01-18-2010 08:46 AM - edited 02-21-2020 03:51 AM
Hi All,
We have NAC version 4.7(1) and we integrated it with a Domain Controller on Windows 2008. The integration is done and the service is started, but the client (XP machine) accesses the domain without doing SSO; the NAC Agent (ver. 4.7.1.511) then appears to start login with the local DB only (there are no other options besides Local DB).
All ports are opened to the DC and the CAS is listening on port 8910.
I attached some snapshots from the NAM configuration.
One more thing: sometimes this error appears on the NAC Agent: "Invalid switch configuration-OOB Error:OOB client 00:17:42:BE:F3:CB/172.20.10.20 not found. Please contact your network administrator." What does this error mean? Although I can connect the same client machine to another port and it works properly.
Thanks in Advance,
01-23-2010 08:27 PM
Hello,
With 2k8, DES encryption is disabled by default, so if you ran your KTPASS with the +DesOnly option, you will have to create a new account and run KTPASS a little differently.
More details here: http://bit.ly/54CcKF
HTH,
Faisal
01-24-2010 06:52 AM
Hi Faisal,
I have run the following: "KTPASS.EXE -princ newadsso/domain.com@DOMAIN.COM -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL -crypto All" and the output was
Targeting domain controller: DC01.DOMAIN.COM
Successfully mapped newadsso/domain.com to newadsso.
Password succesfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to c:\newadsso.keytab:
Keytab version: 0x502
keysize 53 newadsso/domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x9be5c252a85d080b)
keysize 53 newadsso/domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x9be5c252a85d080b)
keysize 61 newadsso/domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x554e28e96389c80c975cc6f96b75fd92)
keysize 77 newadsso/domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0xcfc491228d9864ab4a5a0424b78b0178a686a8e1aa4ad2efa95890da6361006d)
keysize 61 newadsso/domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0xcb99b6a0e424f312b5c804d5941b04d7)
When I enabled Agent-Based Windows Single Sign-On with Active Directory, the following appeared:
"Error : Could not start the SSO service. Please check the configuration." Although it was enabled and started with the DesOnly command!
Thanks in advance.
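Faisal's point about DES being disabled on Windows 2008 can be checked against the keytab file itself rather than the ktpass console output. The following is an added example (not code from the thread, Cisco or Microsoft): it parses a keytab in the 0x502 format shown above into (principal, kvno, etype) entries and flags principals that carry only DES keys (etypes 1 and 3; RC4-HMAC is 23, AES256 is 18, AES128 is 17 in decimal). The two sample keytabs are constructed in code with dummy key bytes to mirror the +DesOnly and -crypto All cases.

```python
import struct

def _counted(buf, pos):
    """Read a keytab counted_octet_string: uint16 big-endian length, then bytes."""
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x502 (MIT/Heimdal) keytab into (principal, kvno, etype)."""
    assert data[:2] == b"\x05\x02", "unsupported keytab version %r" % data[:2]
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:  # a size <= 0 marks a deleted slot, which is skipped
            ncomp = struct.unpack_from(">H", data, pos)[0]
            realm, pos = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _counted(data, pos)
                comps.append(comp.decode())
            # name_type(u32), timestamp(u32), vno8(u8), etype(u16), key; optional u32 kvno overrides vno8
            _nt, _ts, vno8, etype = struct.unpack_from(">IIBH", data, pos)
            _key, pos = _counted(data, pos + 11)
            kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
            entries.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
        pos = end
    return entries

def des_only_principals(entries):
    """Principals with only DES keys (etypes 1, 3): unusable against a DC with DES disabled."""
    etypes = {}
    for princ, _, etype in entries:
        etypes.setdefault(princ, set()).add(etype)
    return sorted(p for p, ets in etypes.items() if ets <= {1, 3})

def build_keytab(entries):
    """Constructed test data only: serialise (principal, kvno, etype, key) as 0x502."""
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.split("@")
        parts = [realm] + name.split("/")
        body = struct.pack(">H", len(parts) - 1)  # component count excludes the realm
        body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)  # 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

PRINC = "newadsso/domain.com@DOMAIN.COM"  # constructed keytabs: +DesOnly vs -crypto All
DES_ONLY_KEYTAB = build_keytab([(PRINC, 3, e, b"\x01" * 8) for e in (1, 3)])
ALL_CRYPTO_KEYTAB = build_keytab([(PRINC, 3, e, b"\x01" * 16) for e in (1, 3, 23, 18, 17)])
```

Running `des_only_principals(parse_keytab(open("newadsso.keytab", "rb").read()))` on a real keytab returns the principals that would fail against a DES-disabled DC.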
01-25-2010 02:04 PM
Hi,
What's the version of ktpass you used? What is the OS of the DC that the CAS is talking to?
Bump up the AD SSO logging on your CAS and look at the logs to see if anything interesting shows up there!
HTH,
Faisal
02-09-2010 02:09 PM
Hi,
First, check whether you have disabled the "Kerberos pre-authentication requirement" for the SSO user account in AD. It's the last item in the account options.
This worked for us.