topic Re: Mac OS X Keychain asks for password on every connect in General Topics

Mac OS X Keychain asks for password on every connect

ManillaTechOps — Wed, 24 Apr 2013 22:24:28 GMT

We have Machine Certificates on our Mac OS X Lion clients. When the portal accesses the system keychain to verify the certificates, it prompts the users twice to allow this action.

Is this expected behavior? How do we get it to stop asking for permission to access the machine certificate every time a client connects to portal?

Re: Mac OS X Keychain asks for password on every connect

UhMayYeah — Thu, 25 Apr 2013 01:30:13 GMT

GlobalProtect has separate portal and

gateway(s) that require separate authentication (even if they reside in the same physical PAN device). For users who

use one time password (OTP) to authenticate, this means they will need to type the OTP twice (one for portal and the

leave the gateway authentication to require OTP. Another workaround is to make the portal only reachable from

inside office. This will force GP client to use the cached portal config file and avoid requesting OTP twice.

Ref :https://live.paloaltonetworks.com/docs/DOC-2568

Ref https://live.paloaltonetworks.com/docs/DOC-4560

Re: Mac OS X Keychain asks for password on every connect

ManillaTechOps — Thu, 25 Apr 2013 16:59:09 GMT

We are not using a One Time Password. The portal is requesting the x.509 certificate from the Mac OS X "system" keychain. When it makes this request, the user is prompted to enter a local administrator username and password to allow Global Protect to verify this certificate. Is there a way to have Global Protect ether a) cache the certificate b) "remember" decision to allow access to certificate in keychain.

Re: Mac OS X Keychain asks for password on every connect

ManillaTechOps — Wed, 01 May 2013 18:13:19 GMT

< sarcasm > Since support was awesome and got back to me on this.. < /sarcasm >

Subject: GlobalProtect Requests System Keychain Access on Mac OS X Clients Every Time

Scenario:

User will need to enter in Local Administrator account to allow System keychain access twice during the GlobalProtect VPN Connection Process, when using Machine Certificate authentication.

Cause:

When using Machine Certificates with GlobalProtect on Mac OS X Clients, the certificate must be accessed from the "System" Keychain in OS X. This will cause a Keychain Access prompt to appear twice when the client attempts to access certificate for verification against to portal and gateway.

Workaround:

In Keychain Access application, locate the Machine Certificate issued to Mac OS X Client in the System keychain.
Right Click on the private key assoicated with Certificate and click Get Info, then click Access Control tab
Then click + sign to select an Application to allow
Then press key combiniation "<Command> + <Shift> + G" to open Go to Folder
Enter "/Applications/GlobalProtect.app/Contents/Resources and click Go
Find PanGPS and click, then press Add
Save Changes to private key

You have now allowed GlobalProtect access to only THIS certificate and private key. It will no longer prompt for keychain access, giving user a seamless no touch experience with GlobalProtect.

Re: Mac OS X Keychain asks for password on every connect

ericgearhart — Wed, 01 May 2013 18:14:49 GMT

Nice! Nice writeup. You could make a DOC- for this