NAC ADSSO doesn't work

Mar 14th, 2008

Hi there,

I have 1 CAS and 1 CAM. Everything works fine if I use localDB authentication.

I tried to complete the SSO AD configuration from the CAM installation guide. The SSO service started successfully. I'm trying to log in to the domain - it's OK, I see the green kerbtray icon, tickets are OK, but I still receive the CCA Agent login/password screen.

AD logging looks like: ( is AD server)

Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC

INFO: GSSServer - SPN : [cisco/[email protected]]

Mar 14, 2008 1:10:00 PM com.perfigo.wlan.jmx.admin.GSSServer buildKDCList

INFO: buildKDCList - KDC-1:

Mar 14, 2008 1:10:10 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC

INFO: GSSServer - KDC(s) : []

Mar 14, 2008 1:14:22 PM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run

INFO: GSSR - Windows SSO is running

Mar 14, 2008 1:19:22 PM com.perfigo.wlan.jmx.admin.GSSRetrier$RetrierTask run

INFO: GSSR - Windows SSO is running

What may be wrong in my configuration? Local time on CAM, CAS and AD is the same, TCP/8910 in CAS is in listening mode. I opened full IP from * to my AD Server for Unauthenticated Role.



a.goldstein Fri, 03/14/2008 - 08:35

Oops, I found the problem.

Workstation OS version was w2003server. With w2000wks and XP my configuration is working.



gojericho0 Mon, 06/02/2008 - 07:19

Have you created an Authentication Server for your AD SSO?

Log on to CAM

User Management -> Authentication Server

szajihsaniatan Mon, 08/04/2008 - 10:15

hello yprasannas...

We are having the same issue with AD SSO... Logging into the domain is OK, but we get the CCA Agent login/password screen as well... We also configured VLAN mapping as well, but no luck...

I noticed vlan mapping fixed your issue, what other things did you do?


vinhtran427 Mon, 08/04/2008 - 15:19

Are you running OOB Layer-3 with Real-IP gateway? Are you running 4.1.3? Are you using Certificate Authority? If the answer is yes to all, you may want to review this. Be careful though, you may also need to apply an egress ACL to block trusted VLAN from sending TCP-8910 to the FQDN of the OOB-CAS's Untrusted IP. Otherwise, the CCA agent may continue to send TCP-8910 to CAS and process SSO and refresh IP continuously (looping process).

szajihsaniatan Tue, 08/05/2008 - 06:47

I answered yes to the first 2... not sure about the certificate authority... I'll take a look at the link and update... thanks for the response.

manfernandez Tue, 12/01/2009 - 14:53

I am having an issue with Windows Server 2008 Datacenter Core 2 64Bit and AD SSO.

I am getting the “Client not found in Kerberos database (6)” error. I confirmed that the customer has the KB951191 hot fix.

TAC is saying it is not supported on Windows 2008 64Bit, although their documentation says it IS supported with the new v4.7.1.

Anyone else running 2008 64 with similar issues?

