Cross-platform functionality is a must in the current digital climate. While Windows easily has the largest market share at the moment, the fact of the matter is this – users will be working on both Windows and Mac operating systems. That is the truth of the digital world, as it exists today.[iii]

The struggles that this multi-platform landscape engenders are real, and they often create problems in corporate infrastructure when there is not a single method of proving and managing user identity.

Luckily, Active Directory is built to handle and support an environment that sees extensive use of both Windows and Macintosh OS X.

Microsoft Active Directory works inherently with the Microsoft Windows suite of Operating Systems, ever since the development and release of Windows 2000. With the simplicity inherent in the existing hierarchy, Active Directory is an obvious solution for organizations of any size, in virtually any business vector. Even personal networks may find Active Directory a viable choice, simply for the many doors that may be opened when AD is at the heart.

Notably, Active Directory has built-in support for the Kerberos authentication protocol (for more information see our Kerberos section below). This allows for a wide array of Single Sign-on and secure access control methods right out of the box.

For networks of any size, Active Directory has an answer.

To add a Windows Machine to your Active Directory Domain Controller, you need three (3) main things:

  • Knowledge of the appropriate DNS settings to point to the Domain.
  • Administrator credentials for the Active Directory Domain.
  • A recognizable machine name.

For more detailed instructions on adding a Windows machine to the Active Directory Domain, see Appendix 1.
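The three prerequisites above can be checked before the join is attempted. The following script is an added example, not part of the original text or of any Microsoft or Apple tooling: it validates the proposed computer name against the host-name rules a domain join enforces, and confirms that the machine's resolver can find a domain controller through the `_ldap._tcp.dc._msdcs.<domain>` SRV record (which is what "pointing DNS at the domain" has to make answerable). The same two checks apply before binding a Mac. The domain `corp.example.com`, the name `WS-FINANCE-01` and the sample SRV answer are constructed placeholders; the administrator credential is entered in the join dialog and is deliberately never stored in a script.

```shell
#!/bin/sh
# Added example, not from the original text: preflight checks for a domain
# join. "corp.example.com" and "WS-FINANCE-01" are constructed placeholders.
# The administrator credential is not handled here on purpose: it is typed
# into the join dialog, never embedded in a script.

# 1. Machine name: the join rejects names that break the NetBIOS/DNS
#    host-name rules, so check them up front: 1 to 15 characters, letters,
#    digits and hyphens only, no leading or trailing hyphen, not all digits.
valid_computer_name() {
    name=$1
    case "$name" in
        '')               return 1 ;;  # empty
        *[!A-Za-z0-9-]*)  return 1 ;;  # illegal character (space, underscore, ...)
        -*|*-)            return 1 ;;  # leading or trailing hyphen
    esac
    [ "${#name}" -le 15 ] || return 1  # NetBIOS name limit
    case "$name" in
        *[!0-9]*) return 0 ;;          # at least one non-digit: acceptable
        *)        return 1 ;;          # purely numeric names are rejected
    esac
}

# 2. DNS: a join locates a domain controller through the
#    _ldap._tcp.dc._msdcs.<domain> SRV record, so the resolver the machine
#    uses must be able to answer that query (i.e. it must be the AD DNS).
dc_srv_lookup() {
    domain=$1
    if command -v dig >/dev/null 2>&1; then
        dig +short SRV "_ldap._tcp.dc._msdcs.$domain"
    elif command -v host >/dev/null 2>&1; then
        host -t SRV "_ldap._tcp.dc._msdcs.$domain"
    else
        echo "no dig or host command available" >&2
        return 2
    fi
}

# Parse the answer text: "dig +short" prints "priority weight port target"
# per record; "host" ends each line with "SRV record priority weight port target".
# Returns 0 when at least one record names a controller.
has_dc_in_answer() {
    printf '%s\n' "$1" | grep -Eq '(^|record )[0-9]+ [0-9]+ [0-9]+ [A-Za-z0-9.-]+\.?$'
}

# Constructed sample answer, as dig +short would print it for a domain with
# two controllers (placeholder names).
SAMPLE_SRV_ANSWER='0 100 389 dc1.corp.example.com.
0 100 389 dc2.corp.example.com.'

# Run both checks for a proposed join and report what failed.
preflight() {
    domain=$1; name=$2
    valid_computer_name "$name" || { echo "bad computer name: $name" >&2; return 1; }
    answer=$(dc_srv_lookup "$domain") || return 1
    has_dc_in_answer "$answer" || { echo "no domain controller SRV record for $domain" >&2; return 1; }
    dcs=$(printf '%s\n' "$answer" | awk '{print $NF}' | tr '\n' ' ')
    echo "ok: $name can be joined to $domain (controllers: $dcs)"
}

# Usage: sh join-preflight.sh corp.example.com WS-FINANCE-01
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```

If the SRV lookup fails, the fix is almost always the first prerequisite: the machine is using a public or ISP resolver instead of the domain's DNS servers, and the join will fail with a "domain could not be contacted" error no matter how good the credentials are.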

Once the machine has been appropriately joined to the Active Directory domain, the login type may be adjusted as necessary for your environment. Login methods that can be configured natively in Windows include showing a list of users, requiring a username and password to be entered explicitly, or even authenticating through other services such as a Smart Card.[iv]

It’s no secret that Apple has their own unique way of doing things – far afield from the typical processes that many users with Windows machines are accustomed to. For authentication and identity management, Apple even developed and implements its own user repository, termed Open Directory (OD). However, that does not mean that an environment has to implement both AD and OD, nor should it shun users of the various Mac operating systems when a much simpler solution is available.

Mac OS X has out-of-the-box support for a variety of directory-service technologies including Active Directory.

Mac OS X uses Kerberos as its default authentication protocol, much the same as Windows 2000 and up. With this protocol in place, Mac OS X is primed and inherently capable of supporting many beneficial Active Directory functions, such as password policies, restrictions and enforcement. A simple-to-manage configuration within the Mac preferences will allow you to ‘Bind’ the machine to the Directory and configure the necessary Domain components from there. For more information on managing this configuration, see Appendix 1, Section B.

As any Mac user will know, Mac OS X has a somewhat unique manner of handling multiple passwords – the keychain. OS X creates a unique keychain for each individual user, as well as the machine, and encrypts passwords therein. In order to access the contents of the keychain, you need the appropriate master password.

As many users of both Mac and Windows machines have undoubtedly found – this functionality is not without its own curses and bumps in the road.

When a Mac machine is bound to an Active Directory domain, the machine creates a unique system password and saves it to the System Keychain for validation against Active Directory whenever a user logs in. By default, the Mac sets the expiration of this Keychain Password to 14 days, but it can be configured by use of the dsconfigad Terminal commands. For specifics, see Appendixes – dsconfigad Terminal Commands.
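The bind described two paragraphs above and the computer-account password interval described here are both driven from the same Terminal command. The script below is an added example, not part of the original text or of Apple's documentation: it binds the Mac with `dsconfigad -add`, sets the rotation interval with `dsconfigad -passinterval` (the page gives 14 days as the default), turns on signed and encrypted traffic to the domain controller, and then parses `dsconfigad -show` output to confirm the interval that is actually in force. The domain, computer name, OU, admin account and the sample `-show` output are constructed placeholders; the script assumes that `dsconfigad` prompts for the admin password when `-password` is omitted, so no secret is embedded.

```shell
#!/bin/sh
# Added example, not from the original text: bind a Mac to Active Directory
# with dsconfigad and control the computer-account (System Keychain)
# password rotation interval. Domain, computer name, OU and admin user are
# constructed placeholders; the admin password is typed at the prompt that
# dsconfigad shows when -password is omitted (assumption, see lead-in).

DOMAIN="corp.example.com"                  # placeholder domain
COMPUTER="mac-finance-01"                  # placeholder, must be unique in the domain
OU="OU=Macs,DC=corp,DC=example,DC=com"     # placeholder container for the computer object
ADMIN_USER="ad-join-admin"                 # placeholder account permitted to join machines
WANT_INTERVAL=30                           # days between trust-account password changes

bind_mac_to_ad() {
    # -add binds to the domain; -force replaces an existing computer object
    # with the same name instead of failing
    sudo dsconfigad -add "$DOMAIN" -computer "$COMPUTER" -ou "$OU" \
        -username "$ADMIN_USER" -force
    # The default rotation is 14 days (per the text); set the intended policy
    sudo dsconfigad -passinterval "$WANT_INTERVAL"
    # Cached mobile accounts let users log in while off-network without a
    # confirmation dialog at first login
    sudo dsconfigad -mobile enable -mobileconfirm disable
    # Require signed and encrypted LDAP traffic to the domain controller
    sudo dsconfigad -packetsign require -packetencrypt require
    # Read back the effective configuration
    sudo dsconfigad -show
}

# Extract the rotation interval from `dsconfigad -show` output passed as text.
password_interval_from_show() {
    printf '%s\n' "$1" |
        awk -F'= *' '/Password change interval/ { gsub(/[^0-9]/, "", $2); print $2; exit }'
}

# Compare the live value with the intended policy. A value of 0 means
# rotation is disabled, which is the condition to flag on a managed Mac.
check_password_interval() {
    actual=$(password_interval_from_show "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Constructed sample of the relevant part of `dsconfigad -show` output
# (same field layout as the real command; values are placeholders).
SAMPLE_SHOW='Active Directory Forest          = corp.example.com
Active Directory Domain          = corp.example.com
Computer Account                 = mac-finance-01$

Advanced Options - Administrative
  Packet signing                 = require
  Packet encryption              = require
  Password change interval       = 14'

# Usage: sudo sh bind-mac.sh bind
case "${1:-}" in
    bind) bind_mac_to_ad ;;
esac
```

Running `check_password_interval "$(sudo dsconfigad -show)" "$WANT_INTERVAL"` on a fleet of bound Macs is a cheap way to catch machines whose interval was changed by hand or left at a value that does not match the domain's computer-account policy; a mismatch between the interval the Mac uses and what the domain expects is one of the ways the System Keychain password falls out of sync and logins start failing.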

Important Note: The System Keychain is different from the Login Keychain, which is unique to each individual user account.

The Login Keychain acts as a secure storage vault for additional user passwords. Upon first login to the bound Macintosh machine, the Login Keychain will be created and the Password will be synchronized with the set Active Directory password.

For Macintosh users, the Active Directory password must be changed, prior to its expiration, within the Users & Groups section of System Preferences. In this manner, the OS automatically updates the Keychain credentials without any additional effort on behalf of the user.

One of the drawbacks to the Mac Keychain is the likelihood of forgetting your Keychain master password, or resetting the Active Directory password on another machine/in another location. If either of these events were to occur – the user would typically be required to create a new keychain and destroy the existing one.

One of the capabilities of proper integration with Active Directory is the use of password recovery to retrieve the forgotten/changed password in order to update it on the machine.[v] This route requires an extra step on behalf of the end user, but prevents loss of any important/necessary credentials.

OS X Desktop Password Reset

Desktop password reset is nothing new for Windows users – simply use the CTRL + ALT + DEL key combination to open up a window, which enables you to change your password as needed. It’s quite simple, but a feature that does not exist within Macintosh OS X by default. As noted above – the appropriate (and necessary) method of natively resetting your password in OS X is through the System & Users section of the System Preferences. In addition to synchronizing the Login Keychain, this process also updates the password directly in Active Directory – prepping the account for access in all other locations using the new credentials.

Another lacking feature in the native Active Directory setup, however, is that there is no way to reset a forgotten Active Directory password at the login screen of a Macintosh machine.

Fortunately, Active Directory Identity Management solutions do exist that will enable password recovery and self-service password reset directly from the Mac login screen to prevent any decrease in productivity and progress.