User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36

Steps to reproduce:

Each time I send an email using my Office365 account - just as the email is preparing to send, I am prompted with 'macOS wants to make changes. Enter an administrator's name and password to allow this'
'macOs wants to use the "System" keychain'.

I have two other email addresses - both Gmail, and I am able to send emails not get this problem.

To establish some base line I created a new profile (using the profile manager) and put in my O365 credentials, as though it was fresh, and the same administrator prompt emerges when I go to send an email.

Actual results:

I have to enter the administrator username and password in order to send the email from the Office365 account.

Expected results:

I should be able to send an email, as before, TB78 without prompting for an administrator username and password.

Using Office365 through IMAP/SMTP, or using an add-on?

Great question - I'm using IMAP / SMTP

Are you using yubikey or other smart card? If you are, try removing that if it's connected.

(In reply to Magnus Melin [:mkmelin] from comment #3)

Are you using yubikey or other smart card? If you are, try removing that if it's connected.

Good question - no yubikey or other smart card. The account does have MFA. I have removed the password and re-entered my credentials, the but persists.

So I have rolled back TB91 to TB78.13 and created a new profile and re-added my email accounts, including the O365 with MFA - and that seems to have resolved the issue - I can send emails using my O365 account without being prompted for admin credentials to update the keychain.

I think the problem is somewhere in the update / upgrade from TB78 to TB91. Instead of waiting for the TB update mechanism, I downloaded TB91 from the website and overwrote the existing TB78 in the /Applications folder, potentially creating an error (or inconsistency) in the keychain?

I'm not familiar with how O365 with MFA work, is there something in your keychain needed to auth with O365? Have you set signon.management.page.os-auth.enabled to true and turned on "Use a primary password" in TB?

Can you provide some debug logs in TB91. First set mailnews.smtp.loglevel to All, open DevTools and clear everything in Console, do a send with your O365 account, no need to type anything in the keychain prompt (or maybe click the deny button), copy the logs in the Console tab here.

Please check the security.enterprise_roots.enabled and maybe security.osclientcerts.autoload preferences and see if changing them makes a difference.

Maybe this is related to SSL client certificates somehow. Check the certificates if any you have set for yourself.

(In reply to Magnus Melin [:mkmelin] from comment #9)

Please check the security.enterprise_roots.enabled and maybe security.osclientcerts.autoload preferences and see if changing them makes a difference.

Maybe this is related to SSL client certificates somehow. Check the certificates if any you have set for yourself.

So it seems that security.osclientcerts.autoload was the issue - I am no longer getting the 'macOs wants to use the "System" keychain' prompt. I've quit TB and restarted my computer - just to make sure the issue did not persist.

Thanks so much @Magnus Melin.

I am not sure what happens next - given that the issue is resolved?

Thanks everyone in this thread who offered feedback and troubleshooting steps. It's clear Thunderbird as a community of practice is quite vibrant and supportive.

It is curious to me that the issue only emerged after force upgrading TB78 to TB91 on MacOS.

security.osclientcerts.autoload was enabled by default in bug 1696997 during the cycle. We may want to set that to false by default for Thunderbird.

Unfortunately I guess that pref will cause a problem if you have any S/MIME certificates set up, since some configurations will then try to do authentication using SSL client certificates, causing the access to the cert store. While that's not nice in it self, it's worse that you get the prompt to access the OS cert store....

TB really needs to stop assuming that it needs to do client SSL auth with connections and make it configurable to select specifically what certificate to use.

Handling the issue in bug 1726442.