Authentication problem in Directory Utility (Standard Mode)

Similar Messages

• Directory Utility Crash

  Hi,
  I'm having a problem with Directory Utility. It crashes upon startup. The crash report indicates it can't find an image in GraphKit (see below). Any ideas what's going on? I am getting this on an iMac G5 with X.5.6. Thanks for any insight.
  DC
  Process: Directory Utility 2041
  Path: /Applications/Utilities/Directory Utility.app/Contents/MacOS/Directory Utility
  Identifier: com.apple.DirectoryUtility
  Version: ??? (???)
  Build Info: DirectoryServiceConfig-2940100~7
  Code Type: PPC (Native)
  Parent Process: launchd 1950
  Date/Time: 2009-02-11 14:49:52.715 -0600
  OS Version: Mac OS X 10.5.6 (9G55)
  Report Version: 6
  Exception Type: EXC_BREAKPOINT (SIGTRAP)
  Exception Codes: 0x0000000000000001, 0x000000008fe0105c
  Crashed Thread: 0
  Dyld Error Message:
  Library not loaded: /System/Library/PrivateFrameworks/GraphKit.framework/Versions/A/GraphKit
  Referenced from: /System/Library/PrivateFrameworks/ServerKit.framework/Versions/A/ServerKit
  Reason: image not found

  Have you installed Xcode tools by chance?
  http://discussions.apple.com/thread.jspa?threadID=1734602&tstart=2115
  Carolyn

• EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

  Hello everyone,
  Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
  Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
  I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
  Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
  However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
  This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
  Here's what happens:
  1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
  2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
  3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
  4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
  5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
  Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
  http://discussions.apple.com/thread.jspa?messageID=5967023
  http://discussions.apple.com/message.jspa?messageID=5982070
  these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
  If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
  Thanks,
  Andrew

  Hard to tell what is happening without looking at the application
  source, knowing what OS & hardware you're using etc. You might want to
  try running with different JVM versions to see if it's actually the VM
  that is the problem. If you have a support contract with BEA you could
  ask support to help you diagnose this.
  Regards,
  /Helena
  Ayub Khan wrote:
  I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
  application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
  seems to happen on loading the machine..the performance progressively gets worse
  and after a couple of seconds, all the threads stop responding. I checked the
  heap, cpu and the idle threads in the execute queue and there is nothing there
  to trigger alarms...there are quite a few idle threads still and the heap and
  the cpu utilization seem OK. On doing a thread dump, Is see that all the other
  threads seem to be in a state where they are waiting for data from LDAP and it
  is basically read only data that they are waiting on.
  Does anyone know what it is going on and help point me in the right direction.
  -Ayub

• Can't login after deleting a standard user on directory utility.

  My laptop was rebooted in an apple service center, they made a user account for me to use. I backed up my old user with migration using time machine. I changed the administrator to my old user account and tried to delete the other user but it kept on returning. After searching on how to delete user, I found a tutorial that promted me to delete that account using the directory utility found in Systems/Library/CoreServices.
  When I tried to log in again, my computer can't find the administrator user. The log in screen is empty and when I type the admin name and password, it would just load and nothing. On the password box, the little circle would just go round and round. Please help!

  Hi RHermann,
  I have some question.
  Does the user use a network account for login and how many users are affected by this problem?
  Did that happened with a local user account on the same PC, too?
  Which OS is running on your PC? Windows 7 64 Bit?
  Which server system do you use for the User server?
  Do you get any problem reports if you login after uninstall DIAdem?
  Can you tell me which HW you use? Dell HP …
  I hope that information will make it possible to detect your problem. :-)

• Directory Utility: "Name and Password you entered... do not match."  ????

