https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399876#M740086 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>My client runs 3 AD in their environment with OS windows 2003. Now they plan to upgrade one AD to windows 2008,</P><P>but the "function level" is still windows 2003. When I ran ktpass in 2008, there will be some error messages appear.</P><P></P><P>I have tested NAC with pure windows 2008 and it works fine with AD SSO.</P><P>But some customer won't upgrade AD straight to pure wondows 2008 in case of some incompatible problems.</P><P>So is there any method to solve the environment with Server 2008 but function level is still Server 2003?</P><P></P><P>ps: According to the document "If the AD system is based on an upgrade from Windows Server 2003, you must raise the domain functionality to Windows Server 2008 level for Cisco NAC appliance to perform SSO on <STRONG>Windows 7 clients</STRONG>. Without this you will not be able to automatically login to the Cisco NAC Appliance network.",<SPAN style="text-decoration: underline;"> if the client's PC OS is <STRONG>XP</STRONG>, not windows 7, will it not be affected with AD SSO??</SPAN></P><P></P><P>Thanks a lot!</P><P></P><P>Jet</P></BODY></HTML> Tue, 27 Apr 2010 07:48:23 GMT jetli1983 2010-04-27T07:48:23Z https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399872#M740019 <P>Hello,</P><P></P><P>I have a question, can i integrate NAC 4.7.2 with AD 2K3 using client machine windows 7 to login with SSO?, I have this question, because I have client machines in windows 7 and I have integrated NAC 4.7.2 with AD 2K8 to SSO, but I havent raised funtional level from W2K3 to W2K8, but it works client machine WXP with SSO.</P><P></P><P>Any suggest?</P><P></P><P>Best Regards</P> Sat, 22 Feb 2020 07:20:44 GMT https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399872#M740019 Alvaro Perez Unzueta 2020-02-22T07:20:44Z https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399873#M740025 <HTML><HEAD></HEAD><BODY><P>Alvaro,</P><P></P><P><SPAN>Raise the domain level to 2k8. That's the only supported method that works with SSO. More details here: </SPAN><A class="jive-link-external-small" href="http://bit.ly/471_SSO">http://bit.ly/471_SSO</A><SPAN> footnote 2.</SPAN></P><P></P><P>HTH,</P><P>Faisal</P></BODY></HTML> Wed, 21 Apr 2010 19:28:18 GMT https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399873#M740025 Faisal Sehbai 2010-04-21T19:28:18Z https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399874#M740045 <HTML><HEAD></HEAD><BODY><P>Hello Faisal,</P><P></P><P>is it works AD2K3 + NAC 4.7.2 + Windows 7 client + SSO AD? i undertand that i have to enable DES encryption, but one time done that it is work?</P><P></P><P>Thank you</P><P></P><P>Alvaro</P></BODY></HTML> Wed, 21 Apr 2010 20:07:39 GMT https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399874#M740045 Alvaro Perez Unzueta 2010-04-21T20:07:39Z https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399875#M740061 <HTML><HEAD></HEAD><BODY><P>Alvaro,</P><P></P><P>Yes. That can work, but you have to create a new account and run ktpass on it differently. Make sure the KTPASS version is the one ending in 1830 and run it like this:</P><P></P><P><SPAN class="content"><PRE><SPAN>KTPASS.EXE -princ newadsso/[adserver.]</SPAN><A class="jive-link-email-small" href="mailto:domain.com@DOMAIN.COM">domain.com@DOMAIN.COM</A><SPAN> -mapuser newadsso -pass </SPAN><BR />PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL<BR /><BR /><SPAN style="font-family: arial,helvetica,sans-serif;"><SPAN>More info: </SPAN><A class="jive-link-external-small" href="http://bit.ly/471_SSO">http://bit.ly/471_SSO</A><BR /><BR />HTH,<BR />Faisal</SPAN></PRE></SPAN></P></BODY></HTML> Thu, 22 Apr 2010 22:17:58 GMT https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399875#M740061 Faisal Sehbai 2010-04-22T22:17:58Z https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399876#M740086 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>My client runs 3 AD in their environment with OS windows 2003. Now they plan to upgrade one AD to windows 2008,</P><P>but the "function level" is still windows 2003. When I ran ktpass in 2008, there will be some error messages appear.</P><P></P><P>I have tested NAC with pure windows 2008 and it works fine with AD SSO.</P><P>But some customer won't upgrade AD straight to pure wondows 2008 in case of some incompatible problems.</P><P>So is there any method to solve the environment with Server 2008 but function level is still Server 2003?</P><P></P><P>ps: According to the document "If the AD system is based on an upgrade from Windows Server 2003, you must raise the domain functionality to Windows Server 2008 level for Cisco NAC appliance to perform SSO on <STRONG>Windows 7 clients</STRONG>. Without this you will not be able to automatically login to the Cisco NAC Appliance network.",<SPAN style="text-decoration: underline;"> if the client's PC OS is <STRONG>XP</STRONG>, not windows 7, will it not be affected with AD SSO??</SPAN></P><P></P><P>Thanks a lot!</P><P></P><P>Jet</P></BODY></HTML> Tue, 27 Apr 2010 07:48:23 GMT https://community.cisco.com/t5/network-security/client-nac-windows-7-using-sso-ad-with-active-directory-2003/m-p/1399876#M740086 jetli1983 2010-04-27T07:48:23Z