Answered Question
Sep 6th, 2010
User Badges:


I am trying to configure NAC OOB SSO with AD. The software on my CAS and CAM is 4.7(2)

and my AD is Windows Server 2008.

I have some information that with this version of NAC software (4.7.2) I do not need to run ktpass

on AD server. Is this true? Because I didn't find that kind of information in any manual.

So do I need to run ktpass and if I do, what version should I use?


Correct Answer by Faisal Sehbai about 6 years 7 months ago


Check this link. Even though it says it's for 4.8, it works with 4.7.2 also:



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
zoran.suica Wed, 09/08/2010 - 14:27
User Badges:


thank you very much. I did configure it as it says in the document and it is working.

But I have another thing that worries me. Why is it (and is it) necessary to select

"Use Kerberos DES encryption types for this account" under my CAS username when

it also says in the section about windows 7 that I can Enable Additional Algorithms on Existing AD Servers

But it explains only doing it with ktpass. Why can't I just enable other algorithms over ldp?

To be honest I am worried about this DES encryption because it is something my internal control doesn't like.

And I don't know in which step of kerberos authentication (in NAC AD SSO) is DES algorithm used? Between

client and AD or just client and CAS?

So is there a way to avoid DES totally and if not could you at least tell me in which phase of auth. process is it

used so I can see if it is acceptable because of internal control.

Thanks once again,


Faisal Sehbai Thu, 09/09/2010 - 03:30
User Badges:
  • Gold, 750 points or more


Under the user properties, if you uncheck "Use Des encryption...." it will allow all encryption types. You can verify that it is not using DES by doing a packet capture between the CAS and the DC.




This Discussion