

Logging into term serve via remote desktop from a non-binded mac resets AD password and locks account

Posted on 2015-01-24
Medium Priority
Last Modified: 2015-01-29
I have a user connecting to a Windows 2012 R2 TermServ from a MacBook: no VPN, no server bind; the Mac is not in Active Directory and is logged into with a local account. But as soon as the RDP connection is established, OWA kicks out that the PW has been changed and the account has to be unlocked. As long as the Mac then stays on, the account is fine, but once it is rebooted and RDP is established again, the same thing happens.

Does the Mac RDP client have some kind of caching pseudo-binding from a long-ago password change?
Question by: acdevadmin

Accepted Solution

bigeven2002 earned 2000 total points
ID: 40568525

It sounds like there may be a stale password in the Mac keychain. You can try opening the Keychain Access app on the Mac under Utilities to see if there is an RDP entry for your Windows server. If not, you can try resetting the keychain, which generates a new one. This will likely clear out any other passwords stored in it as well, though.

If you want to proceed with the keychain reset, these are the steps from Apple support:

    Open Keychain Access, which is in the Utilities folder within the Applications folder.
    From the Keychain Access menu, choose Preferences.
    Click General, then click Reset My Default Keychain.
    Authenticate with your account login password.
    Quit Keychain Access.
    Restart your computer.

Author Comment

ID: 40568678
What would be pushing the info to AD, though, and making it require an unlock? A failed login attempt with the bad PW in the keychain? It's not set to do that with 1 failed attempt.

Expert Comment

ID: 40568728
My thought is that it may be trying 3 times back to back with RDP. Since the RDP program is made by Microsoft, it could be trying multiple logins behind the scenes. I have seen this happen with Lync, so I figured that the RDP program may be trying it too.

Another thing that comes to mind: have you tried logging in with RDP using a different user account? Set up another domain account that has remote access to the server and see if that account gets locked out.

Author Comment

ID: 40568749
Thanks. The challenge is I won't often have access to this Mac, so I need to prepare a bevy of possible solutions for the small window of opportunity I will have to access it. In fact, I haven't had access to it yet at all, just a report of the issue. Will hopefully get in front of it this week. I did also think, and hoped, that maybe a rapid-fire retry was causing the issue, not being too familiar with Mac RDP clients. I will be looking at that first with the alternate account login and take it from there. Will report back. Thanks.

Expert Comment

ID: 40568834
Sounds good, thanks for the update.

Author Comment

ID: 40576857
OK, I was able to get in front of the MacBook today.
The issue was in fact stale passwords in the keychain. But there's a little more to it to clarify the situation, if not only for curiosity's sake, but also because what I found out may have implications in similar and even non-similar situations for others.

First, the issue was a little different than I first reported. The lockout wasn't occurring when logging into RDP but rather as soon as you logged into the Mac itself. Again, it was not bound to AD, so we're talking about logging into the local Mac account. We watched in AD as, seconds after login, the account would show as needing to be unlocked.

I first checked all the startup services to see if there was anything creating some kind of AD bind, whether it be VPN, Outlook, a mapped network drive or any other network-based service. There was nothing. I then checked the Outlook/Exchange keychain entry and it was blank, therefore triggering the Outlook storage, I suppose.

Poking around some more, I came across 3 entries for browser-based OWA keychain items. This fit with the "3 attempts and you're locked" GP rule, and sure enough all 3 had stale passwords. I updated the PW and, sure enough, no more lockouts.

So what is really strange and noteworthy here, then, is the fact that logging into the profile triggers these and, I guess, other (all?) keychain item authentication attempts at startup. This seems really odd to me, but that is what was clearly happening. I don't know the Mac under the hood well enough to decide whether to call this a feature, a bug or a bad idea. Additionally, new keychain items appear not to overwrite the old ones in this case, which is creating 3 failed attempts instead of 1, which would at least be easy to overcome, albeit transparently, without discovering this. Maybe someone can shed some light on what this process looks like behind the scenes, because I would imagine this could be the source of many troubles related to similar situations with domain logins that could go unnoticed. It could even be exploited, I suppose, as a pseudo denial-of-login type of thing. Though I suppose if you know someone's OWA link and username you could do this from any machine.
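One way to do the keychain check from the command line rather than by clicking through Keychain Access. It covers both the accepted answer's step of looking for an entry for the server in the keychain and the author's finding above of three stale OWA items saved for the same server and account. This is an added example and is not part of the original thread or Apple's own tooling: it assumes the attribute-dump format that macOS's `security dump-keychain` prints (attributes only, no secrets), and the hostname `mail.example.com`, account `jdoe`, paths and timestamps in the embedded sample are constructed placeholders. It generalizes slightly beyond the thread by flagging any (server, account) pair stored more than once, not just OWA items.

```shell
#!/bin/sh
# Added example (not from the original thread): list the stored internet
# passwords in a macOS keychain dump and flag (server, account) pairs that
# are stored more than once, since each stale copy is one more failed
# authentication against AD when the keychain items are replayed.
#
# Real use on the Mac itself:   security dump-keychain | find_duplicate_logins
# `security dump-keychain` prints item attributes only (no passwords),
# so its output is safe to save to a file and inspect offline.

# Constructed sample in the attribute format `security dump-keychain`
# prints: three web-form passwords for the same OWA server and account,
# saved on different dates, plus one unrelated generic ("genp") password.
# Host, account, paths and timestamps are placeholders.
SAMPLE_DUMP=$(cat <<'EOF'
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="mail.example.com (jdoe)"
    "acct"<blob>="jdoe"
    "atyp"<blob>="form"
    "desc"<blob>="Web form password"
    "mdat"<timedate>=0x32303133303431303039303030305A00  "20130410090000Z\000"
    "path"<blob>="/owa/"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="mail.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="mail.example.com (jdoe)"
    "acct"<blob>="jdoe"
    "atyp"<blob>="form"
    "desc"<blob>="Web form password"
    "mdat"<timedate>=0x32303134303232303038303030305A00  "20140220080000Z\000"
    "path"<blob>="/owa/auth.owa"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="mail.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
version: 512
class: "inet"
attributes:
    0x00000007 <blob>="mail.example.com (jdoe)"
    "acct"<blob>="jdoe"
    "atyp"<blob>="form"
    "desc"<blob>="Web form password"
    "mdat"<timedate>=0x32303135303130353130303030305A00  "20150105100000Z\000"
    "path"<blob>="/owa/auth/logon.aspx"
    "ptcl"<uint32>="htps"
    "srvr"<blob>="mail.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
version: 512
class: "genp"
attributes:
    "acct"<blob>="jdoe"
    "svce"<blob>="Some Local App"
EOF
)

# Read a dump on stdin; print one line per internet-password item:
#   <server> <account> <last-modified, YYYYMMDDhhmmss>
# Items are separated by "keychain:" header lines, so an item is emitted
# when the next header (or end of input) is reached.
list_internet_items() {
  awk '
    function val(line) { sub(/^.*<blob>=/, "", line); gsub(/"/, "", line); return line }
    function flush() {
      if (cls == "inet" && srv != "") print srv, acct, mdat
      cls = ""; srv = ""; acct = ""; mdat = ""
    }
    /^keychain:/            { flush() }
    /^class:/               { cls = $2; gsub(/"/, "", cls) }
    /^ *"srvr"<blob>=/      { srv = val($0) }
    /^ *"acct"<blob>=/      { acct = val($0) }
    /^ *"mdat"<timedate>=/  { if (match($0, /[0-9]+Z/)) mdat = substr($0, RSTART, RLENGTH - 1) }
    END                     { flush() }
  '
}

# Read a dump on stdin; print "<count> <server> <account>" for every
# (server, account) pair stored more than once. The oldest copies in the
# list_internet_items output are the likely stale ones.
find_duplicate_logins() {
  list_internet_items \
    | awk '{ n[$1 " " $2]++ } END { for (k in n) if (n[k] > 1) print n[k], k }' \
    | sort
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_logins
```

On the Mac, feed the function the live dump instead of the sample. Once the duplicates are identified, `security delete-internet-password -s <server> -a <account>` removes a matching item (repeat it for each duplicate), which is narrower than the accepted answer's reset of the whole default keychain and leaves unrelated stored passwords alone. Re-saving the current password after cleanup then leaves a single item, so a later password change costs at most one failed attempt instead of several.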

Expert Comment

ID: 40577769
Great, glad you found the issue in the keychain. I agree that the setup is a bit odd; I couldn't even begin to explain how Apple configures their stuff, so you might be right on all 3: feature, bug and bad idea. What I do know is there is a long history of complications with Mac and AD accounts.
