GlobalProtect iOS App fails authentication with Error "SecItemCopyMatching failed -25300 for query"
Created On 07/12/23 20:01 PM - Last Modified 05/10/24 21:00 PM
Symptom
- The GlobalProtect App fails certificate-based authentication.
- The error message "SecItemCopyMatching failed -25300 for query" is seen in PanGPS.log.
- Error -25300 means "The specified item could not be found in the keychain."
- This indicates that the GP app cannot find any client certificate in a keychain that the GP app is allowed to access.
Error( 912): SecItemCopyMatching failed -25300 for query:
{ class = idnt; "m_Limit" = "m_LimitAll"; "r_PersistentRef" = 1; "r_Ref" = 1; }
Environment
- GlobalProtect (GP) App version 5.0+
- Mobile Device Management (MDM)
- Microsoft Intune
Cause
- Starting with 5.0, the GP app has to use the new Apple VPN framework (the old VPN framework is prohibited by Apple).
- The new VPN framework only allows a VPN app to access client certificates that were installed together with its VPN profile.
- This information is available in the Knowledge article and the Documentation.
Resolution
- Log into Intune > Click on Devices > Click on iOS/iPadOS > Click "+ Create Profile"
- Click on Create Profile > Profile Type: Templates > Template Name: [Desired-Name] > Create
- In Step 2, Configuration Settings, choose Connection Type: Custom VPN
- In the Key field, add: saml-use-default-browser
- Set Value: True
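An added example, not part of this article or of Palo Alto Networks' code: a small Python triage script that scans PanGPS.log text for the SecItemCopyMatching failure shown in the Symptom section, parses the query dictionary logged after it, and maps a -25300 result for an identity query (class = idnt) to the MDM remediation in the Resolution. The log sample is constructed, and the OSStatus name table and the wording returned by diagnose() are assumptions.

```python
import re

# OSStatus values this script can name; -25300 (errSecItemNotFound) is the
# code quoted in the article (table is an assumption, extend as needed).
OSSTATUS_NAMES = {-25300: "errSecItemNotFound"}

# Constructed sample of PanGPS.log lines (not a real capture), modelled on
# the two-line error quoted in the Symptom section.
SAMPLE_LOG = """\
Debug( 100): starting client certificate lookup
Error( 912): SecItemCopyMatching failed -25300 for query:
{ class = idnt; "m_Limit" = "m_LimitAll"; "r_PersistentRef" = 1; "r_Ref" = 1; }
Info( 101): no client certificate found, prompting user
"""

ERROR_RE = re.compile(r"SecItemCopyMatching failed (-?\d+) for query:")

def parse_query(line: str) -> dict:
    """Parse the '{ key = value; ... }' dictionary logged after the error."""
    query = {}
    for pair in line.strip().strip("{}").split(";"):
        if "=" not in pair:
            continue
        key, value = (p.strip().strip('"') for p in pair.split("=", 1))
        query[key] = int(value) if value.isdigit() else value
    return query

def parse_keychain_errors(log_text: str) -> list:
    """Return (status, query) for every SecItemCopyMatching failure."""
    lines = log_text.splitlines()
    errors = []
    for i, line in enumerate(lines):
        m = ERROR_RE.search(line)
        if not m:
            continue
        query = {}
        # As in the article's excerpt, the query dictionary follows on the next line.
        if i + 1 < len(lines) and lines[i + 1].lstrip().startswith("{"):
            query = parse_query(lines[i + 1])
        errors.append((int(m.group(1)), query))
    return errors

def diagnose(status: int, query: dict) -> str:
    """Map an error to the remediation the article describes (assumption)."""
    name = OSSTATUS_NAMES.get(status, "unknown OSStatus")
    if status == -25300 and query.get("class") == "idnt":
        return (f"{name}: no client identity visible to GlobalProtect; "
                "install the certificate with the VPN profile via MDM")
    return f"{name} ({status}) for query {query}"
```

Run parse_keychain_errors() over the text of a real PanGPS.log and pass each result to diagnose() to confirm the failure is the keychain visibility problem rather than a different OSStatus.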