NAC 4.7.1 ADSSO can't work on client

Unanswered Question
Dec 2nd, 2009

Dear Sir,

I used NAC 4.7.1 and configured AD SSO with Windows 2k Server. (LDAP auth is OK.)

The SSO service is running on the CAS, but TCP port 8910 is not listening.

How do I open TCP port 8910, and how do I fix this?

Faisal Sehbai Mon, 12/07/2009 - 18:50

Yang,

That should be available when the SSO service is started. Is the SSO service running?

Have you bounced the perfigo service, or the server itself?

Thanks,

Faisal

beckman.yang Sun, 12/13/2009 - 18:02

Dear Sir,

The ADSSO service is running. I have tried restarting the service on the CAS, but it still doesn't work on the client.

thanks

Faisal Sehbai Mon, 12/14/2009 - 08:42

Hi,

If the SSO service is running, then the next thing you have to look at (if it's failing at the agent) is the ports that are open in the unauthenticated role.

Can you post a listing of those?

Can you also post the output of the following command from your CAS: nslookup your_domain_name, where your_domain_name is the domain name you're trying to do SSO against.

Faisal

Faisal Sehbai Tue, 12/15/2009 - 18:48

Hi,

Two things:

- One of your DCs being returned when we do an nslookup is a 169.254 address. This means that one of your DCs has DHCP enabled on one of its interfaces and that is also being registered in your AD as a DC. This will cause problems for you, so it's best to have your AD cleaned up.

- You posted the netstat output. I was looking for the unauthenticated role policies. To get those, go to the CAM GUI, click on User Roles, then Traffic Policies, choose the unauthenticated role and hit Select. The resulting page is what I wanted to see.

Faisal
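The two checks Faisal asks for above (an nslookup of the domain that must not return a 169.254 APIPA address for any DC, and confirming that the CAS is really listening on TCP/8910) can be scripted against captured output. This is an added example, not code from the thread or from Cisco NAC; the domain name, addresses and netstat lines are constructed samples.

```python
"""Offline checks for the two AD SSO findings discussed in this thread:
1) a DC registered in DNS with a 169.254.x.x (APIPA) address,
2) whether TCP/8910, the CAS AD SSO listener, is actually in LISTEN state."""
import ipaddress
import re

# Constructed sample of `nslookup example.corp` output (placeholder domain).
SAMPLE_NSLOOKUP = """\
Server:  dns1.example.corp
Address:  10.0.0.10

Name:    example.corp
Addresses:  10.0.0.11
          169.254.37.2
          10.0.0.12
"""

# Constructed sample `netstat -an` lines, Linux format (CAS side).
SAMPLE_NETSTAT_OK = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8910            0.0.0.0:*               LISTEN
"""
SAMPLE_NETSTAT_BAD = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def dc_addresses(nslookup_output):
    """IPv4 addresses in the answer block (after 'Name:'), so the DNS
    server's own address printed above it is not counted as a DC."""
    answer = nslookup_output.split("Name:", 1)[1] if "Name:" in nslookup_output else ""
    return IPV4.findall(answer)


def link_local_dcs(nslookup_output):
    """DC addresses inside 169.254.0.0/16: a DC that registered a DHCP-assigned
    APIPA interface in AD, which breaks SSO as described in the thread."""
    apipa = ipaddress.ip_network("169.254.0.0/16")
    return [a for a in dc_addresses(nslookup_output) if ipaddress.ip_address(a) in apipa]


def sso_port_listening(netstat_output, port=8910):
    """True if a TCP socket bound to `port` is in LISTEN/LISTENING state.
    The first field containing ':' is the local address in both Linux and Windows output."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith("tcp"):
            continue
        local = next((f for f in fields if ":" in f), "")
        if fields[-1].startswith("LISTEN") and local.rsplit(":", 1)[-1] == str(port):
            return True
    return False
```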

Faisal Sehbai Thu, 12/17/2009 - 07:14

Hello,

Please open traffic to ALL your DCs, and not just one, and try again.

If that doesn't work, try opening ALL IP in the unauthenticated role (just for testing) and see if AD SSO succeeds.

Faisal

danielnunes Thu, 05/13/2010 - 11:07

Hi Faisal,

I have the same problem, and you can see the nslookup result from my CAS.

Right now I can start the ADSSO service on the CAS, but I can't see port 8910 open on the CAS.

thanks a lot

Faisal Sehbai Fri, 05/14/2010 - 12:37

Daniel,

The screen shot shows the SSO service not starting. Post your CAS logs so we can see why.

Faisal

danielnunes Fri, 05/14/2010 - 13:41

Faisal,

Thanks for your attention.

We had two problems. First of all, our AD domain had an incorrect number of IP addresses; there were more IP addresses than necessary, so first we made a clean-up there. Second, I saw that machines couldn't do AD SSO because the Kerberos ticket did not appear on the machine (I used the Kerbtray program to check this), and I could figure out that there were some UDP ports that were not open.

After this everything works fine.

thanks a lot
