One of my users ran into an issue recently when launching Microsoft Lync. When the Lync application logged into the Lync server, a “Microsoft Lync wants to use OC_KeyContainer_username@company.com. Please enter the keychain password” prompt appeared.
The curious thing was that the keychain prompt would not accept the user’s current login password. When I checked, the user’s login keychain was unlocked and using the current password, so it didn’t appear to be caused by the login keychain password issues that I normally deal with.
After some research, I was able to find the answer and get this issue fixed. See below the jump for the details.
The fix:
1. Quit out of Microsoft Lync
2. Go to /Users/username/Library/Keychains
3. Remove the OC_KeyContainer__username@company.com file from /Users/username/Library/Keychains.
4. Launch Microsoft Lync
5. On relaunch, the prompt no longer appeared.
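The same fix as a script, added here as an example and not part of the original post: it moves the OC_KeyContainer file into a backup folder instead of deleting it, so the change can be undone, and it refuses to run while Lync is still open. The process name "Microsoft Lync", the backup folder name and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-3 of the fix as a
# reversible script. Nothing is deleted; matching files are moved aside.

LYNC_PROCESS="Microsoft Lync"   # assumption: process name of the Lync client

# True when a process with exactly that name is running.
lync_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x "$LYNC_PROCESS" >/dev/null 2>&1
}

# reset_lync_keycontainer KEYCHAINS_DIR [BACKUP_DIR]
# Moves every OC_KeyContainer_* file out of KEYCHAINS_DIR and prints how
# many were moved. Other keychains (login.keychain etc.) are left alone.
reset_lync_keycontainer() {
    dir=$1
    # Default backup folder (assumed name) sits beside the Keychains folder.
    backup=${2:-"$(dirname "$dir")/OC_KeyContainer-backup-$(date +%Y%m%d%H%M%S)"}

    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    if lync_running; then
        echo "quit $LYNC_PROCESS first (step 1 of the fix)" >&2
        return 3
    fi

    moved=0
    for f in "$dir"/OC_KeyContainer_*; do
        [ -e "$f" ] || continue      # glob matched nothing
        mkdir -p "$backup"
        chmod 700 "$backup"          # the file holds key material; keep it private
        mv "$f" "$backup/"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Touch the real folder only when asked to: sh lync-reset.sh --apply
if [ "${1:-}" = "--apply" ]; then
    reset_lync_keycontainer "$HOME/Library/Keychains"
fi
```

Once Lync has relaunched without the prompt, the backup folder can be removed.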
What caused the password prompt?
Microsoft Lync creates a keychain file to store encryption keys. The file is physically stored in /Users/username/Library/Keychains and is named something similar to OC_KeyContainer__username@company.com.
The password for this keychain is not tied to the user’s account password and it looks like the Lync program itself will automatically generate a randomized password for it. The password to unlock that keychain is then stored in the user’s login keychain.
Occasionally, something in Lync happens that causes this keychain to refuse to work properly. In that event, a pop-up may appear requesting a password.
Removing the OC_KeyContainer__username@company.com keychain file will force Lync to create a new one.
When Lync is relaunched, it will generate a new OC_KeyContainer__username@company.com keychain file with a new randomized password and store it in /Users/username/Library/Keychains.
An interesting thing about this OC_KeyContainer keychain and associated password entry is that the persistence of it appears to be tied to whether or not Lync is set to save the user’s account password.
If the password is set not to be saved:
The OC_KeyContainer__username@company.com keychain and OC_KeyContainer__username@company.com password entry in the user’s login keychain are created when Lync connects to the Lync server.
Once the Lync application is quit, the OC_KeyContainer__username@company.com keychain and application password entry are automatically deleted. On relaunch, a new OC_KeyContainer__username@company.com keychain and application password entry in the user’s login keychain are created.
If the password is set to be saved:
If they do not already exist, the OC_KeyContainer__username@company.com keychain and OC_KeyContainer__username@company.com password entry in the user’s login keychain are created when Lync connects to the Lync server. A Microsoft Lync password entry is also created in the user’s login keychain if one does not already exist.
Once the Lync application is quit, the OC_KeyContainer__username@company.com keychain and application password entry persist and are not automatically deleted. On relaunch, Lync will look for and re-use the existing OC_KeyContainer__username@company.com keychain and OC_KeyContainer__username@company.com password entry.