Logging into term serve via remote desktop from a non-bound Mac resets AD password and locks account

Posted on 2015-01-24
Last Modified: 2015-01-29
I have a user connecting to a Windows 2012 R2 TermServ from a MacBook, non-VPN, non-server-bind; the Mac is not in Active Directory and is logged into as a local account. But as soon as the RDP connection is established, OWA kicks out that the password has been changed and the account has to be unlocked. As long as the Mac then stays on, the account is fine, but once it is rebooted and RDP is established again, the same thing happens.

Does the Mac RDP client have some kind of caching pseudo-binding from a long-ago password change?
Question by:acdevadmin

Accepted Solution

bigeven2002 earned 500 total points
ID: 40568525

It sounds like there may be a stale password in the Mac keychain. You can try opening the Keychain Access app on the Mac under Utilities to see if there is an RDP entry for your Windows server. If not, you can try resetting the keychain, which generates a new one. This will likely clear out any other passwords stored in it as well, though.

But if you want to proceed with the keychain reset, from Apple support:

    Open Keychain Access, which is in the Utilities folder within the Applications folder.
    From the Keychain Access menu, choose Preferences.
    Click General, then click Reset My Default Keychain.
    Authenticate with your account login password.
    Quit Keychain Access.
    Restart your computer.

Author Comment

ID: 40568678
What would be pushing the info to AD though and making it require an unlock? A failed login attempt with the bad pw in the keychain? It's not set to do that with 1 failed attempt.

Expert Comment

ID: 40568728
My thought is that it may be trying 3 times back to back with RDP. Since the RDP program is made by Microsoft, it could be trying multiple logins behind the scenes. I have seen this happen with Lync, so I figured that the RDP program may be trying it too.

Another thing that comes to mind: have you tried logging in with RDP using a different user account? Set up another domain account that has remote access to the server and see if that account gets locked out.
Author Comment

ID: 40568749
Thanks. The challenge is I won't often have access to this Mac, so I need to prepare a bevy of possible solutions for the small window of opportunity I will have access to it. I in fact haven't had access to it yet at all, just a report of the issue. Will hopefully get in front of it this week. I did also think and hoped that maybe there was a rapid-fire retry causing the issue, not being too familiar with Mac RDP clients. I will be looking at that first with the alternate account login and take it from there. Will report back, thanks.

Expert Comment

ID: 40568834
Sounds good, thanks for the update.

Author Comment

ID: 40576857
OK, I was able to get in front of the MacBook today.
The issue was in fact stale passwords in the keychain. But there's a little more to it to clarify the situation, if not only for curiosity's sake, but also because what I found out may have implications in similar and even non-similar situations for others.

First, the issue was a little different than I first reported. The lockout wasn't occurring when logging into RDP but rather as soon as you logged into the Mac itself. Again, it was not bound to AD, so we're talking about logging into the local Mac account. We watched in AD as, seconds after login, the account would show as needing to be unlocked.

I first checked all the startup services to see if there was anything creating some kind of AD bind, whether it be VPN, Outlook, a mapped network drive or any other network-based service. There was nothing. I then checked the Outlook/Exchange keychain entry and it was blank, therefore triggering the Outlook storage, I suppose.

Poking around some more, I came across 3 entries for browser-based OWA keychain items. This fit with the "3 attempts and you're locked" GP rule, and sure enough all 3 had stale passwords. I updated the password and, sure enough, no more lockouts.

So what is really strange and noteworthy here, then, is the fact that logging into the profile triggers these and I guess other (all?) keychain item authentication attempts at startup??? This seems really odd to me, but that is what was clearly happening. I don't know the Mac under the hood enough to decide whether to call this a feature, a bug or a bad idea. Additionally, new keychain items appear to not overwrite the old ones in this case, which is creating 3 failed attempts instead of 1, which would at least be easy to overcome, albeit transparently, without discovering this. Maybe someone can shed some light on what this process looks like behind the scenes, because I would imagine this could be the source of many troubles related to similar situations with domain logins that could go unnoticed. Could even be exploited, I suppose, as a pseudo denial-of-login type of thing. Though I suppose if you know someone's OWA link and username you could do this from any machine.
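An added diagnostic script, not from the thread, from Apple or from Microsoft, that puts the accepted answer's keychain check and the final comment's three stale OWA items on the command line: it parses `security dump-keychain` output and flags any server/account pair with enough stored items to exhaust an AD lockout threshold by itself. The sample dump, the hostnames, the account name and the threshold of 3 are constructed; `security dump-keychain` is Apple's real tool, but the attribute layout assumed here is only what it prints for internet-password items.

```shell
#!/bin/sh
# Constructed sample of `security dump-keychain` output (attribute lines trimmed):
# three web-form items for the same OWA host and account, as found in the thread.
SAMPLE_DUMP='class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "srvr"<blob>="owa.example.com"
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "srvr"<blob>="owa.example.com"
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "srvr"<blob>="owa.example.com"
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "srvr"<blob>="mail.example.com"
'

# count_keychain_items: read dump-keychain text on stdin and print
# "<count> <server> <account>" for every internet-password (srvr/acct) pair.
count_keychain_items() {
  awk '
    /^class:/ { if (srv != "") n[srv " " acct]++; srv = ""; acct = "" }
    /"srvr"<blob>="/ { sub(/.*"srvr"<blob>="/, ""); sub(/"[ \t]*$/, ""); srv = $0 }
    /"acct"<blob>="/ { sub(/.*"acct"<blob>="/, ""); sub(/"[ \t]*$/, ""); acct = $0 }
    END { if (srv != "") n[srv " " acct]++; for (k in n) print n[k], k }
  ' | sort -rn
}

# risky_items THRESHOLD: pairs with at least THRESHOLD stored items; if each item
# holds a stale password, one Mac login session can burn through the AD lockout limit.
risky_items() {
  count_keychain_items | awk -v t="$1" '$1 >= t'
}

# On a Mac, inspect the real login keychain; elsewhere, run on the constructed sample.
if command -v security >/dev/null 2>&1; then
  security dump-keychain | risky_items 3
else
  printf '%s' "$SAMPLE_DUMP" | risky_items 3
fi
```

Pairs that appear once are normal; a pair listed three times for a host that authenticates against AD is the pattern the final comment describes, and updating or deleting the extra items is the fix rather than a full keychain reset.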

Expert Comment

ID: 40577769
Great, glad you found the issue in the keychain. I agree that the setup is a bit odd; I couldn't even begin to explain how Apple configures their stuff, so you might be right on all 3: feature, bug and bad idea. What I do know is there is a long history of complications with Mac and AD accounts.
