OSX wants to make changes. Type an administrator's name and password... Won't go away

5

1

I recently needed to add some SSL certificates to my Mac (OSX 10.10.5) in order to connect to a remote service. The certificates are needed for 2 factor authentication.

I have full Admin rights in OSX. I am able to successfully add the certificates to the Keychain. I can go into the KeyChain app and set the certificate to Always Trust without issue.

When I attempt to make the connection (using Cyberduck for WebDAV in this case), I am asked to choose the proper certificate, and then I get this window:

So I enter my Username and Password, which DOES have full Admin rights. I click Allow and the window pops back up again, asking me for my Username and Password again. It doesn't seem to do anything. No errors or anything like that. Clicking "Deny" obviously tells the system I'm rejecting the certificate and it won't let me connect.

I can go directly into the KeyChain application and unlock and make all the changes I want, using my Username and Password (that has Admin rights). So why is this dialog not accepting my same Username and Password?

UPDATE

When putting in my Username and Password, and clicking "Allow" the system log reports:

Apr 22 10:05:15 my-computer.local Cyberduck[1621]: [background-1] ERROR ch.cyberduck.core.ssl.CertificateStoreX509KeyManager - Keystore not loaded Get Key failed: pad block corrupted
Apr 22 10:05:16 my-computer.local com.apple.SecurityServer[87]: Problem opening rules file "/etc/authorization": No such file or directory

After some investigation, it appears that the /etc/authorization file was removed in Mavericks (OSX 10.9). So what is going on here exactly? Why is it trying to find this file that the OS should know isn't used anymore?

Jake Wilson

Posted 2016-04-22T15:07:16.703

Reputation: 3 044

It sounds like the certificates were not added to the certificate store correctly. Your user obviously does not have permission to the System keychain. My suggestion: add the certificates to the user's keychain. – Ramhound – 2016-04-22T15:15:55.593

I do have full access to the System Keychain. I can unlock it and make changes in the Keychain application. – Jake Wilson – 2016-04-22T15:35:48.310

You might try looking at the system.log. I had an issue recently where a program was interfering with the Keychain (causing the prompts not to be trusted), and was getting appropriate error messages there. – D Schlachter – 2016-04-22T15:54:39.813

The system log I think has some helpful info in it. See updated answer. – Jake Wilson – 2016-04-22T17:43:54.280

Answers

7

From Keychain, select your certification and change access control to "allow all applications to access this item".

Robert TuanVu

Posted 2016-04-22T15:07:16.703

Reputation: 186

Where exactly do you bring up that Window in the Keychain Access application? – Jake Wilson – 2016-04-27T15:04:17.157

To answer Jake Wilson's question: double click on the certificate in the Keychain Access application. – BazzPsychoNut – 2017-08-01T12:24:44.487

Here's an answer with a few more details: https://superuser.com/a/1306894/280734 – Jake Toronto – 2018-03-22T17:51:16.097
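
A narrower alternative to "allow all applications", as an added example that is not part of the original answer or its comments: when an identity is imported from the command line, `security import` takes `-T` to name the applications allowed to use the private key, while its `-A` flag is the allow-everything equivalent. The function name, the PKCS#12 file and all paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): import a client identity so
# that only named applications may use its private key without prompting.
# Assumptions: the identity is a PKCS#12 file; all paths are placeholders.

# usage: import_identity <file.p12> <keychain> <app> [<app>...]
# With DRY_RUN=1 the command is printed instead of executed.
# The body runs in a subshell so its variables do not leak to the caller.
import_identity() (
    if [ "$#" -lt 3 ]; then
        echo "usage: import_identity <file.p12> <keychain> <app> [<app>...]" >&2
        return 2
    fi
    p12=$1
    keychain=$2
    shift 2

    # Every application must be an absolute path, so nothing is trusted
    # just because it sits in the current directory.
    for app in "$@"; do
        case $app in
            /*) ;;
            *) echo "refusing non-absolute application path: $app" >&2
               return 1 ;;
        esac
    done

    # Rebuild "$@" as the argument list: one -T per allowed application.
    # -A (any application, no warning) is deliberately never emitted.
    first=1
    for app in "$@"; do
        if [ "$first" = 1 ]; then set --; first=0; fi
        set -- "$@" -T "$app"
    done
    set -- import "$p12" -k "$keychain" "$@"

    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "security $*"      # display only; arguments are not re-quoted
    else
        security "$@"           # passphrase is requested via a GUI prompt
    fi
)
```

Running it with `DRY_RUN=1` first shows the exact `security import` command before anything is written to a keychain.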

0

Just some info to hopefully help someone else... I have no answers for why this fixed my problem or why I created the cert way back when...

I had a similar problem... but always with Apple Mail and always with one specific mail account.... it always asked for the System keychain auth...

I fixed it by deleting a self-signed Open Directory certificate I created at some point a long while ago... the cert had the specific mail account id as the email in the cert...

I have no idea why I created the cert - as it was a long time ago... but the problems with the email id started last year when I reset my default keychain.

user685675

Posted 2016-04-22T15:07:16.703

Reputation: 1