"Authentication server refused operation..." error message appears when enabling FileVault on macOS 10.13 High Sierra in Endpoint Encryption 6.0

    • Updated: 19 Mar 2018
    • Product/Version: Endpoint Encryption 6.0
    • Platform: N/A
Summary

When you try to manually enable FileVault with a mobile account, the following error message appears:

Authentication server refused operation because the current credentials are not authorized for the requested operation.

This issue only occurs when the storage device is in APFS format.

For more information about the error, refer to the Apple Support article: If you see authentication server errors when turning FileVault on in macOS High Sierra

Details

To add a secure token for a specific account, you must first have the credentials of a local admin account that has a secure token.

Prerequisites:

  • The logon credentials for the local admin and domain user.
  • The domain user must have a mobile account.
  • The specific user account has a "Full Name" set in the Users & Groups pane. (Note: We will enhance this in TMEE 6.0 L10n.)


Use any of the following methods:

Method 1

  1. Check whether the specific user account has a secure token and make sure it is disabled.

    $ sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenStatus "$username" -password "$user_password"

    $GUIAdmin is usually the local admin, which has the secure token by default.

  2. Add a secure token for the specific user account:

    1. Check whether the local admin account has a secure token and make sure it is enabled:

      $ sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenStatus "$username" -password "$user_password"

    2. Log on to the Mac as the local admin and execute the following command:

      $ sysadminctl -adminUser "$GUIAdmin" -adminPassword "$GUIAdminPw" -secureTokenOn "$username" -password "$user_password"

  3. Verify that the specific account has a secure token and that it is enabled.

    $ sudo sysadminctl -secureTokenStatus "$username"

  4. Reboot the machine.
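
The checks in Method 1 as a single pre-flight script. This is an added example, not part of the original article or of Trend Micro's tooling. The function names are hypothetical, and both the wording of the sysadminctl status line and the use of "-" to prompt for a password are assumptions.

```shell
#!/bin/bash
# Added example: pre-flight logic for Method 1. Function names are hypothetical.

# Reduce a `sysadminctl -secureTokenStatus` status line to one word.
# Assumption: the line contains "Secure token is ENABLED|DISABLED for user <name>".
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Query one account on a Mac. sysadminctl logs to stderr, so fold it into stdout.
query_token() {
  token_state "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# Decide the next step from the admin's ($1) and the user's ($2) token state.
next_action() {
  if [ "$2" = ENABLED ]; then
    echo nothing-to-do          # user already holds a secure token
  elif [ "$1" != ENABLED ]; then
    echo admin-lacks-token      # this admin cannot grant a token to anyone
  elif [ "$2" = DISABLED ]; then
    echo grant                  # safe to run -secureTokenOn
  else
    echo user-state-unknown     # unexpected output: stop and inspect by hand
  fi
}

# Runs only when called as: sudo ./script <local_admin> <username>, on a Mac.
if [ "$#" -eq 2 ] && command -v sysadminctl >/dev/null 2>&1; then
  action=$(next_action "$(query_token "$1")" "$(query_token "$2")")
  echo "next action: $action"
  if [ "$action" = grant ]; then
    # Assumption: "-" makes sysadminctl prompt for each password, which keeps
    # both passwords out of the process list and the shell history.
    sysadminctl -adminUser "$1" -adminPassword - -secureTokenOn "$2" -password -
    echo "after grant: $(query_token "$2")"
  fi
fi
```

If the script reports admin-lacks-token, the account passed as the local admin cannot grant a token, so run it again with a different local admin that does hold one.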
Method 2

  • Use SecureTokencmd to enable a secure token.
  • Endpoint Encryption 6.0 L10n includes the SecureTokencmd tool.

  1. Copy the tool to the Mac where the domain user is logged in.
  2. Check the status of the secure token for a specific user:

    $ sudo ./SecureTokencmd Status


  3. Check whether the local admin account has a secure token and make sure it is enabled:

    $ sudo ./SecureTokencmd Status

  4. Log on to the Mac as the local admin.
  5. Turn on the secure token for the specified user whose secure token is disabled, then provide the specific user account and the corresponding credentials for the local admin.

    $ sudo ./SecureTokencmd enable

  6. Verify the status of the secure token using the command in step 1.


  7. Reboot the machine.

Method 3

  1. Install Encryption Management for Apple FileVault 6.0.0.1035 or a later version.
  2. Log on as a local admin and sync the policies (the local admin must have a secure token).
  3. Input the password to start encryption.
  4. Go to System Preferences > Security & Privacy > FileVault.
  5. Unlock to make the changes.
  6. Click Enable Users.
  7. Enable the domain user to unlock the disk.

Category: Troubleshoot
Solution Id: 1119488