Mac Ziti Desktop Edge randomly losing authentication

Hi @dmuenster. We’ve been setting this issue aside while your other thread was explored. Since that has been resolved now, I’d like to continue with this issue, assuming you’re still seeing it after squaring up your CAs on the controller. (I’m assuming that the macOS clients mentioned here are connecting to the same controller as the ziti-edge-tunnels in the other thread.)

It’s definitely odd that Ziti Desktop Edge is preferring to use legacy authentication despite your controller being configured to use internal OIDC authentication. ziti-sdk-c 1.8.5 was relatively early in terms of OIDC development, so it’s possible that you’re seeing a bug here that was unnoticed by us and already fixed in the current ziti-sdk-c release.

The next version of Ziti Desktop Edge for Mac (2.53) uses the same version of ziti-sdk-c as the ziti-edge-tunnels that are working for you. Our testing of 2.53 has been going well, and I’m getting ready to promote it to the App Store next week.

If you’re interested in trying 2.53 on any of your macOS hosts before it hits the App Store, I can send a TestFlight invitation to you. In order to do this you would need to use the TestFlight application from the macOS App Store, and I’d need your Apple ID email so I could send you an invitation.

Outside of trying the next version, the next thing I can think of here is to enable tlsuv/TRACE logging on a client so we can see details about the interactions between the tunneler and the controller.

Thanks!