CAS SSO Failing

Unanswered Question
Jul 30th, 2009

We have a CAS appliance configured for Windows SSO. This worked in the past, but I noticed today that the Windows SSO service showed stopped on the CAS (this is at our DR site and is not used often, so I do not know how long it has been in this state). When I tried to start the service, I saw the following log entries in the nac_manager log:


setAttribute failed: com.perfigo.wlan.jmx.admin.ServerInfo.SSOState @10.7.255.100:duration=0:ConnectorClient not connected to RMI Connector Server


invoke failed:: com.perfigo.wlan.jmx.admin.ServerInfo.startSSOServer @10.7.255.100:duration=59992:Error unmarshaling return header; nested exception is: java.net.SocketTimeoutException: Read timed out


Any ideas? TAC case will be next in the morning if I cannot figure this out. I am flat out of ideas. I am having the Admins check the account that we use to ensure it has not changed, but short of that I do not know where to turn. Those log messages do not mean much to me.

srue Fri, 07/31/2009 - 06:32

This CAS is at a DR site; does that mean there is another CAS that is possibly working correctly with SSO?

jthullen Fri, 07/31/2009 - 06:41

Yes, we have other CAS pairs that work, but they connect to a different CAM. I have opened a TAC case on this issue, and will keep you posted on what TAC can determine.

srue Fri, 07/31/2009 - 06:47

I'll come down and troubleshoot, seeing that you're in Cinci and I'm in Indy :)



jthullen Fri, 07/31/2009 - 07:01

Actually we just got it resolved. The CAS is set to hit any DC in the domain. Turns out it was hitting a DC that did not have the configured account on it. Unfortunately, it seems like a crap shoot on which DC it will hit unless you configure one specific DC, then re-run ktpass on the user. We don't want to do that, so we are checking with our AD admins to see why the account was not replicated to the DC in question. Issue resolved, saved you a trip! :)

srue Fri, 07/31/2009 - 07:15

You can run ktpass against a specific DC or the entire domain, and then turn on SSO for the entire domain or a specific DC. I usually configure SSO for the entire domain.



jthullen Fri, 07/31/2009 - 07:21

That is what we have done as well, but one of the DCs doesn't get the cas user account we configured, and thus the SSO was not able to start. Not sure why that DC did not have the account.
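A per-DC check for the condition described in the posts above, added here as an example and not part of the original thread: it asks every domain controller directly whether the SSO service account exists there and whether the ktpass-mapped SPN and key version number match. It assumes the ActiveDirectory PowerShell module is available; the account name is a placeholder because the thread does not give it.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholder: sAMAccountName of the account ktpass was run against.
$SsoAccount = 'PLACEHOLDER_cas_sso_user'

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [pscustomobject]@{
        DC = $dc.HostName; Site = $dc.Site; Found = $false
        Enabled = $null; Kvno = $null; SPNs = ''; Error = ''
    }
    try {
        # -Server pins the query to this DC, so a replica that never
        # received the account returns nothing instead of being masked
        # by whichever DC the locator would normally pick.
        $u = Get-ADUser -Filter "sAMAccountName -eq '$SsoAccount'" `
                 -Server $dc.HostName -ErrorAction Stop `
                 -Properties servicePrincipalName, 'msDS-KeyVersionNumber'
        if ($u) {
            $row.Found   = $true
            $row.Enabled = $u.Enabled
            $row.Kvno    = $u.'msDS-KeyVersionNumber'
            $row.SPNs    = ($u.servicePrincipalName | Sort-Object) -join ';'
        }
    } catch {
        # An unreachable DC is reported separately from "account missing".
        $row.Error = $_.Exception.Message
    }
    $row
}

$results | Sort-Object Found, DC | Format-Table -AutoSize -Wrap

# DCs that answered but do not hold the account.
$missing = $results | Where-Object { -not $_.Found -and -not $_.Error }
if ($missing) {
    Write-Warning ("Account missing on: " + ($missing.DC -join ', '))
}

# DCs that hold the account but disagree on key version or SPN,
# for example after ktpass was re-run and the change has not replicated.
$variants = $results | Where-Object Found |
    Group-Object { "{0}|{1}" -f $_.Kvno, $_.SPNs }
if (@($variants).Count -gt 1) {
    Write-Warning "Key version or SPN differs between DCs."
}
```

Any DC listed as missing or inconsistent is one the CAS could be directed to when SSO is configured for the entire domain.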

pmccubbin Wed, 11/04/2009 - 10:32

Hi Jeffrey,

Did you ever resolve why one of the DCs didn't get the cas user account?


Paul
