
We have our network set up with the ADCS connector to get the certificates for the computer. The profile is working and the certificate is in the keychains. In the admin user, I am able to connect to the wifi without any issues. In the user’s account, it won’t connect and doesn’t prompt to choose the certificate. It should prompt for the certificate. I have removed the plist in the user’s Library/Preferences folder that had anything to do with network. I still can’t get it to work. I had already cleared out everything in the /Library/Preferences/SystemConfiguration folder.

I’m at a loss on what else to delete.

The Mac will only prompt for the certificate if there is something wrong with the configuration profile. Do you have the certificate and Network Payload in the same Configuration Profile and the network payload mapped to use the certificate?


Just a thought: is the certificate for the wifi added to the user-level keychain or the system keychain? I would think that to be accessible to all users it would need to be in the system keychain and not the user-level one.

Sadly, as far as I am aware, the security binary doesn’t support directly moving certs between keychains, if necessary.

You could test the theory by manually moving the cert to the system keychain with Keychain Access and trying again.


The beginnings of a scripted solution would be something like:

Export:

security export -k ~/Library/Keychains/login.keychain-db -t certs -f pemseq -o cert.pem


Import into the system keychain:


sudo security add-certificates -k /Library/Keychains/System.keychain cert.pem
sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain cert.pem


If the cert is being left in the user-level keychain, the export command would have to be run as the user, like:


#!/bin/zsh --no-rcs
# Find the user currently logged in at the console (skips the loginwindow pseudo-user)
currentUser=$(echo "show State:/Users/ConsoleUser" | scutil \
    | awk '/Name :/ && !/loginwindow/ {print $3}')
uid=$(id -u "$currentUser")

# --- helper: run *anything* in that user's context
runAsUser() {
    if [[ -n "$currentUser" && "$currentUser" != "loginwindow" ]]; then
        launchctl asuser "$uid" sudo -u "$currentUser" "$@"
    else
        echo "No interactive user – aborting" >&2
        exit 1
    fi
}

# ----------- example: export a certificate from the user's keychain -----------
# Spell out the user's home: ~ would expand to root's home when this runs via sudo
userKeychain="/Users/${currentUser}/Library/Keychains/login.keychain-db"
comtorun=$(runAsUser security export -k "$userKeychain" -t certs -f pemseq -o cert.pem)

echo "${comtorun}"
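Putting the two halves of the suggestion above together, here is an added example (my own, not code from the thread) that copies one named certificate from the console user's login keychain into the System keychain and verifies it arrived. It assumes macOS `scutil`/`security` and is run as root; `CERT_NAME_PLACEHOLDER` stands in for the real certificate name.

```shell
#!/bin/bash
# Added example: move a named cert from the console user's login keychain to
# the System keychain, checking each step. Assumes macOS tools; cert name is a placeholder.
set -u

# Pure helper: extract the console user's short name from the text of
# `scutil` "show State:/Users/ConsoleUser" (passed in so it can be tested offline).
console_user_from_scutil() {
  printf '%s\n' "$1" | awk '/Name :/ && !/loginwindow/ {print $3}'
}

# Pure helper: that user's login keychain path. Never use ~ here: under sudo
# it expands to root's home, not the user's.
login_keychain_for() {
  printf '/Users/%s/Library/Keychains/login.keychain-db' "$1"
}

# Run a command in the console user's context (requires root).
run_as_user() {
  local user="$1"; shift
  launchctl asuser "$(id -u "$user")" sudo -u "$user" "$@"
}

migrate_cert() {                       # usage: migrate_cert <certificate name>
  local cert_name="$1" user kc tmp rc
  user=$(console_user_from_scutil "$(echo 'show State:/Users/ConsoleUser' | scutil)")
  [ -n "$user" ] || { echo 'No console user logged in' >&2; return 1; }
  kc=$(login_keychain_for "$user")
  tmp=$(mktemp -d) || return 1
  # Export only the named cert (PEM), as the user, so the login keychain is readable.
  run_as_user "$user" security find-certificate -c "$cert_name" -p "$kc" \
    > "$tmp/cert.pem" || { echo "cert '$cert_name' not found in $kc" >&2; return 1; }
  # Add it to the System keychain so the standard user account can see it too.
  security add-certificates -k /Library/Keychains/System.keychain "$tmp/cert.pem" || return 1
  # Verify before reporting success.
  security find-certificate -c "$cert_name" /Library/Keychains/System.keychain >/dev/null
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Only act when invoked explicitly; sourcing the file just defines the helpers.
if [ "${1:-}" = "--run" ]; then
  [ "$(id -u)" -eq 0 ] || { echo 'run with sudo' >&2; exit 1; }
  migrate_cert "${2:-CERT_NAME_PLACEHOLDER}"
fi
```

This copies only the certificate; the private key stays in the login keychain, so an 802.1X identity (cert plus key) would instead need a PKCS#12 export (`security export -t identities -f pkcs12`) and import.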



The configuration profile is set up in such a way that it asks the user to choose the cert. The cert is a system certificate, which is how I was able to connect as a different user with the certificate.

The standard user of the computer doesn’t get prompted to choose the certificate. This user cannot connect to the wifi.

The admin account gets prompted for the certificate and can choose the correct cert and connect to the network.


I actually remembered the answer to this issue. There was a rogue keychain attached to the wifi. We deleted that from the keychains and were able to connect properly.