
Mac OS X and Keychains

Mac OS X uses a mechanism called keychains to store sensitive data: passwords for websites, wireless network passphrases, trusted certificates and so on. Mac OS X keeps this data safe by encrypting the contents of the keychain file, and the key to that encryption is derived from the user's login password. In this article we cover the basics of how keychains work, how problems arise and how to deal with them when they do. We also discuss issues specific to Active Directory integrated Macs and their users' keychains.


How does the keychain file get created?

When a new user logs in to a Mac for the first time, their login keychain is created and encrypted using the password of the account that is logging in. Because the login process and the keychain share the same credential, the keychain is unlocked automatically as part of login, so access to stored credentials is seamless for the user.


Where is the file stored?

The keychain file is stored in the ~/Library/Keychains folder (where ~ stands for the home folder of the currently logged in user). The login.keychain file is the one generated on first login and encrypted with the user's password. On macOS Sierra (10.12) and later the same file is named login.keychain-db.



What happens if I delete the file?

If you delete the file it is simply re-created on the next login. Bear in mind, though, that every password stored in the deleted file is lost with it.



What issues can occur?

Most issues stem from password changes. If you change the password of a local user account on a Mac through the usual means (Users & Groups in System Preferences), the keychain is updated to match: the original password decrypts the file and the new password re-encrypts it, so the keychain continues to unlock at login.

Problems arise when the user account is hosted on an external server. A server administrator can then reset or change the user's password without the Mac, and therefore the keychain, ever seeing the change.


Microsoft Active Directory Integration and Keychains 

When a Mac is bound to an Active Directory environment, Mac OS X authenticates against the network server instead of a locally held user database. In other words, it asks the server whether the username and password provided match those stored in Active Directory.

If they match, the login process starts. As before, if this is the user's first login on the Mac, the keychain file is created and encrypted with the current password.



What happens if an Active Directory user forgets their password?

If an Active Directory user cannot log in to a Mac because they have forgotten their password, or an enforced password policy has locked the account, the usual course is to contact the IT department and have the password reset. The Mac holding the keychain file is not told about that change, so it cannot re-encrypt the keychain. The next time the user logs in, authentication succeeds with the new password (the check is done against the server, where the password was changed), but the Mac cannot unlock the login keychain with that password and displays a dialog similar to the one below:


[Image: "Keychain Issues" dialog offering Continue Log In, Update Keychain Password and Create New Keychain]


Which option should I choose?

‘Continue Log In’ lets the login proceed without touching the keychain. The login itself completes normally, but the keychain stays locked, so the user will be prompted for the keychain password again whenever the system tries to read a stored password from it.

The keychain remains encrypted and can still be unlocked with the old password. In practice, though, the situation usually arises because the user has forgotten that password, and we would not recommend a policy that allows the login and keychain passwords to differ.

‘Update Keychain Password’ is largely self-explanatory: it re-encrypts the keychain under the new login password. The user must supply the old password to do so, which they may not remember. If they do, this is our recommended action, since it retains all existing keychain contents.

That leaves ‘Create New Keychain’. This discards the old keychain and creates a fresh one, encrypted with the user's new password. Nothing is recovered from the old keychain, but it is often the only option when the old password has genuinely been forgotten.
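As an added example that is not part of the original article, the following POSIX shell script performs the ‘Update Keychain Password’ step from the command line with Apple's security tool, after first checking that the old password really does unlock the keychain (if it does not, only ‘Create New Keychain’ is left). It also covers the earlier question of where the file lives: the login_keychain_path helper looks in ~/Library/Keychains for login.keychain-db (macOS Sierra and later) and falls back to login.keychain (earlier OS X). The security commands only exist on macOS; the path helper itself is portable. The script name rekey.sh and the --run flag are our choices, not anything the article mentions.

```shell
#!/bin/sh
# Added example (not from the original article): re-key a user's login keychain
# after an Active Directory password reset, using Apple's `security` tool.
# Assumes macOS, the affected user is logged in, and they still know the OLD
# password. `security` exists only on macOS; login_keychain_path is portable.

# Resolve the login keychain inside a Keychains folder.
# macOS Sierra (10.12) and later name the file login.keychain-db; older
# releases use login.keychain. Prints the path; returns 1 if neither exists.
login_keychain_path() {
    dir="${1:-$HOME/Library/Keychains}"
    if [ -f "$dir/login.keychain-db" ]; then
        printf '%s\n' "$dir/login.keychain-db"
    elif [ -f "$dir/login.keychain" ]; then
        printf '%s\n' "$dir/login.keychain"
    else
        return 1
    fi
}

# Returns 0 if the keychain unlocks with the supplied password (then re-locks it).
# This is the check the login dialog performs silently before complaining.
keychain_unlocks_with() {
    kc="$1"; pw="$2"
    if security unlock-keychain -p "$pw" "$kc" 2>/dev/null; then
        security lock-keychain "$kc"
        return 0
    fi
    return 1
}

# Re-encrypt the keychain under the new login password: the command-line
# equivalent of the ‘Update Keychain Password’ button.
rekey_login_keychain() {
    old_pw="$1"; new_pw="$2"
    kc=$(login_keychain_path) || { echo "no login keychain found" >&2; return 1; }
    if ! keychain_unlocks_with "$kc" "$old_pw"; then
        echo "old password does not unlock $kc; only 'Create New Keychain' remains" >&2
        return 2
    fi
    security set-keychain-password -o "$old_pw" -p "$new_pw" "$kc"
}

# Usage (macOS only):  sh rekey.sh --run
# Passwords are read without echo so they do not end up in shell history.
if [ "$(uname)" = Darwin ] && [ "${1-}" = "--run" ]; then
    printf 'Old (pre-reset) password: '; stty -echo; read -r old; stty echo; echo
    printf 'New password: ';             stty -echo; read -r new; stty echo; echo
    rekey_login_keychain "$old" "$new" && echo "keychain re-keyed"
fi
```

Run it as the affected user, not as an administrator via sudo, because the keychain belongs to the user's home folder and the unlock is performed in that user's security context. If the old-password check fails, stop and fall back to creating a new keychain rather than repeatedly guessing.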

