Centrify DirectControl 4.4.3 and above on all versions of Mac OS X

Question:
After smart card support is turned on or off via Group Policy, why do Mac logins prompt a dialogue stating that "The system was unable to unlock your login keychain"?
When a network or mobile account password is changed by a directory security policy, the login keychain must be updated at the next login. Turning on smart card support enables a PIN to be used instead of a password. Because the login credential has changed from the password to the PIN, the login keychain (which is still protected by the old password) cannot be unlocked automatically at login and must be updated. After you log in with your PIN, you are prompted to update the login keychain to use the PIN instead of the password.
If the keychain password is not updated, applications with saved passwords will keep prompting for the old login keychain password.
If you choose Update Keychain Password, you will be prompted to change the keychain password from the AD password to the PIN. (Enter the password for the AD account in order to update the keychain.)
If you choose Continue Log In, you must update the keychain password manually:
- Open Keychain Access from Applications > Utilities and right click on login from the list of Keychains on the left hand side.
- Select Change Password for Keychain "login"...
- Enter the password for the AD account in the Current Password field and enter the PIN into the New Password and Verify fields.
If you choose Create New Keychain, the current login keychain will be deleted and a new keychain will be created with the smart card PIN. All saved passwords in the login keychain will be permanently deleted.

Note:
After the keychain password has been updated, your PIN should unlock the login keychain. The same applies when you switch back from a PIN to an AD password: you must enter the PIN to update the keychain so that the AD password can then be used.
To test whether the PIN unlocks the keychain:
- Log in with the smart card PIN.
- If prompted, click Update Keychain Password and enter the AD password to update the login keychain.
- Open Keychain Access.
- Unlock the login keychain using the PIN.
Alternatively, to test whether the AD password unlocks the keychain:
- Log in with the AD username/password.
- If prompted, click Update Keychain Password and enter the smart card PIN to update the login keychain.
- Open Keychain Access.
- Unlock the login keychain using the AD password.
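The same two operations from the command line (the manual "Change Password for Keychain" step and the unlock check above), as an added shell example that is not part of the Centrify article. It relies only on macOS's built-in `security` tool and assumes the login keychain lives under ~/Library/Keychains (login.keychain on the Mac OS X releases this article covers, login.keychain-db on newer systems); secrets are never passed as command-line arguments, since those are visible to other users via `ps`.

```shell
#!/bin/sh
# Added example, not from the Centrify article. Uses only macOS's `security`.
# Secrets are never placed on the command line; `security` prompts for them.

# Resolve the current user's login keychain file. Older Mac OS X uses
# login.keychain, newer macOS uses login.keychain-db (assumed paths).
# Falls back to the modern name if neither exists yet.
login_keychain_path() {
    _kc_dir="${HOME}/Library/Keychains"
    for _kc in "${_kc_dir}/login.keychain-db" "${_kc_dir}/login.keychain"; do
        if [ -f "${_kc}" ]; then
            printf '%s\n' "${_kc}"
            return 0
        fi
    done
    printf '%s\n' "${_kc_dir}/login.keychain-db"
}

# The unlock check from the article: lock the keychain first so a stale
# unlocked state cannot mask a wrong secret, then let `security` prompt.
# Type the PIN (after smart card logon) or the AD password (after switching
# back). Returns 0 = unlocked, 1 = secret rejected, 2 = `security` not found.
check_login_keychain_unlocks() {
    command -v security >/dev/null 2>&1 || return 2
    _kc=$(login_keychain_path)
    security lock-keychain "${_kc}" >/dev/null 2>&1
    if security unlock-keychain "${_kc}" 2>/dev/null; then
        echo "the secret you entered unlocks ${_kc}"
        return 0
    fi
    echo "that secret does NOT unlock ${_kc}; update the keychain password" >&2
    return 1
}

# Equivalent of Keychain Access > Change Password for Keychain "login":
# `security` prompts for the current secret (AD password) and the new one
# (PIN), or the reverse when switching back.
update_login_keychain_password() {
    command -v security >/dev/null 2>&1 || return 2
    security set-keychain-password "$(login_keychain_path)"
}

case "${1:-}" in
    check)  check_login_keychain_unlocks ;;
    update) update_login_keychain_password ;;
esac
```

Run `sh keychain.sh check` after logging in with the credential under test, or `sh keychain.sh update` to change the keychain password without opening Keychain Access.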
More information on Configuring Smart Card login is on page 217 of the Mac Admin Guide: