KB-4199: What happens to the login keychain when authentication is changed from AD username/password to smart card on Mac OS X

Centrify Identity Service, Mac Edition

12 April 2016 at 11:22 AM

Applies to: Centrify DirectControl 4.4.3 and above on all versions of Mac OS X

Question:

After smart card support is turned on or off via Group Policy, why do Mac logins show a dialog stating "The system was unable to unlock your login keychain"?
 

Answer: 

The login keychain is protected by a password, which by default is the password the user logs in with, and macOS unlocks it automatically at login only when the credential presented at login matches that password. Whenever the credential of a network or mobile account changes (for example, because a directory security policy changed the password), the keychain therefore has to be updated at the next login. Turning on smart card support has the same effect: the user now authenticates with the smart card PIN instead of the AD password, the PIN does not match the password still protecting the keychain, and the automatic unlock fails. Once you log in with the PIN, the system offers to update the login keychain so that it is protected by the PIN instead of the old AD password.

If the keychain password is not updated, the login keychain stays locked, and every application that relies on an item stored in it (saved passwords, certificates, tokens) will prompt for the old login keychain password.




If you choose Update Keychain Password, you are prompted for the current keychain password, which is still the AD password. Enter the AD password, and the login keychain is re-keyed so that the smart card PIN protects it from then on; all saved items are preserved.




If you choose Continue Log In, the keychain is left as it was and you must update its password manually:
  1. Open Keychain Access from Applications > Utilities and right-click on login in the list of keychains on the left-hand side.
  2. Select Change Password for Keychain "login"...
  3. Enter the AD password in the Current Password field and enter the smart card PIN in the New Password and Verify fields.




If you choose Create New Keychain, the current login keychain is discarded and a new, empty login keychain protected by the smart card PIN is created. All passwords and other items saved in the old login keychain are permanently lost, so choose this only if the old AD password is no longer known and the saved items can be recreated.


Note: After the keychain password has been updated, the PIN unlocks the login keychain. The same thing happens in the other direction: when you switch from the PIN back to the AD password, you must enter the PIN (the current keychain password) so that the keychain can be re-keyed to the AD password.

To confirm that the PIN unlocks the keychain:
  1. Log in with the smart card PIN.
  2. If prompted, click Update Keychain Password and enter the AD password to update the login keychain.
  3. Open Keychain Access.
  4. Unlock the login keychain using the PIN.

To confirm that the AD password unlocks the keychain after switching back:
  1. Log in with the AD username and password.
  2. If prompted, click Update Keychain Password and enter the smart card PIN to update the login keychain.
  3. Open Keychain Access.
  4. Unlock the login keychain using the AD password.
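The manual Keychain Access steps and the two checks above can also be scripted from Terminal with macOS's security(1) tool, which is useful when many Macs are being switched over at once. The script below is an added example and is not part of the original article or of Centrify's tooling; the function names and exit codes are the example's own, and it assumes that /usr/bin/security is on PATH and that the login keychain is at its default location under ~/Library/Keychains.

```shell
#!/bin/sh
# Added example (not Centrify's own tooling): probe whether a given secret
# unlocks the login keychain and, if it does not, re-key the keychain from
# the old secret (AD password) to the new one (smart card PIN) without
# discarding it. Assumes macOS's /usr/bin/security is on PATH.

# Locate the user's login keychain. Older OS X releases use login.keychain,
# macOS 10.12 and later use login.keychain-db; prefer whichever exists.
login_keychain() {
    kc_dir="${HOME}/Library/Keychains"
    if [ -f "${kc_dir}/login.keychain-db" ]; then
        printf '%s\n' "${kc_dir}/login.keychain-db"
    else
        printf '%s\n' "${kc_dir}/login.keychain"
    fi
}

# Return 0 if secret $1 unlocks the keychain at path $2, non-zero otherwise.
# The keychain is locked again afterwards so the probe leaves no state behind.
keychain_unlocks_with() {
    probe_secret="$1"
    probe_kc="$2"
    if security unlock-keychain -p "$probe_secret" "$probe_kc" >/dev/null 2>&1; then
        security lock-keychain "$probe_kc" >/dev/null 2>&1
        return 0
    fi
    return 1
}

# Re-key the keychain from $1 (current secret, e.g. the AD password) to
# $2 (new secret, e.g. the smart card PIN). Saved items are preserved; only
# the secret protecting the keychain changes. Optional $3 is the keychain
# path (defaults to the login keychain). Exit codes (example's own):
#   0  re-keyed
#   2  the keychain already unlocks with the new secret (nothing to do)
#   3  neither secret unlocks the keychain (wrong password, or the keychain
#      was already re-created), so nothing is touched
rekey_login_keychain() {
    old_secret="$1"
    new_secret="$2"
    kc_path="${3:-$(login_keychain)}"
    if keychain_unlocks_with "$new_secret" "$kc_path"; then
        return 2
    fi
    if ! keychain_unlocks_with "$old_secret" "$kc_path"; then
        return 3
    fi
    security set-keychain-password -o "$old_secret" -p "$new_secret" "$kc_path"
}

# Interactive entry point: prompts with echo off so neither secret lands in
# shell history. Usage: sh rekey-login-keychain.sh --run
if [ "${1:-}" = "--run" ]; then
    printf 'Current keychain password (AD password): '
    stty -echo; read -r cur_secret; stty echo; printf '\n'
    printf 'New keychain password (smart card PIN): '
    stty -echo; read -r next_secret; stty echo; printf '\n'
    rekey_login_keychain "$cur_secret" "$next_secret"
    rc=$?
    case $rc in
        0) echo "login keychain re-keyed; the new secret now unlocks it" ;;
        2) echo "login keychain already unlocks with the new secret" ;;
        3) echo "neither secret unlocks the login keychain; nothing changed" ;;
        *) echo "security set-keychain-password failed (exit $rc)" ;;
    esac
    exit $rc
fi
```

`keychain_unlocks_with` is the scripted equivalent of the Unlock step in the checks above, and `rekey_login_keychain` of the Change Password dialog; it refuses to touch a keychain that neither secret opens, so it never falls back to recreating the keychain and losing the saved items. One caveat: a secret passed with -p appears in the argument list of the security process and is briefly visible to other local users through ps. On a shared machine, omit -p (and -o) so that security prompts for the secret itself instead.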


More information on configuring smart card login is on page 217 of the Mac Admin Guide.