Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
Azure VPN Client - Mac repeated authentication prompts
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 75%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Michael
21
Reputation points
For Mac users, utilizing version 2.0.8, while connected to the VPN, MacTunnelExtension requests permission to access the Negotiated token in keychain access, and doesn't respect the 'Always Allow' selection on this prompt. This happens consistently for Mac Clients. Is this an issue that has been reported already and Is a fix on the roadmap for a future release of the client?
Proposed solution would be to add the MacTunnelExtension as an approved application to the keychain item on creation from the client.
Doing this manually is not possible as part of the flow for the renegotiation is to remove the key from the keychain following a success.
Azure VPN Gateway
-
KapilAnanth 49,871 Reputation points Moderator2022-09-19T05:21:00.663+00:00 Hi @Michael ,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are facing frequent authentication prompts with Azure P2S VPN Client.Currently, we are not aware of any such issues with respect to Mac clients.
- I see that this issue is seen across multiple Mac devices
- Can you please let us know how you came across this "proposed solution"?
- Meanwhile, I shall check internally if this is a known issue or not.
Thanks,
Kapil -
Michael 21 Reputation points
2022-09-19T13:32:08.043+00:00 Hey Kapil,
Thank you for your response. This was discovered by our pilot group of users for this product on the Mac platform. It looks as though the MacTunnelExtension is another executable file inside of Azure VPN Client, and when pulled up from the Keychain Access, is not listed in the approved applications to access this keychain item. Causing this prompt the next time it tries to access this keychain item.
Attempting to paste a screenshot of the prompt for better context.
It should be mentioned we are using Azure AD authentication, with MFA. -
KapilAnanth 49,871 Reputation points Moderator
2022-09-20T04:38:30.443+00:00 Hi @Michael ,
Thanks for sharing the info.
Can you please try to use "Always Allow" after rebooting the MAC client in safe mode?
And let me know if this helps.
(Post clicking Always allow once, in safe mode, you can login normally and observe the behavior)Currently, we are not aware of such issue in Azure VPN Client.
If the above fails, I would recommend you open a support ticket with Microsoft and share the SR# here, so we can track it internally.In case you do not have a support plan, please do let us know, we will try and help you get a one-time free technical support.
Cheers,
Kapil -
Michael 21 Reputation points
2022-09-21T14:20:59.517+00:00 Thank you for the follow up Kapil,
The 'Always Allow' option will resolve the issue for the single session, but the next time the user attempts to connect this issue re-presents itself to the user. I attempted to create a support ticket for this issue, but when trying to find the appropriate category for this issue, it recommends opening a ticket in Azure, and in those categories anything related to the VPN gateway, will run through a troubleshooter/diagnostics of the Azure environment and shows no issue and doesn't allow me to go further and report or describe the issue. There may be something I'm missing through the filing of this issue to get it to the appropriate audience. Any assistance with this process would be appreciated!
Unfortunately, I'm seeing the same issue in Safe Mode on the Macs. It seems that the flow is to remove the current keychain item, create a new entry, save the auth token to keychain item, and then remove, upon success. The very next time the connection is requested, it creates the keychain item, with only entitlement to the Azure VPN Client(main app), and when the MacTunnelExtension tries to access this item, the prompt above populates again.
Once the Always Allow has been selected, the entry specified by the prompt is no longer available in the keychain, as the approval of access to the MacTunnelExtension allow the removal step to complete.
This was the information discovered while troubleshooting this issue for a fix. -
KapilAnanth 49,871 Reputation points Moderator
2022-09-22T04:58:06.69+00:00 Hi @Michael ,
Thanks for updating the status
While creating the support request,
- Completely ignore the Recommended solution section.
- Once you are in Solutions section, click on "Return to support request"
-
- Then click Next and fill in the required information in the following sections
- It should lead you to the review page to create a SR
Let me know if you need further details on this.
Thanks,
Kapil -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 6%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Jay Moss 0 Reputation points2023-05-02T14:55:15.5933333+00:00 We see this on all our Mac machines, "Always Allow" DOES NOT fix the issue, we'll get prompted 4-10 times a day. It's extremely annoying.
-
KapilAnanth 49,871 Reputation points Moderator
2023-05-03T05:22:27.6766667+00:00 Jay Moss ,
To troubleshoot the exact issue, I think we will need a specialized 1:1 session, where a support engineer can have a screen share session to pinpoint the issue. If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
Cheers,
Kapil
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 8%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEB%3C/text%3E%3C/svg%3E)
Ezequiel Blejman 0 Reputation points2023-05-23T13:44:35.0433333+00:00 Is this resolved or at least reported as a known bug? We are facing the exact same problem in our company, all macOS users running the latest version of Azure VPN until today (2.3.0) are receiving this auth prompts every time. We opened a ticket on MSFT support, but they do not have anything reported about this.
-
KapilAnanth 49,871 Reputation points Moderator
2023-05-24T09:21:02.5333333+00:00 I am not aware of this issue currently happening.
If this continues to happen, I would request you to please file a support ticket.
If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
Cheers,
Kapil
-
Marc Groeneweg 0 Reputation points2023-09-12T11:24:08.7766667+00:00 We see the same (irritating) situation at our company amongst the macOS users. Is there a known issue assigned to this?
-
Marc Groeneweg 0 Reputation points
2023-09-12T11:24:30.2633333+00:00 And will this help for the macOS users?
https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/coming-soon-platform-sso-for-macos/ba-p/3902280 -
KapilAnanth 49,871 Reputation points Moderator
2023-09-12T12:41:23.0233333+00:00 This would require a deeper investigation, so if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
Meanwhile, can you please try using the version VPN client to version 2.2159.179.0 and see that helps?
Thanks,
Kapil
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 26%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Scott 0 Reputation points2023-10-11T01:10:16.3266667+00:00 I am still experiencing this. All day, every day. Super annoying. Azure VPN Client version 2.3.3. Sure would appreciate a patch/solution that would permanently respect either Always Allow or Deny or someway to shut it off...
-
KapilAnanth 49,871 Reputation points Moderator
2023-10-11T06:24:50.65+00:00 I would request you to please file a support ticket to troubleshoot this.
If you have a support plan you may file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
Cheers,
Kapil
Sign in to comment