
Hi Everyone,

Just curious if anyone else has found a solution to this issue below.

In our environment, we have 89 users on MacBook Pros enrolled in JAMF Pro and bound to Active Directory (AD). Our password policy requires users to change their AD passwords every 90 days.

However, after users change their passwords, their secure tokens appear to become corrupted, and the Mac no longer accepts their new passwords. The only workaround we’ve found is to disable and re-enable the secure token via Terminal, which resolves the issue temporarily.

We’d like to prevent this from happening in the first place.

Is there any reason you’re not using Kerberos SSO (see https://learn.jamf.com/en-US/bundle/jamf-school-documentation/page/Configuring_Kerberos_Single_Sign-on.html if you’re not familiar) to sync the password of a local Mac account to the user’s AD password instead of using AD-bound mobile accounts? AD binding is not recommended because of issues like the one you’re seeing with secure tokens and password changes.


Thanks for the reply and the link. I will look further into it.

At my company, it was a system I inherited from the person previous in my role. I’m not sure why it was set up like that initially and am currently looking for solutions to the issue. Currently our users are AD bound to mobile accounts like you said. Additional information on why it may be set up like that is we use Ping Identity for our MFA. I’m not sure if that would be impacted by using Kerberos SSO or compatible.

The way it should work is when a user changes their password, it should update the device’s PW and the Ping password. At the moment it’s just updating their Ping password and not the Mac, leading to the secure token issue.

Thanks again for the help

 


I’ve used Kerberos SSO (KSSO) in conjunction with Ping Identity MFA in the past and never had any issues. When you use the Change Password option in KSSO it can change both the AD and local Mac password simultaneously, and if you happen to have users who change their AD password via another mechanism it will detect that the local and AD passwords differ and prompt the user to re-sync them.

In addition, KSSO also creates Kerberos TGTs, so you should still be able to use AD-based authentication for your org’s services which use that.


Awesome, I will look into it. Thanks again for the help.