Help

Softwareupdate is trying to authenticate user - Authentication is disabled

Go to solution
pkleiber
Contributor

Posted on ‎08-26-2021 03:13 AM

We have one user with a Macbook Pro M1 Laptop. Big Sur is installed on the machine and the logged in user is a Mobile Account and has admin rights. File vault 2 is also enabled.

Deployment was some month ago and everything worked fine. Two days ago the user approached me as he was not able to login with his account credentials at home. He was in the office yesterday and after I logged in with my local admin account everything was fine and he could work. So told him to also to update his Big Sur installation from 11.2.x to the latest version 11.5.2. But as he tried to enter his password the following screen states that Authentication is disabled.

Authentication is disabled.png

I grabbed this screenshot from the internet cause our dialogue is in German.

Anybody have seen this? Where does this come from and how can we fix this? I would greatly appreciate your help.

Thanks

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
pkleiber
Contributor

Posted on ‎08-27-2021 06:18 AM

I was able to fix the error. It has to do with a corrupt secure token.

I told the user to login with the existing local admin account an then to execute the following script:

#Check if your account has securetoken enabled, (it probably does)
# Disable it then reenable it.
sysadminctl -secureTokenStatus <username>
sysadminctl -secureTokenOff <username> -password - -adminUser <adminusername> -adminPassword -
sysadminctl -secureTokenOn <username> -password - -adminUser <adminusername> -adminPassword -
diskutil apfs UpdatePreboot /

 After that I told him to do a reboot.

Everything seems fine now. Logging in offline to his Mobile account also works again.

View solution in original post

13 REPLIES 13

Go to solution
SCCM
Contributor II

Posted on ‎08-26-2021 05:00 AM

Not seen that with the latest update, double check your login window > options / access settings and restrictions > application settings to make sure no ristrictions are enabled by mistake in any config profile

0 Kudos

Go to solution
pkleiber
Contributor
In response to SCCM

Posted on ‎08-26-2021 06:44 AM

Hi @SCCM , thanks for the tip. We don't use config profiles with this setting in our environment.

0 Kudos

Go to solution
junjishimazaki
Valued Contributor

Posted on ‎08-26-2021 06:41 AM

It looks to me like the computer got kicked off the domain. Have you tried unbinding/re-binding the mac from the domain? Then have the user login again. 

0 Kudos

Go to solution
pkleiber
Contributor
In response to junjishimazaki

Posted on ‎08-26-2021 06:46 AM

Hi @junjishimazaki , was also my thought too. I did an unbind directly on his laptop then rebooted. After that our binding policy kicked in an automatically did rebind the client. Unfortunately this did not fix the issue.

0 Kudos

Go to solution
junjishimazaki
Valued Contributor
In response to pkleiber

Posted on ‎08-26-2021 07:03 AM

You did this when the mac was hard-wired to ethernet correct?

0 Kudos

Go to solution
pkleiber
Contributor
In response to junjishimazaki

Posted on ‎08-26-2021 07:20 AM

Nope the user was on site with his laptop an we did this via wlan. Is there a difference?

0 Kudos

Go to solution
junjishimazaki
Valued Contributor
In response to pkleiber

Posted on ‎08-26-2021 07:31 AM

I would do this hard-wired. Sometimes it needs a physical connection to reauth properly. 

0 Kudos

Go to solution
pkleiber
Contributor
In response to junjishimazaki

Posted on ‎08-27-2021 05:32 AM

@junjishimazakiwe did the unbind and rebind via network cable. Unfortunately it had no effect.

0 Kudos

Go to solution
pkleiber
Contributor

Posted on ‎08-27-2021 06:18 AM

I was able to fix the error. It has to do with a corrupt secure token.

I told the user to login with the existing local admin account an then to execute the following script:

#Check if your account has securetoken enabled, (it probably does)
# Disable it then reenable it.
sysadminctl -secureTokenStatus <username>
sysadminctl -secureTokenOff <username> -password - -adminUser <adminusername> -adminPassword -
sysadminctl -secureTokenOn <username> -password - -adminUser <adminusername> -adminPassword -
diskutil apfs UpdatePreboot /

 After that I told him to do a reboot.

Everything seems fine now. Logging in offline to his Mobile account also works again.

Go to solution
junjishimazaki
Valued Contributor
In response to pkleiber

Posted on ‎08-27-2021 06:27 AM

Great job in troubleshooting. I'm glad you found a solution. Definitely a weird one

0 Kudos

Go to solution
eportillo1
New Contributor
In response to pkleiber

Posted on ‎08-22-2022 10:02 AM

Thank you very much for this - it helped fix a similar issue for us. Would you know if it is possible to grant a securetoken to a user that has no password? ie: most of our users are SmartCard only and we cannot get past the "enter password for 'user'" portion unless they have a password. For reference, we bind with directory utility and users login to mobile accounts. 99% of our users have no password.

0 Kudos

Go to solution
NeiSpe77
New Contributor III

Posted on ‎04-03-2023 04:40 PM

I came across this today at my work. A user had updated her OS from Big Sur to Ventura. It broke her securetoken. Thank you for this!

0 Kudos

Go to solution
aprild
New Contributor II

4 weeks ago - last edited 4 weeks ago

This solution has fixed the issue for me but it keeps recurring.  Anyone else experiencing the secure tokens repeatedly becoming corrupt and having to reset each time there is an OS update? We are bound to AD and use mobile accounts.

0 Kudos