Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,384 questions
Azure VPN client - Mac OS - Error getKeyChainSecret
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 20%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
Jochen Wilms
5
Reputation points
Hi,
I tried to install the Azure VPN client for a point-to-site connection with the Azure VPN Gateway. We try to authenticate through Azure AD. After importing the VPN settings XML, i am able to authenticate with my azure AD account. But the connection fails. In the logs directory, i can find following line:
Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300
{count} vote
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee2023-10-09T12:54:00.84+00:00 Hello @Jochen Wilms ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you tried installing the Azure P2S VPN client on your Mac to connect to Azure via Azure AD authentication and after importing the VPN settings XML, you are able to authenticate with your Azure AD account but the connection fails with the following error: "Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300".
Could you please try the below steps:
- Remove the Azure VPN Client
- Delete all KeyChain data from com.microsoft.AzureVpnMac
- Re-install Azure VPN Client from Mac App Store
- Through System Preferences --> Privacy & Security --> Extensions (https://support.apple.com/en-in/guide/mac-help/mchl8baf92fe/mac), make below changes, if applicable:
- Added extensions (networking) --> Azure VPN Client, Networking: Enabled
- Full disk access --> Azure VPN Client: Enabled
- Re-generate the VPN configuration XML file from the Azure portal and import it on the VPN client. And try connecting to VPN.
Regards,
Gita
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
2023-10-11T15:59:09.9333333+00:00 @Jochen Wilms , could you please provide an update on this issue?
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
2023-10-13T16:02:49.4366667+00:00 @Jochen Wilms , do you have any new updates on this issue? And could you please let us know if you were able to try the above suggested steps?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 6%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDH%3C/text%3E%3C/svg%3E)
Dave Hess 5 Reputation points2023-10-17T16:04:27.6966667+00:00 @GitaraniSharma-MSFT I have this same problem. I tried the steps above with no success, but don't know what this means:
- Delete all KeyChain data from com.microsoft.AzureVpnMac
Where is com.microsoft.AzureVpnMac located?
Running Ventura 13.5.2 on a M1 Max.
Some log output:
10/17/2023 11:02:46 Information Successfully Received AAD Credential Token. User: REDACTED 10/17/2023 11:02:46 Information Saving AAD User Account 10/17/2023 11:02:46 Information Dialing VPN connection CLS-AADDS-vNET 10/17/2023 11:02:46 Information Dialing VPN connection CLS-AADDS-vNET, Status = Success 10/17/2023 11:02:48 Information removeClientAuthLoginCredentials: Using account: com.microsoft.AzureVpnMac 10/17/2023 11:02:48 Information getClientAuthLoginCredentials: Using account: com.microsoft.AzureVpnMac 10/17/2023 11:02:48 Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300 10/17/2023 11:02:48 Warning removeClientAuthLoginCredentials: Failed to retrive previously saved ClientAuth: aad secret for Vpn connection: CLS-AADDS-vNET, so no cleanup is needed! -
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
2023-10-26T15:35:53.35+00:00 Hello @Dave Hess ,
com.microsoft.AzureVpnMacshould be available in your Keychain Access app.I would like to share some additional causes for this issue below:
- Rosetta is a hard requirement for Azure VPN Client. Rosetta doesn’t come pre-installed on Apple Silicon M1 or M2 Macs. This means you will have to download and install it on your own.
There is a known issue with Apple silicon Macs (M1 or M2) which could lead to "Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300" when connecting to Azure VPN.
To fix this issue, you need to Install Rosetta 2 on your Mac M1/M2:
If you need to install Rosetta on your Mac - Apple Support
If you face issues installing Rosetta 2 you should reach out to Apple Support.
The root cause for this issue is: If Rosetta is not installed on the machine, the
mactunnelextensionplugin will not be able to launch.- Another issue could be related to the certificate selected in the server validation.
Make sure that the Certificate Information value is selected as DigiCert Global Root G2.
If the issue still persists, you can engage Apple support to further troubleshoot this issue as this can be an issue related to KeyChain as well.
Regards,
Gita
-
Dave Hess 5 Reputation points
2023-10-26T15:58:38.7166667+00:00 There are no entries in Keychain Access matching "com.microsoft.AzureVpnMac".
