NAC AD-SSO service started but client isn't doing SSO

Unanswered Question
Jan 18th, 2010

Hi All,

We have NAC version 4.7(1) and we integrated it with Domain Controller on windows 2008. The integration is done and the service is started but the client (XP machine) access the domain without doing SSO then NAC Agent (Ver. appears to start login with local DB only (there's no any other options rather than Local DB).
All Ports are opened to DC and CAS is listening to port 8910.
I attached some snapshots from NAM configuration.

One more thing, sometimes this error appears on NAC Agent "Invalid switch configuration-OOB Error:OOB client 00:17:42:BE:F3:CB/ not found. Please contact your network administrator." what does this error mean?? Although i can connect the same client machine to another port and it's working properly.

Thanks in Advance,

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Faisal Sehbai Sat, 01/23/2010 - 20:27


With 2k8 DES encryption is disabled by default, so if you had run your KTPASS with the +DesOnly option, you will have to create a new account and run KTPASS a little differently.

More details here:



hebaelshahat Sun, 01/24/2010 - 06:52

Hi Faisal,

i have run the following "KTPASS.EXE -princ [email protected] -mapuser newadsso -pass  PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All" and the output was

Targeting domain controller: DC01.DOMAIN.COM
Successfully mapped newadsso/ to newadsso.
Password succesfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\newadsso.keytab:
Keytab version: 0x502
keysize 53 [email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x
1 (DES-CBC-CRC) keylength 8 (0x9be5c252a85d080b)
keysize 53 [email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x
3 (DES-CBC-MD5) keylength 8 (0x9be5c252a85d080b)
keysize 61 [email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x
17 (RC4-HMAC) keylength 16 (0x554e28e96389c80c975cc6f96b75fd92)
keysize 77 [email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x
12 (AES256-SHA1) keylength 32 (0xcfc491228d9864ab4a5a0424b78b0178a686a8e1aa4ad2e
keysize 61 [email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x
11 (AES128-SHA1) keylength 16 (0xcb99b6a0e424f312b5c804d5941b04d7)

and when i enabled Agent-Based Windows Single Sign-On with Active Directory the following appeared:

Error : Could not start the SSO service. Please check the configuration. although it was enabled and started with DesOnly Command!

Thanks in advance.

Faisal Sehbai Mon, 01/25/2010 - 14:04


What's the version of ktpass you used? What is the OS of the DC that the CAS is talking to?

Bump up the AD SSO logging on your CAS and look at the logs to see if anything interesting shows up there!



Marcel Imrich Tue, 02/09/2010 - 14:09


first check if you have disabled "Kerberos pre-authentication requirement" for SSO user account in AD. It's the last thing in account options.

This worked for us



This Discussion