Mac: Login keychain warnings when you log in

This article explains what to do if you see a warning that the system was unable to unlock your login keychain, and why this occurs.

We get a lot of Mac users contacting us with Keychain issues. They are presented with the dreaded “The system was unable to unlock your login keychain” message. Or perhaps they got past the login and see “____ wants to use the login keychain”. I will attempt to explain in simple terms what this is all about, and what you need to do to “fix” it.

Why am I seeing login keychain warnings?

Let's start at the beginning. When you joined WCER, a network account was created for you in Active Directory. Tech Services created a username (based on your NetID username) and then helped you create a password. You then logged in to your Mac for the first time and were able to do your work, and all was good. During this "first" login your Mac created a secure vault, or "login keychain", for you, where all sorts of things are stored, mainly saved passwords. This vault is also locked with a password: the SAME password you used to log in to the Mac.

Because WCER requires you to change your password every 120 days, once your password is within 30 days of expiring, any Mac bound to Active Directory will prompt you when you try to log in. It will advise you to update your password. So you enter a new one and your WCER password is good for another 120 days. At the same time, the password that secures your login keychain on that Mac is updated. Perfect!

OK, so everything is great if you are a one-Mac kind of person, but what if your password is changed on another computer? What if Tech Services reset your password for you on the "system"? Maybe you had to reset it while out of the office via the WCER Password Reset Portal?

You'll be able to log in to your Mac with your NEW password, but the Mac then wants to access your "login keychain", which is still locked with your OLD password. Basically, your network password and your "login keychain" password have gone out of sync, and you will see this:

[Screenshot: Update Keychain Warning]

So which button should you push?

There are three options to choose from. Here’s what they mean:

Continue Log In:

This means "I'm in a rush and just need to get into my Mac. I don't care…" (Most people click this EVERY time they log in. Like a bully, it won't go away until you do something about it.)

Create New Keychain:

This one means you've totally forgotten your old password and are not able to unlock your "login keychain", so you need to create a new one. By doing this your Mac will delete your old login keychain. (This is a good choice if you don't know your old WCER password, or if you don't care that any saved passwords to websites, etc. will be lost.)

Update Keychain Password:

Now this one is the one you want! By clicking this button you get the option to simply update the old keychain password to your new one. You will be prompted to enter your old password; in most cases this is the last one you used. Click OK and you're good to go!
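For Tech Services staff who would rather do the "Update Keychain Password" step from Terminal, the same resynchronisation can be done with Apple's `security` command. The script below is an added example and is not part of the original article; it assumes the login keychain lives at its default path (`~/Library/Keychains/login.keychain-db`) and that the `security` tool is present (it is on any Mac). It deliberately does not pass the old or new password as arguments, so neither ends up in shell history or the process list; `security` prompts for both interactively instead. With `DRY_RUN=1` the script only prints the command it would run.

```shell
#!/bin/sh
# Added example (not WCER's own tooling): resync a macOS login keychain
# whose password has drifted from the user's Active Directory password.
#
# Assumption: the login keychain is at the default location below.
LOGIN_KEYCHAIN="${HOME}/Library/Keychains/login.keychain-db"

# Returns 0 if the keychain file exists, 1 otherwise. A missing file means
# the user has no login keychain yet (or chose "Create New Keychain").
login_keychain_present() {
    kc="${1:-$LOGIN_KEYCHAIN}"
    [ -f "$kc" ]
}

# Equivalent of the "Update Keychain Password" button. Passwords are NOT
# given on the command line: `security set-keychain-password` prompts for
# the old and new password itself when -o/-p are omitted, which keeps them
# out of `ps` output and shell history.
# DRY_RUN=1 prints the command instead of running it.
resync_login_keychain() {
    kc="${1:-$LOGIN_KEYCHAIN}"
    if ! login_keychain_present "$kc"; then
        echo "no login keychain at $kc; nothing to resync" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'security set-keychain-password %s\n' "$kc"
        return 0
    fi
    security set-keychain-password "$kc"
}

# Usage (interactive):   resync_login_keychain
# Usage (review only):   DRY_RUN=1 resync_login_keychain
```

After a successful update the keychain unlocks at login with the new Active Directory password, which is exactly what the "Update Keychain Password" button does through the GUI. If the user no longer knows the old password, this command cannot help, and the "Create New Keychain" option (losing the saved items) is the only way forward.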

How can I avoid these login keychain warnings in the future?

Always change your WCER password from your Mac that is bound to Active Directory (see footnote), either from the Password Expiration reminder at login…

[Screenshot: Password Expiration Prompt]

… or through the Users & Groups preference pane within System Preferences.

[Screenshot: Users & Groups System Preference]

So in the future, when you see the "system was unable to unlock your login keychain" message after login and are offered three options, click the correct one. Keeping your login keychain in sync with your WCER password will save you lots of hassle.


A short footnote, to explain some terms and provide some technical background:

What is Active Directory, and what does ‘bound to Active Directory’ mean?

Active Directory is a set of software services developed by Microsoft which is installed on our network servers. Among other things, Active Directory is a list containing all our network's computers and users (and their rights or privileges). When a computer is added to Active Directory, it is said to be "bound" to Active Directory. That just means it is a trusted device on our network, and only users that are also on that list are able to log in.

Not all computers are bound to Active Directory

If your only Mac is a laptop, the chances are good that you will never see the "login keychain" warnings on the laptop itself. This is because, until recently, only desktop computers located on campus were bound to Active Directory. This was done because laptops bound to Active Directory sometimes had problems when users logged in to them while they were not on campus (i.e., not connected to the UW network). These problems have been reduced over the last few years, and Tech Services has now started to bind more laptops to Active Directory, since it makes many network-related tasks easier for users.


Material sourced from the following website:

