AD SSO Problem in NAC

Mar 13th, 2009

I have successfully run ktpass in AD. Then, as per the procedure, I synced the AD with the CAS & CAM. After that, when I go to start the AD service, the following error comes up:

Error : Could not start the SSO service. Please check the configuration.

I also have not found the log file on the CAS:

/perfigo/logs/perfigo-redirect-log0.log.0

1. I have checked the connectivity between AD and CAS; it's fine.

2. As per the document, I have completed all the steps but am still not able to integrate AD with CAS.

Can anyone help me out?

greg.washburn Fri, 03/13/2009 - 05:57

Just wondering, are you using 2008 or 2003 domain controller(s)?

jad.sadek Fri, 03/13/2009 - 09:06

Follow the exact requirements for the AD DC:

For example, Win2k3 with SP1 is supported, while it is not supported without SP1...

Also, make sure ktpass has the minimum required version. If not, download it from Microsoft.

Make sure you follow the right procedure for ktpass. The procedure in case you have multiple DCs is different than the one with a single DC.

greg.washburn Fri, 03/13/2009 - 11:42

The reason I asked what OS your domain controllers are running is because you may need to run ktpass differently for CAS server to support authentication to 2k8. We certainly did. We were only able to use a single domain controller vs a domain for the "Account CAS on setting".

netjustin Tue, 03/30/2010 - 14:40

"The procedure in case you have multiple DCs is different than the one with a single DC."



Somewhere I heard that if you run KTPASS from the latest supported version of Windows Server in your domain, then the proper Kerberos mappings will replicate throughout. Your statement seems to contradict that; where did you find this information?


We are having a problem similar to the OP, where one of our two CAS servers is failing to start the SSO service. This is after attempting to run the KTPASS routine to allow for Windows 7 support. I do believe a GUI utility is called for in a situation like this.

jwjorgensen Fri, 03/13/2009 - 14:51

You might check the time on the DC, the CAS, and the CAM. ADSSO uses Kerberos, which requires the times on the devices to be synced (I believe within 5 minutes of each other).

Daniel Laden Fri, 03/13/2009 - 23:08
User Badges:
  • Cisco Employee,

"Neither i have found the log file in cas

/perfigo/logs/perfigo-redirect-log0.log.0"


What version of Cisco NAC do you have installed? If NAC 4.5+, look for the log file at /perfigo/access/tomcat/logs/nac-server.log


-Dan Laden

vishekha Fri, 03/13/2009 - 23:38

The location of the CAS log files differs based on the version.

In 4.1.x it's /perfigo/logs

In 4.5 and later it's /perfigo/control/tomcat/logs/


Try to understand what's going on by reading the logs.

Also, please make sure the time is synchronized on AD and CAS & CAM.


Daniel Laden Sat, 03/14/2009 - 12:44
User Badges:
  • Cisco Employee,

Just a point of clarity.


For 4.5+, the NAC Manager log files are at /perfigo/control/tomcat/logs and the NAC Server log files are at /perfigo/access/tomcat/logs.


-Dan Laden
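
The two checks suggested in this thread (look in the version-specific log directory, and confirm the DC, CAS and CAM clocks agree), as an added shell example that is not from any poster or from Cisco. The function names and the name=epoch input format are assumptions, the sample timestamps are constructed, and 300 seconds is the default Kerberos clock-skew tolerance.

```shell
#!/bin/sh
MAX_SKEW=300   # seconds: the 5-minute Kerberos tolerance mentioned in the thread

# nac_log_dir ROLE VERSION  (hypothetical helper; ROLE is cas or cam)
# Prints the log directory the thread gives for that role and version;
# returns 1 for combinations the thread does not cover.
nac_log_dir() {
    role=$1; ver=$2
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 5 ]; }; then
        case $role in
            cas) echo /perfigo/access/tomcat/logs ;;
            cam) echo /perfigo/control/tomcat/logs ;;
            *)   return 1 ;;
        esac
    elif [ "$role" = cas ] && [ "$major.$minor" = 4.1 ]; then
        echo /perfigo/logs
    else
        return 1
    fi
}

# clock_skew_check REF_EPOCH name=epoch ...  (hypothetical helper)
# REF_EPOCH is the DC's time in Unix seconds; each name=epoch pair is another
# device's time sampled at the same moment. Prints devices beyond MAX_SKEW
# and returns 1 if any were found.
clock_skew_check() {
    ref=$1; shift
    bad=0
    for pair in "$@"; do
        name=${pair%%=*}; t=${pair#*=}
        diff=$((t - ref))
        if [ "$diff" -lt 0 ]; then diff=$((0 - diff)); fi
        if [ "$diff" -gt "$MAX_SKEW" ]; then
            echo "$name: ${diff}s from reference exceeds ${MAX_SKEW}s"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: CAS is 301 s ahead of the DC, CAM is 10 s ahead.
echo "CAS 4.5 logs: $(nac_log_dir cas 4.5)"
clock_skew_check 1236900000 cas=1236900301 cam=1236900010 ||
    echo "sync the clocks before retrying the SSO service"
```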
