MSAD Login 3.0
for Macintosh OS X 10.4 (or greater) Universal Binary
© 2012 Pa-software
1. Welcome to MSAD Login
MSAD Login is a system that connects to a Windows server running Active Directory. This way of connecting to a Windows server allows OS X users to mount their home drive and get notifications when passwords are about to expire.
This method of logging in is very different from the method documented by Apple in that accounts are not tied to the server. This means that when you are not connected to the network you can still log in to your computer, which is of particular use for PowerBooks. It also has the benefit that no changes are needed in the Active Directory schema.
The login procedure also allows passwords to be changed on both the server and the Macintosh, as well as having different user names for the Macintosh and the Windows network. If the Macintosh user is different to the network user, only the network user's password will be checked and changed using MSAD Login.
MSAD Login also gives the option to pause the connection when you are not connected to the Windows network, for example when a laptop is taken out, so that you do not get connection errors.
The trial version has the following limitations:
1. The application will expire after 30 days or 20 mounted shares (whichever comes first).
2. A notification is displayed when the helper is run.
To purchase, visit: http://www.pa-software.com/products/
3. How do I use MSAD Login?
MSAD Login requires some knowledge of the Windows network and the Active Directory server details, as one of the requirements when you configure the system is that you need to know the Windows domain. Once the system is configured, apart from changing your password when it expires, there is little need to change any of the default settings.
It is recommended that you confirm the settings with the network administrator.
Please note: A user guide is available that gives a step-by-step guide to configuring the system.
Visit: http://www.pa-software.com/documentation/ for more information.
3.1 Running the Setup Assistant
After installation the Setup Assistant is run so that you can configure the system. The information required to configure MSAD Login is a domain for the Windows server running Active Directory e.g. for a local server hosting Active Directory with a computer address of 'home.headquarters.local', the domain would be 'headquarters.local'.
The next step is to set a home drive share address, for example: '$username$ home' (where $username$ is automatically replaced with your user name).
The last step allows you to select the users that will use MSAD Login.
3.2 Running MSAD Login
By default MSAD Login is run each time you log-in, but if you chose not to run MSAD Login after the set-up had finished, you can run it by either directly clicking on the helper (located in 'Library/Application Support/Pa-software/MSAD Login/Login helper.app') or logging out and logging back in.
The menu can also be shown by selecting 'Show server menu' in the MSAD Login system preferences.
This can be changed in the system preferences under 'Run when logging in'.
If this is the first time you have run MSAD Login you will be required to create a network password key. The required password is the one given to you by your network administrator or the one you are currently using to log-in to your Windows server account.
3.3 Possible connection problems
For Windows 2003 and 2008 server it is recommended to use TLS to connect as unencrypted connections are normally disabled by network administrators. TLS is required for Windows 2012 server.
Under OS X 10.4 and 10.5, if you are connecting to a Windows 2003 or 2008 server, the network communications are encrypted by default, which is not supported (this is supported under 10.6 onwards). To use the standard SMB communications, you will need to change the server's domain group policy (or get your network administrator to make the changes):
In the Active Directory Users and Computers, right-click on the domain icon and select Properties.
In the Properties window, select the Group Policy tab, select the Default Group Policy and click on Edit.
In the Policy Editor, navigate to Computer Configuration->Windows Settings->Local Policies->Security Options, find the entry Digitally sign communications and disable it.
By default the network firewall is turned off on a Macintosh running OS X 10.4 or higher. If the firewall has been turned on, then it must be set to allow Windows sharing.
For 10.4 or higher, if the connection still fails, try un-checking the 'Enable stealth mode' option under the advanced firewall settings.
The firewall can be found in the sharing section of the system preferences.
The home location should be in the form $username$ for smb://server/user, server/home/$username$ for smb://server/home/user, '$username$ home' for 'smb://server/user home'. For home shares not on the logon server the location should include the server e.g. server2/$username$ for smb://server2/user (where server2 is not the logon server). For home shares within folders the full share including the location is required e.g. for smb://10.0.0.44/Home/bob use 10.0.0.44/Home/$username$.
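The forms listed above can be checked before they are entered with the following added example, which is not part of MSAD Login or its documentation. It assumes that a location containing a '/' starts with the server name and that anything else is a share on the logon server; the function name, the accepted user-name characters and the percent-encoding of spaces are also assumptions made here.

```python
import re
from urllib.parse import quote

PLACEHOLDER = "$username$"
# Assumption: a conservative subset of Active Directory account names.
# No '/', '\\' or leading dot, so a name cannot alter the server or path.
SAFE_USER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$")
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")


def resolve_home(template, username, logon_server):
    """Expand a home-location template into an smb:// URL (hypothetical helper)."""
    if not SAFE_USER.match(username):
        raise ValueError("unsafe user name: %r" % username)
    path = template.strip().strip("/")
    if not path:
        raise ValueError("empty home location")
    if "/" in path:
        # 'server2/$username$' or '10.0.0.44/Home/$username$': server comes first.
        host, share_path = path.split("/", 1)
    else:
        # '$username$' or '$username$ home': a share on the logon server.
        host, share_path = logon_server, path
    if not SAFE_HOST.match(host):
        raise ValueError("unsafe server name: %r" % host)
    segments = share_path.replace(PLACEHOLDER, username).split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise ValueError("unsafe path in home location: %r" % template)
    # Percent-encode each segment so a share such as 'bob home' is a valid URL.
    encoded = "/".join(quote(seg, safe="") for seg in segments)
    return "smb://%s/%s" % (host, encoded)


if __name__ == "__main__":
    # Constructed sample input: the templates quoted in this section, user 'bob'.
    for tpl in ("$username$", "server/home/$username$", "$username$ home",
                "server2/$username$", "10.0.0.44/Home/$username$"):
        print("%-28s -> %s" % (tpl, resolve_home(tpl, "bob", "server")))
```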
For Organizational Units, i.e. when your network account is not in the Users section of Active Directory, you only need to enter the root OU when connecting to the logon server.
4. How do I remove MSAD Login?
Run the Uninstall application that is included with the installer or put the folder 'Library/Application Support/Pa-software/MSAD Login' in the trash, delete the file 'MSAD Login.prefPane' in the folder 'Library/PreferencePanes/' and delete the 'MSAD Login Setup Assistant.app' from '/Applications/Utilities/'.
If you have chosen to run MSAD Login at login, you should also remove MSAD Login from your login items in the accounts system preference.
5. What's new?
Changed the main helper to use a newer Samba for improved connections.
Fixed issues under Mountain Lion and Gatekeeper.
Added true Kerberos ticket support.
Added support for clustered shares.
Fixed a TLS issue and provided optional support.
Added support for listing shares not part of the logon server.
Added support for pausing connections in the menu.
Added starting and stopping in the preferences.
Fixed a Unicode share name issue.
Added support for multi-server share listing.
Fixed a problem with multi-server mounting.
Fixed an issue resolving IP addresses.
Added x64 support for 10.6.
Added an auto-mount option which mounts shares when logging in.
Fixed a problem setting the password hint under 10.6.
Added multi-server mounting support.
Added 10.6 support.
New setup assistant with more feedback and better connection tests.
Fixed issues connecting to a Windows 2003 server with service pack 2.
Added the ability to authenticate with Organizational Units in the setup assistant.
Fixed an issue mounting under 10.5.
Added the option to open the mounted share and add to the sidebar (under devices in 10.5 or newer).
Added a progress bar when mounting.
Change password alert now disappears after 30 seconds if not selected and does not aggressively stay on top.
6. How to contact us
THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
MSAD Login is Copyright © 2004 - 2012 Pa-software
Apple, the Apple logo, Power Mac, Power Macintosh, and QuickTime are trademarks of Apple Computer, Inc. Microsoft, Windows and Active Directory are trademarks of Microsoft Corporation.
Update December 2012