Azure VPN client - Mac OS - Error getKeyChainSecret
Hi,
I tried to install the Azure VPN client for a point-to-site connection with the Azure VPN Gateway. We try to authenticate through Azure AD. After importing the VPN settings XML, I am able to authenticate with my Azure AD account. But the connection fails. In the logs directory, I can find the following line:
Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300
Azure VPN Gateway
-
GitaraniSharma-MSFT • 49,881 Reputation points • Microsoft Employee
2023-10-09T12:54:00.84+00:00 Hello @Jochen Wilms ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you tried installing the Azure P2S VPN client on your Mac to connect to Azure via Azure AD authentication and after importing the VPN settings XML, you are able to authenticate with your Azure AD account but the connection fails with the following error: "Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300".
Could you please try the below steps:
- Remove the Azure VPN Client
- Delete all KeyChain data from com.microsoft.AzureVpnMac
- Re-install Azure VPN Client from Mac App Store
- Through System Preferences --> Privacy & Security --> Extensions (https://support.apple.com/en-in/guide/mac-help/mchl8baf92fe/mac), make below changes, if applicable:
- Added extensions (networking) --> Azure VPN Client, Networking: Enabled
- Full disk access --> Azure VPN Client: Enabled
- Re-generate the VPN configuration XML file from the Azure portal and import it on the VPN client. And try connecting to VPN.
Regards,
Gita
-
GitaraniSharma-MSFT • 49,881 Reputation points • Microsoft Employee
2023-10-11T15:59:09.9333333+00:00 @Jochen Wilms , could you please provide an update on this issue?
-
GitaraniSharma-MSFT • 49,881 Reputation points • Microsoft Employee
2023-10-13T16:02:49.4366667+00:00 @Jochen Wilms , do you have any new updates on this issue? And could you please let us know if you were able to try the above suggested steps?
-
Dave Hess • 5 Reputation points
2023-10-17T16:04:27.6966667+00:00 @GitaraniSharma-MSFT I have this same problem. I tried the steps above with no success, but don't know what this means:
- Delete all KeyChain data from com.microsoft.AzureVpnMac
Where is com.microsoft.AzureVpnMac located?
Running Ventura 13.5.2 on a M1 Max.
Some log output:
10/17/2023 11:02:46 Information Successfully Received AAD Credential Token. User: REDACTED
10/17/2023 11:02:46 Information Saving AAD User Account
10/17/2023 11:02:46 Information Dialing VPN connection CLS-AADDS-vNET
10/17/2023 11:02:46 Information Dialing VPN connection CLS-AADDS-vNET, Status = Success
10/17/2023 11:02:48 Information removeClientAuthLoginCredentials: Using account: com.microsoft.AzureVpnMac
10/17/2023 11:02:48 Information getClientAuthLoginCredentials: Using account: com.microsoft.AzureVpnMac
10/17/2023 11:02:48 Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300
10/17/2023 11:02:48 Warning removeClientAuthLoginCredentials: Failed to retrive previously saved ClientAuth: aad secret for Vpn connection: CLS-AADDS-vNET, so no cleanup is needed!
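Added example, not part of the original thread and not Microsoft's tooling: status code -25300 in the log above is the macOS Security framework's errSecItemNotFound, meaning the lookup found no matching keychain item rather than being refused access to one. The script pulls such errors out of client log text and names the code; `keychain_item_exists` is a hypothetical helper that assumes the secret is a generic-password item stored under the account name the log prints.

```shell
#!/bin/sh
# Added example: triage Azure VPN Client log text for keychain failures.

# Map a macOS Security framework OSStatus value to its symbolic name.
osstatus_name() {
  case "$1" in
    -25300) echo errSecItemNotFound ;;           # no matching item exists
    -25299) echo errSecDuplicateItem ;;
    -25293) echo errSecAuthFailed ;;
    -25308) echo errSecInteractionNotAllowed ;;  # keychain locked, no UI allowed
    -34018) echo errSecMissingEntitlement ;;
    -128)   echo errSecUserCanceled ;;
    *)      echo unknown ;;
  esac
}

# Read log text on stdin. For each Error line carrying "Status code N",
# print: date time function code symbolic-name
triage_vpn_log() {
  sed -n 's|^\([0-9/]*\) \([0-9:]*\) Error \([A-Za-z]*\): .*Status code \(-\{0,1\}[0-9]*\).*$|\1 \2 \3 \4|p' |
  while read -r day clock func code; do
    printf '%s %s %s %s %s\n' "$day" "$clock" "$func" "$code" "$(osstatus_name "$code")"
  done
}

# macOS only. Assumption: the secret is a generic-password item stored under
# the account name the log prints, in a keychain the security tool can search.
keychain_item_exists() {
  security find-generic-password -a "${1:-com.microsoft.AzureVpnMac}" >/dev/null 2>&1
}

# Log lines as posted in the message above.
sample_log() {
  cat <<'EOF'
10/17/2023 11:02:46 Information Dialing VPN connection CLS-AADDS-vNET, Status = Success
10/17/2023 11:02:48 Information getClientAuthLoginCredentials: Using account: com.microsoft.AzureVpnMac
10/17/2023 11:02:48 Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300
10/17/2023 11:02:48 Warning removeClientAuthLoginCredentials: Failed to retrive previously saved ClientAuth: aad secret for Vpn connection: CLS-AADDS-vNET, so no cleanup is needed!
EOF
}

sample_log | triage_vpn_log
```

An item-not-found result is a different failure from a locked keychain or a denied prompt, which would surface as errSecInteractionNotAllowed or errSecAuthFailed instead.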
-
GitaraniSharma-MSFT • 49,881 Reputation points • Microsoft Employee
2023-10-26T15:35:53.35+00:00 Hello @Dave Hess ,
com.microsoft.AzureVpnMac should be available in your Keychain Access app.
I would like to share some additional causes for this issue below:
- Rosetta is a hard requirement for Azure VPN Client. Rosetta doesn’t come pre-installed on Apple Silicon M1 or M2 Macs. This means you will have to download and install it on your own.
There is a known issue with Apple silicon Macs (M1 or M2) which could lead to "Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300" when connecting to Azure VPN.
To fix this issue, you need to install Rosetta 2 on your Mac M1/M2:
If you need to install Rosetta on your Mac - Apple Support
If you face issues installing Rosetta 2 you should reach out to Apple Support.
The root cause for this issue is: If Rosetta is not installed on the machine, the mactunnelextension plugin will not be able to launch.
- Another issue could be related to the certificate selected in the server validation.
Make sure that the Certificate Information value is selected as DigiCert Global Root G2.
If the issue still persists, you can engage Apple support to further troubleshoot this issue as this can be an issue related to KeyChain as well.
Regards,
Gita
-
Dave Hess • 5 Reputation points
2023-10-26T15:58:38.7166667+00:00 There are no entries in Keychain Access matching "com.microsoft.AzureVpnMac".
Rosetta is installed:
$ pkgutil --pkg-info com.apple.pkg.RosettaUpdateAuto
package-id: com.apple.pkg.RosettaUpdateAuto
version: 1.0.0.0.1.1693652110
volume: /
location: /
install-time: 1694527677
$
The tunnel is indeed x86 and does execute:
$ file "/Applications/Azure VPN Client.app/Contents/PlugIns/MacTunnelExtension.appex/Contents/MacOS/MacTunnelExtension"
/Applications/Azure VPN Client.app/Contents/PlugIns/MacTunnelExtension.appex/Contents/MacOS/MacTunnelExtension: Mach-O 64-bit executable x86_64
$ "/Applications/Azure VPN Client.app/Contents/PlugIns/MacTunnelExtension.appex/Contents/MacOS/MacTunnelExtension"
An XPC Service cannot be run directly.
Abort trap: 6
$
I switched to DigiCert Global Root G2. I still get the exact same result. I should note that a coworker is on macOS 14 and is not experiencing this problem.
Punting this problem to Apple when it appears to be widespread is not a good look for Microsoft.
-
GitaraniSharma-MSFT • 49,881 Reputation points • Microsoft Employee
2023-10-27T08:46:27.13+00:00 Hello @Dave Hess ,
I understand that this issue is affecting many customers.
Our Azure VPN backend team is already working on this issue and below is the update from them:
We are seeing this error due to secret not being fetched by the app. Checking with MAC OS team to see if we can mitigate this issue or need to address to apple support.
I'm sharing some of the fixes shared by other internal engineers for this issue which worked for them:
This issue is happening mostly on MacOS Ventura 13.5. Upgrading to MacOS Sonoma 14.0 helped few users.
In some cases, the problem appears to be that some of the Azure VPN Client binaries are compiled only for Intel processors. The MacTunnelExtension Mach-O program, part of the Azure VPN Client, is compiled only for the x86_64 (Intel) architecture. This prevents the Azure VPN Client from establishing the VPN for machines running on Apple Silicon with Rosetta installed.
Installing Rosetta with the command below solved the problem:
/usr/sbin/softwareupdate --install-rosetta --agree-to-license
Could you take a look at the above fixes and let me know if any of them help in your case?
Regards,
Gita
-
King, Brian • 5 Reputation points
2023-10-31T15:24:43.91+00:00 Just adding to this thread. I have users with this same issue. I do not see a keychain entry for com.microsoft.AzureVpnMac either. I have run the rosetta update above.
10/31/2023 11:15:34 Information Dialing VPN connection ####, Status = Success
10/31/2023 11:15:50 Information removeClientAuthLoginCredentials: Using account: com.microsoft.AzureVpnMac
10/31/2023 11:15:50 Information getClientAuthLoginCredentials: Using account: com.microsoft.AzureVpnMac
10/31/2023 11:15:50 Error getKeyChainSecret: Failed to retrieve KeyChain secret. Status code -25300
10/31/2023 11:15:50 Warning removeClientAuthLoginCredentials: Failed to retrive previously saved ClientAuth: aad secret for Vpn connection:
Client is on a M2 MAC with Ventura 13.6
-
Dave Hess • 5 Reputation points
2023-10-31T16:14:21.5233333+00:00 It's beginning to seem that this is a problem isolated to macOS Ventura that started around the 13.5 update.
-
King, Brian • 5 Reputation points
2023-10-31T16:54:33.37+00:00 Updated to Sonoma 14.1. No change in behavior.
-
Dave Hess • 5 Reputation points
2023-10-31T18:45:24.4233333+00:00 Oof. That's not good news. I have a coworker on Sonoma and they are not experiencing this.
-
Dave Hess • 5 Reputation points
2023-10-31T21:32:50.49+00:00 @GitaraniSharma-MSFT the softwareupdate command made no difference for my computer either.
-
GitaraniSharma-MSFT • 49,881 Reputation points • Microsoft Employee
2023-11-01T10:07:01.7566667+00:00 Thank you for the update, @Dave Hess & @King, Brian .
The latest update that I have from the backend team is that they are working on a new manual Azure VPN client for Mac devices, but it is currently under testing with Apple team and will be rolled out for broader consumption after the testing is complete, however, we don't have a definite ETA for this.
For now, apart from the Rosetta installation and Mac OS upgrade, I have not seen any other fixes that could be applied from the customer end to resolve this issue.
So, I would request you to create support request for your issues and maybe the backend team can help in identifying and fixing the issue.
Regards,
Gita
-
Marius Crețu • 0 Reputation points
2024-04-10T11:08:28.36+00:00 Hi! I am facing the same issue with macOS Sonoma v14.4.1.
I tried all the above recommendations, nothing worked.
How can I get the manual Azure VPN client for Mac? I really need to be able to connect to azure vpn on my mac to conduct my work.
-
Dave Hess • 5 Reputation points
2024-04-10T13:23:22.6566667+00:00 Just FYI, I was never able to get this to work with my original AD. They had to create a whole new account in AD for me – and then it worked.
They had changed my email address on my original account and that seemed to do something bad to the Azure VPN set up. It all seemed ok but never worked.
At least that's our best guess.
-
Christoph Roth • 1 Reputation point
2025-04-08T10:50:36.62+00:00 Hi @GitaraniSharma-MSFT we have the same issue on MacOS 15.4 & newest azure vpn client version. The user must click on connect about every one hour when the token is refreshed... Is there a solution? @KapilAnanth-MSFT