Logging into TermServ via Remote Desktop from a non-bound Mac resets AD password and locks account

Posted on 2015-01-24
Last Modified: 2015-01-29
I have a user connecting to a Windows 2012 R2 TermServ from a MacBook: no VPN, no server bind, the Mac is not in Active Directory and is logged into with a local account. But as soon as the RDP connection is established, OWA kicks out that the PW has been changed and the account has to be unlocked. As long as the Mac then stays on, the account is fine, but once it is rebooted and RDP is established again, the same thing happens.

Does the Mac RDP client have some kind of cached pseudo-binding from a long-ago password change?
Question by: acdevadmin
LVL 17

Accepted Solution

bigeven2002 earned 500 total points
ID: 40568525

It sounds like there may be a stale password in the Mac keychain. You can try opening the Keychain Access app on the Mac under Utilities to see if there is an RDP entry for your Windows server. If not, you can try resetting the keychain, which generates a new one. This will likely clear out any other passwords stored in it as well, though.

But if you want to proceed with the keychain reset from Apple support:

    Open Keychain Access, which is in the Utilities folder within the Applications folder.
    From the Keychain Access menu, choose Preferences.
    Click General, then click Reset My Default Keychain.
    Authenticate with your account login password.
    Quit Keychain Access.
    Restart your computer.

Author Comment

ID: 40568678
What would be pushing the info to AD, though, and making it require an unlock? A failed login attempt with the bad PW in the keychain? It's not set to do that with 1 failed attempt.

Expert Comment

ID: 40568728
My thought is that it may be trying 3 times back to back with RDP. Since the RDP program is made by Microsoft, it could be trying multiple logins behind the scenes. I have seen this happen with Lync, so I figured that the RDP program may be trying it too.

Another thing that comes to mind: have you tried logging in with RDP using a different user account? Set up another domain account that has remote access to the server and see if that account gets locked out.

Author Comment

ID: 40568749
Thanks. The challenge is I won't often have access to this Mac. So I need to prepare a bevy of possible solutions for the small window of opportunity in which I will have access to it. I in fact haven't had access to it yet at all, just a report of the issue. Will hopefully get in front of it this week. I did also think, and hoped, that maybe there was a rapid-fire retry causing the issue, not being too familiar with Mac RDP clients. I will be looking at that first with the alternate account login and take it from there. Will report back. Thanks.

Expert Comment

ID: 40568834
Sounds good, thanks for the update.

Author Comment

ID: 40576857
OK, I was able to get in front of the MacBook today.
The issue was in fact stale passwords in the keychain. But there's a little more to it to clarify the situation, if not only for curiosity's sake, but also because what I found out may have implications in similar and even non-similar situations for others.

First, the issue was a little different than I first reported. The lockout wasn't occurring when logging into RDP but rather as soon as you logged into the Mac itself. Again, it was not bound to AD, so we're talking about logging into the local Mac account. We watched in AD as, seconds after login, the account would show as needing to be unlocked.

I first checked all the startup services to see if there was anything creating some kind of AD bind, whether it be VPN, Outlook, a mapped network drive or any other network-based service. There was nothing. I then checked the Outlook/Exchange keychain entry and it was blank, therefore triggering the Outlook storage, I suppose.

Poking around some more, I came across 3 entries for browser-based OWA keychain items. This fit with the "3 attempts and you're locked" GP rule, and sure enough all 3 had stale passwords. I updated the PW and, sure enough, no more lockouts.

So what is really strange and noteworthy here, then, is the fact that logging into the profile triggers these and I guess other (all?) keychain item authentication attempts at startup??? This seems really odd to me, but that is what was clearly happening. I don't know the Mac under the hood enough to decide whether to call this a feature, a bug or a bad idea. Additionally, new keychain items appear to not overwrite the old ones in this case, which is creating 3 failed attempts instead of 1, which would at least be easy to overcome, albeit transparently, without discovering this. Maybe someone can shed some light on what this process looks like behind the scenes, because I would imagine this could be the source of many troubles related to similar situations with domain logins that could go unnoticed. Could even be exploited, I suppose, as a pseudo denial-of-login type of thing. Though I suppose if you know someone's OWA link and username you could do this from any machine.
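The thread ends with the root cause (several stale stored credentials from one client tripping a 3-attempt lockout policy) but not with how an AD admin would pin the source down from the server side. The following is an added example, not code from the thread: it correlates constructed, simplified records modelled on the field names of Windows Security Event 4625 (logon failure, bad password) and 4740 (account locked out) to show which client burned the account's failure budget inside one lockout-counter window. The record layout, IPs, account names and the 30-minute reset window are all assumptions.

```python
"""Correlate bad-password failures with lockouts to find the offending client.
Added example, not from the thread; records below are constructed and modelled
on the Windows Security Event 4625 / 4740 field names, one record per line."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
LOCKOUT_THRESHOLD = 3                 # the "3 attempts" GPO described in the thread
RESET_WINDOW = timedelta(minutes=30)  # assumed "reset lockout counter after" setting
SAMPLE_LOG = """\
2015-01-28T08:02:11 EventID=4625 Account=jdoe SourceIP=10.1.20.57 SubStatus=0xC000006A
2015-01-28T08:02:11 EventID=4625 Account=jdoe SourceIP=10.1.20.57 SubStatus=0xC000006A
2015-01-28T08:02:12 EventID=4625 Account=jdoe SourceIP=10.1.20.57 SubStatus=0xC000006A
2015-01-28T08:02:13 EventID=4740 Account=jdoe CallerComputerName=EXCH01
2015-01-28T08:15:40 EventID=4625 Account=asmith SourceIP=10.1.30.9 SubStatus=0xC000006A
2015-01-28T08:50:00 EventID=4625 Account=asmith SourceIP=10.1.30.9 SubStatus=0xC000006A
2015-01-28T09:40:02 EventID=4625 Account=asmith SourceIP=10.1.30.9 SubStatus=0xC000006A
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(log_text):
    """Return [(timestamp, {field: value})] sorted oldest first."""
    records = []
    for line in filter(None, log_text.splitlines()):
        stamp, _, rest = line.partition(" ")
        records.append((datetime.fromisoformat(stamp), dict(FIELD_RE.findall(rest))))
    return sorted(records, key=lambda r: r[0])

def failure_sources(log_text, threshold=LOCKOUT_THRESHOLD, window=RESET_WINDOW):
    """account -> set of client IPs whose bad-password failures (SubStatus
    0xC000006A) alone reached `threshold` inside one reset window."""
    recent = defaultdict(deque)   # (account, ip) -> timestamps still inside the window
    flagged = defaultdict(set)
    for stamp, f in parse(log_text):
        if f.get("EventID") != "4625" or f.get("SubStatus") != "0xC000006A":
            continue
        q = recent[(f["Account"], f["SourceIP"])]
        q.append(stamp)
        while stamp - q[0] > window:  # failures older than the window no longer count
            q.popleft()
        if len(q) >= threshold:
            flagged[f["Account"]].add(f["SourceIP"])
    return dict(flagged)

def locked_accounts(log_text):
    """account -> CallerComputerName from 4740 lockout events."""
    return {f["Account"]: f["CallerComputerName"]
            for _, f in parse(log_text) if f.get("EventID") == "4740"}

if __name__ == "__main__":
    print(failure_sources(SAMPLE_LOG), locked_accounts(SAMPLE_LOG))
```

In the sample, jdoe's three rapid failures from one IP match the 4740 lockout, while asmith's three failures spread over more than the reset window never count as three at once.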

Expert Comment

ID: 40577769
Great, glad you found the issue in the keychain. I agree that the setup is a bit odd; I couldn't even begin to explain how Apple configures their stuff, so you might be right on all 3: feature, bug and bad idea. What I do know is there is a long history of complications with Mac and AD accounts.
