Community Member

AD SSO Service Starts, But Client Not Performing SSO


I hope someone can help me with this issue.

I have a NAC environment in which NAM and NAS are operating in high availability mode. The NAS is in Out-of-band Virtual gateway mode, and I have configured AD-SSO.

Users in the local database (NAM) can authenticate normally.

My problem is that users cannot authenticate via the AD-SSO functionality.

The AD-SSO service is up and running, but when a user tries to log in to the domain (with the AD credentials), the attempt is unsuccessful and the user gets the NAC agent. For testing purposes, I have allowed data traffic from the untrusted side (unauthenticated role) to the domain controller (DC) on any port.

Can anybody help me find what my problem is?

I have gotten the logs with the command “more /perfigo/access/tomcat/logs/nac_server.log”. I cannot see any traffic to port 8910 (but there is traffic to port 8905). Besides, if someone knows where I can find documentation that helps interpret the logs, I would be thankful if you shared it with me.

I am attaching a document with the details.

I really appreciate your help.


Cisco Employee

AD SSO Service Starts, But Client Not Performing SSO

Hi Damaso,

For your reference, here is the full procedure of how the CAS should authenticate the user with AD SSO:

1. The user logs in to Windows and obtains a Ticket-Granting Ticket (TGT) from the Kerberos Authentication Service on AD.

[here the CAS is not involved]

2. The Agent starts and the CAS instructs the Agent to get a Kerberos Service Ticket (ST) for the SSO Service from the AD server.

[here the CAS is involved]

3. The user sends its Ticket-Granting Ticket (TGT) to request the Service Ticket (ST) from the Kerberos Ticket-Granting Service (TGS) on AD.

[here the CAS is not involved, as long as all the communications from/to AD are allowed for the unauthenticated role]

This Service Ticket (ST) can be seen through the Microsoft Kerbtray.exe tool.

4. The Agent sends the Service Ticket (ST) to the CAS for the user authentication and role mapping.

[here the CAS is involved]

The Kerbtray.exe tool allows us to display the Service Ticket (ST) obtained by the user from AD, that will then be sent by the Agent to the CAS.

Could you confirm through Kerbtray whether the user is getting the right ST?

If a user does not have any Service Ticket (ST) at all, there may be an issue with AD (considering the fact that the CAS is already allowing all the traffic to/from AD).

The user may either be unable to send the Ticket-Granting Ticket (TGT) to AD, or be unable to obtain the Service Ticket (ST) from AD.

The CAS during this phase is neither performing any actions nor blocking any traffic, since all the communications to/from AD are already fully open in the unauthenticated role.
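
The four-step flow in the reply above maps directly onto what the client's Kerberos ticket cache shows. As an added example (not part of the original thread, and not Cisco's own tooling), the script below parses the output of the Windows `klist` command (the same cache Kerbtray.exe displays) and reports which step of the AD SSO flow is the first one that cannot have completed: no TGT means the Windows logon to AD itself failed (step 1), a TGT without a Service Ticket for the CAS SSO service means the TGS request failed (step 3), and both tickets present means the remaining suspect is the Agent-to-CAS exchange (step 4). The realm `EXAMPLE.COM`, the SPN `HTTP/cas.example.com` for the CAS SSO service account, and all `klist` dumps are constructed assumptions for this example; substitute your own SPN and paste your real `klist` output.

```python
"""Map a Windows `klist` ticket dump onto the AD SSO flow (steps 1-4).

Added example: the realm, SPN and klist dumps below are constructed for
illustration and are not taken from the original thread.
"""
import re

# Assumed values for this example; replace with your own domain and the SPN
# registered for the CAS AD SSO service account.
REALM = "EXAMPLE.COM"
CAS_SSO_SPN = "HTTP/cas.example.com"

# Matches the "Server:" line of each cached ticket in `klist` output.
SERVER_RE = re.compile(r"^\s*Server:\s*(\S+)\s*@\s*(\S+)", re.MULTILINE)

# Constructed klist dump: nothing cached at all (step 1 never completed).
KLIST_EMPTY = """
Current LogonId is 0:0x3e7

Cached Tickets: (0)
"""

# Constructed klist dump: TGT only, no ST for the CAS SSO service (step 3 failed).
KLIST_TGT_ONLY = """
Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: damaso @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        End Time:   1/1/2012 19:00:00 (local)
        Kdc Called: dc1.example.com
"""

# Constructed klist dump: TGT and ST for the CAS SSO SPN (steps 1-3 completed).
KLIST_WITH_ST = KLIST_TGT_ONLY.replace("Cached Tickets: (1)", "Cached Tickets: (2)") + """
#1>     Client: damaso @ EXAMPLE.COM
        Server: HTTP/cas.example.com @ EXAMPLE.COM
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
        End Time:   1/1/2012 19:00:00 (local)
        Kdc Called: dc1.example.com
"""


def cached_services(klist_output):
    """Return (service, realm) pairs for every ticket in a klist dump."""
    return SERVER_RE.findall(klist_output)


def diagnose(klist_output, realm=REALM, spn=CAS_SSO_SPN):
    """Return (failing_step, explanation) for the AD SSO flow.

    failing_step is the first step of the flow that has not demonstrably
    completed; 4 means steps 1-3 are fine and the Agent-to-CAS exchange
    (port 8910 on the CAS) is what to investigate next.
    """
    services = cached_services(klist_output)
    tgt_name = f"krbtgt/{realm}".lower()
    has_tgt = any(svc.lower() == tgt_name for svc, _ in services)
    has_st = any(svc.lower() == spn.lower() for svc, _ in services)

    if not has_tgt:
        return 1, ("no TGT cached: the Windows logon to AD did not complete; "
                   "the CAS is not involved here")
    if not has_st:
        return 3, (f"TGT present but no Service Ticket for {spn}: the TGS "
                   "request to AD failed or the SPN is wrong; verify the SPN "
                   "registered for the CAS SSO account and AD reachability")
    return 4, (f"TGT and Service Ticket for {spn} are cached: steps 1-3 are "
               "fine, so check the Agent-to-CAS exchange (traffic to port "
               "8910 on the CAS)")


if __name__ == "__main__":
    for label, dump in (("empty", KLIST_EMPTY), ("tgt-only", KLIST_TGT_ONLY),
                        ("tgt+st", KLIST_WITH_ST)):
        step, why = diagnose(dump)
        print(f"{label:9s} -> stuck at step {step}: {why}")
```

On a real client, run `klist` in a command prompt as the logged-in user and feed its output to `diagnose`; the matching is case-insensitive because `klist` prints the SPN as it was issued, which may differ in case from the value you registered with `setspn`.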




