KB-5191: Receiving prompts to enter password for "login" keychain

Centrify Identity Service, Mac Edition

23 March, 15 at 05:03 PM

Applies to: Centrify DirectControl for Mac

Question:

Every time a user logs in to their Mac, the following message is seen:

Messages Agent wants to use the "login" keychain.

Message asking for password for the "login" keychain.

Entering the user's AD password is not accepted.  

How can this message be stopped from appearing?

Answer:

In OS X, the keychain is a central, secure location for saving passwords. One of the default keychains in OS X is the "login" keychain; when the user logs in, the login keychain is unlocked and made accessible to the user. The same password that is used for logging in to the Mac is used for unlocking the login keychain. However, if the password for logging in to the Mac falls out of sync with the login keychain password, the automatic unlock fails. As a result, every application that attempts to access the keychain prompts the user for the keychain password until it can be unlocked.

There are several scenarios where this may occur, for example:
  • Migrating a home folder from a local user to an AD user, where the password for the local account is different from the password for the AD account.
  • Changing the AD user's password from outside the Mac itself, such as directly in AD or through OWA.
  • The user manually changing the login keychain password, or importing a login keychain from another system.

The Keychain Access app can be used to re-sync the login keychain with the user's current AD password. If the password for the login keychain is not known, it may be necessary to delete the existing login keychain and create a new one, though this deletes all app passwords that were stored in it. Once the passwords are synced, the login keychain unlocks automatically when logging in, and the messages asking for the password stop.
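The same two repairs can be done from the Terminal with Apple's `security` command-line tool. The script below is an added example and is not part of this KB article or of Centrify's software; it assumes the login keychain sits under ~/Library/Keychains as either login.keychain-db (newer macOS) or login.keychain (older OS X), and the `resync`/`reset` sub-commands are this script's own names. The `security` calls only make sense on a Mac; the path helper is plain POSIX shell.

```shell
#!/bin/sh
# Added example (not from the Centrify KB): re-sync or reset the user's
# "login" keychain with Apple's `security` command-line tool on macOS.
# Assumes the keychain lives under ~/Library/Keychains as login.keychain-db
# (newer macOS) or login.keychain (older OS X).

# Print the path of the login keychain inside the given Keychains directory,
# preferring the newer login.keychain-db file. Returns 1 if neither exists.
login_keychain_path() {
    dir="$1"
    if [ -f "$dir/login.keychain-db" ]; then
        printf '%s\n' "$dir/login.keychain-db"
    elif [ -f "$dir/login.keychain" ]; then
        printf '%s\n' "$dir/login.keychain"
    else
        return 1
    fi
}

# Case 1: the old keychain password is known. Change it to the current
# AD/login password so the keychain unlocks automatically at login again.
# With -o/-p omitted, `security set-keychain-password` prompts for the old
# and new passwords itself, so neither ends up in `ps` output or shell
# history.
resync_login_keychain() {
    kc=$(login_keychain_path "$HOME/Library/Keychains") || {
        echo "no login keychain found in $HOME/Library/Keychains" >&2
        return 1
    }
    echo "Changing password for $kc (old = current keychain password, new = current login password)"
    security set-keychain-password "$kc" || return 1
    # Verify: unlocking with the new password must now succeed. This prompts too.
    security unlock-keychain "$kc" && echo "login keychain unlocked: passwords are in sync"
}

# Case 2: the old keychain password is unknown. Rather than deleting the
# keychain outright, move it aside under a timestamped name; macOS creates a
# fresh login keychain protected by the login password at the next login.
# The saved items are unusable without the old password either way, but the
# backup can still be opened in Keychain Access if that password turns up.
reset_login_keychain() {
    kc=$(login_keychain_path "$HOME/Library/Keychains") || {
        echo "no login keychain found in $HOME/Library/Keychains" >&2
        return 1
    }
    backup="$kc.bak-$(date +%Y%m%d-%H%M%S)"
    security lock-keychain "$kc" 2>/dev/null
    mv "$kc" "$backup" || return 1
    echo "moved $kc to $backup; log out and back in to create a new login keychain"
}

case "${1:-}" in
    resync) resync_login_keychain ;;
    reset)  reset_login_keychain ;;
    *)      echo "usage: $0 {resync|reset}" ;;
esac
```

Run it as `sh fix-login-keychain.sh resync` when the user still knows the old keychain password, and `sh fix-login-keychain.sh reset` when they do not. Both operations are the command-line equivalents of Keychain Access's change-password and reset actions; the script adds a backup of the old keychain file so that a reset is not irreversible.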

This issue is not limited to Centrify and can also occur when using Apple's native AD plugin. For further reading, please review Apple's document on troubleshooting the login keychain.
