Prerequisites:

The logon credentials for the local admin and domain user.

The domain user must have a mobile account.

The specific user account is set with “full name” in Users&Groups pane (Note: We will enhance this in TMEE 6.0 L10n.)

Do any of the following methods:

Method 1

Check if the specific user account has secure token and make sure it is disabled.

$sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenStatus "$username" -password "$user_password"

The $GUIAdmin is usually is local admin which has the secure token by default.
Add secure token for specific user account
1. Check if the local admin account has secure token and make sure it is enabled:
  
  $sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenStatus "$username" -password "$user_password"
2. Log on to Mac as the local admin and execute following command:
  
  $sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenOn "$username" -password "$user_password"
Verify that the specific account has asecure token and that it is enabled.

$sudo sysadminctl -secureTokenStatus "$username"
Reboot the machine.

Method 2

Use SecureTokencmd to enable a secured token.
Endpoint Encryption 6.0 L10n includes the SecureTokencmd tool.

Method 2

Copy the tool to the Mac where the domain user is logged in.
Check the status of the secure token for a specific user:

$sudo ./SecureTokencmd Status
Find out the local admin account has secure token and make sure it Is enabled:

$sudo ./SecureTokencmd Status
Log on to Mac as the local admin.
Turn on the secure token for specified user where the secure token is disabled then provide the specific user account and corresponding credentials for the local admin.

$sudo ./SecureTokencmd enable
Verify the status of the secure token using the command in step 1.

Click image to enlarge
Reboot the machine.

Method 3

Install Encryption Management for Apple FileVault 6.0.0.1035 or later version.
Log on as a local admin and sync the policies (The local admin must have a ‘secure token’).
Input the password to start encryption.
Go to System Preferences > Security & Privacy > FileVault.
Unlock to make the changes.
Click Enable Users.
Enable the domain user to unlock the disk.

"Authentication server refused operation..." error message appears when enabling FileVault on macOS 10.13 High Sierra in Endpoint Encryption 6.0

Product / Version includes:

Endpoint Encryption 6.0

Last updated: 2025/05/08

Solution ID: KA-0008267

Category: Troubleshoot

Summary

When you try to manually enable FileVault with a mobile account, you will get following error message:

Authentication server refused operation because the current credentials are not authorized for the requested operation.

This issue only occurs when the storage device is in APFS format.

For more information about the error, refer to the Apple Support article: If you see authentication server errors when turning FileVault on in macOS High Sierra

To add a secure token for a specific account, the user must first have a local admin (with secure token) credentials.

Prerequisites:

The logon credentials for the local admin and domain user.
The domain user must have a mobile account.
The specific user account is set with “full name” in Users&Groups pane (Note: We will enhance this in TMEE 6.0 L10n.)

Do any of the following methods:

Method 1

Check if the specific user account has secure token and make sure it is disabled.

$sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenStatus "$username" -password "$user_password"

The $GUIAdmin is usually is local admin which has the secure token by default.
Add secure token for specific user account
1. Check if the local admin account has secure token and make sure it is enabled:
  
  $sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenStatus "$username" -password "$user_password"
2. Log on to Mac as the local admin and execute following command:
  
  $sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenOn "$username" -password "$user_password"
Verify that the specific account has asecure token and that it is enabled.

$sudo sysadminctl -secureTokenStatus "$username"
Reboot the machine.

Method 2

Use SecureTokencmd to enable a secured token.
Endpoint Encryption 6.0 L10n includes the SecureTokencmd tool.

Method 2

Copy the tool to the Mac where the domain user is logged in.
Check the status of the secure token for a specific user:

$sudo ./SecureTokencmd Status
Find out the local admin account has secure token and make sure it Is enabled:

$sudo ./SecureTokencmd Status
Log on to Mac as the local admin.
Turn on the secure token for specified user where the secure token is disabled then provide the specific user account and corresponding credentials for the local admin.

$sudo ./SecureTokencmd enable
Verify the status of the secure token using the command in step 1.

Click image to enlarge
Reboot the machine.

Method 3

Install Encryption Management for Apple FileVault 6.0.0.1035 or later version.
Log on as a local admin and sync the policies (The local admin must have a ‘secure token’).
Input the password to start encryption.
Go to System Preferences > Security & Privacy > FileVault.
Unlock to make the changes.
Click Enable Users.
Enable the domain user to unlock the disk.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

"Authentication server refused operation..." error message appears when enabling FileVault on macOS 10.13 High Sierra in Endpoint Encryption 6.0

Prerequisites:

Method 1

Method 1

Method 2

Method 2

Method 3

Method 3

"Authentication server refused operation..." error message appears when enabling FileVault on macOS 10.13 High Sierra in Endpoint Encryption 6.0

Product / Version includes:

Summary

Prerequisites:

Method 1

Method 1

Method 2

Method 2

Method 3

Method 3