Mac Authentication Issues

This page is for Local IT and more advanced users.  It details how StudioCDN Mac Authentication works and how to troubleshoot issues.

If Mac users has problems authenticating they will see the HTTP /1.1 401 Authorization Required error below:

 

 

 

Requirements

The following requirements must be met for StudioCDN to work on a Mac:

 

1.

StudioCDN has been tested and works on OS X 10.6.8 (Snow Leopard) and above.

2.

The Mac must be bound to UMG Active Directory.  This can be a problem if a user has brought in their own machine.  To check see below:

3.

The user must login with their AD user name and password.  When they do this their machine will automatically create a Kerberos ticket.

4.

We strongly recommend users set a password unlock on their screen saver. This automatically refreshes their Kerberos ticket and avoids login issues if users don't boot up or login every day.

Some machines have still failed to work after following these instructions.  In these cases re-binding the Mac to AD has solved the problem.

 

How it works

Authentication on the Mac picks up the AD users credentials from the desktop, as on Windows.  The client and portal pick up the users current valid Kerberos ticket.

Recommendation - Screen Saver with Password Unlock

Some users have had issues with renewing Kerberos tickets on machines that are not logged out or shutdown everyday.  Setting a Screen Saver with a Password Unlock avoids this issue as unlocking your machine will automatically refresh your Kerberos ticket.  It also makes your machine more secure.

 

1.

Open System Preferences and select Desktop & Screen Saver:

 

2.

Choose the Screen Saver tab, select your desired saver and set the time to something like 20 minutes.

 

3.

Click on the back space to return to System Preferences and then choose Security & Privacy

 

4.

Choose the General tab and tick Require password and set the time to immediately

 

 

Check if Mac is AD Bound

All UMG built Macs will be AD Bound (and if not, will be brought into AD as part of the Casper project.)  However some machines are not and others have been brought into the office by users themselves.  To check:

 

1.

Click on the Apple logo and select System Preferences.

 

2.

In the System section select Users & Groups

 

3.

Click on Login Options.

4.

The Network Account Server should be GLOBAL.

 

If these conditions are not met please ask local Mac support to look at this machine.

         

Return to the StudioCDN Support Page