For anyone who has administered Macs with Active Directory (AD), it’s clear that Apple has struggled to properly support AD integration, which has given rise to various products and vendors addressing the many issues relating to it. Apple has even released its own improved AD client for OS X, called Apple’s Enterprise Connect, in an attempt to improve its AD integration (this product does not ship with OS X). Issues ranging from internal deadlocks, file system corruption, security system failures, authentication failures, login failures and system stability issues to Kerberos ticket expiration, Kerberos timing issues and Kerberos renewal lapses may occur with the existing AD client in OS X for some customers and users.
Aqua Connect continues to work internally and with our partners to support as many AD configurations with Mac OS as possible. While we don’t support every configuration just yet, there are a few that have been thoroughly tested and are supported. At this time, Aqua Connect supports the following AD configurations with our products:
- Mac server bound to AD in cached mode with no remote home folders.
- Using Centrify’s Server Suite: Mac server is bound to AD in mapped mode and assigned to a local account with local home folders.
- Using Centrify’s Server Suite: Mac server is bound to AD in mapped mode and assigned to a local account with remote home folders over a Windows file share (SMB or CIFS).
* Please keep in mind that if AD is not bound correctly to the Mac server, or does not consistently operate correctly with the Mac server, then Aqua Connect users will not be able to connect, or will not connect consistently, regardless of any method they try. The easiest way to test that AD is bound and operating correctly is to log in to the console of the server directly, then use fast user switching to switch directly to the AD user account without going through the Apple Login Window. This puts a strain on the AD client similar to having a second user log in to the server at the same time. If the user cannot log in at the console, they will not be able to log in through the server or the client. If the user cannot be switched to by the described method, then most of the time the user will not be able to log in through the server.
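A pre-flight check for the first supported configuration above, added here as an example and not Aqua Connect’s or Apple’s code: it parses `dsconfigad -show` output for the settings that correspond to cached mode with no remote homes (the assumption being that "cached mode" means mobile accounts are created at login and homes are forced to the startup disk), and confirms an AD short name resolves with `id` before the console fast-user-switch test is attempted. The field names follow the tool’s usual listing and the sample output is constructed, so compare both with your own server.

```shell
# Constructed sample of `dsconfigad -show` output (not from a real server);
# field names follow the tool's usual listing, so compare with your own.
SAMPLE_SHOW='You are bound to Active Directory:
  Active Directory Forest          = example.com
  Active Directory Domain          = example.com
  Computer Account                 = macserver$

Advanced Options - User Experience
  Create mobile account at login   = Enabled
  Require confirmation             = Disabled
  Force home to startup disk       = Enabled
  Network protocol to be used      = smb'

# Print the value of one "Key = Value" line. $1 = show output, $2 = key.
ad_field() {
    printf '%s\n' "$1" | awk -F' = ' -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# Return 0 when the binding looks like the first supported configuration
# (bound, mobile accounts cache credentials, homes on the local disk).
check_cached_local_binding() {
    out="$1"
    case "$out" in
        *"You are bound to Active Directory"*) ;;
        *) echo "FAIL: not bound to Active Directory"; return 1 ;;
    esac
    [ "$(ad_field "$out" "Create mobile account at login")" = "Enabled" ] ||
        { echo "FAIL: mobile (cached) accounts disabled"; return 1; }
    [ "$(ad_field "$out" "Force home to startup disk")" = "Enabled" ] ||
        { echo "FAIL: home folders not forced to the startup disk"; return 1; }
    echo "OK: binding matches the supported cached-mode configuration"
}

# Confirm an AD short name resolves through directory services before a
# console fast-user-switch or Aqua Connect login is attempted.
check_ad_user() {
    uid="$(id -u "$1" 2>/dev/null)" || { echo "FAIL: $1 does not resolve"; return 1; }
    echo "OK: $1 resolves to uid $uid"
}

# Live check on a Mac with dsconfigad; elsewhere use the constructed sample.
if command -v dsconfigad >/dev/null 2>&1; then
    check_cached_local_binding "$(dsconfigad -show 2>/dev/null)"
    if [ -n "${1:-}" ]; then check_ad_user "$1"; fi
else
    check_cached_local_binding "$SAMPLE_SHOW"
fi
```

Run it on the server as `sh check_ad.sh aduser`; a FAIL line before the fast-user-switch test usually explains why Aqua Connect logins for that account are also failing.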
Another option is to use Apple’s Enterprise Connect, an Active Directory professional services solution offered directly by Apple. If you are already using Apple’s Enterprise Connect successfully in your environment, Aqua Connect users should be able to log in without issue; however, note that this has not been tested in every possible combination at this time.