topic Re: NAC 4.7.1 ADSSO can't work on client in Network Security

NAC 4.7.1 ADSSO can't work on client

beckman.yang — Fri, 21 Feb 2020 11:49:00 GMT

Dear Sir ,

I used NAC 4.7.1 and config AD SSO with Windows 2k Server . ( LDAP auth is OK)

The service of SSO is running on CAS , but TCP/8910 port can't be listen .

How should I do open TCP/8910 port and how to fix it ?

Re: NAC 4.7.1 ADSSO can't work on client

Faisal Sehbai — Tue, 08 Dec 2009 02:50:39 GMT

Yang,

That should be available when the SSO service is started. Is the SSO service running?

Have you bounced the perfigo service, or the server itself?

Thanks,

Faisal

Re: NAC 4.7.1 ADSSO can't work on client

beckman.yang — Mon, 14 Dec 2009 02:02:09 GMT

Dear Sir ,

ADSSO service is running . I had tried service restart on CAS , but can't work on client .

thanks

Re: NAC 4.7.1 ADSSO can't work on client

Faisal Sehbai — Mon, 14 Dec 2009 16:42:11 GMT

Hi,

If SSO service is running, then the next thing you have to look at (if it's failing at the agent) is the ports that are open in the unauthenticated role.

Can you post a listing of those?

Can you also post the output of the following command from your CAS: nslookup where your_domain_name is the domain name you're trying to do SSO against.

Faisal

Re: NAC 4.7.1 ADSSO can't work on client

beckman.yang — Wed, 16 Dec 2009 01:20:15 GMT

Dear Sir ,

fyi

thanks

Re: NAC 4.7.1 ADSSO can't work on client

Faisal Sehbai — Wed, 16 Dec 2009 02:48:39 GMT

Hi,

Two things:

- One of your DC's being returned when we do a nslookup is a 169.254 address. This means that one of your DCs has DHCP enabled on one of it's interfaces and that is also being registered in your AD as a DC. This will cause problems for you, so best to have your AD cleaned up

- You posted the netstat output. I was looking for the unauthenticated role policies. To get those, go to the CAM gui, and click on User Roles, Traffic policies, choose unauthenticated role and hit select. The resulting page is what I wanted to see.

Faisal

Re: NAC 4.7.1 ADSSO can't work on client

beckman.yang — Thu, 17 Dec 2009 05:49:29 GMT

Dear Sir ,

fyi

thanks

Re: NAC 4.7.1 ADSSO can't work on client

Faisal Sehbai — Thu, 17 Dec 2009 15:14:33 GMT

Hello,

Please open traffic to ALL your DCs, and not just one, and try again.

If that doesn't work, try opening ALL IP in the unauthenticated role (just for testing) and see if AD SSO succeeds.

Faisal

Re: NAC 4.7.1 ADSSO can't work on client

danielnunes — Thu, 13 May 2010 18:07:00 GMT

Hi Faisal,

I have the same problem and you can see the nslookup result from my CAS.

At Now I could to start the ADSSO Service on CAS but I couldn't see port 8910 opened on CAS.

thanks a lot

Re: NAC 4.7.1 ADSSO can't work on client

Faisal Sehbai — Fri, 14 May 2010 19:37:14 GMT

Daniel,

The screen shot shows the SSO service not starting. Post your CAS logs so we can see why.

Faisal

Re: NAC 4.7.1 ADSSO can't work on client

danielnunes — Fri, 14 May 2010 20:41:10 GMT

Faisal,

thanks for your attention,

We had two problems, first of all our AD Domain was with incorrect number IP add, there were more IP address that is necessary and first we made a clean-up there, second thing was that I saw that machines that couldn't make AD SSO because the kerbero ticket does not appear on machine, I used a Kerbtray program to do this, and i could figure out that there were some UDP ports that does not open.

After this everything works fine.

thanks a lot