
NAC authentication SSO crashed after update fixes in Win Server2K3

diaz.jorge
Level 1

NAC 4.7(2) authentication SSO with Active Directory on WinServer2k3 crashed after installing the following fixes:

KB2478971          KERBEROS WEAK HASHING ALGORITHMS

This update addresses the vulnerabilities by preventing the use of weak hashing algorithms in both Windows Kerberos and Windows KDC and by preventing the client from downgrading the encryption standard to DES for Kerberos communication between client and server.

http://www.microsoft.com/technet/security/bulletin/MS11-013.mspx

KB2478953          ACTIVE DIRECTORY DoS

The vulnerability could allow denial of service if an attacker sent a specially crafted packet to an affected Active Directory server. The attacker must have valid local administrator privileges on the domain-joined computer in order to exploit this vulnerability.

http://www.microsoft.com/technet/security/bulletin/MS11-005.mspx

The NAC solution was working fine for a year, but since my customer installed those fixes we have trouble authenticating users in NAC; the CAM can't read the LDAP tree and neither can the CAS. I asked my customer to remove those fixes. They did, but they don't have a previous snapshot or checkpoint to restore the servers.

We have followed Cisco's troubleshooting guides, but the problem continues...

Any suggestion?


songl
Cisco Employee

Could you please retype ktpass on the Win2003 server? You said the CAM crashed; do you find any message in the support log?

If you need quick support, please open a TAC support case for this issue.

SongL

We retyped the KTPass, but the problem continues, so we will open a TAC case.

Thanks for your support.

Hi Jorge

Maybe you can disable the DES attribute and enable the AES attribute on the AD domain SSO account, because Microsoft changed to a stronger security algorithm with the patch.

SongL