Macintosh Support - Keychain Management

Managing your Macintosh Keychain

What is a keychain?

The keychain in Mac OS X is Apple's password management system.

A keychain can store all your passwords for applications, servers, and websites, or even sensitive information unrelated to your computer, such as credit card numbers or personal identification numbers (PINs) for bank accounts.

When you connect to a network server, open an email account, or access any password-protected item that is keychain-aware, your keychain can provide the password so you don't have to type it.

You start with a single keychain, which is created automatically the first time you log in to your Mac OS X user account. Your default keychain has the same password as your login password. This keychain is unlocked automatically when you log in to Mac OS X and is referred to in Keychain Access menus as the "login" keychain.


When keychain problems occur

Keychain problems occur when a user's login password does not match their keychain password. This can be caused by using authentication methods other than the standard OS X local account system. On UMKC Macs, users log in with their UMKC Username account credentials. However, when a user changes their UMKC Username password, the OS X keychain does not recognize the change automatically. When the password used to log in to the machine does not match the current keychain password, the login keychain does not unlock, resulting in persistent popup messages. The user is able to log on to the machine with their new UMKC password, but will immediately be told that "The system was unable to unlock your login keychain."

Below is an example of the keychain prompt at login:



Updating your keychain password

When a keychain mismatch like the one above occurs, the user must change their keychain password to match the new UMKC password used to log on to the machine. To change the keychain password correctly, the user selects "Update Keychain Password" and then enters their previous UMKC password. If it is entered correctly, the keychain is updated with the new UMKC password and retains all information in the existing keychain.


If the user does not remember their previous UMKC password, they will be required to create a new keychain. Click the Create New Keychain button, and verify the new login password (new UMKC password). Note that this will destroy all information in their existing keychain, such as saved password information for websites/network locations/etc.


When users cannot change their keychain password

In some specific situations, the above instructions may not be sufficient to unlock or recreate the keychain. This can occur if a keychain has become corrupt or has permission errors. In those instances, it may be necessary to manually delete and recreate your keychain. 

Manually deleting the keychain

Follow the instructions below to manually delete the login keychain:

  1. Log in with the affected account.
  2. If any login keychain prompts are presented at login, ignore them for the moment.
  3. Navigate to the Applications folder and locate the Self Service application.
  4. Launch Self Service.
  5. Click the System Management category on the left-hand side.
  6. Run the policy titled "Reset User's Keychain" and follow the instructions to restart the machine.
  7. Log in with your current UMKC password and verify that keychain prompts have stopped.

Note: If the above instructions still do not resolve the keychain problem, please contact the UMKC Technology Support Center.