Mac OS X Keychain asks for password on every connect


Not applicable

We have Machine Certificates on our Mac OS X Lion clients.  When the portal accesses the system keychain to verify the certificates, it prompts the users twice to allow this action.

Is this expected behavior?  How do we get it to stop asking for permission to access the machine certificate every time a client connects to portal?


4 REPLIES 4

L5 Sessionator

GlobalProtect has separate portal and gateway(s) that require separate authentication (even if they reside in the same physical PAN device). For users who use one time password (OTP) to authenticate, this means they will need to type the OTP twice (one for portal and the other for gateway in GP). At present, the only workaround is to use static user/password for portal authentication and leave the gateway authentication to require OTP. Another workaround is to make the portal only reachable from inside office. This will force GP client to use the cached portal config file and avoid requesting OTP twice.

Ref: https://live.paloaltonetworks.com/docs/DOC-2568

Ref: https://live.paloaltonetworks.com/docs/DOC-4560

We are not using a One Time Password.  The portal is requesting the x.509 certificate from the Mac OS X "system" keychain.  When it makes this request, the user is prompted to enter a local administrator username and password to allow Global Protect to verify this certificate.  Is there a way to have Global Protect either a) cache the certificate or b) "remember" the decision to allow access to the certificate in the keychain?

Not applicable

< sarcasm > Since support was awesome and got back to me on this.. < /sarcasm >

Subject: GlobalProtect Requests System Keychain Access on Mac OS X Clients Every Time

Scenario:

User will need to enter in Local Administrator account to allow System keychain access twice during the GlobalProtect VPN Connection Process, when using Machine Certificate authentication.

Cause:

When using Machine Certificates with GlobalProtect on Mac OS X Clients, the certificate must be accessed from the "System" Keychain in OS X.  This will cause a Keychain Access prompt to appear twice when the client attempts to access the certificate for verification against the portal and gateway.

Workaround:

  1. In Keychain Access application, locate the Machine Certificate issued to Mac OS X Client in the System keychain. 
  2. Right Click on the private key associated with Certificate and click Get Info, then click Access Control tab
  3. Then click + sign to select an Application to allow
  4. Then press key combination "<Command> + <Shift> + G" to open Go to Folder
  5. Enter "/Applications/GlobalProtect.app/Contents/Resources" and click Go
  6. Find PanGPS and click, then press Add
  7. Save Changes to private key

You have now allowed GlobalProtect access to only THIS certificate and private key.  It will no longer prompt for keychain access, giving user a seamless no touch experience with GlobalProtect.
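For provisioning new machines, the same per-key access list can be set when the identity is imported, using the macOS `security import` command with `-T`. This is an added example, not part of the original post; it goes beyond the GUI steps by covering import time rather than an already-installed key. It assumes the machine identity arrives as a PKCS#12 file, and the helper name and the `DRY_RUN` variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root on the Mac; set DRY_RUN=1
# to print the command instead of running it.
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
# PanGPS path as given in step 5 of the post.
PANGPS="/Applications/GlobalProtect.app/Contents/Resources/PanGPS"

# import_machine_identity <file.p12> <app> [<app> ...]   (hypothetical helper)
# Imports the identity into the System keychain and lists each <app> as
# trusted for the private key with -T. It never passes -A, which would let
# any application use the key without a prompt. No -P is passed, so the
# PKCS#12 passphrase is prompted for instead of sitting on the command line.
import_machine_identity() {
    p12="$1"
    [ -r "$p12" ] || { echo "cannot read PKCS#12 file: $p12" >&2; return 2; }
    shift
    napps=$#
    [ "$napps" -gt 0 ] || { echo "name at least one trusted application" >&2; return 2; }
    for app in "$@"; do
        case "$app" in
            /*) ;;   # absolute paths only, so the ACL entry is unambiguous
            *)  echo "not an absolute path: $app" >&2; return 3 ;;
        esac
        # A path that is missing or not executable would leave a useless entry.
        [ -x "$app" ] || { echo "not an executable: $app" >&2; return 3; }
        set -- "$@" -T "$app"      # append "-T <app>" after the original list
    done
    shift "$napps"                 # drop the original list, keep the -T pairs
    set -- import "$p12" -k "$SYSTEM_KEYCHAIN" "$@"
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'security %s\n' "$*"
    else
        security "$@"
    fi
}

# Usage (placeholder file name):
#   import_machine_identity /path/to/machine-identity.p12 "$PANGPS"
```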

Nice! Nice writeup. You could make a DOC- for this :)
