How to get Mac users authenticated with BCCA


Article ID: 166421


Updated On:


Cloud Secure Web Gateway - Cloud SWG


I have macOS users that are not being authenticated with Cloud SWG (formerly known as WSS), but my Windows users are being authenticated.

How do I get Mac users authenticated with Cloud SWG via the Auth Connector (BCCA)?


For Mac users to be authenticated (identified) for Cloud SWG (formerly known as WSS) reporting and policy enforcement: 
1. the Mac computers must be joined to the Active Directory Domain, and 
2. the Mac computers must MAP a DRIVE to the Active Directory Domain Controller server (see details below); the AD server must be a Domain Controller (a Member Server is not enough).
"Windows SSO" authentication is designed for Windows operating systems.  Mac computers do not join or log in to the Active Directory Domain using the same protocols as Windows computers, so "Windows SSO" authentication does not work natively with Mac computers.
Mac computers join and log in to AD using LDAP, whereas Windows computers log in using SMB and netlogon.
BCCA (WindowsSSO) looks for "netlogon" events (triggered by SMB logins).  When a Mac computer logs in to the Active Directory Domain, "netlogon" is not used (LDAP is used instead), so BCCA will NOT see the login event.
To work around this issue, configure the Mac computers to MAP a NETWORK DRIVE as part of their AD login.  This causes the Mac to use SMB (and netlogon), and BCCA will see the "netlogon" event.
Create a "home" directory for the Mac users:
Then, in Active Directory, modify the Mac AD user by: 
- right-click on the user object and select "Properties"
- go to the "Profile" tab
- in the "Home folder" section select the "Connect" radio-button, and select a drive letter
- in the "To:" field, enter an SMB share, such as: 
\\server\Home\%username%  (you can literally type %username%)
   NOTE: for "server" you can enter an IP address (IP addr of your AD server), so that the SMB share would look like: 
CASE IS IMPORTANT: for the SMB share path, case IS important ("Home" is different than "home").
- On the Mac OSX system, open the "Directory Utility" and ENABLE the option: 
  "Use UNC path from Active Directory to derive network home location"
  ...and select "SMB" (for "Network protocol to be used").
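The Active Directory "Home folder" steps above can also be applied to several Mac users at once. The following PowerShell sketch is an added example, not part of the original article or Broadcom's tooling; it assumes the ActiveDirectory (RSAT) module is installed and that a per-user folder already exists under the share. The server name, share name, drive letter and account names are placeholders.

```powershell
# Added example, not vendor code. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your own values.
$Server    = 'server'           # Domain Controller hosting the share (name or IP address)
$ShareName = 'Home'             # must match the share's case exactly ("Home" is not "home")
$Drive     = 'H:'               # drive letter selected under "Connect"
$MacUsers  = 'user1', 'user2'   # constructed sample account names

$root = "\\$Server\$ShareName"

# Enumerate the share once. Enumerated names carry the on-disk case, which
# lets the loop below compare case-sensitively before writing to AD.
$folders = Get-ChildItem -LiteralPath $root -Directory -ErrorAction Stop |
    Select-Object -ExpandProperty Name

foreach ($sam in $MacUsers) {
    $user = Get-ADUser -Identity $sam -Properties HomeDirectory, HomeDrive
    $name = $user.SamAccountName

    # -cnotcontains is the case-sensitive form of -notcontains.
    if ($folders -cnotcontains $name) {
        Write-Warning "No folder named exactly '$name' under $root; skipping $sam."
        continue
    }

    # The Profile tab expands %username% when you type it there.
    # Set-ADUser stores the string literally, so build the full path here.
    $unc = "$root\$name"
    Set-ADUser -Identity $user -HomeDrive $Drive -HomeDirectory $unc

    # Read the attributes back to confirm what the Mac will receive at login.
    Get-ADUser -Identity $sam -Properties HomeDirectory, HomeDrive |
        Select-Object SamAccountName, HomeDrive, HomeDirectory
}
```

The script does not create folders or set share permissions; it only skips and warns when the expected folder is missing or differs in case.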
Once the above is properly configured, attempt to log in from the Mac again.
When logging in at the logon screen, the login format you need to use is: 


For example: 
 - username: user1
 - domain: domain2.lab.local
 - login is: user1@domain2.lab.local
If you log on incorrectly (using "username" only, and not the "user@domain" format), then even if you fix the name and type in the correct name after the login failure, it may still not work.  You may have to reboot the workstation and enter the correct "user@domain" format during the initial login.
This time, during login, the Mac should automatically establish a mapping to its own home directory.  This causes SMB network traffic and generates a login to the AD servers (via netlogon), and the BCCA should then register the user login event from the Mac user.