topic Re: AD SSO Problem in NAC in Network Security

AD SSO Problem in NAC

pandapritam — Fri, 21 Feb 2020 11:21:09 GMT

i have successfuly run the KT pass in AD. then as per the procedure i have sync the AD with CAS & CAM after that when i am going to start AD service

Error : Could not start the SSO service. Please check the configuration. is comming.

Neither i have found the log file in cas

/perfigo/logs/perfigo-redirect-log0.log.0.

1. i have checked the connectivty between AD and CAS its fine

2. As per the document i have completed all the steps still not able to integrate AD with CAS

can any one help me out

Re: AD SSO Problem in NAC

greg.washburn — Fri, 13 Mar 2009 12:57:38 GMT

Just wondering, are you using 2008 or 2003 domain controller(s).

Re: AD SSO Problem in NAC

jad.sadek — Fri, 13 Mar 2009 16:06:21 GMT

Follow the exact requirement of AD DC:

For Example Win2k3 with SP1 is supported while it is not supported without SP1...

Also, make sure the ktpass has the minimum required version. if not download it from Microsoft.

Make sure you follow the right procedure for ktpass. The procedures in case you have multiple DCs is different then the one with single DC.

Re: AD SSO Problem in NAC

greg.washburn — Fri, 13 Mar 2009 18:42:27 GMT

The reason I asked what OS your domain controllers are running is because you may need to run ktpass differently for CAS server to support authentication to 2k8. We certainly did. We were only able to use a single domain controller vs a domain for the "Account CAS on setting".

Re: AD SSO Problem in NAC

jwjorgensen — Fri, 13 Mar 2009 21:51:34 GMT

You might check the time on the DC, the CAS, and the CAM. ADSSO uses kerberos, which requires the times on the devices to be synced. (I believe within 5 minutes of each other)

Re: AD SSO Problem in NAC

Daniel Laden — Sat, 14 Mar 2009 06:08:50 GMT

"Neither i have found the log file in cas

/perfigo/logs/perfigo-redirect-log0.log.0"

What version of Cisco NAC do you have installed? If NAC 4.5+, look for the log file at /perfigo/access/tomcat/logs/nac-server.log

-Dan Laden

Re: AD SSO Problem in NAC

vishekha — Sat, 14 Mar 2009 06:38:07 GMT

The location od CAS log fines differes based on the version.

in 4.1.x its /perfigo/logs

in 4.5 and later its /perfigo/control/tomcat/logs/

Try to understand whats going on by reading the logs.

Also please make sure the time is synchronized on AD and CAS & CAM.

Re: AD SSO Problem in NAC

Daniel Laden — Sat, 14 Mar 2009 19:44:56 GMT

Just a point of clarity.

For 4.5+, the NAC Manager log files are at /perfigo/control/tomcat/logs and the NAC Server log files are at /perfigo/access/tomcat/logs.

-Dan Laden

Re: AD SSO Problem in NAC

netjustin — Tue, 30 Mar 2010 21:40:21 GMT

The procedures in case you have multiple DCs is different then the one with single DC.

Somewhere I heard that if you run KTPASS from the latest supported version of Windows Server in your domain, then the proper Kerberos mappings will replicate throughout. Your statement seems to contradict that; where did you find this information?

We are having a problem similar to the OP, where one of our two CAS servers is failing to start the SSO service. This after attempting to run the KTPASS routine to allow for Windows 7 support. I do believe GUI utility is called for in a situation like this.