MacOS not storing proxy settings in keychain - macos

I am having issues with the UI prompt which is asking me to enter my password to access the keychain credentials for proxy.
My Mac is used in a local network without internet access, so I need to set up a proxy connection with username and password for browsing and all other Mac services. I configured the proxy including authentication in network settings. When browsing, Chrome asks me once to enter credentials and it is working fine after that. If any other system service tries to connect, I am getting prompted to enter my password so the proxy credentials can be fetched from the keychain. I also changed the keychain entry to allow all applications to access it, but the prompt keeps on asking and asking and asking for my password. The next time, the keychain entry is changed back again to allow only some applications. Looks like it is always overriding the old entry.
Any ideas how I can fix that? Unfortunately I do not have any access to the configuration of the proxy server or to change any parameters there, if it is a configuration issue of the proxy server. But there has to be a solution; I do not think entering the password hundreds of times a day can be an accepted solution.
My Mac is newly set up and running macOS Big Sur 11.2.1.

Have you seen this answer https://apple.stackexchange.com/questions/106742/mac-username-password-for-proxy-settings-keep-resetting-by-itself? Usually you can move the password item in the keychain to the System section rather than the login section and this fixes the issue.
I have a similar issue but I am in a corporate environment and my issue seems to be related to NTLM https://apple.stackexchange.com/questions/292835/how-to-store-proxy-credentials-on-macos-so-they-are-used-by-system-services?rq=1

Related

I cannot log in an AD user when the Mac is not on the corporate network

I updated the company Mac to the new OS, Big Sur. It was doing fine before the login, but once the update was done, the AD user is not able to log in once it's not connected to the corporate network or if it is on an outside network. It just keeps on asking to reset the password. But if it is connected to the corporate network, it works fine. Already checked the settings, all is checked, like creating a mobile login and all that stuff.
I had the same issue; to fix it I had to go into our Device Management site (AirWatch, though I've heard the same things from Intune and other management tools) and disable the "Password" profile. Once AirWatch synced again it allowed me to log in without the "Reset Password" prompt.
Other things I learned:
For the first couple of days I had this issue I was able to reset the SMC and it would allow me to log in until I disconnected from the VPN again (at night).
I was able to reset the password on local accounts (I have a local test account that would accept a new password, but it had weird restrictions I had never set, like not being dictionary words, being over 12 characters, etc.). I had to use something like 1qaz#WSX3edc$RFV for it to work.
If I logged in as a local admin account, I was still locked out from using my domain-joined account to perform admin functions on the computer and make server connections; it didn't give me the change password prompt, it just failed like I had the wrong password.
Just putting this here for people who have to defend their choices to the higher-ups:
On a corporate domain the Password profile being set manually for Mac is redundant as long as you have the profiles in your management suite set to not allow local account logins and the password requirements are set in AD. This forces you to login with an AD account and AD will enforce the password requirements.

How to set VPN password automatically while installing VPN connection without any user interaction?

I have been trying to create a VPN connection programmatically; I referred to this link.
It's working fine, but when the user installs the profile, it's asking for the VPN password again. I'm not interested in asking the user to set the password. I need to set the password automatically without getting it from the user. How to do this? (I saw some app that has done this already.)

Can't access remote app after domain password reset

I have a domain user that uses a remote desktop app. I recently reset his password via AD, and although he can log in to his account, he can't authenticate against the remote app anymore.
I've checked the RemoteApp manager and can't see any settings for individual passwords there (don't think there is one?).
He's set up as a remote desktop user and accesses the app through an .rdp file on his desktop. Any suggestions as to what this may be?
Thanks.
I got the user to log out, reset their password and untick the 'change at next logon' requirement, and log back in. This resolved their issue.

Setup Git without SSH

We already had a secured VPN using OpenVPN, so we don't want to use Git with SSH to avoid double encryption.
I successfully set up Bonobo Git Server on IIS 7 on Windows 2008 RC2 and created a repository. But when I tried to clone that repository from my laptop using Git GUI, it kept asking me for a username and password repeatedly, although I gave it the correct username and password created on the Bonobo server.
When I intentionally gave it incorrect credentials, it threw an expected authentication error.
Do you have any advice for me so I can connect to Git Server? Is it due to the lack of SSH keys?
As far as I can see, Bonobo offers three different authentication mechanisms: Forms, Basic, and Windows authentication. None of these involve SSH, so no, you are not using SSH and you don’t need SSH keys to make this work. SSH is just one mechanism that is commonly used for Git servers (simply because they run on Linux machines, and SSH access is very common there).
Bonobo uses forms authentication by default. I believe you cannot preset the login information anywhere so you don’t have to enter it over and over again. You can do that with basic authentication though by changing the remote URL to include the credentials (e.g. http://user:password@bonobo-server/project.git). Of course, this will put the credentials in clear text into the repository’s configuration file, and also send the password in clear text over the network. The VPN connection will prevent someone outside of the VPN connection reading out that password, but inside of the VPN connection it is sent as clear text, so keep that in mind.
The more secure way would be Windows authentication. It uses your Windows login to authenticate at the server, and you won’t need to store your password somewhere. To Windows, it’s the “natural” authentication system, just like SSH is to Linux.
I was successful with poke's suggestion in his comment, which is utilizing a shared folder pointing to a remote bare repository.
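The answer above notes that embedding credentials in the remote URL leaves them in clear text in the repository's .git/config. The following is an added example (not part of the original thread, and not Bonobo's code) that scans a config file's text for exactly that pattern and reports each affected remote with the password redacted; the sample config, host name and credentials are constructed.

```python
"""Detect Git remotes whose URL embeds user:password (clear text in .git/config)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .git/config; host name and credentials are made up.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = http://alice:s3cret@bonobo-server.example/project.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = https://bonobo-server.example/project.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
"""

_REMOTE_HEADER = re.compile(r'^\[remote "([^"]+)"\]\s*$')
_URL_LINE = re.compile(r'^\s*url\s*=\s*(\S+)\s*$')

def redact_userinfo(url: str) -> str:
    """Return the URL with any embedded user:password replaced by '***'."""
    p = urlsplit(url)
    if not (p.username or p.password):
        return url
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, "***@" + host, p.path, p.query, p.fragment))

def find_embedded_credentials(config_text: str) -> list[tuple[str, str]]:
    """Return (remote name, redacted URL) for each http(s) remote carrying userinfo."""
    findings, remote = [], None
    for line in config_text.splitlines():
        header = _REMOTE_HEADER.match(line)
        if header:
            remote = header.group(1)
            continue
        if line.startswith("["):  # any other section ends the current remote block
            remote = None
            continue
        m = _URL_LINE.match(line)
        if remote and m:
            p = urlsplit(m.group(1))
            if p.scheme in ("http", "https") and (p.username or p.password):
                findings.append((remote, redact_userinfo(m.group(1))))
    return findings

if __name__ == "__main__":
    for name, url in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"remote '{name}' stores credentials in clear text: {url}")
```

Point it at the text of a real .git/config (or a global ~/.gitconfig) to find remotes that should be switched to a credential helper or to Windows authentication instead.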

creating a Mac OSX installer so the installed app won't set off the firewall

Right now I'm distributing a .app file to people in my organization. I drag it to /Applications by authenticating as root, but every time the users launch the program they get a firewall warning. (The app checks for updates on launch, which is very important for us.) Since the users aren't admins, they can't authenticate to make the messages go away. Will an mpkg-installed application also provoke the firewall in such a way that end users will need an admin to allow the update check? Is there a post-install script I can include to configure the firewall for my app?
The ultimate goal for me is that an admin authenticate to run the installer. After installation, the admin would log out, the normal users would log in and run the application without any firewall warnings at all.
EDIT: I should mention the minimum version in the org is 10.5, but it would be nice if the solution worked on Tiger as well.
I'm not sure, but if your Mac clients have been configured to use Application-level firewall settings, users will need to authenticate to allow the application permission. Otherwise, any application could work around the firewall in the same way.
Also, if your application modifies itself when updates are detected, the new version will also have to be authenticated before it will be able to make an outbound connection.
One solution is to change your policies so OS X machines aren't set to block outbound connections on a per-application basis.
If you code sign the app, even if it's just using a self-signed certificate, then the user will only be asked once to approve the launch of the app. Subsequent updates, providing the signing certificate is the same, won't trigger the dialog.
More info is in the code signing docs and in this tech note.