  Happy New Year all!
  OS X 10.5 Server I think is slowly trying to kill me. I've had to re-install the system 3 times in as many months because of corruption with user accounts.
  What I am struggling with currently is Directory Utility. All clients have accounts set up on the server. If they are local (plugged into the LAN), Directory Utility works like a champ and configures the desired services as advertised. However, when they are remote from the site, Directory Utility is able to locate and communicate with the server and offers to set up all services (just as when connected to the LAN), but when asked to authenticate an error message states:
  "The name and password you entered for the user account on the server do not match."
  It makes no difference which username (standard user or admin) I try. At the same time those laptops that were configured locally but used remotely continue to work perfectly communicating with the server.
  Reading through the forums, I saw some (related?) suggestions recommending making changes to the options under the "Services" tab within Directory Utility (like unchecking LDAPv3). But I haven't found a combination of changing those options that gives me success. Someone else having a similar problem speculated it might have something to do with being behind an airport or router messing up the authentication. ???
  Does anyone have any thoughts or suggestions about this?
  Thanks!

  Ok Hannah. I have just had a bit of a read of some articles on the net and it seems that getting Hotmail to work with Mail.app is not easy.
  You may find some of the discussion in this thread helpful. https://discussions.apple.com/thread/3193359
  It starts off talking about mail on iPhone but towards the end there are some ideas about getting it going on Lion.
  It seems that an alternative is to try a plug-in for Mail.app that handles the communications with Hotmail. You may want to look at http://www.hawkwings.net/2011/07/26/hotmail-yahoo-and-lions-mail/  for some links. Note that I don't have Hotmail so I can not vouch for any of this.
  Mark

• Authentication on Active Directory using JNDI (A Proffessional Appraoch)

  I am using following code for getting authenticated on Active Directory by user logon name.
  Can any one tell me a more proffessional and fool proof appraoch for authenticating a user on Active Dir through my web interface ???
  thanks in advance
  * Created on Nov 10, 2004
  package auth;
  import java.util.Hashtable;
  import javax.naming.AuthenticationException;
  import javax.naming.Context;
  import javax.naming.NamingEnumeration;
  import javax.naming.NamingException;
  import javax.naming.directory.DirContext;
  import javax.naming.directory.InitialDirContext;
  import javax.naming.directory.SearchControls;
  import javax.naming.directory.SearchResult;
  * @author Tushar Agrawal
  * Created On Nov 10, 2004
  public class UserAuthentication {
       public UserAuthentication() {
            super();
       public NamingEnumeration loginToActiveDirectory(
            String logonName,
            String password,
            String domain) {
            boolean success = false;
            NamingEnumeration attrs = null;
            Hashtable env = new Hashtable(11);
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.PROVIDER_URL, "ldap://domain:389/dc=SECLORE,dc=com");
            env.put(Context.SECURITY_PRINCIPAL, logonName + "@" + domain);
            env.put(Context.SECURITY_CREDENTIALS, password);
            //env.put(Context.SECURITY_PROTOCOL, "ssl");
            env.put("java.naming.ldap.version", "3");
            env.put(Context.REFERRAL, "follow");
            try {
                 String base = "";
                 DirContext ctx = new InitialDirContext(env);
                 SearchControls controls = new SearchControls();
                 controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
                 controls.setReturningAttributes(
                      new String[] {
                           "sAMAccountName",
                           "userPrincipalName",
                           "displayName",
                           "memberOf",
                           "objectSid",
                           "title" });
                 NamingEnumeration e =
                      ctx.search(base, "sAMAccountName=" + logonName, controls);
                 if (e.hasMore()) {
                      SearchResult r = (SearchResult) e.next();
                      attrs = r.getAttributes().getAll();
                      /*while (attrs.hasMore()) {
                           System.out.println(attrs.next());
                      ctx.close();
            } catch (AuthenticationException e) {
                 System.err.println("Problem getting attribute: " + e);
                 success = false;
            } catch (NamingException e) {
                 System.err.println("Problem getting attribute: " + e);
                 success = false;
            return attrs;
  tushar agrawal

  You''l find more info at :
  http://jakarta.apache.org/tomcat/tomcat-5.5-doc/catalina/funcspecs/fs-jndi-realm.html
  http://jakarta.apache.org/tomcat/tomcat-4.0-doc/realm-howto.html
  That's the right way to do it.

