AD CS Connector cert in local login not system

KyleEricson
Valued Contributor II

I have the AD CS Connector set up and it works great. My cert is based on the user of the Mac, but it installs in the System Keychain. This is not good for other apps like VPN that need to read this file. Is there a way to install the user cert in the login keychain instead of System?

Read My Blog: https://www.ericsontech.com

mcampbel
New Contributor II

I'm running into a similar issue with the SCEP cert payload. The client downloads the cert and places it in the System keychain, and when Cisco AnyConnect tries to access it, it prompts for admin credentials.

sdagley
Esteemed Contributor II

@mcampbel If you have a Configuration Profile that's applied at the Computer Level, then the certificate from the SCEP payload is going to install in the System keychain, as that's just the way it works. If you want the cert in the login keychain it has to be a User Level profile (and that's a whole other bunch of fun).

patgmac
Contributor III

What sdagley said. But VPN apps should be able to read the system keychain as well.

KyleEricson
Valued Contributor II

VPN can read it; it just needs the admin password to do so.

mcampbel
New Contributor II

@patgmac I agree, it should be able to read the cert in the system keychain, but for some reason it's not. I do have "Allow Access to All Apps" checked in the payload and it's still having this issue. We have one ticket open with Cisco and are going to open another with Apple to try to resolve.

KyleEricson
Valued Contributor II

@mcampbel Let me know if you get this fixed.


mcampbel
New Contributor II

@kericson One of these articles may help

https://help.duo.com/s/article/4791?language=en_US

https://mostlikelee.com/blog-1/2017/9/16/cisco-anyconnect-certificate-auth-and-admin-prompts

Hyvonen
New Contributor II

We're in the same situation: we have the AD CS Connector set up and can get the Machine cert applied, but need it in the local login keychain instead of the System Keychain. We use AnyConnect VPN and are required to have this cert in place for the device to be allowed on our network.

@mcampbel - any update on your open Cisco and Apple support cases?

patgmac
Contributor III

@Hyvonen Are you deploying your profile as a "device-level" profile? If so, the cert should be placed in your System keychain.

jameson
Contributor II

We are using ADCS and I don't remember any issues on this. We get the certificates in the login keychain and not in System.

whitebeer
Contributor

Hi @Hyvonen

There is the possibility to configure AnyConnect as to which stores it should check for the identity cert.

We use the AD CS Connector for user certs placed in the login keychain, therefore we configured it to check just the login keychain and allowed all apps access to it. Have a look at your AnyConnect profile and its config; there should be your solution.

Greets Max
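Before changing the AnyConnect profile as Max describes, it helps to confirm which keychain actually holds the user identity, because the profile's certificate store setting and the cert's real location have to agree. The following script is an added example and is not code from the thread or from Jamf or Cisco; it uses Apple's `security` CLI to look for an identity (cert plus private key) by label substring in both the login and System keychains. The keychain paths and the `jdoe`/"Corp Issuing CA" sample label in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report which macOS keychain(s) contain an identity whose
# label matches a substring. Not from the original thread.
# Assumed standard keychain locations (the user's login keychain and the
# System keychain).
LOGIN_KC="$HOME/Library/Keychains/login.keychain-db"
SYSTEM_KC="/Library/Keychains/System.keychain"

# Turn `security find-identity -v <keychain>` output into "<sha1> <label>"
# lines. Each identity line looks like:
#   1) 3A5E...(40 hex chars) "jdoe (Corp Issuing CA)"
# The trailing "N valid identities found" summary is dropped.
parse_identities() {
    sed -n 's/^ *[0-9]*) \([0-9A-F]\{40\}\) "\(.*\)"$/\1 \2/p'
}

# Count parsed identity lines whose label contains $1 (empty = count all).
count_matching() {
    parse_identities | grep -c -- "$1"
    return 0   # grep -c exits 1 when the count is 0; that is not an error here
}

# For each keychain, print how many matching identities it holds, and
# flag the System keychain case that causes the admin-password prompt
# described in the thread when a per-user app tries to use the key.
keychain_report() {
    needle="$1"
    for kc in "$LOGIN_KC" "$SYSTEM_KC"; do
        n=$(security find-identity -v "$kc" 2>/dev/null | count_matching "$needle")
        printf '%s: %s matching identit%s\n' "$kc" "$n" "$([ "$n" = 1 ] && echo y || echo ies)"
        if [ "$kc" = "$SYSTEM_KC" ] && [ "$n" -gt 0 ]; then
            echo "  note: identity is in the System keychain; a user-level app may prompt for admin credentials to use its private key"
        fi
    done
}

# Only call `security` when it is present (macOS); elsewhere just define
# the functions so the parser can be exercised with sample output.
if command -v security >/dev/null 2>&1; then
    keychain_report "${1:-}"
else
    echo "security(1) not found: run this on macOS to inspect the keychains" >&2
fi
```

Run it as `sh keychain_report.sh "Corp Issuing CA"` (or with no argument to count every identity). If the identity shows up only under the System keychain, the AnyConnect profile must be set to search that store, or the certificate payload must be redeployed at the User level so the identity lands in the login keychain, which is what the "check login keychain only" configuration above expects.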

Hyvonen
New Contributor II

Can anyone share how they were able to get this to work? See my post earlier from 5/28. We can get the User cert to apply if we download the .mobileconfig file and manually open it on another Mac, but then the user has to enter their credentials. This is a clunky workaround.

Our Macs are all bound to the domain. We have an 802.1x network with Cisco ISE. Our Windows machines receive certs automatically from our CA via GPO. We have an ADCS Connector set up on Server 2016 in the DMZ. All necessary ports have been opened up.

The Machine cert is set to Computer Level, using an AD Certificate payload. This completes and adds the cert to the System Keychain. When selecting "User Level" it fails.

The ADCS Connector whitepaper suggests using the Certificate Payload instead of the AD Certificate payload. Every test we've tried with that payload fails.

We've opened several Jamf Support cases but it's still not resolved. We have a hard deadline of having both machine and user certs in place by end of June. Thanks in advance!