Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-4382: FileVault password is not syncing with AD password

Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:22 AM

Applies to: All versions of Centrify DirectControl for Mac OS X

Problem:

The FileVault 2 pre-boot authentication screen will only accept an AD user's older password and does not update to the current password for that user. The automatic login fails and the standard desktop login screen will be presented. The user is then able to login using their current AD password.


Cause:

A FileVault 2 encrypted Mac will initially boot to an unencrypted disk partition and ask for the password or key to unlock the encrypted partition. Because this separate partition does not have access to Authentication Services and Active Directory, the most recent locally cached password must be used. If the user's cached password falls out of sync with their Active Directory password, then the FileVault 2 pre-boot authentication screen will not be updated to the current password for that user.

Notes:
  • This is NOT a Centrify issue.
  • The same results can also be produced when setting up a system with a Mobile Account under Apple's own AD plugin and FileVault 2 (with no Centrify on the system)
  • Similar issues have been reported on Apple's Support Community

Solution:
  1. Check that there is a local admin account added to the FileVault user's list.  Open the Terminal and enter the following commands:
    • sudo fdesetup list
      • If the only username listed is the affected user's account, then you can add another account (Where admin_username is the username of the local admin user):
    • sudo fdesetup add -usertoadd admin_username
      • You can also add the user in:
    • System Preferences > Security & Privacy > FileVault > Enable Users and clicking the button labelled: "Enable User"
    • User-added image
  2. Remove the affected user from FileVault (Where ad_username is the username of the AD user):
  3. Flush the AD cache:
    • sudo adflush
  4. Add the mobile AD user to FileVault (Where ad_username is the username of the AD user):
    • sudo fdesetup add -usertoadd ad_username
  5. Reboot the machine and test if the new password is working to unlock the machine.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.