• Macbook Wireless Authentication Problem

  I am having a strange issue that I haven't seen much information in either the Leopard forum or the Snow Leopard forums. This issue started with the 10.5.8 upgrade. When I migrated to 10.5.8 the campus network wireless stopped working. The Campus Network runs on WPA Enterprise. I have no issues connecting to my WPA Personal network at home. Neither network broadcasts the SSID and both require authentication to access. The home network requires just a password to connect while the campus network requires both Username and Password authenticated via Active Directory. When connecting to the campus network opening the Network preferences pane shows Airport flashing Authenticating then Authenticated repeatedly. Eventually after 10-20 minutes of flashing the wireless will finally connect to the network. Console shows the following:
  Sep 14 07:35:31 ***** eapolclient[324]: PEAP: successfully authenticated
  Sep 14 07:35:32 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
  Sep 14 07:35:32 ***** eapolclient[324]: PEAP: successfully authenticated
  Sep 14 07:35:32 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
  Sep 14 07:35:32 ***** eapolclient[324]: PEAP: successfully authenticated
  Sep 14 07:35:33 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
  Sep 14 07:35:33 ***** eapolclient[324]: PEAP: successfully authenticated
  Sep 14 07:35:33 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
  Sep 14 07:35:33 ***** eapolclient[324]: PEAP: successfully authenticated
  Sep 14 07:35:33 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
  Sep 14 07:35:33 ***** eapolclient[324]: PEAP: successfully authenticated
  Sep 14 07:35:34 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
  Sep 14 07:35:34 ***** eapolclient[324]: PEAP: successfully authenticated
  Sep 14 07:35:34 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
  Sep 14 07:35:34 ***** eapolclient[324]: PEAP: successfully authenticated
  Sep 14 07:35:35 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
  Sep 14 07:35:35 ***** eapolclient[324]: PEAP: successfully authenticated
  Sep 14 07:35:36 ***** configd[15]: network configuration changed.
  Following the instructions here:
  http://www.viewfromthedock.com/2009/08/temp-fix-for-10-5-8-airport-bug/
  Which has you replace the following 2 files fixes the issue:
  AppleAirport.kext
  IO80211Family.kext
  Now that I have upgraded to Snow Leopard the problem is back again. This is a completely fresh loaded laptop. I erased and formatted the hard drive before installing Snow Leopard. I'm running an older Macbook that uses the Atheros card. A guy I work with has a slightly newer Macbook running a Broadcom card that doesn't have this issue.
  I do have a log file I generated from this post:
  http://discussions.apple.com/messageview.jspa?messageID=10123194
  If that would be helpful in getting the problem resolved.
  Thanks in advance.

  Here:
  Card Type: AirPort Extreme (0x14E4, 0x8D)
  Firmware Version: Broadcom BCM43xx 1.0 (5.10.91.19)
  Locale: ETSI
  Country Code: TW
  Supported PHY Modes: 802.11 a/b/g/n
  Supported Channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165
  Country code may vary, according to base stations in the vicinity. When I'm at home in the UK, code is TW. At work in the UK, code is US. Verbose startup of the OS reveals variety long before authentication, so I guess that the country code sometimes reflects the characteristics of a nearest capable base station.
  I have different issues in different environments. One of the issues is summarised at <http://discussions.apple.com/thread.jspa?messageID=10159356&#10159356> and in this area of Apple Discussions, I watch just a few other threads.

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• Directory Utility wont connect to Open Directory Server on Xserv 10.5.1

  I am trying to set up the ical service on the xserve, I have the server set up as the OD master when I went into the directory utility app it would not located the server until I changed the search policy to custom which included LDAPv3. Once I did that the server popped up in the directory utility list but it says "server is not responding"
  Any one else having this issue or know what might be the solution?

  Have you tried adding the server to the client using 'servername.local' instead of its DNS name? I have had flaky problems adding clients to the directory server using the DNS name and found using 'servername.local' to be much more reliable.

• Firefox 3.6.13 will not load gmail standard mode under Mac OS 10.6.5. Must go to basic HTML mode. Why?

  No problem with gmail basic HTML mode. But standard gmail standard mode hangs with the progress bar just short of the end. No problem loading standard mode in Safari 5.0.3.

