I am piloting an OOB Clean Access setup on my network. I have successfully configured Clean access using the client and am happy with its performance.
I have attempted configuring Active directory SSO and have mixed results.
The first result being enabling the SSO by following the config guide and then clicking the update button and watching paint dry as the IE progress bar clicks along.
The second being the usual message of "Error : Could not start the SSO service. Please check the configuration."
I have dug up the logs from the CAS in question and during the first error, there are no messages. During the second error however the message is "SEVERE: loginToKDC - SSO Service authentication failed. Clients credentials have been revoked (18)"
I have searched the Cisco website for details of this message and there seems to be no reference.
I am authenticating to a Domain and have followed the procedure correctly (I assume, based on re-checking of the output).
I had a similar problem, and the culprit was DNS. Our domain had some multi-NIC DCs by accident. These additional NICs were supposed to be disabled, but instead were attempting to receive a DHCP address unsuccessfully, which resulted in them receiving a 169.254.x.x address. Since they were DCs, they added these IPs as A records for the domain zone.
I'm not saying that you have the same problem, but I figured this out by monitoring the switchport the CAM was connected to and observing the traffic with Wireshark.
I'd first do an nslookup for your domain. If it looks like it's resolving all the addresses correctly, I would set up SPAN and run Wireshark for any other issues.
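The DNS check suggested above, written out as an added example (not code from the original thread or from Cisco): it resolves the domain name the way nslookup would and flags any A record a client should never be handed as a KDC, in particular the 169.254.x.x (APIPA) addresses a multi-homed DC registers when a NIC never gets a lease. The domain name corp.example and the answer in SAMPLE_DNS are constructed so the audit runs offline; pass no resolver to query the real DNS.

```python
import ipaddress
import socket

# Constructed sample answer (not real data): what resolving the domain name
# might return when a multi-homed DC has registered an APIPA interface.
SAMPLE_DNS = {
    "corp.example": ["192.168.10.5", "192.168.10.6", "169.254.37.12"],
}


def resolve_a_records(domain, resolver=None):
    """Return the A records for `domain`.

    `resolver` is an optional dict of name -> [addresses] so the audit can
    run offline on a constructed answer; without it the OS resolver is used,
    which is the same source `nslookup <domain>` consults by default.
    """
    if resolver is not None:
        return list(resolver.get(domain, []))
    _hostname, _aliases, addrs = socket.gethostbyname_ex(domain)
    return addrs


def classify_address(addr):
    """Explain why an address registered for the domain zone is unusable
    as a KDC endpoint, or return 'ok'."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        # 169.254.0.0/16: a NIC that failed to get a DHCP lease and fell back
        # to APIPA. A DC registers it anyway, so clients may pick it first.
        return "link-local (APIPA) address: DC NIC without a real lease"
    if ip.is_loopback:
        return "loopback address registered for the domain"
    if ip.is_unspecified:
        return "unspecified (0.0.0.0) address"
    return "ok"


def audit_domain(domain, resolver=None):
    """Return [(address, verdict)] for every A record of the domain."""
    return [(addr, classify_address(addr))
            for addr in resolve_a_records(domain, resolver)]


def bad_kdc_candidates(domain, resolver=None):
    """Addresses the CAS could be handed for the domain that will never
    answer a Kerberos request."""
    return [addr for addr, verdict in audit_domain(domain, resolver)
            if verdict != "ok"]


def kdc_reachable(addr, timeout=2.0):
    """Live check (needs network): can we open TCP/88, the Kerberos port,
    on this address? Useful for the 'ok' records once DNS looks clean."""
    try:
        with socket.create_connection((addr, 88), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "corp.example"
    resolver = SAMPLE_DNS if target in SAMPLE_DNS else None
    for addr, verdict in audit_domain(target, resolver):
        print(f"{addr:<16} {verdict}")
```

Run it with your real domain name as the argument to query DNS directly; any line that is not "ok" is a DC interface to disable or an A record to remove before looking elsewhere for the SSO failure.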
NOTE: SERVERNAME needs to be exactly as indicated under My Computer > Properties (i.e., correct UPPERCASE and lowercase letters in the right places).
Another thing to look out for is the cleanaccess AD account you have created; make sure that the display name matches the account name, and do not specify anything for the First name and Last name fields. This seems to break things and gets the authentication to fail for some reason.
Oh, and if you have set up the account at first for DC Server Authentication, delete it and recreate it for the AD Domain Authentication, because that breaks it too when you run KTPASS.EXE again.
Another thing: try using ADSSO without the lookup account configured to see that the machine authenticates first, then add the Lookup Account; maybe the problem lies there.
I did get it working after a bit of playing around. I think I found out that the "credentials revoked" message means that the account is locked out, possibly due to an authentication error (wrong password) or, as you say, an incorrect ktpass. I found that deleting and re-creating my AD account, then re-doing the ktpass command, solved my problem.