Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1786
Views
0
Helpful
4
Replies

NAC AD-SSO service started but client isn't doing SSO

hebaelshahat
Level 1
Level 1

‎01-18-2010 08:46 AM - edited ‎02-21-2020 03:51 AM

Hi All,


We have NAC version 4.7(1) and we integrated it with Domain Controller on windows 2008. The integration is done and the service is started but the client (XP machine) access the domain without doing SSO then NAC Agent (Ver. 4.7.1.511) appears to start login with local DB only (there's no any other options rather than Local DB).
All Ports are opened to DC and CAS is listening to port 8910.
I attached some snapshots from NAM configuration.

One more thing, sometimes this error appears on NAC Agent "Invalid switch configuration-OOB Error:OOB client 00:17:42:BE:F3:CB/172.20.10.20 not found. Please contact your network administrator." what does this error mean?? Although i can connect the same client machine to another port and it's working properly.

Thanks in Advance,

1 person had this problem
Preview file
82 KB
Preview file
84 KB
Preview file
79 KB
0 Helpful
4 Replies 4

Faisal Sehbai
Level 7
Level 7

‎01-23-2010 08:27 PM

Hello,

With 2k8 DES encryption is disabled by default, so if you had run your KTPASS with the +DesOnly option, you will have to create a new account and run KTPASS a little differently.

More details here: http://bit.ly/54CcKF

HTH,

Faisal

0 Helpful

hebaelshahat
Level 1
Level 1
In response to Faisal Sehbai

‎01-24-2010 06:52 AM

Hi Faisal,

i have run the following "KTPASS.EXE -princ newadsso/domain.com@DOMAIN.COM -mapuser newadsso -pass  PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All" and the output was

Targeting domain controller: DC01.DOMAIN.COM
Successfully mapped newadsso/domain.com to newadsso.
Password succesfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\newadsso.keytab:
Keytab version: 0x502
keysize 53 newadsso/domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x
1 (DES-CBC-CRC) keylength 8 (0x9be5c252a85d080b)
keysize 53 newadsso/domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x
3 (DES-CBC-MD5) keylength 8 (0x9be5c252a85d080b)
keysize 61 newadsso/domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x
17 (RC4-HMAC) keylength 16 (0x554e28e96389c80c975cc6f96b75fd92)
keysize 77 newadsso/domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x
12 (AES256-SHA1) keylength 32 (0xcfc491228d9864ab4a5a0424b78b0178a686a8e1aa4ad2e
fa95890da6361006d)
keysize 61 newadsso/domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x
11 (AES128-SHA1) keylength 16 (0xcb99b6a0e424f312b5c804d5941b04d7)


and when i enabled Agent-Based Windows Single Sign-On with Active Directory the following appeared:

Error : Could not start the SSO service. Please check the configuration. although it was enabled and started with DesOnly Command!

Thanks in advance.


0 Helpful

Faisal Sehbai
Level 7
Level 7
In response to hebaelshahat

‎01-25-2010 02:04 PM

Hi,

What's the version of ktpass you used? What is the OS of the DC that the CAS is talking to?

Bump up the AD SSO logging on your CAS and look at the logs to see if anything interesting shows up there!

HTH,

Faisal

0 Helpful

Marcel Imrich
Level 4
Level 4
In response to hebaelshahat

‎02-09-2010 02:09 PM

Hi,

first check if you have disabled "Kerberos pre-authentication requirement" for SSO user account in AD. It's the last thing in account options.

This worked for us

m>

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card