre-boot authentication but stop at the macOS login so you can enter the correct password or choose another account that isn't authorized to boot the Mac.


In order to remotely access an Apple Silicon Mac you need to ensure it has been logged on past the pre-boot authentication. Or you need some sort of remote KVM computer. Another computer, like a RaspberryPI or other small form-factor computer that is networked and connected to the Mac's KB/Mouse and Display so you can remotely login to the KVM computer and remotely control the offline Mac sign on.


If you need to reboot one of these Mac's and remotely reconnect you'll need to open Terminal and issue this command 'sudo fdesetup authrestart'. It will prompt for the username and password to auto-login past the pre-boot authentication so the Mac comes back online. You need to do that every time it reboots or you will be stuck unable to login to the Mac remotely as it will be offline waiting at the pre-boot authentication login screen. This is like what Apple uses after installing an update that might require additional reboots.


Yes this is painful but without some sort of KVM solution you will at some point have a Mac that needs to manually log on at the physical console. If you need to have Macs remotely accessible, may I suggest going to MacStadium and leasing some hardware or virtual machines in their data center / cloud. They have implemented all the magic to make it work successfully.





View in context

Similar questions

1 reply
Question marked as Top-ranking reply
User profile for user: James Brickley
James Brickley
User level: Level 5
5,686 points

May 8, 2023 11:06 AM in response to justinrseng

Things have changed considerably. Current best practices are below:


  1. First user created on macOS receives a SecureToken. Only accounts that have a SecureToken can boot macOS. All subsequent accounts created by the 1st initial admin account will inherit a SecureToken. When creating accounts in System Settings -> Users & Groups this is handled automatically. Any command line / script based account creation has to be performed by the local 1st admin user account using sudo. The command line fdesetup command can list the accounts authorized to boot macOS and you can add existing accounts to be allowed to boot providing they have the SecureToken.
  2. Mobile accounts (Active Directory cached accounts) are problematic with keeping the FileVault pre-boot authentication password in sync. It is best to not bind to Active Directory and to instead use a Kerberos App to handle authentication and password sync for the local account. The most popular tool is called NoMAD.
  3. If you have an MDM (Mobile Device Management) server you can use Apple's Kerberos SSO tool (formerly Enterprise Connect) as you can push the configurations via the MDM server. NoMAD can also be pushed but the MDM is not required for it to work like the Apple Kerberos SSO tool.
  4. Most MDM solutions include the ability to redirect the FileVault Recovery Key to be escrowed by the MDM server and there are options to rotate the recovery key after it's been used, etc.


The most popular MDM for macOS is https://jamf.com and they bought out the company behind NoMAD and still offer the open source NoMAD tool. But they also offer JAMF Connect which adds many features and can work with SAML, cloud authentication, Identity Providers, AzureAD, etc., etc., etc.


https://github.com/jamf/NoMAD


You can actually convert the mobile AD accounts on the Mac to being a local account and maintain all data, etc.

https://derflounder.wordpress.com/2016/12/21/migrating-ad-mobile-accounts-to-local-user-accounts/


You can keep the macOS AD binding intact and it will still work. But since it's only really used for Kerberos and DFS mappings it's now optional.


Apple Intel w/T2 or Silicon Mac's are always encrypted from the factory. When you turn on FileVault you are merely generating a public / private key pair and the private key is written to the SecureEnclave in the CPU System on Chip and the public key is used to create the recovery key. Turning on FileVault merely gives you an additional way to recover the Mac if the user forgets their password. Even if FileVault is OFF, the disk is still encrypted and you still see the pre-boot authentication login screen. This is confusing because that login screen will appear visually just like the real login screen but it's OFFLINE, not connected to the network yet. After login, you see a progress bar indicating the operating system is booting. If the account used to boot the system has the same login password it will single-sign-on at the second login after the boot. If the passwords were out of sync it might boot past the pre-boot authentication but stop at the macOS login so you can enter the correct password or choose another account that isn't authorized to boot the Mac.


In order to remotely access an Apple Silicon Mac you need to ensure it has been logged on past the pre-boot authentication. Or you need some sort of remote KVM computer. Another computer, like a RaspberryPI or other small form-factor computer that is networked and connected to the Mac's KB/Mouse and Display so you can remotely login to the KVM computer and remotely control the offline Mac sign on.


If you need to reboot one of these Mac's and remotely reconnect you'll need to open Terminal and issue this command 'sudo fdesetup authrestart'. It will prompt for the username and password to auto-login past the pre-boot authentication so the Mac comes back online. You need to do that every time it reboots or you will be stuck unable to login to the Mac remotely as it will be offline waiting at the pre-boot authentication login screen. This is like what Apple uses after installing an update that might require additional reboots.


Yes this is painful but without some sort of KVM solution you will at some point have a Mac that needs to manually log on at the physical console. If you need to have Macs remotely accessible, may I suggest going to MacStadium and leasing some hardware or virtual machines in their data center / cloud. They have implemented all the magic to make it work successfully.





Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

MacOS bound to Active Directory will not allow AD account to login after reboot

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up