Troubleshoot: macOS Password and Keychain Issues

If a macOS user experiences multiple password prompts or Touch ID failures after resetting their password, a complete keychain reset may be required. This article shows you how to address these issues, and recreate the user's keychain if necessary.

This process is more complete than relying on the agent to set the user’s keychain aside. The ~/Library/Keychains directory may contain more than just the user’s keychain database, including invisible files which may cause additional issues.

Symptoms

A corrupt keychain database and additional files located within the user’s ~/Library/Keychains directory may cause the following symptoms:

  • Inability to register a new fingerprint for TouchID.
  • Repeated prompts to verify their old and new passwords during login, or via the JumpCloud Menubar extra

See Syncing Your JumpCloud Password with Your Device Password to learn more about managing user passwords on macOS devices.

Resolution

User Can’t Register a Fingerprint for TouchID

Ensure the user’s password is up-to-date in the JumpCloud menubar app. If not, have the user enter their new and previous passwords to ensure their JumpCloud and local device password are in sync. See Syncing Your JumpCloud Password with Your Device Password to learn more.

Once the password is confirmed in the app or if the menu bar app shows the passwords are up to date, have the user log out and back in to their account on the device (not restart).

To log out and back in to the device:

  1. On the Mac, go to the Apple menu  > Log Out.
  2. At the login window, enter your credentials to log in.
    • TouchID is tied to the user’s keychain so having the user log out and back in to their account allows them to re-authenticate and unlock the keychain.
  3. Try adding or editing their TouchID fingerprint.

User Receives Repeated Password Prompts

If a user receives multiple password prompts, verify there are no stub files remaining in the /opt/jc/passwordupdates directory. If there are, delete the files and have the user to log out and back in to test. It's helpful to perform a password reset at this stage to ensure the credential rotates properly.

Preserving and Recreating the Keychain

If the user is still unable to add or edit a fingerprint, or is receiving repeated password confirmation prompts after the above steps, recreate the user's keychain.

To recreate the user’s keychain:

  1. Open the user's ~/Library folder:
    1. Open macOS Finder.
    2. In the top menu bar, select the Go menu.
    3. Press and hold the Option key to show Library in the menu list and select it.
  2. Locate the Keychains directory and rename it to Keychains-old.
  3. Have the user log out and back in to recreate their keychain directory and the subsequent database files.

When the user logs in, they should no longer receive a password confirmation prompt. Additionally, they should be able to register fingerprints for TouchID.

Note:

If the user needs to recover any data from their old keychain database, they can open the backup taken in Step 2 by locating the Keychains-old directory within their Library directory and double clicking the login.keychain-db file. This opens the Keychain Viewer and lets them copy any records they’d like to move to their current login keychain.

Back to Top

List IconIn this Article

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case