SSO (Single Sign-on) through an ACE4710

fsteininger
Level 1

Hello,

I am load balancing Terminal Server Windows 2008 sessions with an ACE4710.

I am trying to establish a Terminal Server session with Single Sign-On (SSO), but without success. Normal login with username and password on the TS is functioning, but never an SSO session.

Does anyone have an idea how to configure the ACE to allow an SSO session to be established?

Thanks

François

1 Accepted Solution

Indeed, if the problem is the name sent by the server, your only solution is to change the server name if possible.

See if you can maybe configure a loopback on all servers with the VIP address and use transparent load balancing.

Only possible if your servers are adjacent to the appliance (share a VLAN between ACE and servers).

Gilles.

3 Replies

Gilles Dufour
Cisco Employee

Do you have stickiness configured?

Sniffer trace?

G.

Hello,

Yes I have "sticky source IP" configured.

Some explanation about the situation.

I have 3 Windows 2008 Terminal Servers (for example: TS1, TS2 and TS3). On the ACE4710 I have a VIP address (DNS name = TSserver.mydomain.ch) which load balances the sessions between the servers and does source-IP sticky.

The problem I see is that the client PC opens a TS session to "TSserver.mydomain.ch". This session is, for example, sent to the server TS1. Then the client PC refuses the Single Sign-On because the remote Terminal Server responds with "TS1.mydomain.ch" during the SSO.

At this point the user is prompted for "user name" and "password". If we log in normally the TS session is working fine.

But what we wanted is SSO!

I am not sure if we can do something on the ACE because I think this is a name problem between the PC, which connects to the VIP's DNS name, and the real server responding with its real host name!

But, I am open to any suggestion...

Thanks
