On October 11th, 2022 Microsoft pushed an update to enforce domain controller validation for Active Directory. The purpose of this update is to shore up a security bypass vulnerability that affects the Kerberos Privilege Attribute Certificate (PAC), allowing hackers to spoof domain controllers. This update had the side effect of preventing new MacOS devices from binding to Active Directory, as well as breaking the binding of currently bound devices after an operation such as a password change.
This was not unprecedented, however. Not by a long shot.
Back in the fall of 2021, network admins around the world were silently suffering from the “Bindpocalypse” as MacOS machines mysteriously stopped being able to communicate with AD. This cascaded into chaos as users were locked out and data was lost. At the root of the many issues were problems with Kerberos.
In response, Microsoft released a security patch and instructions for a manual fix to be applied to each controller. But the writing was on the wall – this fix was temporary, but the ultimate solution would remain unaccommodating to MacOS and third-party OSs. They set a date (and later pushed it back to Oct. 11, 2022) that the controller validation would be mandatorily enforced. At the time of writing, this date has come and passed and Active Directory no longer supports MacOS.
Why is my Mac device failing to bind to AD?
Frustrated admins googling this question will feel both vindicated and exasperated to see that the top results spanning back more than a decade illustrate the long, troubled history of binding Apple devices to Active Directory. This instance of an Active Directory Bindpocalypse is far from the first but, hopefully, it will be the last.
(Because everyone will learn their lesson and stop using deprecated on-premise directories. Right, guys? … Guys???)
How to Fix Audit Event ID 37 (Error 37)
From the Known Issues section on the patch documentation:
After installing Windows updates released November 9, 2021 or later on domain controllers (DCs), some customers might see the new audit Event ID 37 logged after certain password setting or change operations such as:
- Update or Repair failover cluster’s CNO or VCO
- Reset a user’s password from the Active Directory Users and Computers (dsa.msc) console
- Create a new user from the Active Directory Users and Computers (dsa.msc) console
- Change password for third-party, domain-joined devices
The key phrase here is “third party domain-joined devices”. Microsoft doesn’t say it outright, but they acknowledged that the enforcement of this patch has broken the ability to bind MacOS (and presumably other) devices to Active Directory.
Solution for Event ID 37
Microsoft did release potential fixes for Event ID 37. The hotfixes to reenable Mac devices included the installation of a patch and manually adjusting the PacRequestor Enforcement value on each affected switch.
However, this fix was only ever temporary. Microsoft used a multi-phase approach to phase out their patch (and the root vulnerability) over the course of about a year. As of the time of writing, Event ID 37 can’t be “solved” in such a way that reenables Mac devices. For reference, however, here are the patch notes according to Microsoft.
KB5008380—Authentication updates (CVE-2021-42287)
- Initial deployment –
- Introduction of the update, as well as the PacRequestorEnforcement registry key
- Second deployment –
- Removal of PacRequestorEnforcement value of 0 (ability to disable the registry key)
- Enforcement phase –
- Enforcement mode is enabled. Removal of PacRequestorEnforcement registry key
A Solution to Bind Mac to AD
Jamf Connect
The first solution experienced admins will come to is likely Jamf Connect. It’s a clear fix for the problem. Jamf is well known as the premier MDM for Apple devices and was built for just this purpose.
Jamf Connect, specifically, allows you to bind a user’s local account on their Mac to their institutional cloud identity, including Azure AD (Microsoft Entra ID). This makes authenticating to the network (and other services) a cinch, changing very little from the end-user’s perspective.
Jamf does reportedly support on-prem Active Directory authentication through its support for legacy protocols like Kerberos and LDAP, but the integration is limited due to the usual cloud/on-premise conflicts.
Replace Active Directory and Transition to Cloud
While Jamf is the best solution to get your MacOS devices managed in the same place as the rest of your network, it’s only a band-aid on the root problem: on-premise networks in the era of cloud computing.
Simply put, cloud isn’t the future – it’s the present. This instance of Windows dropping support for MacOS isn’t a Microsoft vs Apple squabble, it’s a step in the very gradual deprecation of Active Directory – an on-premise system built in the last millennium.
As has been the case for a while now, new software and tools are being built for the cloud. Trying to ground them in order to shoehorn compatibility into on-premise systems weakens functionality and security. The only way to secure your network and futureproof your organization is migrate to the cloud.
SecureW2’s JoinNow suite is the answer. We can bridge your on-prem directory to the cloud while you transition your network to avoid any unnecessary downtime. We provide not just a managed Cloud RADIUS to use as an authentication server, but world-class onboarding software for joining managed devices and to MDMs like Jamf!
As an official Microsoft Partner, SecureW2 can offer many solutions to improve your network security. Click here to see our pricing.
