AD bind apocalypse

If you bind your Macs to AD, you have probably heard or read that AD binding was going to break when Microsoft released a security patch.

Jamf had an excellent blog post explaining what was going on:

https://www.jamf.com/blog/advisory-macos-ad-cve/

This of course started the discussion (on Slack in #activedirectory) of why to bind to AD at all. In my opinion (and that of most of my fellow edu lab admins), binding Macs to AD is still the best way to manage shared macOS devices in labs. We also use 802.1X Wi-Fi login profiles, for example.

A lot of Mac admins (including myself) started filing tickets with Apple (Feedback Assistant!) and Microsoft to bring this problem to their attention.

Microsoft did postpone the definitive enforcement phase to October: https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

But there is better news: they released a patch that fixes the binding problem for macOS and Linux even with the AD PacRequestorEnforcement registry key set to “2”.

In this KB article, for example, the fix isn’t explicitly mentioned: https://support.microsoft.com/en-au/topic/april-12-2022-kb5012647-os-build-17763-2803-9a10c5c9-e65f-4ae1-a9c4-2db9a8eca4fc

With the help of my Windows colleague we were able to install the fix on the AD server and successfully bind with PacRequestorEnforcement set to “2”! We used Windows Server 2019 build 17763.2803. The build that didn’t work: 17763.2300.
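As an added example (not from the original post), here is a quick check you can run in an elevated PowerShell session on a Windows Server 2019 domain controller before flipping PacRequestorEnforcement to 2. It reads the KDC key documented in KB5008380 and the OS build from the standard CurrentVersion key, and compares the build against 17763.2803, the build the post reports as working; treating a missing value as 1 (deployment phase) is an assumption based on that KB.

```powershell
# Added example, not the post author's code. Reports the KDC enforcement
# setting and whether this Server 2019 DC has the build the post found working.
function Get-PacEnforcementStatus {
    $kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $verKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # PacRequestorEnforcement does not exist until an admin creates it.
    # Assumption: a missing value behaves as 1 (deployment phase) per KB5008380.
    $enforcement = (Get-ItemProperty -Path $kdcKey -Name PacRequestorEnforcement `
                    -ErrorAction SilentlyContinue).PacRequestorEnforcement
    if ($null -eq $enforcement) { $enforcement = 1 }

    $ver   = Get-ItemProperty -Path $verKey
    $build = [int]$ver.CurrentBuild   # 17763 for Windows Server 2019
    $ubr   = [int]$ver.UBR            # revision, e.g. 2803 in 17763.2803

    # Threshold taken from the post: 17763.2803 bound fine, 17763.2300 did not.
    # Only meaningful for Server 2019; other releases have their own build lines.
    $hasFix = ($build -eq 17763 -and $ubr -ge 2803)

    [pscustomobject]@{
        OSBuild                 = "$build.$ubr"
        PacRequestorEnforcement = $enforcement
        HasMacBindFix           = $hasFix
    }
}

$status = Get-PacEnforcementStatus
$status | Format-List

if ($status.PacRequestorEnforcement -eq 2 -and -not $status.HasMacBindFix) {
    Write-Warning ("PacRequestorEnforcement is 2 on build $($status.OSBuild): " +
                   "macOS/Linux AD binds are expected to fail. Install the " +
                   "April 2022 update (17763.2803 or later) before enforcing.")
}
elseif (-not $status.HasMacBindFix) {
    Write-Warning "Build $($status.OSBuild) predates the fix; patch before enforcement becomes mandatory."
}
```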

On Slack in the #activedirectory channel more admins had the same results.

Big thank you to Jaap for your help and to everybody in #activedirectory on Slack. We can breathe again!
