Active Directory Authentication Failure when AutoProxyDiscovery or Automatic Proxy Configuration enabled

Originator: calum.h
Number: rdar://22183105
Date Originated: 07-Aug-2015 01:05 PM
Status: Closed as Duplicate of 21986520
Resolved:
Product: OS X
Product Version: 10.11/15A244d
Classification: Serious Bug
Reproducible: Always
 
Summary:
When an El Capitan Mac is bound to Active Directory and the Mac is configured to use Auto Proxy Discovery or Automatic Proxy Configuration, the Mac is unable to authenticate users to AD.

Authentication failure is shown by failed logins via the LoginWindow as well as attempts to log in on the command line by using: su <username>

Attempts to use dscl to read a user record also fail. (Error: DS Error: -14136 (eDSRecordNotFound))

Even when a machine is on a subnet where the DHCP server does not provide a proxy URL via DHCP options, having the Auto Proxy Discovery checkbox ticked results in failed AD authentication.

This appears to be an issue introduced in Beta 3 and is also present in Beta 4, Beta 5 and Beta 6. It does not occur in Beta 2, however.

If a bogus URL is specified when using Automatic Proxy Configuration, i.e. http://foo.local:3000/proxy.pac, then authentication is successful.

The issue does not occur when specifying Web Proxy (HTTP) and Secure Web Proxy (HTTPS) server addresses.


Steps to Reproduce:
1. Install El Capitan and update to Beta 6
2. Bind to Active Directory using Directory Utility
3. Reboot machine
4. Login with Active Directory user and confirm authentication is successful.
5. Log out and log in as Local Administrator
6. Enable Auto Proxy Discovery in System Preferences
	Note: It is NOT a requirement to have a DHCP server providing option 252 for this issue to occur; it occurs with and without this option being provided via DHCP.
7. Reboot
8. Attempt to log in with Active Directory user via various methods: LoginWindow and CLI utility 'su'
9. System will fail to authenticate users.
10. Disable Auto Proxy Discovery
11. Reboot
12. Attempt to authenticate AD users
13. System will authenticate AD users without error.


Expected Results:
AD user authentication should not fail when Auto Proxy Discovery or Automatic Proxy Configuration is in use.


Actual Results:
User authentication fails with little to no errors - I have attached opendirectoryd debug logs from successful and failed login attempts.


Regression:
This problem does not occur in El Capitan Beta 2; however, it is present in Beta 3, Beta 4, Beta 5 and Beta 6.
This problem does not occur in 10.10.4.

Notes:
We are using Blue Coat proxy servers; however, tcpdumps and proxy logs indicate that no traffic is ever contacting the proxy server during an AD login attempt.
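
A triage check for the configurations described in this report, as an added example that is not part of the original radar: it classifies `scutil --proxy` output into the settings reported as failing (Auto Proxy Discovery, Automatic Proxy Configuration) and those reported as working (manual HTTP/HTTPS proxies). The sample outputs, the `proxy.example.com` names and the REVIEW/OK verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the radar): flag proxy settings that match the
# configurations the report ties to failed AD authentication.
classify_proxy_config() {   # stdin: `scutil --proxy` text; stdout: one verdict
    awk -F' : ' '
        { gsub(/^[ \t]+/, "", $1) }                 # strip indentation from key
        $1 == "ProxyAutoDiscoveryEnable" { wpad = ($2 + 0 == 1) }
        $1 == "ProxyAutoConfigEnable"    { pac  = ($2 + 0 == 1) }
        $1 == "ProxyAutoConfigURLString" { url  = $2 }
        $1 == "HTTPEnable" || $1 == "HTTPSEnable" { if ($2 + 0 == 1) manual = 1 }
        END {
            # The report saw failures with discovery ticked even without DHCP
            # option 252, so this flag alone is enough to flag the host.
            if (wpad)        print "REVIEW auto-discovery"
            # A bogus PAC URL did not trigger the failure in the report, so a
            # PAC match means "test an AD login", not "known broken".
            else if (pac)    print "REVIEW pac " url
            else if (manual) print "OK manual-proxy"
            else             print "OK no-proxy"
        }'
}
# Constructed sample outputs (not captured from a real host).
sample_auto_discovery() { cat <<'EOF'
<dictionary> {
  ExceptionsList : <array> {
    0 : *.local
  }
  ProxyAutoDiscoveryEnable : 1
}
EOF
}
sample_pac() { cat <<'EOF'
<dictionary> {
  ProxyAutoConfigEnable : 1
  ProxyAutoConfigURLString : http://proxy.example.com/proxy.pac
}
EOF
}
sample_manual() { cat <<'EOF'
<dictionary> {
  HTTPEnable : 1
  HTTPProxy : proxy.example.com
  HTTPSEnable : 1
}
EOF
}
# On a Mac, classify the live configuration; skipped where scutil is absent.
if command -v scutil >/dev/null 2>&1; then scutil --proxy | classify_proxy_config; fi
```

A REVIEW verdict on an AD-bound host running an affected beta is a prompt to repeat steps 8 and 12 above on that host, not proof that logins are failing.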
