NAC: Implementing ADSSO on 2 AD servers

Unanswered Question
Oct 15th, 2009

Hi, can someone give me an idea on how to configure ADSSO on a network with two AD servers (1 active, 1 standby)?

Please tell me how to implement Device Management > Clean Access Servers > (managed IP) > Authentication > Windows Auth > Active Directory SSO > option for Domain (All Active Directory Servers)

Thanks.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (4 ratings)
Loading.
pmccubbin Mon, 10/19/2009 - 11:27

It's unclear whether ktpass, in environments which have numerous AD servers, needs to be run on more than one AD server.

Is this correct or will the ktpass functionality replicate throughout the AD structure?

If I am unclear please let me know. Thanks.

Faisal Sehbai Mon, 10/19/2009 - 15:57

Ktpass needs to be run once only on the user account which you'll use for SSO. It doesn't need to be run on all the DCs separately. That users properties will propagate through your AD through normal AD replication (if setup correctly!)

HTH,

Faisal

pmccubbin Tue, 10/20/2009 - 08:47

Hi Faisal,

You have certainly helped.

Followup question:

In an environment with 3 pairs of high availability CAS boxes would you have the same user account for SSO for all boxes, including those dedicated for wireless and VPN?

Thank you in advance.

Paul

Faisal Sehbai Tue, 10/20/2009 - 08:52

Paul,

Yes you can use the same user for all CAS's. Only caveat is that the 'type' of SSO should be the same on the CASs too, i.e. you can't use the same user to do single server SSO on one, and domain SSO on another.

Wireless and VPN SSO are based off of Radius accounting packets and unrelated to AD.

That makes sense?

HTH,

Faisal

pmccubbin Tue, 10/20/2009 - 08:55

Yes, your answer makes sense regarding the single SSO versus the domain SSO.

Thanks and a "5" from NYC.

rc.castillo Mon, 10/26/2009 - 22:58

Hi all,

Thank you for all your help. This info will surely be of great help. Thanks.

Rgrds,

Dan

abushlow Mon, 03/29/2010 - 16:40

Faisal,

We followed the instructions for updating our CASUSER mapping with KTPASS on server 2008. The command produced the output message "successfully mapped casuser/[...]". Our syntax was to map the user to the domain, not to the domain controller. Nevertheless, AD-SSO still does not work for Windows 7 clients. It only works for XP/Vista, or with the Windows 7 clients who use the workaround in the secpol.msc snap in.

Our NAC is 4.7.2 and agent is 4.7.2.10

KTPASS.EXE file version is 6.0.6002.18005

Any help you can provide is greatly appreciated.

Faisal Sehbai Wed, 03/31/2010 - 23:16

Hi,

If the SSO service is started on the CAS, then you'll have to focus on the client side. Can you provide a set of client logs from the client that's failing SSO, or are you seeing it for all your Windows 7 clients?

If for all clients, then can you provide the output of the KTPASS run you did on your Win2k8 AD?

Also to note, is your AD in mixed mode with 2k3, or native 2k8 mode?

Faisal

netjustin Thu, 04/01/2010 - 12:07

Thanks for the reply.

Here are a Win7 log output, where SSO is failing but standard provider works fine. Also, the command and output from KTPASS on our 2008 R2 server. .Domain is a mixed 2003/08 envrionment at 2003 functional level.

I can also provide a copy of the keytab file though it is plaintext, seems it would be best sent via private mesage than on the forum.

Thanks again for any analysis you can offer.

-netjustin

Faisal Sehbai Thu, 04/01/2010 - 13:41

Hi,

With 2k3 mixed mode and 2k8 in the mix, it's tricky! Easiest fix (though don't know how feasible it is for you) is to upgrade your AD to native 2k8 and things will start working. If you can't then you need to run ktpass (version 5.2.3790.1830) on a 2k3 DC and point your CAS only to that 2k3 DC. Also make sure when you run ktpass against the 2k3 DC, you don't include the +DesOnly at the end of that ktpass run.

If you do run this against the 2k3 DC, please post the output of that here.

Give either of these a try and let me know how you fare.

HTH,

Faisal

netjustin Thu, 04/01/2010 - 16:03

Faisal,

We've gone ahead and re-run KTPASS.EXE 5.2.3790.1830 from the 2003 SP1 Support Tools package. The command and output were saved and are attached. Unfortunately, this did not do the trick. The Active Directory Server (FQDN) field is now set to our 2003 DC in CCA Servers -> IP ADDRESS -> Authentication -> Windows Auth. I even went so far as to point our LDAP authentication provider to the same server, but the result has not changed. SSO works in XP and Vista, but does not work in Windows 7.

We are avoiding the domain level functionality route until we have our other domain sensitive applications fully up to date. But we don't want to move onto those until NAC is fully functional. So we are kind of in a catch 22.

Faisal Sehbai Sat, 04/03/2010 - 17:41

Hello,

So what's happening now? Is the SSO service not starting, or is it running and your Windows 7 clients are failing?

Faisal

netjustin Sun, 04/04/2010 - 00:14

SSO service is running, and works in XP and Vista. SSO does not work in Windows 7. However, manual sign in does work in Windows 7.

netjustin Thu, 04/08/2010 - 09:27

*bump for ongoing problem

We're sort of up against a wall here, but if there is no solution then there is no solution. NAC always seems to be in a sort of "reactive" state in terms of functionality.

Faisal Sehbai Thu, 04/08/2010 - 15:39

Hi,

Please raise a TAC case for this issue. We might have to get higher powers involved to get this working, if you can't move to native 2k8!

HTH,

Faisal

Actions

This Discussion