Logging into TermServ via Remote Desktop from a non-bound Mac resets AD password and locks account

Posted on 2015-01-24
Last Modified: 2015-01-29
I have a user connecting to a Windows 2012 R2 TermServ from a MacBook: non-VPN, non-server-bind; the Mac is not in Active Directory and is logged in as a local account. But as soon as the RDP connection is established, OWA kicks out that the password has been changed and the account has to be unlocked. As long as the Mac then stays on, the account is fine, but once it is rebooted and RDP is established again, the same thing happens.

Does the Mac RDP client have some kind of cached pseudo-binding from a long-ago password change?
Question by:acdevadmin

Accepted Solution

bigeven2002 earned 500 total points
ID: 40568525

It sounds like there may be a stale password in the Mac keychain. You can try opening the Keychain Access app on the Mac, under Utilities, to see if there is an RDP entry for your Windows server. If not, you can try resetting the keychain, which generates a new one. This will likely clear out any other passwords stored in it as well, though.

But if you want to proceed with the keychain reset, from Apple support:

    Open Keychain Access, which is in the Utilities folder within the Applications folder.
    From the Keychain Access menu, choose Preferences.
    Click General, then click Reset My Default Keychain.
    Authenticate with your account login password.
    Quit Keychain Access.
    Restart your computer.

Author Comment

ID: 40568678
What would be pushing the info to AD, though, and making it require an unlock? A failed login attempt with the bad password in the keychain? It's not set to do that with 1 failed attempt.

Expert Comment

ID: 40568728
My thought is that it may be trying 3 times back to back with RDP. Since the RDP program is made by Microsoft, it could be trying multiple logins behind the scenes. I have seen this happen with Lync, so I figured that the RDP program may be trying it too.

Another thing that comes to mind: have you tried logging in with RDP using a different user account? Set up another domain account that has remote access to the server and see if that account gets locked out.
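The exchange above asks what is actually pushing the bad credentials to AD and whether a client is retrying behind the scenes. The domain controllers already record the answer: the lockout itself is logged on the PDC emulator as event 4740, whose Caller Computer Name is the machine that submitted the failing credentials (for OWA or RDP that is the Exchange or terminal server, not the end-user device), and the individual failures are 4771 (Kerberos pre-authentication failure, status 0x18) or 4776 (NTLM validation, status 0xC000006A) on the DC that handled them. The following is an added example, not code from the thread, that correlates such events to show where the failures came from and whether they arrived as a rapid burst. The event lines are constructed and flattened to one event per line (a real export is multi-line, so parse_event would need adapting), and the host names and addresses are assumptions.

```python
"""Added example (not from the thread): attribute an AD account lockout to the
source of the bad-password attempts using 4740 / 4771 / 4776 events.
The log lines, host names and addresses below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: three NTLM failures relayed by EXCH01 within two seconds,
# the resulting 4740, an unrelated earlier Kerberos failure for the same user,
# and a single failure for another user.
SAMPLE_EVENTS = """\
2015-01-28 07:01:00 4771 TargetUserName=jdoe Status=0x18 IpAddress=::ffff:10.0.0.25
2015-01-28 08:01:02 4776 TargetUserName=jdoe Status=0xC000006A Workstation=EXCH01
2015-01-28 08:01:03 4776 TargetUserName=jdoe Status=0xC000006A Workstation=EXCH01
2015-01-28 08:01:03 4776 TargetUserName=jdoe Status=0xC000006A Workstation=EXCH01
2015-01-28 08:01:04 4740 TargetUserName=jdoe CallerComputerName=EXCH01
2015-01-28 09:15:00 4771 TargetUserName=asmith Status=0x18 IpAddress=::ffff:10.0.0.77
"""

EVENT_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d{4}) (.*)$")


def parse_event(line):
    """One flattened event line -> dict with 'time', 'id' and the key=value fields, or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts, eid, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": int(eid), **fields}


def failure_source(ev):
    """Where a bad-password failure came from, or None if the event is not one."""
    if ev["id"] == 4771 and ev.get("Status") == "0x18":           # Kerberos pre-auth failed
        return ev.get("IpAddress", "?").replace("::ffff:", "")
    if ev["id"] == 4776 and ev.get("Status", "").upper() == "0XC000006A":  # NTLM wrong password
        return ev.get("Workstation", "?")
    return None


def _events(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def explain_lockouts(text, window=timedelta(minutes=5)):
    """For each 4740, count the user's bad-password failures in the preceding window, by source."""
    events = _events(text)
    failures = [(e, failure_source(e)) for e in events]
    failures = [(e, s) for e, s in failures if s]
    report = []
    for ev in events:
        if ev["id"] != 4740:
            continue
        user = ev.get("TargetUserName")
        by_source = defaultdict(int)
        for f, src in failures:
            if f.get("TargetUserName") == user and ev["time"] - window <= f["time"] <= ev["time"]:
                by_source[src] += 1
        report.append({"user": user, "locked_at": ev["time"],
                       "caller": ev.get("CallerComputerName", "?"),
                       "failures_by_source": dict(by_source)})
    return report


def rapid_retry_sources(text, threshold=3, window=timedelta(seconds=10)):
    """(user, source) pairs with >= threshold failures inside one window: the
    'client retrying behind the scenes' pattern suspected in the thread."""
    times = defaultdict(list)
    for e in _events(text):
        src = failure_source(e)
        if src:
            times[(e.get("TargetUserName"), src)].append(e["time"])
    bursts = set()
    for key, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window:
                bursts.add(key)
                break
    return bursts


if __name__ == "__main__":
    for r in explain_lockouts(SAMPLE_EVENTS):
        print(f"{r['user']} locked at {r['locked_at']} via {r['caller']}: {r['failures_by_source']}")
    print("rapid retry from:", rapid_retry_sources(SAMPLE_EVENTS))
```

In practice you pull 4740 from the PDC emulator (for example `wevtutil qe Security /q:"*[System[EventID=4740]]" /f:text`, or `Search-ADAccount -LockedOut` to list who is currently locked) and the 4771/4776 events from whichever DC authenticated the request. Because the caller is usually the Exchange or terminal server, the last hop to the user's device is that server's own IIS or RDP connection logs for the same seconds.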
Author Comment

ID: 40568749
Thanks. The challenge is I won't often have access to this Mac, so I need to prepare a bevy of possible solutions for the small window of opportunity I will have access to it. I in fact haven't had access to it yet at all, just a report of the issue. Will hopefully get in front of it this week. I did also think, and hoped, that maybe there was a rapid-fire retry causing the issue, not being too familiar with Mac RDP clients. I will be looking at that first with the alternate account login and take it from there. Will report back. Thanks.

Expert Comment

ID: 40568834
Sounds good, thanks for the update.

Author Comment

ID: 40576857
OK, I was able to get in front of the MacBook today.
The issue was in fact stale passwords in the keychain. But there's a little more to it, to clarify the situation, if not only for curiosity's sake, but also because what I found out may have implications in similar and even non-similar situations for others.

First, the issue was a little different than I first reported. The lockout wasn't occurring when logging into RDP but rather as soon as you logged into the Mac itself. Again, it was not bound to AD, so we're talking about logging into the local Mac account. We watched in AD as, seconds after login, the account would show as needing to be unlocked.

I first checked all the startup services to see if there was anything creating some kind of AD bind, whether it be VPN, Outlook, a mapped network drive or any other network-based service. There was nothing. I then checked the Outlook/Exchange keychain entry and it was blank, therefore triggering the Outlook storage, I suppose.

Poking around some more, I came across 3 entries for browser-based OWA keychain items. This fit with the 3-attempts-and-you're-locked GP rule, and sure enough all 3 had stale passwords. I updated the password and, sure enough, no more lockouts.

So what is really strange and noteworthy here, then, is the fact that logging into the profile triggers these and, I guess, other (all?) keychain item authentication attempts at startup??? This seems really odd to me, but that is what was clearly happening. I don't know the Mac under the hood enough to decide whether to call this a feature, a bug or a bad idea. Additionally, new keychain items appear not to overwrite the old ones in this case, which is creating 3 failed attempts instead of 1, which would at least be easy to overcome, albeit transparently, without discovering this. Maybe someone can shed some light on what this process looks like behind the scenes, because I would imagine this could be the source of many troubles related to similar situations with domain logins that could go unnoticed. It could even be exploited, I suppose, as a pseudo denial-of-login type of thing. Though I suppose if you know someone's OWA link and username you could do this from any machine.
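The accepted answer says to look in Keychain Access for an entry for the server, and the follow-up above found three stale OWA items for the same host, exactly matching the three-strikes lockout policy. The following is an added example, not code from the thread, that does that inspection from a text export of the keychain metadata: on the Mac, run `security dump-keychain ~/Library/Keychains/login.keychain > keychain.txt` (without `-d`, so no secrets are printed) and feed the file to report(). It groups the internet-password items by server and flags copies last modified before the user's AD password change, i.e. the candidates for a replayed bad password. The dump below is constructed and abbreviated, and the host names, account name and dates are assumptions.

```python
"""Added example (not from the thread): find duplicate / stale internet-password
items per server in a `security dump-keychain` export. The sample dump, hosts,
account and dates below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed, abbreviated dump. Real output has many more attribute lines per
# item; the parser only needs the "class:" line and the quoted attributes.
SAMPLE_DUMP = r'''
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "inet"
attributes:
    0x00000007 <blob>="mail.example.com (jdoe)"
    "acct"<blob>="jdoe"
    "mdat"<timedate>=0x32303134303630313039303030305A00  "20140601090000Z\000"
    "path"<blob>="/owa/auth.owa"
    "srvr"<blob>="mail.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "mdat"<timedate>=0x32303134303931353131303030305A00  "20140915110000Z\000"
    "path"<blob>="/owa/auth.owa"
    "srvr"<blob>="mail.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "mdat"<timedate>=0x32303134313230323038303030305A00  "20141202080000Z\000"
    "path"<blob>="/owa/auth.owa"
    "srvr"<blob>="mail.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "inet"
attributes:
    "acct"<blob>="jdoe"
    "mdat"<timedate>=0x32303135303131323138303030305A00  "20150112180000Z\000"
    "port"<uint32>=0x00000d3d
    "srvr"<blob>="termserv.example.com"
keychain: "/Users/jdoe/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "acct"<blob>="jdoe"
    "svce"<blob>="Some Local App"
'''

ATTR_RE = re.compile(r'^\s*"(\w{4})"<(\w+)>=(.*)$')   # e.g.  "srvr"<blob>="mail.example.com"


def _as_dt(value):
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def _decode(typ, raw):
    raw = raw.strip()
    if raw == "<NULL>":
        return None
    if typ == "timedate":                 # the trailing "YYYYMMDDhhmmssZ\000" carries the date
        m = re.search(r'"(\d{14})Z', raw)
        return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None
    return raw.strip('"') if typ == "blob" else raw


def parse_keychain_dump(text):
    """Parse dump-keychain output into [{'class': 'inet', 'attrs': {...}}, ...]."""
    items, cur = [], None
    for line in text.splitlines():
        if line.startswith("keychain:"):          # every item begins with its keychain path
            cur = {"class": None, "attrs": {}}
            items.append(cur)
        elif line.startswith("class:") and cur is not None:
            cur["class"] = line.split(":", 1)[1].strip().strip('"')
        elif cur is not None:
            m = ATTR_RE.match(line)
            if m:
                name, typ, raw = m.groups()
                cur["attrs"][name] = _decode(typ, raw)
    return items


def internet_items_by_server(items):
    by = defaultdict(list)
    for it in items:
        if it["class"] == "inet" and it["attrs"].get("srvr"):
            by[it["attrs"]["srvr"]].append(it)
    return dict(by)


def stale_items(items, server, password_changed_at):
    """Items for `server` last modified before the AD password change."""
    cutoff = _as_dt(password_changed_at)
    return [it for it in internet_items_by_server(items).get(server, [])
            if it["attrs"].get("mdat") is not None and it["attrs"]["mdat"] < cutoff]


def lockout_risk(items, server, password_changed_at, threshold):
    """True when the stale copies alone could trip a lockout policy of `threshold` bad attempts."""
    return len(stale_items(items, server, password_changed_at)) >= threshold


def report(text, server, password_changed_at, threshold=3):
    items = parse_keychain_dump(text)
    for it in internet_items_by_server(items).get(server, []):
        a = it["attrs"]
        print(f"{server}  acct={a.get('acct')}  path={a.get('path')}  modified={a.get('mdat')}")
    n = len(stale_items(items, server, password_changed_at))
    risk = lockout_risk(items, server, password_changed_at, threshold)
    print(f"{n} item(s) predate the password change; threshold {threshold}: {'RISK' if risk else 'ok'}")


if __name__ == "__main__":
    report(SAMPLE_DUMP, "mail.example.com", "2015-01-10")
```

Once the stale items are identified they can be removed one at a time with `security delete-internet-password -s mail.example.com -a jdoe` (repeat until it reports no matching item) instead of resetting the whole keychain as in the accepted answer. Since the thread's observation is that new items get added alongside the old ones rather than replacing them, re-running the dump after each AD password change is a cheap way to catch the next set of duplicates before they hit the lockout threshold.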

Expert Comment

ID: 40577769
Great, glad you found the issue in the keychain. I agree that the setup is a bit odd; I couldn't even begin to explain how Apple configures their stuff, so you might be right on all 3: feature, bug and bad idea. What I do know is there is a long history of complications with Mac and AD accounts.
