Applies to: Centrify DirectControl for Mac
Every time a user logs into their Mac, the following message is seen:
Messages Agent wants to use the "login" keychain.
Entering the user's AD password is not accepted.
How can this message be stopped from appearing?
Answer:
In OS X, the keychain is a central, secure location for saving passwords. One of the default keychains in OS X is the "login" keychain; when the user logs in, the login keychain is unlocked and made accessible to the user. The same password that is used for logging into the Mac is used to unlock the login keychain. However, if the password for logging into the Mac falls out of sync with the login keychain password, the unlock will fail. As a result, applications attempting to access the keychain will prompt the user for the keychain password until it can be unlocked.
There are several scenarios where this may occur, for example:
- Migrating a home folder from a local user to an AD user, where the password for the local account is different from the password for the AD account.
- Changing the AD user's password from outside the Mac itself, such as directly in AD or through OWA.
- A user manually changes the login keychain password, or imports a new login keychain from another system.
The Keychain Access app can be used to re-sync the login keychain with the user's current AD password. If the password for the login keychain is not known, it may be necessary to delete the existing login keychain and create a new one, though this will delete all existing app passwords that were associated with the user's account. Once the passwords are synced, the login keychain will unlock automatically when logging in, and the messages asking for the password will stop.
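As an added example (not Centrify's or Apple's code), the script below checks whether the login keychain unlocks with the user's current AD password and, when the old keychain password is known, re-syncs it with Apple's `security` command line tool, the scriptable equivalent of the Keychain Access steps above; the keychain path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article): check whether the login keychain
# unlocks with the user's current AD password and, when the old keychain
# password is known, re-sync it with Apple's `security` CLI (macOS only).
# Path of the login keychain; releases before macOS 10.12 use login.keychain.
LOGIN_KEYCHAIN="${LOGIN_KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# check_login_keychain PASSWORD
#   0 = keychain unlocks with PASSWORD (in sync, no prompts expected at login)
#   1 = unlock refused (out of sync: the "wants to use the login keychain" prompts)
#   2 = security tool or login keychain not found (not a macOS user session)
# Note: -p puts the password in the process arguments, so run this interactively.
check_login_keychain() {
    command -v security >/dev/null 2>&1 || return 2
    [ -f "$LOGIN_KEYCHAIN" ] || return 2
    security unlock-keychain -p "$1" "$LOGIN_KEYCHAIN" >/dev/null 2>&1 || return 1
}

# resync_login_keychain OLD_KEYCHAIN_PASSWORD CURRENT_AD_PASSWORD
#   Changes the keychain password to the AD password so login unlocks it again.
resync_login_keychain() {
    command -v security >/dev/null 2>&1 || return 2
    security set-keychain-password -o "$1" -p "$2" "$LOGIN_KEYCHAIN"
}

# prompt_secret LABEL: read a value from the terminal without echoing it.
prompt_secret() {
    printf '%s: ' "$1" >&2
    stty -echo; read -r value; stty echo; echo >&2
    printf '%s' "$value"
}

main() {
    ad_pw=$(prompt_secret "Current AD password")
    check_login_keychain "$ad_pw"
    case $? in
      0) echo "Login keychain already unlocks with the AD password; nothing to do." ;;
      2) echo "security tool or $LOGIN_KEYCHAIN not found; run this in the user's macOS session." ;;
      *) echo "Login keychain password is out of sync with the AD password."
         old_pw=$(prompt_secret "Old keychain password (blank if unknown)")
         if [ -z "$old_pw" ]; then
             echo "Old password unknown: delete and recreate the login keychain in Keychain Access (saved passwords are lost)."
         elif resync_login_keychain "$old_pw" "$ad_pw" && check_login_keychain "$ad_pw"; then
             echo "Re-synced: the login keychain now unlocks with the AD password."
         fi ;;
    esac
}
[ "${1:-}" = "--run" ] && main   # run with: sh resync_login_keychain.sh --run
```

Run it interactively in the affected user's session; when the old keychain password is unknown it stops and points back to the Keychain Access reset, because `security` cannot recover a forgotten keychain password.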
This issue is not limited to Centrify and can occur when using Apple's native AD plugin. For further reading, please review Apple's document on troubleshooting the login keychain: