Softwareupdate is trying to authenticate user - Authentication is disabled

pkleiber
Contributor

We have one user with a MacBook Pro M1 laptop. Big Sur is installed on the machine, and the logged-in user is a Mobile Account and has admin rights. FileVault 2 is also enabled.

Deployment was some months ago and everything worked fine. Two days ago the user approached me as he was not able to log in with his account credentials at home. He was in the office yesterday, and after I logged in with my local admin account everything was fine and he could work. So I told him to also update his Big Sur installation from 11.2.x to the latest version, 11.5.2. But as he tried to enter his password, the following screen stated that Authentication is disabled.

Authentication is disabled.png

I grabbed this screenshot from the internet because our dialog is in German.

Has anybody seen this? Where does this come from and how can we fix this? I would greatly appreciate your help.

Thanks

1 ACCEPTED SOLUTION

pkleiber
Contributor

I was able to fix the error. It has to do with a corrupt secure token.

I told the user to log in with the existing local admin account and then to execute the following script:

# Check if your account has securetoken enabled (it probably does)
# Disable it then reenable it.
sysadminctl -secureTokenStatus <username>
sysadminctl -secureTokenOff <username> -password - -adminUser <adminusername> -adminPassword -
sysadminctl -secureTokenOn <username> -password - -adminUser <adminusername> -adminPassword -
diskutil apfs UpdatePreboot /

After that I told him to do a reboot.

Everything seems fine now. Logging in offline to his Mobile account also works again.


13 REPLIES

SCCM
Contributor II

Not seen that with the latest update. Double-check your login window > options / access settings and restrictions > application settings to make sure no restrictions are enabled by mistake in any config profile.

Hi @SCCM, thanks for the tip. We don't use config profiles with this setting in our environment.

junjishimazaki
Valued Contributor

It looks to me like the computer got kicked off the domain. Have you tried unbinding/re-binding the Mac from the domain? Then have the user log in again.

Hi @junjishimazaki, that was my thought too. I did an unbind directly on his laptop, then rebooted. After that our binding policy kicked in and automatically did rebind the client. Unfortunately this did not fix the issue.

You did this when the Mac was hard-wired to Ethernet, correct?

Nope, the user was on site with his laptop and we did this via WLAN. Is there a difference?

I would do this hard-wired. Sometimes it needs a physical connection to reauth properly.

@junjishimazaki we did the unbind and rebind via network cable. Unfortunately it had no effect.

Great job in troubleshooting. I'm glad you found a solution. Definitely a weird one.

Thank you very much for this - it helped fix a similar issue for us. Would you know if it is possible to grant a securetoken to a user that has no password? I.e., most of our users are SmartCard only and we cannot get past the "enter password for 'user'" portion unless they have a password. For reference, we bind with Directory Utility and users log in to mobile accounts. 99% of our users have no password.

NeiSpe77
New Contributor III

I came across this today at my work. A user had updated her OS from Big Sur to Ventura. It broke her securetoken. Thank you for this!

aprild
New Contributor II

This solution has fixed the issue for me but it keeps recurring. Is anyone else experiencing the secure tokens repeatedly becoming corrupt and having to reset each time there is an OS update? We are bound to AD and use mobile accounts.
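
A read-only check to run after the toggle in the accepted solution, and again after each OS update given the recurrence reported above; it is added here as an example and is not code from the thread. The function names and sample data are constructed, and the matched `sysadminctl` wording and the `fdesetup list` line format are assumptions about those tools' usual output.

```shell
#!/bin/sh
# Added example, not from the thread: confirm one account's end state.

# Map `sysadminctl -secureTokenStatus` text to enabled|disabled|unknown.
# Assumes the usual "Secure token is ENABLED/DISABLED for user X" wording.
token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# True if user $1 appears in `fdesetup list` text $2 ("shortname,UUID" lines).
# Exact field compare, so "jdo" does not match "jdoe".
in_filevault() {
    printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u {f=1} END {exit !f}'
}

# Verdict for user $1 given status text $2 and fdesetup text $3.
verdict() {
    state=$(token_state "$2")
    if [ "$state" != enabled ]; then echo "token-$state"
    elif ! in_filevault "$1" "$3"; then echo not-in-filevault
    else echo ok
    fi
}

# Live check on the Mac (run as root; sysadminctl reports on stderr).
check_live() {
    verdict "$1" "$(sysadminctl -secureTokenStatus "$1" 2>&1)" \
                 "$(fdesetup list 2>/dev/null)"
}

# Constructed sample data so the logic can be exercised off a Mac.
SAMPLE_FV='localadmin,11111111-2222-3333-4444-555555555555
jdoe,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE'
SAMPLE_ON='2021-08-20 09:14:02.101 sysadminctl[811:9021] Secure token is ENABLED for user jdoe'
SAMPLE_OFF='2021-08-20 09:14:02.377 sysadminctl[812:9033] Secure token is DISABLED for user jdoe'

if command -v sysadminctl >/dev/null 2>&1; then
    check_live "${1:-$(id -un)}"
else
    verdict jdoe "$SAMPLE_ON" "$SAMPLE_FV"
fi
```

Any verdict other than `ok` means the account should be looked at before the user leaves the office network.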