
CAS SSO Failing

jthullen
Level 1

We have a CAS appliance configured for Windows SSO. This worked in the past, but I notice today that the Windows SSO service showed stopped on the CAS (this is at our DR site and is not used often so I do not know how long it has been in this state). When I tried to start the service I see the following log entries in the nac_manager log:

setAttribute failed: com.perfigo.wlan.jmx.admin.ServerInfo.SSOState @10.7.255.100:duration=0:ConnectorClient not connected to RMI Connector Server

invoke failed:: com.perfigo.wlan.jmx.admin.ServerInfo.startSSOServer @10.7.255.100:duration=59992:Error unmarshaling return header; nested exception is: java.net.SocketTimeoutException: Read timed out

Any ideas? TAC case will be next in the morning if I cannot figure this out. I am flat out of ideas. I am having the Admins check the account that we use to ensure it has not changed, but short of that I do not know where to turn. Those log messages do not mean much to me.


srue
Level 7

this CAS is at a DR site, does that mean there is another CAS that is possibly working correctly with SSO?

Yes, we have other CAS pairs that work, but they connect to a different CAM. I have opened a TAC case on this issue, and will keep you posted what TAC can determine.

i'll come down and troubleshoot seeing that you're in cinci, and i'm in indy :)

Actually we just got it resolved. The CAS is set to hit any DC in the domain. Turns out it was hitting a DC that did not have the configured account on it. Unfortunately, seems like a crap shoot on which DC it will hit unless you configure one specific DC, then re-run ktpass on the user. We don't want to do that, so we are checking with our AD admins to see why the account was not replicated to the DC in question. Issue resolved, saved you a trip! :)

you can run ktpass against a specific DC or the entire domain, and then turn on SSO for the entire domain or specific DC. I usually configure SSO for the entire domain.

that is what we have done as well, but one of the DCs doesn't get the cas user account we configured, and thus the SSO was not able to start. Not sure why that DC did not have the account.

Hi Jeffrey,

Did you ever resolve why one of the DCs didn't get the cas user account?

Paul
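
Added example, not part of the thread: a per-DC check for the condition described above, where the CAS is pointed at the whole domain and one DC lacks the SSO account. It assumes the RSAT ActiveDirectory module is available, and `cas-sso-user` is a placeholder for the account ktpass was run against.

```powershell
# Added example (not from the thread): ask every DC in the domain whether it
# holds the CAS SSO account, and compare the attributes ktpass touches.
# Assumption: RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$SamAccountName = 'cas-sso-user'   # placeholder account name, not from the thread

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DC          = $dc.HostName
        Site        = $dc.Site
        Found       = $false
        Enabled     = $null
        Kvno        = $null
        SPNs        = $null
        WhenChanged = $null
        Error       = $null
    }
    try {
        # -Filter returns nothing (no exception) when the object is absent on this DC.
        $user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" `
                    -Server $dc.HostName `
                    -Properties servicePrincipalName, 'msDS-KeyVersionNumber', whenChanged `
                    -ErrorAction Stop
        if ($user) {
            $row.Found       = $true
            $row.Enabled     = $user.Enabled
            $row.Kvno        = $user.'msDS-KeyVersionNumber'
            $row.SPNs        = ($user.servicePrincipalName -join ';')
            $row.WhenChanged = $user.whenChanged
        }
    } catch {
        # DC unreachable or query refused: record it rather than treating it as "missing".
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results | Sort-Object DC | Format-Table -AutoSize

# DCs that answered but do not hold the account (the failure case in this thread).
$missing = $results | Where-Object { -not $_.Found -and -not $_.Error }
if ($missing) { Write-Warning ("Account missing on: " + ($missing.DC -join ', ')) }

# DCs that hold the account but disagree on key version number or SPN.
$variants = $results | Where-Object Found | Group-Object Kvno, SPNs
if ($variants.Count -gt 1) { Write-Warning 'Kvno/SPN differ between DCs; replication has not converged.' }
```

A DC listed as missing, or one whose key version number or SPN differs from the rest, is a replication problem to take to the AD admins before re-running ktpass.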
