Some (but not all) AD-joined Mavericks computers will not unlock after screensaver or display sleep
Posted on 2014-09-09
We have a global network with a Windows Server 2008 R2 functional level Active Directory environment. Root domain controllers are in a USA datacenter and local domain controllers are installed at our corporate office and our branch offices. Authentication for all the Windows clients and most of the Mac clients works fine.
We have about 25 Mac clients. All are running OS-X 10.9.x (mostly 10.9.4) and all are joined to the AD domain. This is the process we are using to join them to the domain:
System Preferences > Users & Groups > Login Options > Network Account Server
Leave server name blank and click 'Open Directory Utility'
Double-click 'Active Directory' to join the computer to the proper OU
'ActiveDirectory Domain': avoxi.int
Enter the appropriate OU information:
Expand the advanced settings (Directory Utility > Active Directory > Advanced):
Go to 'User Experience' tab
Select “Create mobile account at login”
Leave unselected: “Require confirmation…”
Unselect 'Use UNC path from Active Directory...'
Check 'Allow administration by:'
Leave checked 'Allow authentication from any domain in the forest'
The login window is set to "Name and password"
I am having continual authentication problems with 2 of the Mac clients. The end user can log in without any trouble but if sleep or screen saver begins then the user is unable to unlock the computer. (Computers are set to require a password 5 seconds after sleep or screen saver begins.) Usually the user gets the "screen shake" after entering the password but occasionally it simply does not respond. Either way, the computer must be powered off/on for the user to authenticate. I think that if one chooses "switch user" then one is able to unlock, but this hasn't been tried often enough to know if this always works.
When the password is rejected, I do not see a corresponding event on the domain controller nor does the bad password count increment.
I have not had either user try logging onto any other Mac clients to see if the problem follows the user.
Both users are in the same office. That office does not have a local domain controller, so clients authenticate across the WAN link. That office is separated from me by 6 time zones, so I am unable to physically log on to the clients but I am able to use Apple Remote Desktop. Unfortunately ARD is extremely slow when connecting to that office because of the Internet connection speed into that location. The clients were configured here in Atlanta and then shipped. I did not notice the trouble when configuring them, but I cannot say for sure that I ever actually let them go to sleep and then unlocked them. There are 4 other Mac clients in that office and they do not exhibit the same symptoms.