Solved: Re: R80.40 - Mac OS unable to connect to Remote Ac...

bmartins-EUDA · ‎2022-02-14

Dear all,

We have rolled out machine certificate authentication in our company and it's working pretty well on Windows machines (both domain-joined and workgroup).

Starting to use this setup on our Mac devices does not work with the error message below (from trac.log):

11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] RaisCertManager::KeychainHelper::getSystemIdentityByName: Found suitable candidate
[ 11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] KeychainHelper::cmdSignWithName: Failed to sign. Error code: '-25308'
[ 11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] RaisCertManager::KeychainHelper::Sign: length too short
[ 11888 0x1118f1600][14 Feb 12:03:34][RaisCertManager] RaisCertManager::KeychainHelper::Sign: Return value : -1005
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] Rais_CAPICERT::capi_cert_sign: Failed to sign buffer
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] capi_cert_sign: __end__ 12:03:34 Total time - 0 seconds
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] CAPICert::Sign: __end__ 12:03:34 Total time - 0 seconds
[ 11888 0x1118f1600][14 Feb 12:03:34][Rais_CAPICERT] CAPICert::Machine_Sign: __end__ 12:03:34 Total time - 0 seconds
[ 11888 0x1118f1600][14 Feb 12:03:34][IKE] create_MM5(hybrid authentication): Failed to sign hash with the machine's certificate (-996)
[ 11888 0x1118f1600][14 Feb 12:03:34][rais] [DEBUG] [RaisMessages::CreateMessageSet(s)] message: (msg_obj
:format (1.0)
:id (ClipsMessagesInternalError)
:def_msg ("Internal error; connection failed. More details may be available in the logs")
:arguments ()
)

Mac device hostname is matched with the certificate we have imported in the System keychain but it is failing to sign it?

Endpoint Security client version is E86.20, latest build.

Do you have any hints on this?

Cheers!

Bruno

Valentin1 · ‎2022-02-18

You could try to use:

sudo security import PATH_TO_CERT -P CERT_PASSWORD -k /Library/Keychains/System.keychain -T /Library/Application\ Support/Checkpoint/Endpoint\ Security /Endpoint \ Connect/TracSrvWrapper

This command imports certificate and adds service to the Allowed Apps List

View solution in original post

PhoneBoy · ‎2022-02-16

Recommend opening a TAC case.
In order to investigate, you'll probably need something like the following:

On the Client - Mac machine:

Right click on the Endpoint connect Icon
Click "VPN Options"
Click on the "Advanced" Tab > tick the box "Enable Logging" and change to "Extended"
Click close.

On the GW side:

Open SSH connection to the Security Gateway and log in as Expert;
Initiate VPN debug on the Security Gateway:
[Expert@HostName]# vpn debug trunc
[Expert@HostName]# vpn debug on TDERROR_ALL_ALL=5

>>>>

On the Client side:

Right Click again on the Endpoint connect Icon.
Click "VPN Options"
Click on the "Advanced" Tab > click on the button "Collect Logs"
Change from "Extended" to "Basic"
A cab file will be created with the entire debug files inside.
Provide the client log file called trlog_xx-xx-2021_time.cab

On the GW side:

Open SSH connection to the Security Gateway and log in as Expert;
Stop VPN debug on the FW:
[Expert@HostName]# vpn debug off
[Expert@HostName]# vpn debug ikeoff

The following files from the Security Gateway should be reviewed:

$FWDIR/log/ike.elg
$FWDIR/log/vpnd.elg

Valentin1 · ‎2022-02-18

Could you please check if Certificate private key is allowed to access ?

bmartins-EUDA · ‎2022-02-18

Hi,

That was one of my suspicions because Check Point Endpoint Security client is not listed and whenever I change any option on that window and click save, it reverts back to its default value.

I am not a Mac user and not sure what is going on there.

Thank you!

Valentin1 · ‎2022-02-18

You could try to use:

sudo security import PATH_TO_CERT -P CERT_PASSWORD -k /Library/Keychains/System.keychain -T /Library/Application\ Support/Checkpoint/Endpoint\ Security /Endpoint \ Connect/TracSrvWrapper

This command imports certificate and adds service to the Allowed Apps List

bmartins-EUDA · ‎2022-02-18

Thanks!

It also works if we do it this way:

Unlock system keychain
Import PFX to login keychain
Change access control for the private key in the login keychain
Copy certificate and private key from login to system keychain

LazarusG · ‎2023-03-07

Hi Valentin1, Id be really interested in touching base with you on this one. I have two seperate environments where Windows Machine auth works but MAC does not. The full certificate chain from the AD joined CA server is present in the system keychain of the MAC and we are using latest version of endpoint. TAC actually asked us to contact SE as they couldnt work out what the problem is...We have tried the solution from you and bmartins but without success.Any advice or information you can provide (that might not be in the documentation) would be very much appreciated.

LazarusG · ‎2023-06-15

also, sk181067 was published very recently

Are you a member of CheckMates?

R80.40 - Mac OS unable to connect to Remote Access VPN - Failed to sign