Rosetta is installed:
$ pkgutil --pkg-info com.apple.pkg.RosettaUpdateAuto package-id: com.apple.pkg.RosettaUpdateAuto version: 1.0.0.0.1.1693652110 volume: / location: / install-time: 1694527677 $the tunnel is indeed x86 and does execute:
$ file "/Applications/Azure VPN Client.app/Contents/PlugIns/MacTunnelExtension.appex/Contents/MacOS/MacTunnelExtension" /Applications/Azure VPN Client.app/Contents/PlugIns/MacTunnelExtension.appex/Contents/MacOS/MacTunnelExtension: Mach-O 64-bit executable x86_64 $ "/Applications/Azure VPN Client.app/Contents/PlugIns/MacTunnelExtension.appex/Contents/MacOS/MacTunnelExtension" An XPC Service cannot be run directly. Abort trap: 6 $I switched to
DigiCert Global Root G2.I still get the exact same result. I should note that a coworker is on macOS 14 and is not experiencing this problem.
Punting this problem to Apple when it appears to be widespread is not a good look for Microsoft.
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
2023-10-27T08:46:27.13+00:00 Hello @Dave Hess ,
I understand that this issue is affecting many customers.
Our Azure VPN backend team is already working on this issue and below is the update from them:
We are seeing this error due to secret not being fetched by the app. Checking with MAC OS team to see if we can mitigate this issue or need to address to apple support.
I'm sharing some of the fixes shared by other internal engineers for this issue which worked for them:
This issue is happening mostly on MacOS Ventura 13.5. Upgrading to MacOS Sonoma 14.0 helped few users.
In some cases, the problem appears to be that some of the Azure VPN Client binaries are compiled only for Intel processors. The
MacTunnelExtension Mach-Oprogram, part of the Azure VPN Client, is compiled only for the x86_64 (Intel) architecture. This prevents the Azure VPN Client from establishing the VPN for machines running on Apple Silicon with Rosetta installed.Installing Rosetta with the command below solved the problem:
/usr/sbin/softwareupdate --install-rosetta --agree-to-licenseCould you take a look at the above fixes and let me know if any of them help in your case?
Regards,
Gita
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 85%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKB%3C/text%3E%3C/svg%3E)
King, Brian 5 Reputation points2023-10-31T15:24:43.91+00:00 Just adding to this thread. I have users with this same issue. I do not see a keychain entry for com.microsoft.AzureVpnMac either. I have run the rosetta update above.
10/31/2023 11:15:34 Information Dialing VPN connection ####, Status = Success
10/31/2023 11:15:50 Information removeClientAuthLoginCredentials: Using account: com.microsoft.AzureVpnMac
10/31/2023 11:15:50 Information getClientAuthLoginCredentials: Using account: com.microsoft.AzureVpnMac
10/31/2023 11:15:50 Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300
10/31/2023 11:15:50 Warning removeClientAuthLoginCredentials: Failed to retrive previously saved ClientAuth: aad secret for Vpn connection:
Client is on a M2 MAC with Ventura 13.6
-
Dave Hess 5 Reputation points
2023-10-31T16:14:21.5233333+00:00 It's beginning to seem that this is a problem isolated to macOS Ventura that started around the 13.5 update.
-
King, Brian 5 Reputation points
2023-10-31T16:54:33.37+00:00 Updated to Sonoma 14.1. no change in behavior.
-
Dave Hess 5 Reputation points
2023-10-31T18:45:24.4233333+00:00 Oof. That's not good news. I have a coworker on Sonoma and they are not experiencing this.
-
Dave Hess 5 Reputation points
2023-10-31T21:32:50.49+00:00 @GitaraniSharma-MSFT the softwareupdate command made no difference for my computer either.
-
GitaraniSharma-MSFT 47,421 Reputation points Microsoft Employee
2023-11-01T10:07:01.7566667+00:00 Thank you for the update, @Dave Hess & @King, Brian .
The latest update that I have from the backend team is that they are working on a new manual Azure VPN client for Mac devices, but it is currently under testing with Apple team and will be rolled out for broader consumption after the testing is complete, however, we don't have a definite ETA for this.
For now, apart from the Rosetta installation and Mac OS upgrade, I have not seen any other fixes that could be applied from the customer end to resolve this issue.
So, I would request you to create support request for your issues and maybe the backend team can help in identifying and fixing the issue.
Regards,
Gita
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 24%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
Marius Crețu 0 Reputation points2024-04-10T11:08:28.36+00:00 Hi ! I am facing the same issue with macOS
Sonomav14.4.1.
I tried all the above recommendations, nothing worked.
How can I get the manual Azure VPN client for Mac? I really need to be able to connect to azure vpn on my mac to conduc my work. -
Dave Hess 5 Reputation points
2024-04-10T13:23:22.6566667+00:00 Just FYI, I was never able to get this to work with my original AD. They had to create a whole new account in AD for me – and then it worked.
They had changed my email address on my original account and that seemed to do something bad to the Azure VPN set up. It all seemed ok but never worked.
At least that's our best guess.
Sign in to comment