macOS wants to use the "System" keychain

ChuckRiley
New Contributor

Testing out GlobalProtect for our Mac users and running into this keychain issue. We are using a local Certificate for authentication but the machine wants to use the system keychain every time GP tries to connect. The goal is to have the users never have to authenticate or enter a password after the local cert is installed.

I have already amended the ACL to include the GP app but the keychain still wants to be accessed. I am also using an administrator account, but still am prompted. If I manually unlock the System keychain from the keychain menu I am still prompted when I try and connect.

Thank you for any help or tips someone may have.


8 REPLIES

rsantos
New Contributor II

gabester
Contributor III

Can likely automate this with the security tool... I'm playing with this right now. Something like:

security add-generic-password -a login -D "application password" -G GlobalProtect -s GlobalProtect -T /Applications/GlobalProtect.app -U

Note that this does not actually work to do what the article referenced above says. I'm trying to figure that part out, how to add PanGPS to the private key of the computer's certificate.

awueschinski
New Contributor II

@Sterritt I was wondering if you had any success with adding PanGPS to the private key? I have been trying without any success.

kiltedtenor
New Contributor II

I'm also running into this issue after updating to the latest version of GlobalProtect. Anyone have any luck?

chris_hansen
Contributor

I am having this problem again recently.
I think the last round of supplemental Apple updates broke my solution.

I have tried both putting the certificate in a config profile, and adding the cert directly to the system keychain.
@Sterritt @awueschinski I built a pkg that places MySpecialCert.p12 in /private/var/tmp/GlobalProtectCert/
Then the postinstall script does this:

#!/bin/sh
# Import the .p12 into the System keychain; -T adds PanGPS to the private key's access control list
security import /private/var/tmp/GlobalProtectCert/MySpecialCert.p12 -k "/Library/Keychains/System.keychain" -P SecretWord -T /Applications/GlobalProtect.app/Contents/Resources/PanGPS

That does set the permissions and has worked for a year or two.
BUT since the latest update the system asks for the system credentials again at every restart regardless.

A workaround at paloalto https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkECAS suggests moving the certificate to the user's login keychain, but I have not been able to get this to work. I can move the cert, but the prompt is still to change the system keychain.
Lots of my domain users are not admins, and our methods for allowing temporary escalation rely on checking AD membership, which is failing because there is no VPN.

chris_hansen
Contributor

Working with Palo Alto, I finally got a support person with a good answer for this.

1. Open Keychain Access.app
2. Under the "System" keychain select Category: "Passwords" and search for "GlobalProtectService"
3. Delete the GlobalProtectService application-password from the system keychain
4. Reboot macOS
5. Test if GlobalProtect version 5.2.3 still gives you the same issue

I took these steps, and no more prompt to change the system keychain, and the GlobalProtectService application-password is automatically recreated.

In at least my case, this has to do with the change in bundleIdentifier that happened between 5.0 and 5.1.2+ where the GlobalProtectService item is a password for the old identifier and there is a collision. Deleting the old file allows the new app to update the keychain, I suppose with the proper permissions.

For those of us who don't want to take all the manual steps at all the remote workstations, run as root (or with sudo):

security delete-generic-password -l GlobalProtectService "/Library/Keychains/System.keychain"

Stage a restart in a nice way, and on login, the service should start without the "macOS wants to use the "System" keychain" prompt.

I was able to package it with version 5.2.8, but I had to manually configure keychain access the first time after GlobalProtect. I had to add PanGPS to the machine certificate, which allows the user to log in to GlobalProtect without admin credentials.

  1. In the Keychain Access application, locate the Machine Certificate issued to the Mac OS X client in the System keychain.
  2. Right-click on the private key associated with the certificate and click Get Info, then click the Access Control tab.
  3. Then click the + sign to select an application to allow.
  4. Then press the key combination "<Command> + <Shift> + G" to open Go to Folder.
  5. Enter "/Applications/GlobalProtect.app/Contents/Resources" and click Go.
  6. Find PanGPS and click it, then press Add.
  7. Save changes to the private key.
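An added example, not code from the thread, from Palo Alto Networks or from Jamf, that scripts both of the fixes described above in one postinstall-style script: it removes the stale "GlobalProtectService" item from the System keychain (the bundle-identifier collision, which GlobalProtect then recreates on its own) and imports the machine certificate with PanGPS trusted on the private key's ACL via `-T`, the scripted equivalent of the seven manual Access Control steps. The paths, the `-l` label and the `-T` flag are taken from the posts; the `P12_PASSPHRASE` variable, the `--apply` switch and the return codes are this example's own conventions. Because `security import` only takes the passphrase via `-P`, the script reads it from the environment instead of hard-coding it, and deletes the .p12 from /private/var/tmp as soon as the import succeeds so the bundle does not linger on disk.

```shell
#!/bin/sh
# Added example (not from the thread): root-run remediation for the
# "macOS wants to use the System keychain" prompt.
#   1. remove the stale GlobalProtectService item (GlobalProtect recreates it)
#   2. import the machine cert with PanGPS on the private key's ACL
# Paths are the ones quoted in the thread; P12_PASSPHRASE and --apply are
# assumptions made by this example.

P12_PATH="${P12_PATH:-/private/var/tmp/GlobalProtectCert/MySpecialCert.p12}"
PANGPS="${PANGPS:-/Applications/GlobalProtect.app/Contents/Resources/PanGPS}"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
STALE_ITEM_LABEL="GlobalProtectService"

# Returns 0 if the stale GlobalProtectService item exists in the System keychain.
stale_item_present() {
    security find-generic-password -l "$STALE_ITEM_LABEL" "$SYSTEM_KEYCHAIN" >/dev/null 2>&1
}

# Deletes the stale item if present. 0 = removed or nothing to do, non-zero = delete failed.
remove_stale_item() {
    stale_item_present || return 0
    security delete-generic-password -l "$STALE_ITEM_LABEL" "$SYSTEM_KEYCHAIN" >/dev/null 2>&1
}

# Imports the .p12 and trusts PanGPS on the imported private key (-T).
# 0 = imported, 1 = p12 missing, 2 = PanGPS missing, 3 = import failed, 4 = no passphrase.
# "security import" accepts the passphrase only via -P, so it is briefly visible
# in the process list; never hard-code it, and remove the .p12 once imported.
import_machine_cert() {
    [ -f "$P12_PATH" ] || return 1
    [ -f "$PANGPS" ] || return 2
    [ -n "${P12_PASSPHRASE:-}" ] || return 4
    security import "$P12_PATH" -k "$SYSTEM_KEYCHAIN" \
        -P "$P12_PASSPHRASE" -T "$PANGPS" >/dev/null 2>&1 || return 3
    rm -f "$P12_PATH"
}

main() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root (the System keychain is root-owned)" >&2
        return 1
    fi
    remove_stale_item || echo "warning: could not delete stale $STALE_ITEM_LABEL item" >&2
    import_machine_cert
    case $? in
        0) echo "certificate imported; PanGPS trusted on the private key" ;;
        1) echo "skipped import: $P12_PATH not found" ;;
        2) echo "skipped import: $PANGPS not found (is GlobalProtect installed?)" ;;
        3) echo "import failed" >&2; return 1 ;;
        4) echo "import failed: P12_PASSPHRASE is not set" >&2; return 1 ;;
    esac
    echo "restart required before PanGPS picks up the change"
}

# Only act when explicitly asked:
#   sudo P12_PASSPHRASE='...' sh gp_keychain_fix.sh --apply
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Stage the restart with your management tool after the script reports success; on the next login PanGPS should start without prompting for the System keychain.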

kiltedtenor
New Contributor II

Awesome answer. I don't want to package it with every install, but I was able to deploy it as its own thing and it works perfectly.