04-24-2013 03:24 PM
We have Machine Certificates on our Mac OS X Lion clients. When the portal accesses the system keychain to verify the certificates, it prompts the users twice to allow this action.
Is this expected behavior? How do we get it to stop asking for permission to access the machine certificate every time a client connects to portal?
05-01-2013 11:13 AM
< sarcasm > Since support was awesome and got back to me on this.. < /sarcasm >
Subject: GlobalProtect Requests System Keychain Access on Mac OS X Clients Every Time
Scenario:
The user will need to enter a Local Administrator account to allow System keychain access twice during the GlobalProtect VPN connection process when using Machine Certificate authentication.
Cause:
When using Machine Certificates with GlobalProtect on Mac OS X clients, the certificate must be accessed from the "System" keychain in OS X. This will cause a Keychain Access prompt to appear twice when the client attempts to access the certificate for verification against the portal and the gateway.
Workaround:
You have now allowed GlobalProtect access to only THIS certificate and private key. It will no longer prompt for keychain access, giving the user a seamless, no-touch experience with GlobalProtect.
04-24-2013 06:30 PM
GlobalProtect has separate portal and gateway(s) that require separate authentication (even if they reside in the same physical PAN device). For users who use a one-time password (OTP) to authenticate, this means they will need to type the OTP twice (once for the portal and once for the gateway in GP). At present, the only workaround is to use a static user/password for portal authentication and leave the gateway authentication to require OTP. Another workaround is to make the portal only reachable from inside the office. This will force the GP client to use the cached portal config file and avoid requesting the OTP twice.
04-25-2013 09:59 AM
We are not using a One Time Password. The portal is requesting the x.509 certificate from the Mac OS X "system" keychain. When it makes this request, the user is prompted to enter a local administrator username and password to allow GlobalProtect to verify this certificate. Is there a way to have GlobalProtect either a) cache the certificate or b) "remember" the decision to allow access to the certificate in the keychain?
05-01-2013 11:14 AM
Nice! Nice writeup. You could make a DOC- for this