Posted on 08-26-2021 03:13 AM
We have one user with a MacBook Pro M1 laptop. Big Sur is installed on the machine and the logged-in user is a Mobile Account and has admin rights. FileVault 2 is also enabled.
Deployment was some months ago and everything worked fine. Two days ago the user approached me as he was not able to log in with his account credentials at home. He was in the office yesterday and after I logged in with my local admin account everything was fine and he could work. So I told him to also update his Big Sur installation from 11.2.x to the latest version 11.5.2. But as he tried to enter his password the following screen states that Authentication is disabled.
I grabbed this screenshot from the internet because our dialogue is in German.
Anybody have seen this? Where does this come from and how can we fix this? I would greatly appreciate your help.
Thanks
Posted on 08-27-2021 06:18 AM
I was able to fix the error. It has to do with a corrupt secure token.
I told the user to log in with the existing local admin account and then to execute the following script:
# Check if the account has a secure token enabled (it probably does).
# Disable it, then re-enable it; "-password -" and "-adminPassword -" prompt for the passwords interactively.
sysadminctl -secureTokenStatus <username>
sysadminctl -secureTokenOff <username> -password - -adminUser <adminusername> -adminPassword -
sysadminctl -secureTokenOn <username> -password - -adminUser <adminusername> -adminPassword -
# Rewrite the Preboot volume so the FileVault login window picks up the change.
diskutil apfs updatePreboot /
After that I told him to do a reboot.
Everything seems fine now. Logging in offline to his Mobile account also works again.
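As an added example (not code from the original post), the same sysadminctl and diskutil steps wrapped in a script that first confirms the local admin actually holds a secure token, reports the user's token state before and after, and verifies with fdesetup list that the user is back in the FileVault unlock list. It assumes macOS command-line tools; the user and admin names are passed as arguments.

```bash
#!/bin/bash
# Added example, not from the thread. Requires macOS (sysadminctl, diskutil, fdesetup).
set -u

# sysadminctl -secureTokenStatus writes a line like this to stderr:
#   sysadminctl[832:9110] Secure token is ENABLED for user jdoe
# Reduce it to ENABLED / DISABLED, or UNKNOWN if the line is not recognised.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

token_status() {            # $1 = account short name
  parse_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# fdesetup list prints one "shortname,GeneratedUID" line per FileVault-enabled user.
# $1 = that output, $2 = short name to look for.
in_filevault_list() {
  printf '%s\n' "$1" | grep -q "^$2,"
}

reset_token() {             # $1 = affected user, $2 = local admin
  user=$1; admin=$2
  # secureTokenOn can only be granted by an account that already holds a token.
  [ "$(token_status "$admin")" = ENABLED ] || { echo "admin $admin has no secure token" >&2; return 1; }
  echo "before: $user token $(token_status "$user")"
  # "-password -" / "-adminPassword -" prompt interactively, so no secret lands in ps or shell history.
  sysadminctl -secureTokenOff "$user" -password - -adminUser "$admin" -adminPassword - || return 1
  sysadminctl -secureTokenOn  "$user" -password - -adminUser "$admin" -adminPassword - || return 1
  # Rewrite the Preboot volume so the FileVault login window matches the new token state.
  sudo diskutil apfs updatePreboot / >/dev/null || return 1
  echo "after:  $user token $(token_status "$user")"
  if in_filevault_list "$(sudo fdesetup list)" "$user"; then
    echo "$user is in the FileVault unlock list; reboot to confirm"
  else
    echo "$user is still missing from fdesetup list" >&2; return 1
  fi
}

if [ $# -eq 2 ]; then reset_token "$1" "$2"; else echo "usage: $0 <username> <adminusername>" >&2; fi
```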
Posted on 08-26-2021 05:00 AM
Not seen that with the latest update. Double-check your Login Window > Options / Access settings and Restrictions > Application settings to make sure no restrictions are enabled by mistake in any config profile.
Posted on 08-26-2021 06:44 AM
Hi @SCCM , thanks for the tip. We don't use config profiles with this setting in our environment.
Posted on 08-26-2021 06:41 AM
It looks to me like the computer got kicked off the domain. Have you tried unbinding/re-binding the mac from the domain? Then have the user login again.
Posted on 08-26-2021 06:46 AM
Hi @junjishimazaki, that was also my thought. I did an unbind directly on his laptop, then rebooted. After that our binding policy kicked in and automatically rebound the client. Unfortunately this did not fix the issue.
Posted on 08-26-2021 07:03 AM
You did this when the mac was hard-wired to ethernet correct?
Posted on 08-26-2021 07:20 AM
Nope, the user was on site with his laptop and we did this via WLAN. Is there a difference?
Posted on 08-26-2021 07:31 AM
I would do this hard-wired. Sometimes it needs a physical connection to reauth properly.
Posted on 08-27-2021 05:32 AM
@junjishimazaki we did the unbind and rebind via network cable. Unfortunately it had no effect.
Posted on 08-27-2021 06:27 AM
Great job in troubleshooting. I'm glad you found a solution. Definitely a weird one.
Posted on 08-22-2022 10:02 AM
Thank you very much for this - it helped fix a similar issue for us. Would you know if it is possible to grant a secure token to a user that has no password? I.e. most of our users are SmartCard only and we cannot get past the "enter password for 'user'" portion unless they have a password. For reference, we bind with Directory Utility and users log in to mobile accounts. 99% of our users have no password.
Posted on 04-03-2023 04:40 PM
I came across this today at my work. A user had updated her OS from Big Sur to Ventura. It broke her securetoken. Thank you for this!
4 weeks ago - last edited 4 weeks ago
This solution has fixed the issue for me but it keeps recurring. Anyone else experiencing the secure tokens repeatedly becoming corrupt and having to reset each time there is an OS update? We are bound to AD and use mobile accounts.