After changing the password via an internal website (LDAP), macOS reports “authentication is disabled” for the Touch ID related settings.
The fix is quite simple:
# Run these commands directly (without sudo or "su - another-admin-user").
#
# For the first two commands, when prompted for a password, authenticate as
# another admin user, since that admin's password is unaffected by the change.
sysadminctl -secureTokenOff <username> -password <AD-pwd> interactive
sysadminctl -secureTokenOn <username> -password <AD-pwd> interactive
diskutil apfs UpdatePreboot /
# No reboot is required.
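The three commands above toggle the account's Secure Token off and back on (so it is re-issued against the current password) and then resync the APFS preboot volume. As an added example that is not part of the original note, the script below wraps that procedure with a status check on each side, using the real `sysadminctl -secureTokenStatus <user>` verb and the `-password -` form that prompts for the password instead of placing it on the command line (where it would end up in shell history and `ps` output). The `<username>` is supplied by the caller, and the sample status line in the comment is constructed to match the wording that verb is expected to print; `secure_token_state`, `live_secure_token_state` and `reset_secure_token` are names chosen here, not Apple's.

```shell
#!/bin/sh
# Added example (not from the original note). Checks Secure Token state
# before and after re-issuing it. `sysadminctl -secureTokenStatus <user>`
# prints one line to stderr; constructed sample of what it is expected to say:
#   2024-01-01 10:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user alice

# Reduce a status line to ENABLED, DISABLED or UNKNOWN.
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED for user"*)  echo ENABLED ;;
        *"Secure token is DISABLED for user"*) echo DISABLED ;;
        *)                                     echo UNKNOWN ;;
    esac
}

# Query the live state on macOS for the given (caller-supplied) username.
live_secure_token_state() {
    user="$1"
    line=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    secure_token_state "$line"
}

# Hypothetical wrapper around the note's three commands. Refuses to run when
# the account holds no token, so it never tries to turn off a token that is
# already off. `-password -` prompts for the user's (new) password;
# `interactive` prompts for another admin's credentials, and that admin
# must hold a Secure Token of their own for the operation to succeed.
reset_secure_token() {
    user="$1"
    if [ "$(live_secure_token_state "$user")" != ENABLED ]; then
        echo "refusing: $user has no Secure Token to reset" >&2
        return 1
    fi
    sysadminctl -secureTokenOff "$user" -password - interactive &&
    sysadminctl -secureTokenOn  "$user" -password - interactive &&
    diskutil apfs UpdatePreboot / &&
    live_secure_token_state "$user"
}

# Usage on the affected Mac (prints the final token state, expected ENABLED):
#   reset_secure_token <username>
```

Run it as the affected user, not under `sudo`, exactly as the note says; the two GUI prompts still come from `sysadminctl` itself, this wrapper only adds the status check around them.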