
Cisco AnyConnect wants access to os x system keychain

Yosemite 10.10.3 & Cisco AnyConnect Secure Mobility Client version 3.1.07021

OS X wants to make changes. Type an administrator's name and password to allow this. OS X wants to use the "System" keychain.


If I enter credentials and press allow, the prompt comes back at least two more times before a connection is made, if I click deny the prompt repeats but eventually goes away and allows a connection without authenticating for the "System" keychain. While I can easily work around this by clicking deny, I would prefer to resolve this for the end users.


The same occurs under the guest account.

I have uninstalled and reinstalled several times, and tried the different versions of AnyConnect that are currently available for me to use here.

I had changed the permissions on the /Library/Keychains/System.keychain and that did not resolve

I had modified the permissions on private keys in the system keychain and that did not resolve


I started from scratch with a fresh 10.10.3 build, and the issue persists.

Posted on Apr 14, 2015 12:43 PM

Question marked as Top-ranking reply

Posted on Dec 1, 2017 12:04 AM

This solved my issue:


• Launch /Applications/Utilities/Keychain Access

• Select "System" from the Keychains menu in the upper left

• Select "Certificates" from the Category menu in the lower left

• Find the entry that correlates to your computer's name in the list on the right, and click on the disclosure triangle.

• Secondary click on the "Private Key" entry that appears and select "Get Info" from the contextual menu that appears.

• Select the Access Control tab.

• You can then *either* add AnyConnect to the list at the bottom of the screen (more secure, but you will need to repeat this process anytime the version of AnyConnect changes), *or* toggle the radio button to "Allow all applications to access this item".

taken from Google Groups


May 5, 2015 11:26 AM in response to CantSalomeDown

Confirmed on two more builds: removing the first certificate, public key, and private key for Kerberos resolves the issue, still leaving the second version of each behind.


If you remove the second certificate, public key, and private key for Kerberos the issue persists, but removing the first one of each of these has resolved my issues with AnyConnect asking for access to the System Keychain.

Apr 23, 2015 1:46 PM in response to CantSalomeDown

Update: I got this to work without issue on two MacBook Airs with a fresh build of Yosemite using a boot key I created following the Apple KB for that; one is a brand new 2015, the other is a 2013.


Still having an issue with the mid 2012 MacBook Pro, which was the Mac I was trying to create my base image on, which suggests to me when I created the image on it I transferred the issue to the other models.

Apr 30, 2015 9:04 AM in response to CantSalomeDown

Cisco Support has evaluated files and logs I sent to them and said the following: "I checked the DART that you sent and it looks okay; there is no issue with the AnyConnect client. I believe it is an issue with the Mac itself."


I have found that once I have responded to the popups they do not reappear until the Mac is restarted. So I can log out and log back in without seeing them, I can shut down and power back up, and sleep the Mac without having to respond to the prompts. Restarting the Mac results in the pop ups returning again.

May 1, 2015 8:22 AM in response to CantSalomeDown

I rebuilt all of the Macs I have today, 1 MacBook Pro and 3 MacBook Airs, all of them have this pop up today.

They were all built following the same process
Built fresh with Yosemite 10.10.3
Admin account created
Joined the domain
Network Managed account created and made admin
Installed Cert, Applications, and profiles
Turned off our wifi, and connect to DSL line (802.1x) to test VPN. (I also found a DSL line without 802.1x and this issue still persists.)

May 5, 2015 10:27 AM in response to CantSalomeDown

I think I may be on to something with this issue:


The Macs that do have the issue, directly following the install of Yosemite, have duplicate entries of everything Kerberos related in the System Keychain.


Please see the below images. The top image is from a Mac that has the AnyConnect pop ups, the bottom is from a Mac without the pop ups directly after Yosemite is loaded. Both Macs were built using the exact same methods.


If I remove the duplicate Kerberos entries in the System keychain on the affected Mac it appears to resolve the issue, but I am rebuilding to test again.


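To check for the duplicate certificate entries the post above describes without clicking through Keychain Access, here is an added shell example (not from this thread, Apple or Cisco) that parses the output of `security find-certificate -a -Z` and reports every certificate label that occurs more than once, with the SHA-1 of each copy, so you can tell whether they are distinct certificates that share a name. The sample output is constructed and the label `EXAMPLE.COM` is a placeholder for the Kerberos realm; the script only covers certificates, not the matching public/private keys.

```shell
#!/bin/sh
# Constructed sample of `security find-certificate -a -Z /Library/Keychains/System.keychain`
# output, reduced to the lines this script needs. Hashes and labels are made up.
SAMPLE='SHA-1 hash: AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="EXAMPLE.COM"
SHA-1 hash: BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="EXAMPLE.COM"
SHA-1 hash: CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333
keychain: "/Library/Keychains/System.keychain"
attributes:
    "labl"<blob>="com.apple.kerberos.kdc"
'

# Reads find-certificate output on stdin. Each record begins with a "SHA-1 hash:" line;
# the certificate name is the "labl" attribute. Prints one line per label that appears
# more than once: label <TAB> count <TAB> comma-separated SHA-1 hashes of the copies.
duplicate_labels() {
    awk '
        /^SHA-1 hash: / { hash = $3; next }
        {
            i = index($0, "\"labl\"<blob>=\"")
            if (i == 0) next
            lbl = substr($0, i + 14)      # text after the opening quote of the label
            sub(/[" \t]+$/, "", lbl)      # drop the closing quote and trailing space
            n[lbl]++
            h[lbl] = (h[lbl] == "" ? hash : h[lbl] "," hash)
        }
        END { for (l in n) if (n[l] > 1) printf "%s\t%d\t%s\n", l, n[l], h[l] }
    ' | sort
}

# Demo on the constructed sample. On a Mac, run against the real keychain with:
#   security find-certificate -a -Z /Library/Keychains/System.keychain | duplicate_labels
printf '%s' "$SAMPLE" | duplicate_labels
```

Two copies with different hashes (as in the sample) are distinct certificates that Keychain Access shows under one name, which matches what the poster saw; identical hashes would mean the same certificate was imported twice.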

Jul 17, 2015 8:01 AM in response to CantSalomeDown

This is occurring again since the release of 10.10.4, and it is happening on machines that don't have duplicate Kerberos entries in the keychain. I confirmed with our network team that our VPN for Macs doesn't use a certificate (a secret file is used instead, verified by hostscan), so there is even less of a reason for OS X to check the keychain when AnyConnect attempts to connect.


Changed all folder and keychain permissions on a test machine to give AnyConnect full access to pretty much anything and the issue persists.

Apr 11, 2016 7:23 AM in response to CantSalomeDown

I had this problem after changing machine certificates. I'm running OS X El Capitan 10.11.4. I was able to remedy the issue by completely uninstalling Cisco AnyConnect. I not only ran the uninstaller but also deleted the /opt/cisco directory, which contains settings for Cisco AnyConnect that aren't removed during uninstall. I wasn't seeing the dual entries for Kerberos certificates either.
