Clean Access SSO

May 13th, 2008

Hello NetPro,

I am piloting an OOB Clean Access setup on my network. I have successfully configured Clean Access using the client and am happy with its performance.

I have attempted configuring Active Directory SSO and have mixed results.

The first result being enabling the SSO by following the config guide and then clicking the update button and watching paint dry as the IE progress bar clicks along.

The second being the usual message of "Error : Could not start the SSO service. Please check the configuration."

I have dug up the logs from the CAS in question and during the first error, there are no messages. During the second error however the message is "SEVERE: loginToKDC - SSO Service authentication failed. Clients credentials have been revoked (18)"

I have searched the Cisco website for details of this message and there seems to be no reference.

I am authenticating to a Domain and have followed the procedure correctly (I assume, based on re-checking of the output).

Does anyone have any advice?

Cheers, Rick

gojericho0 Wed, 05/14/2008 - 03:34

Hi Rick,

I had a similar problem, and the culprit was DNS. Our domain had some multi-NIC DCs by accident. These additional NICs were supposed to be disabled, but instead were attempting to receive a DHCP address unsuccessfully, which resulted in them receiving a 169.254.x.x address. Since they were DCs they added these IPs as A records for the domain zone.

I'm not saying that you have the same problem, but I figured this out by monitoring the switchport the CAM was connected to and observing the traffic with Wireshark.

I'd first do an nslookup for your domain. If it looks like it's resolving all the addresses correctly, I would set up SPAN and run Wireshark for any other issues.
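
The DNS check described in the post above, as an added example that is not part of the original thread: it parses `nslookup` output for the domain and flags any A record in the 169.254.0.0/16 range. The sample output, the domain name `corp.example` and the function names are constructed for illustration.

```python
import ipaddress
import re
import socket

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA / link-local range

# Constructed sample of Windows nslookup output (names and addresses are made up).
SAMPLE_NSLOOKUP = """\
Server:  dc01.corp.example
Address:  10.0.0.10

Name:    corp.example
Addresses:  10.0.0.10
          10.0.0.11
          169.254.23.7
"""

def parse_nslookup(text):
    """Return IPv4 addresses from the answer section (after 'Name:'),
    skipping the address of the DNS server that answered the query."""
    parts = text.split("Name:", 1)
    if len(parts) < 2:
        return []  # no answer section: lookup failed or timed out
    found = []
    for candidate in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", parts[1]):
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # looked like an address but is not one (e.g. 999.1.1.1)
    return found

def resolve(domain):
    """Live alternative: A records for the domain via the system resolver."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})

def stale_records(addresses):
    """Addresses in the APIPA range, i.e. registered by a NIC that got no DHCP lease."""
    return [a for a in addresses if ipaddress.ip_address(a) in LINK_LOCAL]

if __name__ == "__main__":
    addrs = parse_nslookup(SAMPLE_NSLOOKUP)
    bad = stale_records(addrs)
    for a in addrs:
        print(f"{a:15}  {'STALE (169.254.x.x)' if a in bad else 'ok'}")
```

To check a live domain instead of saved output, pass the result of `resolve("your.domain")` to `stale_records`.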

nickbettison Fri, 05/30/2008 - 00:43

Hi Rick,

I'm seeing the same issue, have you found a resolution?



CoetzerJ Tue, 06/10/2008 - 22:27

Did you run KTPASS correctly?

I had the same problem (very undocumented 'feature', I would say): the KTPASS command must be run slightly differently when running against a DC, versus running it against an AD Domain.

For Domain Authentication:

ktpass.exe -princ cleanaccess/[email protected]_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly

For AD Server Authentication:

ktpass.exe -princ cleanaccess/[email protected]_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly

NOTE: SERVERNAME needs to be exactly as indicated under My Computer > Properties (i.e., correct UPPERCASE and lowercase letters in the right places).

Another thing to look out for is the cleanaccess AD account you have created: make sure that the display name matches the account name, and do not specify anything for the Firstname, Lastname fields. This seems to break things and gets the authentication to fail for some reason.

Oh, and if you have set up the account at first for DC Server Authentication, delete it and recreate it for the AD Domain Authentication, because that breaks it too when you run the KTPASS.EXE again.

Another thing: try using ADSSO without the lookup account configured to see that the machine authenticates first, then add the Lookup Account; maybe the problem lies there.

Hope this helps.

nickbettison Wed, 06/11/2008 - 02:21


I did get it working after a bit of playing around. I think I found out that the "credentials revoked" message means that the account is locked out... possibly due to an authentication error (wrong password) or, as you say, incorrect ktpass. I found deleting and re-creating my AD account, then re-doing the ktpass command, solved my problem.



CoetzerJ Wed, 06/11/2008 - 23:10

Cool, glad my post was helpful. I had the same problems with a big implementation I was doing last week, hence I thought I'd share the tests. :-)

