Anybody run into Anyconnect prompting for admin credentials when the user changes their password? Apparently when they change it, and launch A.C. it prompts to modify the system keychain. Any way around that? The users are submitting for admin rights in order to do this update, which they shouldn't be. I never noticed it in the earlier versions. There's a new 3.1.05something version out, I haven't had a chance to grab it yet though.
Page 1 / 3
I have packaged Cisco AnyConnect 3.1.05152 and have not seen that.
We are using 3.1.05152 as well, and while we have not seen the issue described, we do see it prompting for to modify the system keychain when attempting to access a VPN that has certificate based authentication enabled.
We've engaged both Cisco and Apple support and have not gotten anywhere with either of them so far.
we're seeing it too ooshnoo. I think that may also be the issue the users are seeing, after a support guy went to work with the user, he said they never had any setup done...
One thing the Apple engineer did say is that there is no reason for AnyConnect to be doing this since all users and processes should have read access to the system keychain.
I suspect its an issue with AnyConnect.
oddly, we have 2 vpn concentrators - 3 and 4. When I connect to 3 it prompts for the system cert... and then returns certificate validation failed. so I went to 4 and it prompts... and then lets me in... went back to 3 and it works...
one way I just "solved" our issue was to allow all applications access to the private key of the local machine certificate. Of course how i could push out a shell script to do the same is beyond me since every Mac is named different, therefore no cert is named the same.
Regardless, I believe the issue you're seeing is that an ACL on some item in they system keychain is not set to allow all apps access.
A quick google search did not help figure out how to change the application access on a private key. Has anyone else run into this issue and solved it?
FWIW, I have a TAC case open with Cisco regarding this, which of course they're beating around the bush saying it's an OS issue.
FWIW, I'm seeing the same using Palo Alto's Global Protect.
Every login gets a prompt for the "system keychain" & we're using cert based authentication.
Next week I can test on a 10.8 mac too.
I'll test our changing acl on the private key & will advise.
Well this thread did me to enter the correct search terms in Google: https://live.paloaltonetworks.com/docs/DOC-5059
So, I'll try & see about scripting a solution.
Once done I'll post here & maybe it'll work for you guys?
I'll need the path of the anyconnect client & someone to test though.
That is our workaround as well...the change the properties on the private key. I asked Apple enterprise support about a way to script it, but they said it's not possible given the fact that the cert on every machine has a different name.
But FWIW, here is the path to AnyConnect...
/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app
I've got multiple private keys... how do I know which one is the machine certificate?
Running into the same issue with AnyConnect 3.1.05187 for Yosemite.
Has anyone found a permanent solution?
I'm also seeing this issue on Yosemite and the new client 3.1.05187
I am not seeing this at all... We are using 3.1.05160.
Does anyone have a concrete answer why some are seeing this but not all?
I have users in 10.7, 10.8, 10.9, and now 10.10 using the same client.
BTW, I ran into this at a client that was using machine-cert-based authentication and non-admin users.
The workaround was to (manually in Keychain Access, sadly):
a) allow AnyConnect access to the Private Key of the machine cert, and
b) allow AnyConnect access to the Private Key of the MDM cert
b) assumes that you are using MDM enrollment. Some people in high-security environments may not.
Regardless, once both private keys are allowed to be accessed by AnyConnect, the user is never prompted for admin credentials (unless the machine is removed from/re-added to mdm).
Doesn't look like there is any way to script this with the security command, but I'd love to be proved wrong...
--Robert
Thank you Robert for the latest update on this. It certainly resolves one issue, albeit via a manual addition to Access Control.
I'm also hoping for someone to share a scripted solution for this. That'll be heaven.
I'm using the AD Certificate payload to get the machine certificate and install it on the machine. I could in theory allow all applications to access the private key of the machine cert, but that tends to make security teams unhappy ;-)
It may also be possible to script this via the Security command, however that would entail exporting the machine certificate/private key and re-importing it. I tend to prefer letting the AD Certificate profile handle obtaining and installing the cert/private key automatically...
I believe I found a solution on this. Currently testing a scripted solution which is working for user based certificates, but the jist is this:
#get fingerprint from VPN cert
SHA=`security find-certificate -c $CERTNAME -Z | grep SHA | awk '{print $3}'`
VPNSERVER="yourserver"
#populate .anyconnect config file in user home
echo "<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint>${SHA}</ClientCertificateThumbprint>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName>${SERVERNAME}</DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<DefaultGroup></DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>" > ~/.anyconnectAnyConnect uses ~/.anyconnect to determine which cert to use, if not populated it WILL search your keychains for available machine certs (including Casper's) and prompt for Admin access because it does not have ACLs for these certs.
Naturally you do need Anyconnect ACLs in whichever cert is authenticating, which I've only found when using the -T flag when importing. You might need to deploy a machine cert via script as i'm not sure this is available through config profiles.
I'll be posting my current workflow and script using user based certs as soon as I have some time 
:)
Hope this helps, been a headache here for a while....
@timkalee We use smart cards in our environment and getting hit with this issue. Do you know which certs it is looking for? The dialog reads:
"OS X wants to make changes. Type an administrator's name and password to allow this. OS X wants to use the 'System' keychain."
Thanks for your digging!
bainter
Hi Bainter,
For me, it was adding the Anyconnect app to the Access Control tab of the MDM cert (it's unique to every enrolled mac) and the user ID cert in the System keychain. Doing that suppressed the prompt.
@waqas.s.khan The only way I found you can modify an existing cert ACL is manually. Have you found a way to automate/script that change?
@bainter I don't have a lot of familiarity with the smart card workflow in AnyConnect but I'll let you know if I come across anything
I'm also caught up in the access to the System keychain issue. Like others, I couldn't find a way to get at the machine certificate and key silently, so I tried a slightly different tack. Here are the ideas I came up with, which I offer as a source of inspiration and/or derision. Note the first two involve using a user rather than machine certificate to login with AnyConnect. I used @timkalee suggestions on creating the anyconnect preferences files, and Workaround 1 below to avoid admin prompts related to the keychain. This is still in testing, but it seems to work.
Workaround 1:
Load a config profile to create a user identity (cert/private key) in the users login keychain. The user can adjust access to items in their own keychain without being an admin. Right now, I install the profile with a script when the install AnyConnect policy is run. The script pulls the AD credentials from the computer and uses them as username and password in the config profile when requesting a user identity, which means the script doesn't have to ask the user for them.
Workaround 2:
As above, but request the identities for users with a non-corporeal AD account, such as an automated AD binding account. This means the config profile should be pushable via MDM rather than installed by a script, hopefully making the process less brittle. If you do this for all eligible users ahead of time, they can silently get an identity while on the local LAN, and then install AnyConnect when they feel they need it, even out in the wild. I may switch to this method based on feedback from initial testing.
Workaround 3:
You can downgrade the credentials required to make changes to the System keychain using the security authorizationdb command, then upgrade them back after the install. The user will still get prompted for admin credentials, but theirs will work even if they're not admin. I abandoned this method because of the additional scripting, security risks, and level of customer education/handholding required.
@joshuasee How are you pulling AD user credentials via script?
AD computer credentials, not user. Oddly enough, you request an identity for one account with the credentials of another… and it works.
Note the name produced by the command below is formatted for authentication, with the $ lopped off, rather than being the actual RecordName for the computer
adcompname=$(dsconfigad -show | sed -n 's/$//g;s/Computer.Account.*.=.//p');
adpassword=$(security find-generic-password -w "/Active Directory/YourADHere" -s /Library/Keychains/System.keychain);Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.