It's easy to integrate Mac OS X into an Active Directory environment. This chapter shows you how.
This chapter is from the book
Apple Training Series: Mac OS X Directory Services v10.5
Active Directory is Microsoft’s directory services solution that provides LDAP and Kerberos services for identification and authentication. Many organizations with Windows computers use Active Directory because it provides these features:
It is easy to integrate Mac OS X into an Active Directory environment. Although Mac OS X computers can access directory information provided by Active Directory via the LDAPv3 plug-in, you should use the Active Directory plug-in, which provides the following capabilities:
In this chapter you will learn how to use both Directory Utility and the command line to bind to Active Directory, and to modify the default settings for the Active Directory plug-in to enable login and access to a network home folder. You will learn how to overcome problems with your initial bind to Active Directory, and you will learn troubleshooting techniques for login problems with an Active Directory user account.
Configuring Mac OS X to Log In Using Active Directory
You can either use Directory Utility or dsconfigad to bind a Mac OS X client computer to an Active Directory domain. dsconfigad allows you to configure some features that Directory Utility does not expose, but if you use dsconfigad you need to take some additional steps (such as enabling the Active Directory plug-in and adding the Active Directory node to your search paths). Before you can bind with either method, however, you need to know a few things about your Active Directory service.
Understanding Active Directory Terms
When you bind to Active Directory, you need to know the domain name and you must have the credentials of a user who has authorization to join computers to Active Directory.
A domain is the building block of Active Directory; it is a collection of directory objects such as users, groups, and computers. An Active Directory domain requires a domain controller, which can be a computer running any version of Windows Server 2000 through Windows Server 2008. A domain is identified by its DNS namespace; in this book the example server windows-server.pretendco.com hosts the domain pretendco.com. Active Directory relies on DNS records generated by a DNS service that is tightly integrated with Active Directory, so you should configure Mac OS X to use the DNS service associated with the Active Directory domain before attempting to bind.
A tree is one or more domains in a contiguous name space. A forest is a set of domain trees that have a common schema and global catalog, which is used to describe a best-effort collection of all the resources in a domain. The global catalog is commonly used for email address lookups.
Like standard Windows clients, Mac OS X binds to only one Active Directory domain at a time.
Understanding the Active Directory Computer Object
When you bind a Mac OS X client computer to Active Directory, you use or create a computer object for Mac OS X. Just like user objects, computer objects are used for identification, authentication, and authorization. The computer object has rights to do certain things, such as to bind and update its own DNS record.
When you bind a Mac OS X computer to Active Directory, Mac OS X uses the user credentials you supply to set up a computer account and password. This password is a shared secret between your Mac OS X computer and the Active Directory service. Your Mac OS X computer uses this password to authenticate to Active Directory and set up a secure channel to enable your Mac OS X computer to communicate with Active Directory. The password is randomly generated, and is unrelated to the user account you use to perform the bind. For more information, see “Confirming Your Active Directory Plug-in and the Samba Service Are Using the Same Active Directory Computer Password” in Chapter 8.
If you delete the computer object or reset the computer object password in Active Directory, you need to rebind Mac OS X to Active Directory in order for Mac OS X to access Active Directory.
When you use Directory Utility to bind to Active Directory, Directory Utility suggests a computer ID to use for the name of the Active Directory computer object. This computer ID is based on the computer name or Bonjour name that you set in the Sharing pane of System Preferences. If your computer name is longer than 15 characters, you may experience errors when binding to Active Directory. Also note that Directory Utility may replace any instance of a dash (-) with an underscore (_) and change capital letters to lowercase in the suggested computer ID. You should use the same Mac OS X computer name and Active Directory computer name to help keep track of computer names, unless you have a good reason not to do so.
Specifying a User to Create the Computer Object
When binding to Active Directory, you need to supply the credentials of an Active Directory administrator or user who is authorized to create computer objects. By default, you can use a regular Active Directory user to bind to Active Directory ten times, but after that you will encounter an error. “Troubleshooting Binding Issues,” later in this chapter, offers some solutions for this problem.
Binding to Active Directory with Directory Utility
The simplest way to bind Mac OS X to Active Directory is to use Directory Utility with all the default settings in place. The steps are as follows:
Mac OS X attempts to bind to Active Directory with the default settings.
Logging In as an Active Directory User on Mac OS X
Once you bind your Mac OS X computer to Active Directory, you can log in with your Active Directory user account at your Mac OS X login window.
The following figure shows the default desktop for an Active Directory user who logs in to a Mac OS X computer. Note that the home folder is located on the startup disk (Option-clicking the name of a folder in the title bar of a Finder window reveals the path to the folder). The user launched the Kerberos application (in /System/Library/CoreServices), which shows that Mac OS X obtained a Kerberos ticket-granting ticket (TGT) for the user as part of the login process.
Specifying a User Name at the Login Screen
By default the Mac OS X login window displays the names of local user accounts and Other to allow you to specify a user name from a different directory node, as shown in this figure.
When you choose Other, the login window reveals a field for Name and Password.
At the Mac OS X login window, you can use many combinations of the user identifiers “Full name,” “User login name,” or “User login name (Pre-Windows 2000)” from Active Directory, along with other elements of the domain name. Consider the figure at left, which shows a user created with Active Directory tools.
You can log in with any of the following names in the Name field in Mac OS X’s login window:
Understanding the Home Folder Default Behavior
When you log in with a user account for Active Directory, by default Mac OS X creates a home folder for the user on the startup disk in /Users/usershortname.
If a directory already exists with that name, Mac OS X will not create a new home folder. You may experience unexpected results because the Active Directory user does not have write permissions to the home folder.
See “Transitioning from a Local User to an Active Directory User,” later in this chapter, if that is appropriate for your situation.
Understanding Home Folder Synchronization
The default settings do not configure Mac OS X to synchronize the local home folder with a network home folder. If you log in as the same Active Directory user on multiple Mac OS X computers that are configured with the default settings for the Active Directory plug-in, you will have a different home folder on each computer, and the contents will not be synchronized. To prevent this situation you can do the following:
Changing the Active Directory Plug-in Default Settings
The Active Directory plug-in’s default settings might not meet your needs. For instance, you may not want to force local home folders on the startup disk, you may want to use custom mappings, or you may want to specify Active Directory groups whose members have local administrative access on your Mac OS X computer. In this section you will learn how to use Directory Utility and the command line to configure some of the advanced options of the Active Directory plug-in.
Follow these steps to use Directory Utility to access Active Directory Advanced Options:
Exploring the “User Experience” Advanced Options Pane
The default pane for Directory Utility’s Advanced Options is the User Experience pane, shown in the figure to the left.
The first option, “Create mobile account at login,” is disabled by default. A mobile account caches user credentials locally so they can be used when the computer is not connected to the directory node. See “Understanding Mobile Accounts” for more details about mobile accounts and synchronized home folders.
The “Force local home directory on startup disk” option is enabled by default. If you deselect this option, and an Active Directory user who does not have a network home folder defined logs in, Mac OS X creates a local home folder in /Users/username for the user when the user logs in (unless a local home folder already exists).
Specifying a Network Home Folder
There are two possible ways to specify a network home folder:
You must specify which file-sharing protocol to use: SMB or AFP (Apple Filing Protocol). SMB is the default setting, so it is easy to use Windows file services to host home folders for Active Directory users who log in to a Mac OS X computer.
New in Mac OS X v10.5 is full support for SMB packet signing, a security feature designed to prevent man-in-the-middle attacks, which is required by default on Windows Server 2003 SP1 and later. Many Windows Server administrators require client computers to use this option, which makes it impossible for computers using earlier versions of Mac OS X to access their SMB share points without installing third-party SMB client software.
AFP offers some advantages over SMB as a file service protocol for Mac OS X client computers: It is faster, native to Mac OS X, supports Time Machine and network Spotlight searching, has better auto-reconnect, and handles a wider range of file names in a mixed environment. Unfortunately, Windows servers do not offer AFP by default.
Although Windows Server 2000 and Windows Server 2003 can offer AFP via Services for Macintosh (SFM), the SFM version of AFP is not current. For example, SFM supports only 31 characters in a file name, which causes a problem when Mac OS X uses a long file name, such as ~/Library/Preferences/ByHost/com.apple.iCal.helper.0017f3e00523.plist. SFM is not recommended for Mac OS X network home folders. If you must use your Windows server for network home directories, consider running a third-party AFP file service, such as GroupLogic’s ExtremeZ-IP, on your Windows server.
You can use a Mac OS X Server to host network home folders for Active Directory users, whether they log in to Mac OS X computers or Windows computers. You can use Mac OS X Server’s AFP service for users who log in to Mac OS X computers, and Mac OS X Server’s SMB service for users who log in to Windows computers. Discourage users from logging in as the same user simultaneously on Mac OS X and Windows computers, because if they edit the same file over two different protocols at the same time, this could corrupt the file.
For more information about offering file services from a Mac OS X Server, see Chapter 10 of Mac OS X Advanced System Administration v10.5.
Logging In with a Windows Home Folder
If you use Active Directory tools to define a network home folder (dsAttrTypeNative:SMBHome) for the user, as shown in the figure to the left, Mac OS X mounts the network volume that contains that Active Directory home folder. Unless you specify otherwise, by default the Active Directory plug-in creates a local home folder on the startup disk, so Mac OS X mounts the Windows home folder but does not use it as the user’s home folder.
The network folder appears in the Dock, but the volume does not appear on the user’s desktop by default. The default preference for the Finder in Mac OS X v10.5 is to not display mounted network volumes on the desktop. To change this in the Finder, select Finder > Preferences and select the checkbox for “Connected servers.”
The next figure illustrates what the standard desktop looks like for an Active Directory user who has an Active Directory home folder defined. The user opened Finder preferences and enabled “Connected servers” so that the Windows share point appears on the desktop. Note also that the user’s home folder is located on the startup disk, which is the default setting for the Active Directory plug-in.
The figure below shows the desktop of an Active Directory user who has a Windows home folder set (dsAttrTypeStandard:SMBHome) and logs in to a Mac OS X computer that does not have the “force local home directory on startup disk” option enabled in the User Experience pane of the Active Directory plug-in.
Some things to note:
Changing User and Group Mappings
By default, the Active Directory plug-in generates a dsAttrTypeStandard:UniqueID for an Active Directory user record based on that user’s GUID attribute. The calculated UniqueID is unique across the domain, yet consistent across every Mac OS X computer in the domain. Likewise, the Active Directory plug-in generates a unique integer for each Active Directory group record as well. If you have extended your Active Directory schema, you can use the Mappings pane to access the appropriate attributes from the Active Directory user and group records.
Be forewarned that if you change the mappings, users may lose access to files that they previously owned or could access.
The Mappings pane, shown below, allows you to change the mappings for the following:
If the Active Directory schema were extended with Microsoft’s Services for UNIX, the following would hold:
If the Active Directory schema were extended with RFC2307 or Apple object classes and attributes:
Exploring the “Administrative” Advanced Options Pane
The “Prefer this domain server” option shown in the figure below specifies a domain controller to use for the initial bind.
Use the “Allow administration by” option to enable any user of the Active Directory groups that you specify to be in the group of local administrators for this Mac OS X computer. This is useful if you create an Active Directory group and populate it with users who should have the authority to administer the Mac OS X computers in your organization.
When you add Active Directory to your search path, Directory Utility adds the node Active Directory/All Domains to your search path by default. If you want to restrict the authentication search path to use specific domains only in your forest, follow these steps:
Creating the Computer Account in a Custom Location
Unless you specify otherwise, the Active Directory plug-in creates computer objects in the CN=Computers container of the domain that you specified when joining. Depending on the configuration of your domain controller, this may not be correct. For example, some administrators have a special container (CN) for all Mac OS X computers, while others use organizational units (OU).
Follow the steps listed below to tell the Active Directory plug-in to add the computer to the container CN=MacComputers,DC=pretendco,DC=com. Rather than binding from the default pane in Directory Utility, you will bind from within the Active Directory services pane, which offers different binding options.
Binding to Active Directory with dsconfigad
The dsconfigad command is particularly useful for scripting the process of binding to Active Directory, and it offers a way to bind with custom settings in one step. This command has drawbacks, however: It does not enable the plug-in, nor does it add the Active Directory node to the search paths. You must also use the defaults and dscl commands to accomplish those tasks.
To bind a computer to Active Directory with dsconfigad, collect the following information for the following dsconfigad options:
The commands listed below enable the Active Directory plug-in, bind to Active Directory, and add the Active Directory node to the authentication and contacts search paths:
Using Configuration Options Available Only with dsconfigad
dsconfigad offers much of the same functionality that Directory Utility offers: You can bind, unbind, set configuration options, and show the status of a bind. In addition, dsconfigad offers some functionality that Directory Utility does not offer, such as the following:
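As an added example (not the book's own commands, which this page does not reproduce): a POSIX shell script that applies the chapter's pre-flight rules (a computer ID of at most 15 characters, dashes rewritten to underscores and capitals to lowercase, DNS tied to the domain) and then runs the defaults, dsconfigad and dscl sequence the chapter describes, followed by the dsconfigad-only options. The dsconfigad flags (-a, -u, -p, -ou, -domain, -mobile, -localhome, -protocol, -groups), the "Active Directory" key in DirectoryService.plist and the dscl CSPSearchPath attribute are my assumptions about the 10.5-era syntax; check them against dsconfigad(8) on your client. DRY_RUN=1 (the default) prints the privileged commands with the password masked instead of running them.

```shell
#!/bin/sh
# Added example, not from the book: scripted Active Directory bind with the
# chapter's pre-flight checks. Assumed (not stated on the page): the
# dsconfigad flags used below, the "Active Directory" key in
# /Library/Preferences/DirectoryService/DirectoryService.plist, and the
# dscl /Search CSPSearchPath attribute, as on 10.5-era clients.

MAX_COMPUTER_ID_LEN=15      # the chapter warns that longer names cause bind errors
DRY_RUN=${DRY_RUN:-1}       # 1 = only print the privileged commands

# Apply the same rewrite Directory Utility applies to a suggested computer ID:
# capitals become lowercase and dashes become underscores.
normalize_computer_id() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '-' '_'
}

# Accept only a normalized ID of 1 to 15 characters.
validate_computer_id() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le "$MAX_COMPUTER_ID_LEN" ] || return 1
    case "$1" in *[!a-z0-9_]*) return 1 ;; esac
    return 0
}

# pretendco.com -> DC=pretendco,DC=com (domain part of the default container)
domain_to_dn() {
    printf 'DC=%s' "$1" | sed 's/\./,DC=/g'
}

# The chapter says the Mac must use the DNS service tied to the domain; make
# sure the domain controller locator record resolves before binding.
check_domain_dns() {
    host -t SRV "_ldap._tcp.dc._msdcs.$1" >/dev/null 2>&1
}

# Print a privileged command (password masked so it never lands in a log),
# or run it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        masked=""
        while [ $# -gt 0 ]; do
            if [ "$1" = "-p" ]; then masked="$masked -p ********"; shift 2; continue; fi
            masked="$masked $1"; shift
        done
        printf '+%s\n' "$masked"
    else
        "$@"
    fi
}

# The sequence the chapter describes: enable the plug-in, bind, then add the
# node to the authentication and contacts search paths. Optional 5th argument:
# the container for the computer object (default CN=Computers of the domain).
bind_to_ad() {
    raw_id=$1; domain=$2; ad_user=$3; ad_pass=$4
    container=${5:-"CN=Computers,$(domain_to_dn "$domain")"}
    computer_id=$(normalize_computer_id "$raw_id")
    if ! validate_computer_id "$computer_id"; then
        echo "refusing to bind: computer ID '$computer_id' is empty, longer than $MAX_COMPUTER_ID_LEN characters, or has unexpected characters" >&2
        return 1
    fi
    if [ "$DRY_RUN" != 1 ] && ! check_domain_dns "$domain"; then
        echo "refusing to bind: no _ldap._tcp.dc._msdcs SRV record for $domain" >&2
        return 1
    fi
    run defaults write /Library/Preferences/DirectoryService/DirectoryService \
        "Active Directory" Active
    run dsconfigad -a "$computer_id" -domain "$domain" -u "$ad_user" -p "$ad_pass" \
        -ou "$container"
    # Directory Utility adds "Active Directory/All Domains" by default; do the same.
    run dscl /Search -create / SearchPolicy CSPSearchPath
    run dscl /Search -append / CSPSearchPath "/Active Directory/All Domains"
    run dscl /Search/Contacts -create / SearchPolicy CSPSearchPath
    run dscl /Search/Contacts -append / CSPSearchPath "/Active Directory/All Domains"
}

# Options the chapter presents as advanced or dsconfigad-only: mobile accounts,
# no forced local home, AFP for network homes, and AD groups as local admins.
set_ad_options() {
    run dsconfigad -mobile enable -localhome disable -protocol afp -groups "$1"
}
```

Run it with DRY_RUN=0 as root on the client to perform the bind; afterwards dsconfigad -show reports the current bind state. Passing the password on the command line is shown for brevity only; in a real deployment read it from a prompt or a root-only file so it stays out of shell history and process listings.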
Providing Managed Preferences to Active Directory Users
Using Active Directory Group Policy Objects is the traditional method for managing users, groups, and computers, but Mac OS X is not compatible with Group Policy Objects. If you want to apply Managed Preferences to Mac OS X users, you could do any of the following:
Related Resources
NOTE: Between mid October 2019 and mid February 2020 everyone in the Army was migrated to use their PIV Authentication certificate for Email access. You no longer use the Email certificate for Enterprise Email. Mac users who choose to upgrade (or already have upgraded) to Mac OS Catalina (10.15.x) will need to uninstall all 3rd Party CAC enablers per https://militarycac.com/macuninstall.htm AND reenable the built-in smart card ability (see the very bottom of the macuninstall link above). If you purchased your Mac with OS Catalina (10.15.x) already installed, you can skip the uninstall part above and follow the instructions below. There are 6 'high level' steps; follow them down the page to make this a painless, systematic process.
Step 1: Is your CAC reader Mac friendly?
Visit the USB Readers page to verify the CAC reader you have is Mac friendly.
Visit the USB-C Readers page to verify the CAC reader you have is Mac friendly.
'Some, not all' CAC readers may need to have a driver installed to make it work.
NOTE: Readers such as: SCR-331 & SCR-3500A may need a firmware update (NO OTHER Readers need firmware updates).
Information about these specific readers is in Step 2.
Step 2: Can your Mac 'see' the reader?
Plug the CAC reader into an open USB port before proceeding, and give it a few moments to install.
Step 2a: Click the Apple Icon in the upper left corner of the desktop, select 'About This Mac'
Step 2b: Click the 'More Info' (button) (Mac OS 10.6.x and older); on Mac OS 10.7.x (and newer), proceed to step 2c
Step 2c: Click 'System Report..' (button) (Only shown in 10.7.x and newer)
Step 2d: Verify the CAC reader shows in Hardware, USB, under USB Device Tree. Different readers will show differently, most readers have no problem in this step. See Step 2d1 for specific reader issues.
Step 2d1: Verify firmware version on your SCR-331 or GSR-202, 202V, 203 CAC, or SCR-3500a reader. If you have a reader other than these 5, proceed directly to Step 3
Step 2d1a-SCR-331 reader
If your reader does not look like this, go to the next step.
In the 'Hardware' drop down, click 'USB.' On the right side of the screen under 'USB Device Tree' the window will display all hardware plugged into the USB ports on your Mac. Look for “SCRx31 USB Smart Card Reader.” If the Smart Card reader is present, look at 'Version' in the lower right corner of this box: If you have a number below 5.18, you need to update your firmware to 5.25. If you are already at 5.18 or 5.25, your reader is installed on your system, and no further hardware changes are required. You can now Quit System Profiler and continue to Step 3.
Step 2d1b-SCR-3500A reader
If you have the SCR3500A P/N:905430-1 CAC reader, you may need to install this driver, as the one that installs automatically will not work on most Macs. Hold the control key [on your keyboard] when clicking the .pkg file [with your mouse], then select [the word] Open
Step 3: Verify which version of Mac OS you have
(You need to know this information for step 6)
Step 3a: Click the Apple Icon in the upper left corner of your desktop and select 'About This Mac'
Step 3b: Look below Mac OS X for: Example: Version 10.X.X.
Step 4: Figure out which CAC (ID Card) you have
(You need to know this information for step 6)
Look at the top back of your ID card for these card types. If you have any version other than the six shown below, you need to visit an ID card office and have it replaced. All CACs [other than these six] were supposed to be replaced prior to 1 October 2012.
Find out how to flip card over video
Step 5: Install the DoD certificates (for Safari and Chrome Users)
Go to Keychain Access
Click: Go (top of screen), Utilities, double click Keychain Access.app
(You can also type: keychain access using Spotlight (this is my preferred method))
Select login (under Keychains), and All Items (under Category).
Download the 5 files via links below (you may need to <ctrl> click, select Download Linked File As.. on each link) Save to your downloads folder
Please know: if you have any DoD certificates already located in your keychain access, you will need to delete them prior to running the AllCerts.p7b file below.
https://militarycac.com/maccerts/AllCerts.p7b,
https://militarycac.com/maccerts/RootCert2.cer,
https://militarycac.com/maccerts/RootCert3.cer,
https://militarycac.com/maccerts/RootCert4.cer, and
Double click each of the files to install certificates into the login section of keychain
Select the Kind column, verify the arrow is pointing up, scroll down to certificate, look for all of the following certificates:
DOD EMAIL CA-33 through DOD EMAIL CA-34,
DOD EMAIL CA-39 through DOD EMAIL CA-44,
DOD EMAIL CA-49 through DOD EMAIL CA-52,
DOD EMAIL CA-59,
DOD ID CA-33 through DOD ID CA-34,
DOD ID CA-39 through DOD ID CA-44,
DOD ID CA-49 through DOD ID CA-52,
DOD ID CA-59
DOD ID SW CA-35 through DOD ID SW CA-38,
DOD ID SW CA-45 through DOD ID SW CA-48,
DoD Root CA 2 through DoD Root CA 5,
DOD SW CA-53 through DOD SW CA-58, and
DOD SW CA-60 through DOD SW CA-61
NOTE: If you are missing any of the above certificates, you have 2 choices,
1. Delete all of them, and re-run the 5 files above, or
2. Download the allcerts.zip file and install each of the certificates you are missing individually.
Errors:
Error 100001 Solution
Error 100013 Solution
You may notice some of the certificates will have a red circle with a white X. This means your computer does not trust those certificates.
You need to manually trust the DoD Root CA 2, 3, 4, & 5 certificates
Double click each of the DoD Root CA certificates, select the triangle next to Trust, in the When using this certificate: select Always Trust, repeat until all 4 do not have the red circle with a white X.
You may be prompted to enter computer password when you close the window
Once you select Always Trust, your icon will have a light blue circle with a white + on it.
The 'bad certs' that have caused problems for Windows users now show up in the keychain access section on some Macs. These need to be deleted / moved to trash.
The DoD Root CA 2 & 3 certificates you are removing have a light blue frame; leave the yellow frame version. The icons may or may not have a red circle with the white X.
If you have tried accessing CAC enabled sites prior to following these instructions, please go through this page before proceeding
Clearing the keychain (opens a new page)
Please come back to this page to continue installation instructions.
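An added example, not part of these instructions: before double-clicking a downloaded bundle into your login keychain, it is worth listing what is actually inside it and checking that the CAs the steps above expect (DoD Root CA 2 through 5, the DOD ID / EMAIL / SW CAs) are present, since a stale or incomplete bundle is the usual cause of the "missing certificates" situation in the NOTE above. The script below uses OpenSSL (shipped with macOS) to read a .p7b bundle and a single .cer file, and, on macOS only, the security(1) add-trusted-cert subcommand as a command-line equivalent of the "Always Trust" clicks. The function and variable names are mine; the certificate names come from the list above.

```shell
#!/bin/sh
# Added example, not part of the MilitaryCAC instructions: inspect a downloaded
# certificate bundle before importing it and confirm the expected CAs are in it.
# Assumes OpenSSL is installed and, on macOS only, security(1) add-trusted-cert.

# Print the subject line of every certificate in a .p7b (PKCS#7) bundle,
# trying DER first (the encoding the downloaded .p7b uses) and then PEM.
bundle_subjects() {
    { openssl pkcs7 -inform DER -in "$1" -print_certs -noout 2>/dev/null \
      || openssl pkcs7 -inform PEM -in "$1" -print_certs -noout 2>/dev/null; } \
      | grep '^subject='
}

# Return 0 if the bundle holds a certificate whose subject contains $2.
bundle_has_ca() {
    bundle_subjects "$1" | grep -qF -- "$2"
}

# Read expected CA names from stdin (one per line) and print each one that is
# missing from the bundle; exit status 0 only when nothing is missing.
missing_cas() {
    bundle=$1; missing=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        if ! bundle_has_ca "$bundle" "$name"; then
            printf 'MISSING: %s\n' "$name"; missing=1
        fi
    done
    return $missing
}

# The four roots the instructions say must be trusted manually.
expected_root_cas() {
    printf '%s\n' "DoD Root CA 2" "DoD Root CA 3" "DoD Root CA 4" "DoD Root CA 5"
}

# SHA-1 fingerprint of one .cer file (DER, then PEM), so the root you are about
# to trust can be compared with a fingerprint obtained from a separate source.
cert_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 2>/dev/null \
        || openssl x509 -inform PEM -in "$1" -noout -fingerprint -sha1
}

# macOS only: import a root into the default (login) keychain and mark it
# trusted, the command-line equivalent of "Always Trust" in Keychain Access.
trust_root_cert() {
    [ "$(uname)" = Darwin ] || { echo "skipping: not macOS" >&2; return 2; }
    security add-trusted-cert -r trustRoot "$1"
}

# Typical use: expected_root_cas | missing_cas ~/Downloads/AllCerts.p7b
```

If missing_cas reports any of the four roots, re-download the bundle rather than importing what you have; if it reports none but Keychain Access still shows the red X, the trust setting (not the certificate) is what is missing, which is what the Always Trust steps above fix.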
Step 5a: DoD certificate installation instructions for Firefox users
NOTE: Firefox will not work on Catalina, or last 4 versions of Mac OS if using the native Apple smartcard ability
Download AllCerts.zip, [remember where you save it].
Double click the allcerts.zip file (it'll automatically extract into a new folder)
Option 1 to install the certificates (semi automated):
From inside the AllCerts extracted folder, select all of the certificates
<control> click (or Right click) the selected certificates, select Open With, Other..
In the Enable (selection box), change to All Applications
Select Firefox, then Open
You will see several dozen browser tabs open up; let it open as many as it wants.
You will eventually start seeing either of the 2 messages shown next
If the certificate is not already in Firefox, a window will pop up stating 'You have been asked to trust a new Certificate Authority (CA).'
Check all three boxes to allow the certificate to: identify websites, identify email users, and identify software developers
or
'Alert This certificate is already installed as a certificate authority.' Click OK
Once you've added all of the certificates..
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab)
• Press Network under the Advanced Tab
• In the Cached Web Content section, click Clear Now (button).
• Quit Firefox and restart it
Option 2 to install the certificates (very tedious manual):
Click Firefox (word) (upper left of your screen)
Preferences
Advanced (tab on left side of screen)
Certificates (tab)
View Certificates (button)
Authorities (tab)
Import (button)
Browse to the DoD certificates (AllCerts) extracted folder you downloaded and extracted above.
Note: You have to do this step for every single certificate
Note2: If the certificate is already in Firefox, a window will pop up stating: 'Alert This certificate is already installed as a certificate authority (CA).' Click OK
Note3: If the certificate is not already in Firefox, a window will pop up stating 'You have been asked to trust a new Certificate Authority (CA).'
Check all three boxes to allow the certificate to: identify websites, identify email users, and identify software developers
Once you've added all of the certificates..
• Click Firefox (word) (upper left of your screen)
• Preferences
• Advanced (tab)
• Press Network under the Advanced Tab
• In the Cached Web Content section, click Clear Now (button).
• Quit Firefox and restart it
Step 6: Decide which CAC enabler you can / want to use
Only for Mac El Capitan (10.11.x or older)
After installing the CAC enabler, restart the computer and go to a CAC enabled website
NOTE: Mac OS Sierra (10.12.x), High Sierra (10.13.x), Mojave (10.14.x) or Catalina (10.15.x) computers do not need a CAC Enabler.
Try to access the CAC enabled site you need to access now
Mac support provided by: Michael Danberry