NAC 4.5 ADSSO on multiple AD servers not working, how to troubleshoot?

Unanswered Question
Nov 19th, 2009

Hi All,

I'm handling a NAC (CAS and CAM ver 4.5) to be implemented on a production network. The network has two working AD servers, one acting as a back-up. We want to configure the NAC to be able to run ADSSO even if the active AD fails, so we configured NAC to run ADSSO on multiple servers. I followed the documents, ran ktpass for multiple ADs, installed kerbtray to see Kerb tickets, but I'm still puzzled by the problem. My CAS shows that the ADSSO service is already started, but my workstation cannot perform Single Sign-On. After the "performing AD authentication" window, the agent then reverts back to a local account. Please help, guys. I'm willing to share other details about this. Thanks.



Faisal Sehbai Fri, 11/20/2009 - 12:58


If the service is started and SSO still failing, check for open ports on your unauthenticated traffic policy. For testing you can open all IP, and if that works, then look closely at the documented port openings and have them open.



rc.castillo Sun, 11/22/2009 - 19:31

Hi Faisal,

The Unauthorized role is already in an all-traffic-enabled policy. My problem is that the KT that is shown on the workstation is different from the one I created using ktpass, although I matched the case of the domain with the one in ktpass. I would deeply appreciate it if you can help. Thanks.



Faisal Sehbai Mon, 11/23/2009 - 07:28


Do you still have the text of the ktpass run you did on that account?


alex goshtaei Fri, 11/20/2009 - 14:40

Make sure to check "Domain" instead of "single AD server" on the CAS authentication page.


grant.maynard Mon, 11/23/2009 - 10:10

Check the syntax of ktpass.

Also make sure the DCs and the CAS are synchronised to the same time source (or the CAS is synched to the DC itself).
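Added example, not code from this thread or from Cisco: a small Python reader/writer for the MIT keytab format that ktpass produces, with a case-sensitive comparison of the keytab's principal against the one kerbtray shows, which is the check rc.castillo's mismatch and grant.maynard's "check the syntax of ktpass" point at. The realm, SPN, key and timestamp in SAMPLE are constructed sample values; Kerberos principals are case-sensitive, so a realm written as `example.com` does not match `EXAMPLE.COM`.

```python
import struct
# Added example: reads/writes the MIT keytab format (version 0x0502) that Windows ktpass writes,
# so the stored principal can be compared case-sensitively with what kerbtray shows. Sample data is constructed.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b            # uint16 length prefix, then bytes

def _read_counted(data: bytes, pos: int):
    n = struct.unpack_from(">H", data, pos)[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):
    """entries: list of (realm, components, name_type, timestamp, kvno, enctype, key)."""
    out = b"\x05\x02"
    for realm, comps, ntype, ts, kvno, etype, key in entries:
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIBH", ntype, ts, kvno, etype) + _counted(key)
        out += struct.pack(">i", len(body)) + body  # int32 entry size, then the entry
    return out

def parse_keytab(data: bytes):
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        if size <= 0:                               # negative size marks a deleted slot
            pos += 4 - size
            continue
        end = pos + 4 + size
        ncomp = struct.unpack_from(">H", data, pos + 4)[0]
        realm, pos = _read_counted(data, pos + 6)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        ntype, ts, kvno, etype = struct.unpack_from(">IIBH", data, pos)
        key, _ = _read_counted(data, pos + 11)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": ntype,
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype)), "key_len": len(key)})
        pos = end                                   # also skips the optional trailing 32-bit kvno
    return entries

def check_principal(keytab: bytes, expected: str) -> str:
    found = [e["principal"] for e in parse_keytab(keytab)]
    if expected in found:
        return "match"
    return "case-mismatch" if expected.lower() in (p.lower() for p in found) else "missing"

SAMPLE = build_keytab([("EXAMPLE.COM", ["casuser", "cas.example.com"], 1, 1258600000, 3, 3, b"\x01" * 8)])
```

Point `parse_keytab` at the file ktpass wrote with `-out` and compare the listed principal and enctype with the ticket kerbtray displays; a "case-mismatch" result is the symptom described above.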

