The reason I asked what OS your domain controllers are running is because you may need to run ktpass differently for CAS server to support authentication to 2k8. We certainly did. We were only able to use a single domain controller vs a domain for the "Account CAS on setting".
The procedure in case you have multiple DCs is different than the one with a single DC.
Somewhere I heard that if you run KTPASS from the latest supported version of Windows Server in your domain, then the proper Kerberos mappings will replicate throughout. Your statement seems to contradict that; where did you find this information?
We are having a problem similar to the OP, where one of our two CAS servers is failing to start the SSO service. This is after attempting to run the KTPASS routine to allow for Windows 7 support. I do believe a GUI utility is called for in a situation like this.
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...