March 2, 2009

Safari 4 on OS X and Windows AD authentication

After a frustrating couple of days, I think I've figured out what bit me. Safari 4, or rather, a feature therein.

Background: At work, I use my iMac on our corporate network. This network uses Active Directory for all manner of tasks. At the time, my Mac was using local account authentication; however, I was running MS Office with Entourage, which was of course authenticating to our Exchange server. Our network had recently installed a web proxy filter, which required periodic (once per session, or less frequently) authentication to access the outside world. I'm also doing sub-rosa stuff with corkscrew to get SSH access out through the proxy server. So far, so good; all this stuff has been working for months.

Then I started getting locked out of my AD account. At first, this was hard to pin down, because everything I was using would cache credentials, so I would discover the next morning or after coming back from a system upgrade restart that I couldn't get mail. Highly annoying.

The AD server logs claimed that the auth request was coming from my machine's IP address, and was coming from MICROSOFT_AUTHENTICATION_PACKAGE or something close to that. Also, there would seem to be a string of failures in a row, resulting in a lockout - something between five and twenty tries, sometimes all within a second.

After a few days of fruitless troubleshooting (not using Entourage, not using my corkscrew hack, etc. etc.) I gave up and tried for a clean slate.

I switched my iMac over to authenticating against the AD domain, and as a result (because my local account had a different username than my domain account) I ended up with a new, clean account. All my work data was living in a fileserver folder anyway. I moved over a few plists in order to retain configs and license from some apps (BBEdit, Terminal, yadda). Just to be sure, I created a brand new Entourage profile (not copying over any office prefs) and put only my work email (not my personal accounts) on it.

Nope. I kept getting locked out. This was more annoying, because usually I'd discover it when trying to get out of my (locked) screen saver - and it wouldn't exit, because the account had been locked out.

Aha. I tried turning off the screen saver. Nope.

I went through my Apple keychain and deleted every entry that was from before the 'new account' switchover, and all entries with 'Microsoft' anywhere on them.

Nope. Still locked me out.

Then I thought really hard about what had changed on my computer. Yep. I'd installed the Safari 4 Beta.

So I downloaded the uninstaller (it comes with the installer) and backed out to Safari 3.

A couple of hours later, no lockouts.

Here's what I think was going on. Safari 4 had dutifully built me one of those 'Top Sites' walls, even though I told it I didn't want to see it unless I asked. However, I think Safari was still updating my various (ten to twenty) URLs from my Top Sites wall. And to do that, it needed to get through my corporate proxy authentication. As far as I could tell, it had not stuffed that credential anywhere into my main keychain - so it's possible it was storing it locally somewhere in the Safari app prefs.

Safari trying to update twenty 'Top Sites' at once would explain why sometimes the lockout logs showed twenty password failures in close succession.

I can't prove this is what's going on. However, after dumping back to Safari 3, the problem seems to have gone away.

I would suggest, on the incredibly long chance anyone from Apple reads this, that Safari be smart enough to update its Top Sites serially if there is an auth credential stored, and if that first attempt fails, to not try to update each remaining site - because it will definitely lock you out. My AD server is set to five tries before lockout, within a short timeframe, I think.
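The lockout mechanism described above, as an added simulation (my example, not code from the post or from Safari): an AD-style policy that locks an account after a threshold of failures inside a time window, driven once by a burst of parallel thumbnail refreshes presenting a stale cached proxy credential, and once by a serial refresh that stops at the first authentication failure. The threshold of five, the sixty-second window and the twenty-site list are constructed values.

```python
"""Stale cached credential vs. an account lockout policy: burst refresh vs. fail-fast."""
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    """Models an AD-style lockout: `threshold` failed auths within `window` seconds locks the account."""
    correct_password: str
    threshold: int = 5          # constructed value, matching the "five tries" in the post
    window: float = 60.0        # constructed observation window in seconds
    failures: list = field(default_factory=list)
    locked: bool = False

    def authenticate(self, password: str, now: float) -> bool:
        """Return True on success; record failures and lock once the threshold is reached."""
        if self.locked:
            return False
        if password == self.correct_password:
            return True
        # Keep only failures still inside the observation window, then count this one.
        self.failures = [t for t in self.failures if now - t <= self.window] + [now]
        if len(self.failures) >= self.threshold:
            self.locked = True
        return False


def refresh_parallel(sites, policy: LockoutPolicy, cached_pw: str, now: float = 0.0):
    """Every site fetch presents the cached credential at the same instant (the Top Sites burst)."""
    attempts = 0
    for _ in sites:
        policy.authenticate(cached_pw, now)
        attempts += 1
    return attempts, policy.locked


def refresh_serial_failfast(sites, policy: LockoutPolicy, cached_pw: str, now: float = 0.0):
    """Fetch one site at a time and stop at the first auth failure, leaving the user to re-enter it."""
    attempts = 0
    for i, _ in enumerate(sites):
        attempts += 1
        if not policy.authenticate(cached_pw, now + i):
            break
    return attempts, policy.locked


# Constructed sample: twenty Top Sites and a password that changed since Safari cached it.
SITES = [f"site{i}.example" for i in range(20)]

if __name__ == "__main__":
    print(refresh_parallel(SITES, LockoutPolicy("new-pw"), "old-pw"))        # (20, True)
    print(refresh_serial_failfast(SITES, LockoutPolicy("new-pw"), "old-pw"))  # (1, False)
```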

Posted by jbz at March 2, 2009 5:40 PM