
KB-2625: Configuring Centrify login with FileVault 2 creates two login screens

Centrify Identity Service, Mac Edition

12 April,16 at 11:11 AM

Applies to: All versions of Centrify DirectControl on Mac OS X 10.7 and above
 
Problem:
 
When FileVault 2 is enabled for an AD user, logging into the Mac requires two logins:
  1. The first login screen is the solid grey screen that is used to unlock FileVault 2.
  2. The second login screen is the standard Mac desktop login screen.
This behavior does not occur when FileVault 2 is enabled for a local user.

A local user only has to log in at the first grey screen to unlock FileVault 2, after which the system automatically logs the user straight through to the desktop.
 

Cause:
 
Logging in with an AD account requires two separate logins because the Mac agent needs to restart the SecurityAgent process after FileVault is unlocked.

This works for a normal login, but when FileVault 2 is enabled, killing SecurityAgent causes the login window to lose the current user context:
 
Oct 16 14:50:25 Developers-MacBook-Air com.apple.launchd[1] (com.apple.SecurityAgent.00000000-0000-0000-0000-0000000186A5[165]): Exited abnormally: Hangup: 1
 

Workaround: 
 
Edit /etc/centrifydc/centrifydc.conf and add the line:
 
adclient.autoedit.CentrifyPAM: false
 
After a reboot, only one login screen should be required again.
 
NOTE: This workaround carries some risk when the computer later needs to leave the domain. Perform the steps in this order:
  • First remove the centrifydc.conf edit
  • Reboot
  • THEN leave the domain.
Leaving the domain without performing these steps may leave local users unable to log in after rebooting.
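
A pre-check for the ordering in the note above, as an added example that is not part of the original article or of Centrify's tooling: it reports whether the workaround line is still active in the configuration file before a leave is attempted. The function names are hypothetical, and treating any active matching line as "still present" is an assumption.

```shell
#!/bin/sh
# Added example (not Centrify code): pre-check before leaving the domain on a
# Mac that may still carry the KB-2625 workaround. Function names are hypothetical.

CONF_DEFAULT=/etc/centrifydc/centrifydc.conf

# Print, with line numbers, every active (non-comment) line that sets
# adclient.autoedit.CentrifyPAM to false.
# Assumption: any such line counts, wherever it sits in the file.
workaround_lines() {
    grep -niE '^[[:space:]]*adclient\.autoedit\.CentrifyPAM[[:space:]]*:[[:space:]]*false[[:space:]]*$' "$1"
}

# Return 0 if the workaround line is absent, 1 if it is still present,
# 2 if the file cannot be read. The reboot step cannot be checked from here.
safe_to_leave_domain() {
    conf=${1:-$CONF_DEFAULT}
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 2
    fi
    if found=$(workaround_lines "$conf"); then
        echo "workaround still present in $conf:" >&2
        echo "$found" >&2
        echo "remove it and reboot before leaving the domain" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed sample file, so nothing on the real system is read.
demo() {
    sample=$(mktemp) || return 1
    printf '%s\n' '# constructed sample config' \
        '# adclient.autoedit.CentrifyPAM: true' \
        'adclient.autoedit.CentrifyPAM: false' > "$sample"
    status=0
    safe_to_leave_domain "$sample" || status=$?
    echo "safe_to_leave_domain returned $status"
    rm -f "$sample"
}

demo
```

Called with no argument, safe_to_leave_domain reads /etc/centrifydc/centrifydc.conf; a non-zero return means the leave should not proceed yet.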
 

Resolution:
 
This issue is resolved in Centrify agent version 5.1 and later.