The FileVault 2 pre-boot authentication screen only accepts an AD user's older password and is not updated to that user's current password. The automatic login fails and the standard desktop login screen is presented; the user can then log in with their current AD password.

Cause:
A FileVault 2 encrypted Mac initially boots to an unencrypted disk partition and asks for the password or key to unlock the encrypted partition. Because this separate partition has no access to Authentication Services or Active Directory, the most recent locally cached password must be used. If the user's cached password falls out of sync with their Active Directory password, the FileVault 2 pre-boot authentication screen will not be updated to that user's current password.

Notes:
- This is NOT a Centrify issue.
- The same results can also be produced when setting up a system with a Mobile Account under Apple's own AD plugin and FileVault 2 (with no Centrify on the system).
- Similar issues have been reported on Apple's Support Community
- Check that a local admin account is in the FileVault user list. Open the Terminal and enter the following command:
    sudo fdesetup list
  If the only username listed is the affected user's account, add another account (where admin_username is the username of the local admin user):
    sudo fdesetup add -usertoadd admin_username
  You can also add the user in System Preferences > Security & Privacy > FileVault > Enable Users, by clicking the button labelled "Enable User".
- Remove the affected user from FileVault (where ad_username is the username of the AD user):
    sudo fdesetup remove -user ad_username
  Note: Please ensure that this account is a Mobile Account that was not linked using version 5.2.1 or lower of the Mac agent's Account Migration tool. If the target user account was migrated using a 5.2.1 or lower agent, then please first see:
- Flush the AD cache:
- Add the mobile AD user to FileVault (where ad_username is the username of the AD user). Note that you need to run this from an account that is already able to unlock FileVault:
    sudo fdesetup add -usertoadd ad_username
  Example: a local admin 'localadmin' re-granting 'testuser' the ability to unlock FileVault sees output like the following:
    $ sudo fdesetup add -usertoadd testuser
    Enter the user name:localadmin
    Enter the password for
    Enter the password for the added user 'testuser':
- Reboot the machine and test whether the new password unlocks the machine.
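The procedure above, scripted with a guard for its stated precondition (another account must be able to unlock FileVault before the affected user is removed). This is an added example, not code from the original article; it assumes the `username,UUID` per-line format that `fdesetup list` prints, and SAMPLE_LIST is constructed output with made-up UUIDs.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for the re-enrolment
# procedure above. They parse the "username,UUID" lines that `fdesetup list`
# prints, so the scripted version can enforce the article's precondition:
# never remove the affected user while no other account can unlock FileVault.
# SAMPLE_LIST is constructed output with made-up UUIDs.

SAMPLE_LIST='testuser,F1A2B3C4-0000-4000-8000-000000000001
localadmin,F1A2B3C4-0000-4000-8000-000000000002'

# Print the username field of each "user,UUID" line in LIST_TEXT ($1).
fv_list_users() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# Exit 0 if USER ($2) is FileVault-enabled according to LIST_TEXT ($1).
fv_user_enabled() {
    fv_list_users "$1" | grep -qx -- "$2"
}

# Count enabled users other than USER ($2); awk always exits 0, so this is set -e safe.
fv_other_users_count() {
    fv_list_users "$1" | awk -v u="$2" '$0 != u { n++ } END { print n + 0 }'
}

# Exit 0 only if removing USER ($2) still leaves someone able to unlock the disk.
fv_safe_to_remove() {
    [ "$(fv_other_users_count "$1" "$2")" -ge 1 ]
}

# The article's steps, scripted: ADMIN ($1) is the local admin, USER ($2) the AD
# mobile account. Runs only where fdesetup exists (macOS); fdesetup prompts
# interactively for the enabling user's name and password as shown above.
fv_reenroll() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found (not macOS)" >&2; return 2; }
    current=$(sudo fdesetup list)
    fv_user_enabled "$current" "$1" || sudo fdesetup add -usertoadd "$1"
    current=$(sudo fdesetup list)
    fv_safe_to_remove "$current" "$2" || { echo "refusing: '$2' is the only enabled user" >&2; return 1; }
    sudo fdesetup remove -user "$2"
    # Flush the AD cache here (the article names no command for this step).
    sudo fdesetup add -usertoadd "$2"
}
```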