  This is '''still ''' happening routinely in Firefox 3.6.16 with Snow Leopard and 10.6.7 latest versions.
  Have disabled all addons and the settings are as they should be (found many mentions of clearing cache and checking settings -- I'm in line w/ the rest).
  This is happening on all 4 macs that I use.

• Authentication problem - solved, but maybe a bug in Mac OS X?

  Hi,
  I've a rather small installation with only a handful of users configured on a Mac mini (Mac OS X Server, 10.6.8). All of them use the mail, calendar and addressbook server on the Mac, nothing more. They use it with Mac, iPhone and iPad. Everything worked fine for months but suddenly all of them were faced authentication problems: it was not possible to login on the imap server, the calendar server, the addressbook server. It was possible to login using the admin account on the server directly. Moreover, all users disappeared from the workgroup manager, however they still were available on the servers LDAP server and findable using ldapsearch.
  First, I used to completely restart the server to solve the problem, but it reappeared after only few hours again.
  Second, after understanding more about the authentication process, I found the "killall DirectoryService" was sufficient to solve the problem, but it still reappeared after few hours.
  Then I found the, once the problem occured, there was nearly no more communication to the local LDAP server on port 389 on localhost. When everything was working fine, the was a lot of such communication, including queries for usernames, when a login attempt was made. I started a "tcpdump -n -i lo0 port 389" and waited for the problem again. After the problem occured, I found in the pcap files that there were a few final query attempts, actually attempts the open a port 389 TCP connection to the slapd running on localhost, which were answered with a TCP RST. Then, no more attempts were made until l restarted the DirectoryService. Using the logfile of the slapd I found that this happened exactly at the time the slapd was stopped and restarted. And - surprisingly for me - stopping and restarting the slapd happened exactly once an hour.
  I then found that it happened exactly at the time the time machine backup process was started and indeed it was possible to trigger the event of restarting the slapd by manually starting a time machine backup.
  (Indeed, I switched my backup strategy from SuperDuper to time machine the other day and maybe that was the time the problem occured for the first time. I know that time machine is not considered as the best backup strategy for a server but I wanted to try on my own.)
  Google helped my to find a hint that time machine will actually stop and restart slapd - which is a generally a good idea, since otherwise a backup from some open database files would be made, which could work but may fail. So, I thing, someone of the developers thought about that problem too and has considered time machine for backups of a server.
  However, a not running slapd can not answer queries from a DirectoryService and a stopping or starting process might indeed end up with TCP SYNs answered with TCP RST.
  My solution was to disable time machine again and from that time the problem does not occur again.
  I'm wondering why the DirectoryService process isn't starting to query the slapd again after a failed connection. Isn't this a bug? After this experience I consider time machine as not only the not preferred backup solution for a server but as completely incompatible with Mac OS X server - although, as I said, it seems that someone thought about backing up the LDAP database using time machine.
  (On a Lion server this problem does not occur, the slapd will not be stopped and restarted when time machine is running. Moreover, I saw a com.apple.slapd.start notification in the slapd.log ... maybe this tells DirectoryService to try again.)
  Cheers,
  Wolfgang

  Another problem I found with the MacOS X key bindings: the 6 key doesn't work!
  In the config that ships with SQL Developer, I found this:
  <Item class="oracle.javatools.util.Pair">
  <first class="java.lang.String">DOCUMENT_6_CMD_ID</first>
  <second class="oracle.ide.keyboard.KeyStrokes">
  <data>
  <Item class="javax.swing.KeyStroke">6</Item>
  </data>
  </second>
  </Item>
  which should be:
  <Item class="oracle.javatools.util.Pair">
  <first class="java.lang.String">DOCUMENT_6_CMD_ID</first>
  <second class="oracle.ide.keyboard.KeyStrokes">
  <data>
  <Item class="javax.swing.KeyStroke">meta 6</Item>
  </data>
  </second>
  </Item>

• Where is Directory Utility

  I have a problem with permissions after migrating from an older macbook pro to a new one running snow leopard. I wanted to check on some user groups using the directory utility, but it is no longer in the Utility folder. Looking for help online suggests that in Snow Leopard it is in the Accounts preferences, but I can not see it - the preference window looks just the same as it did before and there is nothing to indicate where the Directory utility functions - setting root, for example - might be. Am I missing something?

