
Issue 795758 link

Starred by 3 users

Issue metadata

Status: Verified
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




Chromad: Missing pwdLastSet field causes auth error

Reported by ad...@woodruffcenter.deviceadmin.goog, Dec 18 2017

Issue description

Chrome Version       : 62.0.3202.97
OS Version: 9901.77.0
URLs (if applicable) :
Other browsers tested:
  Add OK or FAIL after other browsers where you have tested this issue:
     Safari:
    Firefox:
    IE/Edge:

What steps will reproduce the problem?
1. Adding user to chromebook fails with "Oops! An unknown error occurred.  Please try again later or contact your administrator if the issue persists."
2.
3.

What is the expected result?
User should be added to the Chromebook using his/her MS AD account.


What happens instead of that?
Error message


Please provide any additional information below. Attach a screenshot if
possible.

UserAgentString: Mozilla/5.0 (X11; CrOS x86_64 9901.77.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.97 Safari/537.36



 
As advised in the article for Chrome integration with Active Directory, I helped the Woodruffcenter admin file a technical report about the problem he is getting.

Issue: When trying to access a Chromebook using a regular user, they are getting "Oops! An unknown error occurred.  Please try again later or contact your administrator if the issue persists."

Expected behavior:
Regular user should be able to access the enrolled Chromebook. 

Current behavior:
Regular users can't access the newly enrolled Chromebook.

We wanted to know if there are any settings that we are missing. Please see the Help Center article that the admin followed.
https://support.google.com/chrome/a/answer/7497916?hl=en&ref_topic=7497828

See logs here
https://drive.google.com/drive/folders/1SOMa3P1ucq0_WU97Pk7GWEtq1vIyMNaV?usp=sharing


Any input on this matter will be appreciated. Thank you in advance!
Cc: marcore@chromium.org
Labels: Hotlist-Enterprise
Owner: jayhlee@chromium.org
Case# 14468838
In the log I see:

2017-12-18T10:33:58.980504-05:00 INFO authpolicyd[4253]: Executing /usr/bin/net 'ads' 'search' '(sAMAccountName=<USER_SAM_ACCOUNT_NAME>)' 'objectGUID' 'sAMAccountName' 'cn' 'displayName' 'givenName' 'pwdLastSet' 'userAccountControl' '-s' '/tmp/authpolicyd/smb.conf' '-d' '10'
2017-12-18T10:33:58.980557-05:00 WARNING authpolicyd[4253]: libminijail[2]: allowing syscall: connect
2017-12-18T10:33:58.980571-05:00 WARNING authpolicyd[4253]: libminijail[2]: allowing syscall: sendto
2017-12-18T10:34:40.404274-05:00 INFO authpolicyd[4253]: Exit code: 0
2017-12-18T10:34:40.404445-05:00 INFO authpolicyd[4253]: Executing /usr/sbin/authpolicy_parser 'parse_account_info' 'EXXXXXXXXXXXXXXXXXXXXX=='
2017-12-18T10:34:40.404491-05:00 WARNING authpolicyd[4253]: libminijail[2]: allowing syscall: connect
2017-12-18T10:34:40.404505-05:00 WARNING authpolicyd[4253]: libminijail[2]: allowing syscall: sendto
2017-12-18T10:34:40.415551-05:00 WARNING authpolicy_parser[4429]: libminijail[22]: logging seccomp filter failures
2017-12-18T10:34:40.415888-05:00 ERR authpolicy_parser[4429]: Failed to find 'pwdLastSet' in string
2017-12-18T10:34:40.415982-05:00 ERR authpolicy_parser[4429]: Failed to parse account info
2017-12-18T10:34:40.416624-05:00 INFO authpolicyd[4253]: libminijail[2]: child process 22 exited with status 2
2017-12-18T10:34:40.416685-05:00 INFO authpolicyd[4253]: /usr/sbin/authpolicy_parser stdout: 
2017-12-18T10:34:40.416707-05:00 INFO authpolicyd[4253]: /usr/sbin/authpolicy_parser stderr: 
2017-12-18T10:34:40.416725-05:00 INFO authpolicyd[4253]: Exit code: 2
2017-12-18T10:34:40.416759-05:00 ERR authpolicyd[4253]: Failed to get user account id. Net response: Got 1 replies#012#012cn: Vdi Test#012displayName: vditest#012objectGUID: 2XXXXXXX-5XXX-4XXX-8XX1-fXXXXXXXXX59#012sAMAccountName: vditest#012#012
2017-12-18T10:34:40.416794-05:00 INFO authpolicyd[4253]: AuthenticateUser failed with code 11

in particular: "Failed to find 'pwdLastSet' in string" and "Failed to get user account id"


Components: Enterprise
Labels: Chromad
Cc: ad...@woodruffcenter.deviceadmin.goog
Labels: Enterprise-Triaged
Owner: ljusten@chromium.org
Status: Assigned (was: Unconfirmed)
We're trying to read user account information from the server using LDAP queries and we're expecting that the LDAP attribute 'pwdLastSet' is always set, but in this case it's not. This is what makes auth fail. pwdLastSet is used to determine whether the password expired. It should be possible to handle this gracefully.

In the meantime you could try force resetting the user's password in Active Directory to see if that fixes the problem.


Cc: rsorokin@chromium.org
Summary: Chromad: Missing pwdLastSet field causes auth error (was: Chrome device integration with active directory)
Labels: -Pri-3 Pri-2
Labels: M-66

Comment 10 by bugdroid1@chromium.org, Jan 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/3541c6db06c824dc21fa751a675acb5ba30f139b

commit 3541c6db06c824dc21fa751a675acb5ba30f139b
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Jan 23 16:28:57 2018

authpolicy: Gracefully handle missing LDAP attributes

Gracefully handle missing pwdLastSet and userAccountControl fields in
LDAP user queries. If the fields are missing, authpolicy won't be able
to detect expired passwords and assumes the password is valid. The user
will still be able to log into Chrome until the TGT expires. Then the
user is prompted to do an online login, which will trigger the password
change UI.

To limit the time until an online login is enforced, the user TGT is not
automatically renewed if the fields are missing. This means, the user
is prompted to relog after a day instead of after a week. This is
important for security reasons in case the admin wants the user to
change their password. We could also always force an online login, but
that would be extremely disruptive for the user (e.g. can never work
offline).

From the bug, it is unclear how the fields got missing.

BUG= chromium:795758 
TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy

Change-Id: I8331cd2137a583edcfa53b323acb60b388b57c8e
Reviewed-on: https://chromium-review.googlesource.com/870874
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/3541c6db06c824dc21fa751a675acb5ba30f139b/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/3541c6db06c824dc21fa751a675acb5ba30f139b/authpolicy/authpolicy.h
[modify] https://crrev.com/3541c6db06c824dc21fa751a675acb5ba30f139b/authpolicy/stub_common.h
[modify] https://crrev.com/3541c6db06c824dc21fa751a675acb5ba30f139b/authpolicy/samba_interface.cc
[modify] https://crrev.com/3541c6db06c824dc21fa751a675acb5ba30f139b/authpolicy/stub_kinit_main.cc
[modify] https://crrev.com/3541c6db06c824dc21fa751a675acb5ba30f139b/authpolicy/tgt_manager.h
[modify] https://crrev.com/3541c6db06c824dc21fa751a675acb5ba30f139b/authpolicy/authpolicy_parser_main.cc
[modify] https://crrev.com/3541c6db06c824dc21fa751a675acb5ba30f139b/authpolicy/samba_interface.h
[modify] https://crrev.com/3541c6db06c824dc21fa751a675acb5ba30f139b/authpolicy/stub_common.cc
[modify] https://crrev.com/3541c6db06c824dc21fa751a675acb5ba30f139b/authpolicy/stub_net_main.cc
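
The diagnosis above (authpolicy expected the LDAP attribute pwdLastSet to always be present) and the commit message (missing pwdLastSet/userAccountControl now mean "assume the password is valid, but do not auto-renew the TGT") describe the fix without showing any code. The following is an added illustration, not authpolicy's own code and not from the commit. It parses a `net ads search` reply in the key/value form seen in the log (the `#012` sequences in the logged response read as newlines), then decides password state and TGT handling with the missing-attribute policy the commit describes. It assumes pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC, with 0 meaning "must change at next logon"), that bit 0x10000 of userAccountControl is UF_DONT_EXPIRE_PASSWD, and that the caller supplies the domain's maximum password age; the function names and the two sample replies are constructed for the example.

```cpp
// Added example, not authpolicy's own code. Parses the key/value reply of
// `net ads search` (format reconstructed from the logged response, where
// "#012" is a newline) and derives a password-expiry state that tolerates a
// missing pwdLastSet / userAccountControl, following the policy in the commit:
// missing attributes => assume the password is valid but do not auto-renew the TGT.
#include <cstdint>
#include <cstdio>
#include <map>
#include <sstream>
#include <string>

// pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
const uint64_t kTicksPerSecond = 10000000ULL;
const uint64_t kUnixEpochOffsetSeconds = 11644473600ULL;  // 1601-01-01 -> 1970-01-01
// UF_DONT_EXPIRE_PASSWD bit of userAccountControl.
const uint32_t kDontExpirePasswd = 0x10000;

// Constructed sample: the reply seen in the log, with pwdLastSet and
// userAccountControl absent.
const char kSampleMissingFields[] =
    "Got 1 replies\n\n"
    "cn: Vdi Test\n"
    "displayName: vditest\n"
    "objectGUID: 2XXXXXXX-5XXX-4XXX-8XX1-fXXXXXXXXX59\n"
    "sAMAccountName: vditest\n\n";

// Constructed sample: same user, but with both attributes present
// (pwdLastSet = 2017-12-18T15:33:58Z, userAccountControl = NORMAL_ACCOUNT).
const char kSampleWithFields[] =
    "Got 1 replies\n\n"
    "cn: Vdi Test\n"
    "sAMAccountName: vditest\n"
    "pwdLastSet: 131580848380000000\n"
    "userAccountControl: 512\n\n";

struct AccountInfo {
  std::string sam_account_name;
  bool has_pwd_last_set = false;
  uint64_t pwd_last_set = 0;
  bool has_user_account_control = false;
  uint32_t user_account_control = 0;
};

// Splits "key: value" lines; the "Got N replies" header and blank lines have no ": " and are skipped.
AccountInfo ParseAccountInfo(const std::string& net_output) {
  std::map<std::string, std::string> kv;
  std::istringstream in(net_output);
  std::string line;
  while (std::getline(in, line)) {
    size_t pos = line.find(": ");
    if (pos == std::string::npos) continue;
    kv[line.substr(0, pos)] = line.substr(pos + 2);
  }
  AccountInfo info;
  std::map<std::string, std::string>::const_iterator it;
  if ((it = kv.find("sAMAccountName")) != kv.end()) info.sam_account_name = it->second;
  if ((it = kv.find("pwdLastSet")) != kv.end()) {
    info.has_pwd_last_set = true;
    info.pwd_last_set = std::stoull(it->second);
  }
  if ((it = kv.find("userAccountControl")) != kv.end()) {
    info.has_user_account_control = true;
    info.user_account_control = static_cast<uint32_t>(std::stoul(it->second));
  }
  return info;
}

enum PasswordState { kValid, kExpired, kMustChange, kUnknown };

// max_age_seconds stands in for the domain's maxPwdAge (assumed supplied by the caller).
PasswordState CheckPassword(const AccountInfo& info, int64_t now_unix, int64_t max_age_seconds) {
  if (!info.has_pwd_last_set) return kUnknown;     // attribute missing: cannot decide
  if (info.pwd_last_set == 0) return kMustChange;   // AD semantics: must change at next logon
  if (info.has_user_account_control && (info.user_account_control & kDontExpirePasswd))
    return kValid;
  int64_t set_unix = static_cast<int64_t>(info.pwd_last_set / kTicksPerSecond) -
                     static_cast<int64_t>(kUnixEpochOffsetSeconds);
  return (now_unix - set_unix > max_age_seconds) ? kExpired : kValid;
}

struct AuthDecision { bool allow_login; bool auto_renew_tgt; };

// Policy from the commit: an unknown state still logs in, but the TGT is not
// auto-renewed, so an online login (and any pending password change) is forced
// once the ticket expires instead of being deferred for a week.
AuthDecision Decide(PasswordState state) {
  AuthDecision d = {false, false};
  if (state == kValid) { d.allow_login = true; d.auto_renew_tgt = true; }
  else if (state == kUnknown) { d.allow_login = true; d.auto_renew_tgt = false; }
  return d;
}

int main() {
  const int64_t now = 1522251238;       // 2018-03-28, 100 days after the sample pwdLastSet
  const int64_t max_age = 42 * 86400;   // a 42-day maxPwdAge
  const char* samples[] = {kSampleMissingFields, kSampleWithFields};
  for (const char* s : samples) {
    AuthDecision d = Decide(CheckPassword(ParseAccountInfo(s), now, max_age));
    std::printf("%s: allow_login=%d auto_renew_tgt=%d\n",
                ParseAccountInfo(s).sam_account_name.c_str(), d.allow_login, d.auto_renew_tgt);
  }
  return 0;
}
```

Run against the first sample, the parser no longer aborts on the missing attribute: the user is admitted and only the TGT renewal is withheld. Against the second sample, the same code detects a password older than the supplied maximum age and refuses, which is the detection the real attribute makes possible.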

Status: Fixed (was: Assigned)
Fixed. See above for caveat. In a nutshell, if your password expires, we can't detect that immediately if the fields are missing, but you'll be prompted to log out after a day when your Kerberos ticket expires.
Status: Verified (was: Fixed)
Verified fixed, steps performed:

1. Enroll device to Active Directory
2. Login using a valid AD user
3. In AD User Properties, set that user account has expired
4. Logout
5. Login using the same expired user account
6. Sign-in error notification is displayed immediately (screenshot 1)
7. Click on Sign Out
8. When attempted to login, an error message is displayed (screenshot 2)

Chrome OS: 10452.45.0
Chrome: 66.0.3359.84
Device: Robo360
Attachments: Screenshot 2018-04-06 at 11.56.46 AM.png (106 KB), Screenshot 2018-04-06 at 12.05.23 PM.png (149 KB)
Status: Assigned (was: Verified)
Reopened. Step 8 is wrong; it should run you through a password change flow.
Status: Verified (was: Assigned)
Actually, this is unrelated to this issue. I'll re-close and open a new one.
Owner: ibezmenov@chromium.org
Ivan, when you say "In AD User Properties, set that user account has expired", what exactly are you selecting? Do you mean "Account is disabled"? I tried "User must change password at next logon", but that worked as expected (popped up pw change screen on Chromebook).
Yes, if you set "User must change password at next logon" it will prompt you to the password change screen. So, for the account expiration I used "Account expires" option just setting some old date (see attached screenshot).
Attachment: Screenshot from 2018-04-09 08-50-44.png (9.9 KB)
