FileVault users - Single Sign-On?

JPDyson
Valued Contributor

Any of you folks using FileVault know what mechanism controls the ability to make sure the account that unlocks a disk (at power-on auth) is automatically logged on? I'm seeing intermittent behavior in some cases, where it may or may not automatically log the unlocking user into OS X.

1 ACCEPTED SOLUTION

thoule
Valued Contributor II

FV will use the last known good password. If you authenticate while connected to AD (unlock a system pref, etc), then the Mac will update the FV password to match. Unless you authenticate while connected to the network, the cache isn't updated.



Walter
New Contributor II

I've seen this problem when the password has expired for the unlocking (power-on auth) account. I would get beyond the unlock screen, but the OS then presented its own login screen and the power-on auth account credentials would not log me in.

hkim
Contributor II

I'm seeing this in an AD environment with cached accounts, where a password change for one reason or another is recorded in AD (and changed from the computer using System Preferences) but FileVault doesn't recognize that the password has changed, so the passwords are out of sync. The keychain is updated with the new credentials, the locally cached account has the new credentials, the directory has the new credentials, but FV is still using the old credentials.

I'm still trying to figure out why.

ltrevino
New Contributor

Has anyone figured out why FV is still using the old credentials?

JPDyson
Valued Contributor

@thoule This is what we've discovered as well. We're probably complicating things by using a 3rd party directory utility/mobile accounts, but that's not usually a problem for us anymore. Most of the time, if you perform a live/networked login with the updated credentials, it updates FileVault.

Jedberg
New Contributor III

What OS's are you seeing this with?

We were seeing this with some 10.8.x devices, but then once we upgraded those devices to 10.9.2 they were fixed.

Apple-recommended way to trigger sync (updating non-synced FV preboot passwords):
touch "/System/Library/PrivateFrameworks/EFILogin.framework/Resources/EFIResourceBuilder.bundle/Contents/Resources"

or

I found the below way to trigger it in some cases as well:
In Terminal, have the user log in with the new password: type "login username" at the prompt, then the password.

We use Native AD Plugin.
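A small wrapper around the Apple-recommended touch above, added here as an example (not from the thread or from Apple): it first confirms the account is actually a FileVault-enabled user by parsing the output of fdesetup list, and only then nudges the preboot resources. The names EFI_RES, fv_user_enabled and resync_preboot are my own; the path is the one quoted above, and the script assumes it runs on macOS.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes macOS with fdesetup(8); the
# EFIResourceBuilder path is the one quoted in Jedberg's post above.
EFI_RES="/System/Library/PrivateFrameworks/EFILogin.framework/Resources/EFIResourceBuilder.bundle/Contents/Resources"

# Read `fdesetup list` output ("shortname,UUID" per line) from stdin and
# succeed only if the named account is a FileVault-enabled (preboot) user.
fv_user_enabled() {
  while IFS=, read -r name _uuid; do
    [ "$name" = "$1" ] && return 0
  done
  return 1
}

# Apply the Apple-recommended nudge for one user, but only after confirming
# the account really is a FileVault unlock user, so a non-FV account (the
# usual reason the preboot screen "ignores" a password) is reported instead.
resync_preboot() {
  if ! fdesetup list | fv_user_enabled "$1"; then
    echo "$1 is not FileVault-enabled; check 'fdesetup list' first" >&2
    return 1
  fi
  touch "$EFI_RES" || return 1
  echo "Touched EFI preboot resources; have $1 do a networked login once, then reboot to verify."
}

# Usage: resync_preboot alice
```

After the touch, the password that the preboot screen accepts is the one cached at the user's next networked login, which is the same trigger thoule describes.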

JPDyson
Valued Contributor
What OS's are you seeing this with?

*Were; date stamps give you an idea of when, in case you're curious. It's much more reliable these days (perhaps due to Apple and/or Centrify updates since then).

Did Apple support give you the tip about that file? Seems reasonable. As for the second tip, that's about the same as thoule's recommendation (triggering an authentication).

KyleEricson
Valued Contributor II

I have this issue with Mac 10.10.4+; 10.10.3 is working fine. I have tried what you said on here, still no luck.

Read My Blog: https://www.ericsontech.com