  Barney-15E wrote:
  You can get to it via the Accounts prefpane. Click on the Network Account Server: Join… button.
  On my Snow Leopard installation, in the Accounts preference pane, I have to click on the Login Options box before the Network Account Server appears.

• Directory Utility keeps telling me the name and password do not match

  Installed Leopard Server on my Mini a few days ago, and I enabled Open Directory server.
  Added the server in my home network with directory utility on my laptop, and it works perfect both when I'm on the local network, and when I'm elsewhere.
  Tried doing the same at my Leopard iMac at work today. Finds the server just fine, but when trying to configure my machine locally I get an error message during Authentication that simply says "The name and password you entered for the user account on the server do not match".
  Now. I KNOW the username and password is correct. And I have the same username and password on this machine (both the long name, and the short one).
  So what am I doing wrong here?

  Christian,
  I've experienced similar issue recently. The most likely solution will be to delete the user and recreate it using same uid and username. I'm going to look for other solutions prior to that.

• Authentication Delays / Slow Authentication for Open Directory Users

  I'm experiencing delays when authenticating Open Directory users and it absolutely has me at my wit's end.
  The problem is quite simple: any time an Open Directory user authenticates his password there is a delay of at least 5-10 seconds. This goes for clients that are bound to the directory server and also authenticating locally on the server. Here are some examples:
  * On the server, there is a several second delay on the Login Window screen when trying to log in using an Open Directory account. Logging in as a local user is instantaneous.
  * In Workgroup manager, authenticating as the Directory Administrator takes several seconds.
  * On a remote computer, sharing the screen using an Open Directory user take several seconds and again, a local user is instantaneous. Screen sharing takes particularly long and often temporarily shows a sheet saying it has lost the connection with the server while authenticating.
  * Connecting with AFP takes several seconds when using an Open Directory login
  * On a client computer, unlocking the screen after sleep or screen saver takes several seconds for Open Directory users
  * Connecting with SSH does NOT exhibit the behavior
  In addition to all of this, I've seen periodic random unexplainable freezes for several seconds on client computers that are bound to the directory even when logged in as a local user account (and with no other users logged in.) For example, launching applications often results in a freeze. After unbinding the computer from the directory the problem goes away entirely.
  The history of the problem:
  Used Tiger Server for over a year = no problems
  Clean install of Leopard Server 10.5.0 back in October = no problems
  Update to Leopard Server 10.5.1 = no problems
  Then, all of the sudden one day several weeks back I started having problems. The server had been up for a few weeks. I didn't install any updates. I didn't change any configuration. Literally the only thing that I had done recently was unplug the Apple Cinema Display and keyboard+mouse that was connected to the server. Then I started having problems so I plugged the display, keyboard and mouse back in to troubleshoot it. I cleared the directory services caches on my server and clients and rebooted the Airport Base Station that's serving as my router and eventually the problem went away. I wish I could tell you which of those things resolved the problem but I have no idea. It was fine for a couple more weeks (and incidentally I once again unplugged the display, keyboard and mouse from the server). Then last week I started having problems again and this time no amount of rebooting, cache clearing, rebinding, troubleshooting using information in these forums or anything else will fix the problem. I only mention the display/keyboard/mouse thing because it's literally the only thing I changed around the time the problems started happening. I truly don't think it has anything to do with it.
  So in desperation I backed up and did a clean install today. Here's the process I used:
  0. Erase the disk
  1. Install Leopard Server 10.5.0 from the install DVD
  2. In the setup assistant, use the Advanced Configuration option but I didn't enable any services. Set up network settings and host name of myserver.mydomain.private.
  3. Reboot
  4. Use Software Update to update to 10.5.1 and Security Update 2007-009 v1.1
  5. Reboot
  6. Configure DNS (see below for detailed configuration)
  7. Reboot
  8. Change role to Open Directory Master
  9. Reboot
  ... and the problem is still there. Simply logging into the server GUI with the Directory Administrator account has the delay. Authenticating in Workgroup Manager has the delay. I haven't even bothered to set up AFP or any other users yet. I'm truly at my wit's end and I'm ready to chuck the server out the window.
  I've done a lot of googling and searching of these forums looking for answers. All of the responses seem to point to a problem with DNS or with the Kerberos realm. I believe all of my setup is correct. Here it is:
  == Basic Configuration ==
  OS: Mac OS X Server 10.5.1 (9B18) with Security Update 2007-009 v.1.1
  Services Enabled:
  DNS
  Open Directory
  (All other services are not yet enabled)
  == DNS Setup ==
  Primary Zone: mydomain.private.
  Allows zone transfer: no
  Nameservers: ns.mydomain.private.
  myserver (Machine) 10.0.22.201
  ns (Alias) myserver.mydomain.private.
  Reverse Zone: 22.0.10.in-addr.arpa.
  10.0.22.201 (Reverse Mapping) myserver.mydomain.private.
  Accept recursive queries from the following networks:
  localnets
  Forwarder IP Addresses:
  208.67.222.222
  208.67.220.220
  == Open Directory Setup ==
  Role: Open Directory Master
  LDAP Search Base: dc=myserver,dc=mydomain,dc=private
  Kerberos Realm: myserver.mydomain.private
  == Network Configuration ==
  Configure: Manually
  IP Address: 10.0.22.201
  Subnet Mask: 255.255.255.0
  Router: 10.0.22.1
  DNS Server: 127.0.0.1
  Search Domains: mydomain.private
  == Other Stuff ==
  Using 'changeip -checkhostname' verifies that the hostname and DNS hostname are both myserver.mydomain.private.
  I set the realm to myserver.mydomain.private (though the default was myserver.local) based on the advice of another poster to this forum. Kerberos.app reveals something interesting: the kdc and admin servers are both myserver.local and the domains are .local and local. I tried changing all instances of 'local' to 'mydomain.private' to see if that would solve the problem. No luck.
  I verified on a client that 'host myserver' and 'host 10.0.22.201' return proper DNS and reverse DNS resolutions.
  Hopefully one of the gurus out there will be able to help me out.
  Thanks,
  jeff

