Troubleshooting Mac-AD Domain Binding: Resolving “eDSAuthFailed (-14090)” and Unknown Errors



Many sysadmins hit this frustrating scenario when trying to join macOS devices to Windows Active Directory domains. The typical workflow looks like this:

1. Open Directory Utility → Services → Active Directory
2. Enter Domain (e.g., corp.example.com) and Computer ID
3. Click Bind → Watch progress (1/5 to 5/5) 
4. Encounter either:
   - "Unknown error" after step 5
   - eDSAuthFailed (-14090) when manually adding domain

From debugging numerous enterprise environments, these are the most common culprits:

  • Time Synchronization Issues - Kerberos requires <5 minute time difference
  • DNS Resolution Problems - Missing SRV records or forward/reverse mismatch
  • SSL Certificate Trust - Especially with internal CAs
  • Pre-existing Computer Object - Duplicate SIDs or stale records
  • Password Policies - Complex requirements failing machine account rotation

First, verify basic connectivity:

# Check time sync
ntpdate -u time.apple.com

# Verify DNS resolution
dig -t SRV _ldap._tcp.dc._msdcs.YOURDOMAIN.COM

# Test basic connectivity
ping dc01.yourdomain.com
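As an added example (not part of the original article), a small bash helper that automates the two checks above: it parses `dig +short` SRV answers to pick the domain controller worth passing to `dsconfigad -preferred`, and it compares two clocks against the 5-minute Kerberos tolerance. The domain name, the SRV sample lines and the epoch values are constructed for illustration.

```shell
#!/bin/bash
# Added example: pre-bind checks for the prerequisites above (not from the article).
# The SRV sample lines and the timestamps below are constructed for illustration.

MAX_SKEW_SECONDS=300   # Kerberos default clock-skew tolerance (5 minutes)

# check_skew LOCAL_EPOCH DC_EPOCH -> returns 0 when |difference| is within tolerance
check_skew() {
  local diff=$(( $1 - $2 ))
  [ "$diff" -lt 0 ] && diff=$(( -diff ))
  [ "$diff" -lt "$MAX_SKEW_SECONDS" ]
}

# pick_dc reads SRV answers in `dig +short` form ("priority weight port target")
# on stdin and prints "host port" for the lowest-priority / highest-weight DC,
# which is the value to hand to dsconfigad -preferred.
pick_dc() {
  sort -k1,1n -k2,2nr | awk 'NR == 1 { sub(/\.$/, "", $4); print $4, $3 }'
}

# prebind_check DOMAIN queries the live SRV record; only useful on a real network.
prebind_check() {
  local srv
  srv=$(dig +short -t SRV "_ldap._tcp.dc._msdcs.$1")
  [ -n "$srv" ] || { echo "no LDAP SRV records for $1" >&2; return 1; }
  printf '%s\n' "$srv" | pick_dc
}

# Constructed dig +short output for corp.example.com (assumed domain).
SAMPLE_SRV='10 50 389 dc02.corp.example.com.
0 100 389 dc01.corp.example.com.
0 20 389 dc03.corp.example.com.'

# demo_pick returns the DC chosen from the constructed sample
demo_pick() { printf '%s\n' "$SAMPLE_SRV" | pick_dc; }

echo "preferred DC: $(demo_pick)"
if check_skew 1700000000 1700000120; then echo "skew OK"; else echo "skew too large"; fi
```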

For certificate issues:

# Trust your internal CA cert in the System keychain
security add-trusted-cert -d -k /Library/Keychains/System.keychain /path/to/your-ca.cer

# Alternatively for testing
defaults write /Library/Preferences/com.apple.security allow_sha1_certificates -bool true

For computer object conflicts:

# Remove any existing binding
sudo dsconfigad -remove -force

# Delete local plist
sudo rm /Library/Preferences/OpenDirectory/Config/Active*

# Clean keychain entries
sudo security delete-internet-password -l "Active Directory"

When basic binding fails, these dsconfigad flags often help:

# The password is passed on the command line, so it is visible in process
# listings and shell history while the command runs.
sudo dsconfigad -add "corp.example.com" \
  -computer "MAC-COMPUTER" \
  -username "adadmin" \
  -password "P@ssw0rd" \
  -force \
  -mobile enable \
  -mobileconfirm disable \
  -localhome enable \
  -useuncpath enable \
  -protocol smb \
  -shell '/bin/bash' \
  -preferred "dc01.corp.example.com" \
  -groups "DOMAIN\MacAdmins"

Enable verbose logging before attempting binding:

# Enable full debug logging
sudo defaults write /Library/Preferences/com.apple.opendirectoryd \
  ODLogLevel -int 65535

# Watch real-time logs
log stream --predicate 'sender == "opendirectoryd"' --debug

Key log entries to monitor:

  • "ODNodeCustomCall: failed with error 14090" → Auth failure
  • "NSURLErrorDomain" → Certificate/SSL issue
  • "kDCNotAvailable" → DNS/connectivity problem
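As an added example (not from the article), a bash classifier that sorts opendirectoryd log lines into the three failure classes listed above and counts them, so a long `log stream` capture can be triaged at a glance. The sample log is constructed, not a real capture.

```shell
#!/bin/bash
# Added example (not from the article): classify opendirectoryd log lines into the
# three failure classes listed above. The sample log below is constructed.

# classify_od_line LINE -> prints auth | cert | dns | other
classify_od_line() {
  case "$1" in
    *"failed with error 14090"*|*eDSAuthFailed*) echo auth ;;
    *NSURLErrorDomain*)                          echo cert ;;
    *kDCNotAvailable*)                           echo dns ;;
    *)                                           echo other ;;
  esac
}

# triage_log FILE -> prints "class count" lines, most frequent class first
triage_log() {
  while IFS= read -r line; do
    classify_od_line "$line"
  done < "$1" | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Constructed sample in the rough shape of `log stream` output, not a real capture.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10:00:01.101 opendirectoryd: ODNodeCustomCall: failed with error 14090
10:00:01.230 opendirectoryd: ODNodeCustomCall: failed with error 14090
10:00:02.004 opendirectoryd: kDCNotAvailable for domain corp.example.com
10:00:03.512 opendirectoryd: NSURLErrorDomain error -1202 during LDAP bind
10:00:04.000 opendirectoryd: node /Active Directory registered
EOF

triage_log "$SAMPLE_LOG"
```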

If GUI methods fail consistently, consider:

1. Jamf's AD Binding Method:

#!/bin/bash
DOMAIN="corp.example.com"
COMPUTER_ID=$(hostname -s)
# In Jamf these are normally supplied as script parameters ($4, $5) rather than hardcoded
ADMIN_USER="binduser"
ADMIN_PASS="securepassword"

dsconfigad -force -add "$DOMAIN" \
  -computer "$COMPUTER_ID" \
  -username "$ADMIN_USER" \
  -password "$ADMIN_PASS" \
  -mobile enable \
  -mobileconfirm disable

2. Using NoMAD for AD-like functionality:

# Via Homebrew
brew install --cask nomad

# Basic config
defaults write com.trusourcelabs.NoMAD ADDomain "corp.example.com"
defaults write com.trusourcelabs.NoMAD KerberosRealm "CORP.EXAMPLE.COM"

When attempting to bind a macOS device to a Windows Active Directory domain using Directory Utility, you might encounter the cryptic error eDSAuthFailed (-14090). This typically indicates authentication failure during the binding process, but the root causes can vary.

Before diving into troubleshooting, verify these essentials:

# Verify network connectivity to domain controllers
ping your.domain.controller
nslookup your.ad.domain

# Check time synchronization (critical for Kerberos)
sudo systemsetup -getnetworktimeserver
sudo sntp -sS time.apple.com

1. Advanced Binding Options

Try binding with these additional parameters:

dsconfigad -add your.ad.domain \
           -computer "COMPUTERNAME" \
           -username "DOMAIN\\adminuser" \
           -password adminpass \
           -force \
           -mobile enable \
           -mobileconfirm disable \
           -localhome enable \
           -useuncpath enable \
           -protocol smb \
           -shell /bin/bash \
           -packetencrypt ssl \
           -namespace domain

2. Certificate Validation Issues

If your domain uses SSL certificates:

# Temporarily bypass certificate validation (for testing)
sudo defaults write /Library/Preferences/com.apple.opendirectoryd \
    ADTrustType -int 0

# For production environments, import the CA certificate
security add-trusted-cert -d -k /Library/Keychains/System.keychain \
    /path/to/your_ca_cert.pem

Enable verbose logging to capture detailed error information:

# Enable DirectoryService debug logging
sudo defaults write /Library/Preferences/com.apple.opendirectoryd \
    DSLogLevel -int 65535

# Watch the logs in real-time
log stream --predicate 'subsystem == "com.apple.opendirectoryd"' \
    --level debug

For persistent issues, examine these areas:

  • Check if the computer account already exists in AD (remove stale entries)
  • Verify the binding user has proper permissions (minimum: "Add workstations to domain")
  • Test different authentication protocols (NTLMv2 vs Kerberos)

Example of checking existing computer accounts:

# PowerShell command to check for existing computer object
# (requires the ActiveDirectory module from RSAT; PowerShell continues lines with a backtick)
Get-ADComputer -Filter {Name -like "MacComputerName*"} `
    -Server your.domain.controller