  I gathered together some log information for when I try to authenticate user 'diradmin' in Workgroup Manager. You can see from the log messages that this authentication took 4 seconds. There's an interesting error message in slapd.log (see below) but it doesn't say what it's looking for in the keytab that it's not finding. Grr! I've provided a listing of the principles in my keytab. I haven't monkeyed around with it at all -- this is just what resulted from promoting the server to an Open Directory Master.
  == kdc.log ==
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): handling authdata
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](debug): .. .. ok
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:48 myserver.mydomain.private krb5kdc[79](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for krbtgt/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  Dec 30 18:21:52 myserver.mydomain.private krb5kdc[79](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) fe80::216:cbff:fea5:f3ce: ISSUE: authtime 1199060508, etypes {rep=16 tkt=16 ses=16}, [email protected] for ldap/[email protected]
  == slapd.log ==
  Dec 30 18:21:48 myserver slapd[36]: <= bdbsubstringcandidates: (authAuthority) index_param failed (18)
  Dec 30 18:21:52 myserver slapd[36]: SASL [conn=20] Failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
  == sudo klist -k ==
  Keytab name: FILE:/etc/krb5.keytab
  KVNO Principal
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 afpserver/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4 D0DDB570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 cifs/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB 570D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 vnc/LKDC:SHA1.D711BEA4D0DDB570D64ED88C5D06A78A34B7167C@LKDC:SHA1.D711BEA4D0DDB5 70D64ED88C5D06A78A34B7167C
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 cifs/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 ldap/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 xgrid/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 vpn/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 ipp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 xmpp/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 XMPP/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 host/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 smtp/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 nfs/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 http/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 HTTP/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 pop/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 imap/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 ftp/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]
  3 afpserver/[email protected]

• Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

  Hi,
  I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
  Error is enclosed & here is the port configuration.
  Port Configuration.
  interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30
  Please help.

  The error message means that Active Directory server Reject the authentication attempt
  as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
  Event Logs why did the user account got locked.
  Under Even Viewers, You can find it out
  Regards
  Minakshi (Do rate the helpful posts)